
BSC30923 - CyberSecurity Defence and Operations - CA4

This 3-part practical assignment assesses skills in evaluating Snort/SGUIL events, pivoting between tools like SGUIL, ELSA, Bro and Wireshark to analyze a potential cybersecurity incident. Students are provided with a preconfigured Security Onion virtual machine and instructed to analyze events indicating malicious activity, identify an exploit kit and related malware targeting outdated software. Students must provide evidence at each step, summarize their findings, and record a screencast demonstrating the analysis process. The assignment assesses skills in incident response, intrusion analysis techniques like the Cyber Kill Chain and Diamond models, and communication of technical concepts.

Uploaded by maheusperazzo

Bachelor of Science in Computing

Stage 3, Semester 1
December 2023

Continuous Assessment 4

Module Title: CyberSecurity Defence and Operations


Assessment Type: Practical Assignment
Weighting: 40%
Maximal Possible Mark: 100 marks
Date: 08/12/2023
Instructions

To complete this assessment, you will need to download a preconfigured Security Onion virtual
machine, which you will then import into VirtualBox.

The VM download link will be available on the Assignment link on your Moodle course page.

Usernames and passwords are the same as the virtual machines you have used during the module.

When finished you will upload the following to the Moodle assignment link on your course page:
• Completed Report
• Screencast(s)

Moodle has a maximum upload limit of 300MB.

Important:
Please note that Turnitin is enabled for this assignment submission and will scan your uploaded
document for plagiarism. This submission must be in your own words; do not copy and paste
content from either this assessment document or other sources.
Introduction
Working as the security analyst for the Ziodex Corporation, you notice a number of events on the
SGUIL dashboard. Your task is to analyse these events, learn more about them, and decide if they
indicate malicious activity.

You will have access to the Internet to discover more about the events. Using the Security Onion
VM you may use any reasonable research method at your disposal. The tasks set out in this
assessment are designed to provide some guidance through the analysis process.

You will be assessed on the following skills:


• Evaluating Snort/SGUIL events.
• Using SGUIL as a pivot to launch ELSA, Bro and Wireshark for detailed event inspection.
• Using independent research to obtain intelligence on a potential exploit.

For each step of this assessment, you must provide evidence.


This may be:
• A copy/paste of file/log information.
• A screenshot.
• An explanation of how you found the evidence.

You will decide what evidence is appropriate. There are 28 steps that must be completed.

Marks awarded for each section include both the documentation and screencast evidence.

Addressing Table
The following addresses are preconfigured on the network devices. Addresses are provided for
reference purposes:
Device              Interface   Network/Address      Description
Security Onion VM   eth0        192.168.0.1/24       Interface connected to the Internal Network
Security Onion VM   eth2        209.165.201.21/24    Interface connected to the External Networks/Internet
Part 1 – Gathering Information – 25 marks

1. Log into Security Onion VM with username analyst and password cyberops.
2. Open a terminal window. Enter the sudo service nsm status command to verify that all the
services and sensors are ready.
3. When the nsm service is ready, log into SGUIL with the username analyst and password
cyberops. Click Select All to monitor all the networks. Click Start SGUIL to continue.
4. In the SGUIL window, identify the group of events that are associated with exploit(s) that
have taken place. This group of events is related to a single multi-part exploit.
How many events were generated by the entire exploit?
5. According to SGUIL, when did the exploit begin? When did it end? Approximately how long
did it take?
6. What is the IP address of the internal computer involved in the events?
7. What is the MAC address of the internal computer involved in the events? How did you find
it?
8. What are some of the Source IDs of the rules that fire when the exploit occurs? Where are
the Source IDs from?
9. Do the captured events look suspicious to you? Based on the captured events does it seem
like the internal computer was infected or compromised? Briefly explain.
10. Identify the operating system that is running on the internal computer in question.
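Steps 4 to 8 are the same bookkeeping an analyst does by eye in SGUIL: count the alerts, find the first and last timestamp, spot the internal host and read the rule IDs. The script below is an added example, not part of the assignment or the Security Onion VM; the alert lines are constructed in Snort's fast-alert format with placeholder SIDs and addresses, the 192.168.0.0/24 range comes from the addressing table above, and treating SIDs in the 2000000 to 2999999 range as Emerging Threats rules is an assumption stated in the code.

```python
"""Added example (not part of the assignment): summarise a batch of Snort
fast-format alerts the way steps 4-8 ask you to read them in SGUIL.
The alert lines below are constructed; SIDs and addresses are placeholders."""
import ipaddress
import re
from datetime import datetime

# Constructed sample in Snort "fast" alert format (not taken from the assignment VM).
SAMPLE_ALERTS = """\
12/08-10:15:02.118430  [**] [1:2000001:3] ET POLICY Outdated Flash Version M1 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.0.10:49160 -> 203.0.113.5:80
12/08-10:15:03.402115  [**] [1:2000002:5] ET CURRENT_EVENTS Exploit Kit Landing Page [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.5:80 -> 192.168.0.10:49160
12/08-10:15:09.771002  [**] [1:2000003:2] ET CURRENT_EVENTS SWF Download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.5:80 -> 192.168.0.10:49161
12/08-10:16:40.004199  [**] [1:2000004:1] ET TROJAN Possible Payload Download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.5:80 -> 192.168.0.10:49162
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")  # eth0 network from the addressing table

def parse_alerts(text, year=2023):
    """Return one dict per alert line; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["time"] = datetime.strptime(f"{year}/{ev['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
            events.append(ev)
    return events

def summarise(events):
    """Answers for steps 4-8: count, start/end/duration, internal host(s), rule SIDs."""
    times = [e["time"] for e in events]
    internal = {ip for e in events for ip in (e["src"], e["dst"])
                if ipaddress.ip_address(ip) in INTERNAL_NET}
    sids = sorted({int(e["sid"]) for e in events})
    return {
        "count": len(events),
        "start": min(times), "end": max(times),
        "duration_s": (max(times) - min(times)).total_seconds(),
        "internal_hosts": sorted(internal),
        "sids": sids,
        # Assumption: Emerging Threats (ET) rules use SIDs in the 2000000-2999999 range.
        "all_emerging_threats": all(2000000 <= s < 3000000 for s in sids),
    }
```

Call `summarise(parse_alerts(SAMPLE_ALERTS))` to get the figures you would otherwise read off the SGUIL event list; on the real VM, paste the alert lines from the sensor's alert log in place of the constructed sample.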
Part 2 – The Exploit – 30 marks

11. According to Snort, what is the exploit kit (EK) in use?

Based on your findings, write a short summary (500 words min.) detailing the following:

• What is an exploit kit.
• What are the major stages in exploit kits.
• What are the fundamentals of the exploit kit found in step 11.
• Explain/Compare how this exploit fits the definition of an exploit kit.
• Give examples from the events you see in SGUIL.
• What methods can be used to prevent/remove this exploit.
Part 3 – Malware Source – 25 marks

12. In the context of the events displayed by SGUIL for this exploit, record below all the IP
addresses involved.

13. The first new event displayed by SGUIL contains the message “ET Policy Outdated Flash
Version M1”. The event refers to which host? What does that event imply?

14. Pivoting from SGUIL, open the transcript of the transaction. What is the domain name
associated with the IP address of the host that appears to have delivered the exploit?

15. This exploit kit typically targets vulnerabilities in which three software applications?

16. Based on the SGUIL events, what vulnerability seems to have been used by the exploit kit?

17. What is the most common file type that is related to that vulnerable software?

18. Use ELSA to gather more evidence to support the hypothesis that the host you identified
above delivered the malware. Launch ELSA and list all hosts that downloaded the type of file
listed above. Remember to adjust the time frame accordingly.

19. Were you able to find more evidence? If so, record your findings here.

20. At this point you should know, with a fair degree of certainty, whether the site
discovered in the earlier steps delivered the malware. Record your conclusions below.
Part 4 - Analyse Details of the Exploit – 20 marks

21. Exploit kits often rely on a landing page used first to scan the victim’s system for
vulnerabilities and then exfiltrate a list of them. Use ELSA to determine if the exploit kit in
question used a landing page. If so, what is the URL and IP address of it? What is the
evidence?

Hint: The first two SGUIL events contain many clues.

22. What is the domain name that delivered the exploit kit and malware payload?

23. What is the IP address that delivered the exploit kit and malware payload?

24. Pivoting from events in SGUIL, launch Wireshark and export the files from the captured
packets as was done in a previous lab. What files or programs are you able to successfully
export?

25. Document this exploit with respect to both the Cyber Kill Chain and the Diamond Model of
Intrusion Analysis. Include diagrams as required.

Part 5 – Screencast

Using, for example, Zoom meetings or Screencast-o-matic, record this part of the assignment.
https://screencast-o-matic.com/screen-recorder

This will be a short video confirming/demonstrating how each of the steps above were completed.

You can record your screencast as a single video or, to keep file sizes to a minimum, as separate
video recordings for parts 1, 2, 3 and 4. As far as possible, try to keep the total duration of all
videos to about 20 minutes.

Save the screencast making sure to include your student ID in the filename and upload to Moodle
along with your completed report.

Note that if you are having difficulty using Zoom or Screencast-o-matic a smartphone or tablet can
also be used to record this video demonstration. If doing so please make sure that the recording is
clear and that I can see/read all content. If I cannot see it, I cannot grade it!
