7808ICT Cyber Security Management Assignment 2 Specification
Due Date: 25th May 2020 Weighting: 30%
This assignment is worth 30% of the total assessment for 78081CT. It is individual work. While you can discuss the assignment with your peers, your submission should be your own work. You should provide evidence of your own work incorporated in your submission (e.g. screenshots with your login name showing).
The objective of this assignment is to gain knowledge and understanding of the security information and event management tool Splunk through research and practical experience. This understanding is to be demonstrated by submission of a formal technical report of a threat hunting exercise and the development of a Splunk dashboard.
All assignment related data can be found in the botsv2 index (you must include “index=botsv2” in all your searches) on the http://splunk.ict.griffith.edu.au:8000 Splunk Enterprise server. Login using the following credentials if you have not logged into this server before.
Username: sXXXXXXX Password: changeme
If you are trying to connect to the server from off campus, you must connect through a VPN first. Details of how to VPN into the Griffith Network can be found here: https://intranet.secure.griffith.edu.au/computing/remote-access/virtual-private-network
Please note that the assignment data is much bigger and more realistic than your tutorial data, so you must limit your searches, otherwise you will be waiting for a long time for a response as well as slowing down everyone else.
Background Frothly is a small premium beer brewing company with intensions of making it big. New homebrew kits with Frothly proprietary recipes are due to launch later in the year. The FBI has heard chatter from a nation state sponsored hacking group that claim to have successfully compromised the Frothly network and exfiltrated sensitive data. As luck would have it Frothly’s Head of IT, Kevin Lagerfield, has just left the company. Your job is to investigate the breach to determine what was stolen or if a breach actually occurred.
- Amber Turing was hoping for Frothly to be acquired by a potential competitor which fell through, but visited their website to find contact information for their executive team. What is the website domain that she visited? 2. Amber found the executive contact information and sent him an email. What is the CEO’s name? Provide the first and last name. 3. After the initial contact with the CEO, Amber contacted another employee at this competitor. What is that employee’s email address? 4. What is the name of the file attachment that Amber sent to a contact at the competitor? 5. What is Amber’s personal email address? 6. What version of TOR did Amber install to obfuscate her web browsing? Answer guidance: Numeric with one or more delimiter. 7. What is the public IPv4 address of the server running www.brewertalk.com? 8. Provide the IP address of the system used to run a web vulnerability scan against www.brewertalk.com. 9. The IP address from Question 8 is also being used by a likely different piece of software to attack a URI path. What is the URI path? 10. What SQL function is being abused on the URI path from Question 9? 11. What is Frank Ester’s password salt value on www.brewertalk.com? 12. What is user btun’s password on brewertalk.com? 13. What was the value of the cookie that Kevin Lagerfield’s browser transmitted to the malicious URL as part of a XSS attack? 14. The brewertalk.com web site employed Cross Site Request Forgery (CSRF) techniques. What was the value of the anti-CSRF token that was stolen from Kevin Lagerfield’s computer and used to help create an unauthorized admin user on brewertalk.com? 15. What brewertalk.com username was maliciously created by a spear phishing attack? 16. According to Frothly’s records, what is the likely MAC address of Mallory’s corporate MacBook? HINT: Her corporate MacBook has the hostname MACLORY-AIR13. 17. What episode of Game of Thrones is Mallory excited to watch? 18. What is Mallory Krauesen’s phone number? 19. Enterprise Security contains a threat list notable event for MACLORY-AIR13 and suspect IP address 220.127.116.11. What is the name of the threat list (i.e. Threat Group) that is triggering the notable event? 20. Considering the threat list you found in Question 19, and related data, what protocol often used for file transfer is actually responsible for the generated traffic?
As part of the answer for each of these questions, your report must include: • A clear description of the reasoning for your answer. • A detailed description of the process that you followed and the searches that you used to obtain the answer. It is expected that you will include screenshots in your description.