
COMP90073-Project 1 Detecting Cyberattacks in Network Traffic Data Solved

In this project, you are given network traffic data and should use Splunk to identify cyberattacks by leveraging the analytics capabilities of this software. The aim is to strengthen your skills in analyzing traffic patterns and identifying their changes over time, which might be signs of suspicious activity. By searching for the evidence of cyberattacks and hunting the attack sources and targets, you will develop the practical security incident investigation skills and mindset of a real-world Cyber Security Analyst. In addition, you will skill up in tracing attacks back in time to create an attack narrative[1]. Generating and extracting significant patterns/features of the detected attacks will then pave the way for the next project, which is heavily machine learning focused. Lastly, you will develop your skills as a Cyber Defender by proposing countermeasures to detect/mitigate similar attacks in the future.

You will write a technical report on your findings and on your proposal for how the identified attack patterns and evidence can be used to detect and mitigate similar cyberattacks in the future.

Deliverables
A technical report that describes your methodology for

1. Ingesting the given pcap file into Splunk

Note: If you fail to ingest the pcap file after multiple attempts, you can ask your tutor for a copy of the indexed file “<file_name.pcap.csv”. Then copy the file to this directory:

“$SPLUNK_HOME/etc/apps/SplunkForPCAP/PCAPcsv/”. Please use this as a last resort only. Before asking for the indexed file, be prepared to lose the mark for this deliverable, and you will have to explain what steps you have taken to troubleshoot the issue.

2. Analyzing the data using Splunk and validating the evidence of the following attack scenarios contained in the given pcap file. You can use either Splunk Search or the PCAP Analyzer Dashboard where applicable; new field extraction may be required if you are using Splunk Search.

2.1 Botnet Command & Control (C2)

a. Calculate the number of HTTP-based C2 requests to the C2 server “finalcortex.com” and list the URI strings that were used (Hint: you will need to get the IP address of the C2 server first)

b. List the start time and the end time

2.2 SPAM  

a. Calculate how many email addresses have been targeted by this spam (Hint: search by protocol and the keyword “RCPT”)

b. List the start time and the end time, and the first and last recipient (email address) of this email spam

2.3 ClickFraud  

a. Calculate the number of ClickFraud requests that have been made to the web site “www.generalamuse.com” and list the URI strings that were used (Hint: you will need to get the IP address of the web site first)

b. List the start time and the end time

2.4 IRC  

a. Identify all IRC servers (IP addresses) and the number of POST requests made by the infected machine (Hint: search by protocol or port number)

b. List the start and end time

3. Creating the attack narratives using the four scenarios above; please include the IP address of the infected system

4. Evaluating the consequences of the attacks on the targeted network (Hint: the targeted network is the one the infected system belongs to; evaluate the impact using the CIA triad)

5. Generating and extracting the significant patterns/features for the attack scenarios above, e.g., “src_IP+dst_IP+dst_Port” is a significant pattern for detecting a Port Scan

6. Assuming you are the Cybersecurity Analyst who is part of the Incident Response team, and you have been given the green light to put in any controls to mitigate this attack. You can safely ignore any business impact, as the priority is to contain the current attack. Please propose your countermeasures to detect/mitigate the above attack scenarios, using the evidence and patterns from deliverables #2 and #5.
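As an added illustration that is not part of the project materials or of the Splunk for PCAP app, the following Python reproduces the checks behind scenarios 2.1 to 2.4 and the “src_IP+dst_IP+dst_Port” pattern count of deliverable 5 over a handful of constructed packet summaries. Only the two hostnames come from the assignment; the field names (ts, src_ip, dst_ip, dst_port, proto, host, method, uri, smtp_cmd, smtp_arg, query, answer), the timestamps and the documentation-range IP addresses are assumptions of this example. The same steps map onto Splunk: resolve the hostname from the DNS answers, filter HTTP traffic by the resolved destination IP, then take the count, the distinct URIs and the earliest and latest timestamps.

```python
"""Scenario checks in plain Python over constructed packet summaries.
Field names and all IP addresses are assumptions of this example; the
hostnames finalcortex.com and www.generalamuse.com are from the assignment."""
from collections import Counter

INFECTED = "192.0.2.20"  # constructed address of the infected machine

# Constructed packet summaries (one dict per packet), documentation-range IPs.
PACKETS = [
    {"ts": "2024-01-01T10:00:00", "src_ip": INFECTED, "dst_ip": "192.0.2.1", "dst_port": 53,
     "proto": "dns", "query": "finalcortex.com", "answer": "203.0.113.10"},
    {"ts": "2024-01-01T10:00:01", "src_ip": INFECTED, "dst_ip": "203.0.113.10", "dst_port": 80,
     "proto": "http", "method": "POST", "uri": "/gate.php"},
    {"ts": "2024-01-01T10:05:00", "src_ip": INFECTED, "dst_ip": "203.0.113.10", "dst_port": 80,
     "proto": "http", "method": "POST", "uri": "/gate.php"},
    {"ts": "2024-01-01T10:10:00", "src_ip": INFECTED, "dst_ip": "203.0.113.10", "dst_port": 80,
     "proto": "http", "method": "GET", "uri": "/cfg.bin"},
    {"ts": "2024-01-01T10:11:00", "src_ip": INFECTED, "dst_ip": "198.51.100.25", "dst_port": 25,
     "proto": "smtp", "smtp_cmd": "RCPT", "smtp_arg": "TO:<alice@example.net>"},
    {"ts": "2024-01-01T10:11:02", "src_ip": INFECTED, "dst_ip": "198.51.100.25", "dst_port": 25,
     "proto": "smtp", "smtp_cmd": "RCPT", "smtp_arg": "TO:<bob@example.org>"},
    {"ts": "2024-01-01T10:11:05", "src_ip": INFECTED, "dst_ip": "198.51.100.26", "dst_port": 25,
     "proto": "smtp", "smtp_cmd": "RCPT", "smtp_arg": "TO:<alice@example.net>"},
    {"ts": "2024-01-01T10:12:00", "src_ip": INFECTED, "dst_ip": "192.0.2.1", "dst_port": 53,
     "proto": "dns", "query": "www.generalamuse.com", "answer": "203.0.113.40"},
    {"ts": "2024-01-01T10:12:01", "src_ip": INFECTED, "dst_ip": "203.0.113.40", "dst_port": 80,
     "proto": "http", "method": "GET", "uri": "/click?id=1"},
    {"ts": "2024-01-01T10:12:03", "src_ip": INFECTED, "dst_ip": "203.0.113.40", "dst_port": 80,
     "proto": "http", "method": "GET", "uri": "/click?id=2"},
    {"ts": "2024-01-01T10:20:00", "src_ip": INFECTED, "dst_ip": "203.0.113.50", "dst_port": 6667,
     "proto": "irc"},
    {"ts": "2024-01-01T10:21:00", "src_ip": INFECTED, "dst_ip": "203.0.113.51", "dst_port": 6667,
     "proto": "irc"},
]


def _span(pkts):
    """Earliest and latest timestamp of a packet list (None, None if empty)."""
    if not pkts:
        return None, None
    ordered = sorted(pkts, key=lambda p: p["ts"])  # ISO-8601 strings sort chronologically
    return ordered[0]["ts"], ordered[-1]["ts"]


def resolve(packets, hostname):
    """Step one of the hint: recover the server IP(s) from the DNS answers."""
    return {p["answer"] for p in packets if p["proto"] == "dns" and p["query"] == hostname}


def http_requests_to(packets, hostname):
    """Scenarios 2.1 and 2.3: count HTTP requests to the resolved host, list the
    distinct URIs used and report the first and last request time."""
    ips = resolve(packets, hostname)
    hits = [p for p in packets if p["proto"] == "http" and p["dst_ip"] in ips]
    start, end = _span(hits)
    return {"count": len(hits), "uris": sorted({p["uri"] for p in hits}),
            "start": start, "end": end}


def spam_recipients(packets):
    """Scenario 2.2: SMTP RCPT commands carry the targeted addresses."""
    rcpt = sorted((p for p in packets if p["proto"] == "smtp" and p.get("smtp_cmd") == "RCPT"),
                  key=lambda p: p["ts"])
    addrs = [p["smtp_arg"].split("<", 1)[1].rstrip(">") for p in rcpt]
    start, end = _span(rcpt)
    return {"distinct": len(set(addrs)), "first": addrs[0] if addrs else None,
            "last": addrs[-1] if addrs else None, "start": start, "end": end}


def irc_servers(packets, infected, irc_port=6667):
    """Scenario 2.4: servers the infected host contacts on the IRC port, plus
    the number of HTTP POST requests the infected host made."""
    irc = [p for p in packets if p["src_ip"] == infected and p["dst_port"] == irc_port]
    posts = sum(1 for p in packets if p["src_ip"] == infected
                and p["proto"] == "http" and p.get("method") == "POST")
    start, end = _span(irc)
    return {"servers": sorted({p["dst_ip"] for p in irc}), "posts": posts,
            "start": start, "end": end}


def pattern_counts(packets, fields=("src_ip", "dst_ip", "dst_port")):
    """Deliverable 5: count the src_IP+dst_IP+dst_Port tuple; tuples that
    repeat are the candidate detection features for the next project."""
    return Counter(tuple(p[f] for f in fields) for p in packets)


if __name__ == "__main__":
    print("C2        :", http_requests_to(PACKETS, "finalcortex.com"))
    print("Spam      :", spam_recipients(PACKETS))
    print("ClickFraud:", http_requests_to(PACKETS, "www.generalamuse.com"))
    print("IRC       :", irc_servers(PACKETS, INFECTED))
    print("Top tuple :", pattern_counts(PACKETS).most_common(1))
```

On the real capture the packet list would come from the pcap-to-CSV export rather than an inline list, and the hostname lookup should also cover a Host header or HTTPS SNI when the infected machine resolved the name before the capture started.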

Technical Report  
A technical report of 2000-2500 words in PDF format, comprising:

1. A data description and a summary of the detected attacks, including the IP addresses of attackers and victims, the attacked services, the timestamp, and the type of attack per attack scenario.

2. Methodology of analysis for finding evidence of cyberattacks in the network traffic data.

3. Description of each attack and the attack narrative.

4. Possible approaches for extracting features (fields) and a summary of your approach.


 
[1] When the attack was started, the attacker(s), the victim(s) and the type of attack.
