Institute of Coding Skills Workshop

Cyber Security - Week 3: Security Operations and Incident Response

The purpose of this task is to introduce you to the work of a Security Operations Centre (SOC) and the use of Security Information and Event Management (SIEM) systems. Often referred to as the "blue team", the SOC is responsible for defending our systems and networks: it proactively monitors activity, triages alerts against published threat reports, and provides incident response in the event of a breach. SOC analysts are in high demand because they must be able to examine and understand large volumes of activity data and contextualise it against the infrastructure they are protecting. We will work through a room on the TryHackMe platform based on Splunk, one of the most widely used SIEM tools in the industry. We will use Splunk to investigate a scenario built on the "Boss of the SOC" (BOTS) dataset and identify an Advanced Persistent Threat (APT) group operating against our network. They have defaced our external website, and we need to find out who is responsible.

You should by now be familiar with launching rooms in TryHackMe. You should also be able to connect to a room either from the built-in AttackBox or, if you have set up your own Kali Linux virtual machine locally, through the TryHackMe OpenVPN connection.


Splunk is a widely used SIEM platform. It essentially provides the mechanism to ingest, index and search data at scale, which makes it well suited to machine-generated data such as application, system and network logs. Splunk's use cases extend beyond cyber security into other big-data analysis domains. Users search the indexed data with the Splunk Search Processing Language (SPL), a pipeline of search and statistics commands that plays a similar role to Structured Query Language (SQL) for conventional databases.


What IP address is scanning our web server?

What web scanner scanned the server?

What is the IP address of our web server?

What content management system is the web server using?


What IP address is performing the brute-force attack against our website?

What was the first password attempted in the attack?

One of the passwords in the brute force attack is James Brodsky's favorite Coldplay song. Which six character song is it?

What was the correct password for admin access to the content management system running our website?

How many seconds elapsed between the time the brute-force password scan identified the correct password and the compromised login? Round your answer to 2 decimal places.

How many unique passwords were attempted in the brute force attempt?
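The reconnaissance and brute-force questions above are answered in Splunk with a handful of SPL patterns: `stats count by src_ip` to find the noisiest source, filtering on `http_method=POST` and the login URI to isolate password guesses, `dc()` to count distinct passwords, and a timestamp subtraction to measure the gap between the guess that worked and the later login. The following block is an added example, not part of the original worksheet or the BOTS dataset: it re-implements that workflow in plain Python over a small constructed log in a key=value layout similar to the fields Splunk extracts from HTTP stream data. All IP addresses are RFC 5737 documentation addresses, the login path `/admin/login`, the `passwd` form field, the user-agent strings and the assumption that a failed login returns 200 while a successful one returns a 303 redirect are all invented for the sample.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (not BOTS data). One HTTP transaction per line, as
# key=value pairs; quoted values may contain spaces and '=' characters.
SAMPLE_LOG = """\
t=2024-01-15T10:00:00Z src=203.0.113.5 dest=192.0.2.10 method=GET uri=/ ua="ExampleScanner/1.2" status=200
t=2024-01-15T10:00:01Z src=203.0.113.5 dest=192.0.2.10 method=GET uri=/robots.txt ua="ExampleScanner/1.2" status=404
t=2024-01-15T10:00:02Z src=203.0.113.5 dest=192.0.2.10 method=GET uri=/admin/ ua="ExampleScanner/1.2" status=200
t=2024-01-15T10:00:03Z src=203.0.113.5 dest=192.0.2.10 method=GET uri=/.git/config ua="ExampleScanner/1.2" status=404
t=2024-01-15T10:00:04Z src=203.0.113.5 dest=192.0.2.10 method=GET uri=/readme.txt ua="ExampleScanner/1.2" status=200
t=2024-01-15T10:00:05Z src=203.0.113.5 dest=192.0.2.10 method=GET uri=/backup.zip ua="ExampleScanner/1.2" status=404
t=2024-01-15T10:05:00Z src=198.51.100.9 dest=192.0.2.10 method=GET uri=/index.php ua="Mozilla/5.0" status=200
t=2024-01-15T11:00:00Z src=198.51.100.23 dest=192.0.2.10 method=POST uri=/admin/login ua="python-requests/2.31" status=200 form="username=admin&passwd=123456"
t=2024-01-15T11:00:01Z src=198.51.100.23 dest=192.0.2.10 method=POST uri=/admin/login ua="python-requests/2.31" status=200 form="username=admin&passwd=password"
t=2024-01-15T11:00:02Z src=198.51.100.23 dest=192.0.2.10 method=POST uri=/admin/login ua="python-requests/2.31" status=200 form="username=admin&passwd=123456"
t=2024-01-15T11:00:03Z src=198.51.100.23 dest=192.0.2.10 method=POST uri=/admin/login ua="python-requests/2.31" status=200 form="username=admin&passwd=m4nsion"
t=2024-01-15T11:00:04Z src=198.51.100.23 dest=192.0.2.10 method=POST uri=/admin/login ua="python-requests/2.31" status=200 form="username=admin&passwd=letmein"
t=2024-01-15T11:01:36.520Z src=198.51.100.77 dest=192.0.2.10 method=POST uri=/admin/login ua="Mozilla/5.0" status=303 form="username=admin&passwd=m4nsion"
"""

# key=value or key="quoted value"; the quoted alternative is tried first so that
# '=' and '&' inside a form body are not mistaken for new fields.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_log(text):
    """Turn the key=value lines into dicts, adding a parsed 'time' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
              for m in FIELD_RE.finditer(line)}
        ev["time"] = datetime.fromisoformat(ev["t"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def count_by(events, field):
    """Python equivalent of SPL `stats count by <field> | sort -count`."""
    return Counter(ev.get(field) for ev in events).most_common()


def find_scanner(events):
    """Reconnaissance: the noisiest source and the user-agent it announces."""
    src, _ = count_by(events, "src")[0]
    ua, _ = count_by([e for e in events if e["src"] == src], "ua")[0]
    return src, ua


def web_server_ip(events):
    """The destination that receives the bulk of the traffic."""
    return count_by(events, "dest")[0][0]


def password_of(ev):
    """Extract the passwd value from a posted form body, or None."""
    for pair in ev.get("form", "").split("&"):
        key, _, value = pair.partition("=")
        if key == "passwd":
            return value
    return None


def brute_force_report(events, login_uri="/admin/login"):
    """Exploitation: who guessed, what they tried, what worked and how fast."""
    attempts = sorted((e for e in events if e["method"] == "POST"
                       and e["uri"] == login_uri and password_of(e)),
                      key=lambda e: e["time"])
    attacker = count_by(attempts, "src")[0][0]          # most login POSTs
    from_attacker = [e for e in attempts if e["src"] == attacker]
    tried = [password_of(e) for e in from_attacker]
    first_try = {}                                       # password -> first guess time
    for e in from_attacker:
        first_try.setdefault(password_of(e), e["time"])
    # The guess that worked is the one later reused in a login from a different
    # source: the attacker found it, then returned from other infrastructure.
    login = next((e for e in attempts
                  if e["src"] != attacker and password_of(e) in first_try), None)
    if login is None:
        return {"attacker": attacker, "first_password": tried[0],
                "unique_passwords": len(set(tried)), "correct_password": None}
    correct = password_of(login)
    elapsed = (login["time"] - first_try[correct]).total_seconds()
    return {"attacker": attacker, "first_password": tried[0],
            "unique_passwords": len(set(tried)), "correct_password": correct,
            "compromised_login_src": login["src"],
            "seconds_to_login": round(elapsed, 2)}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("scanner:", find_scanner(evs), "web server:", web_server_ip(evs))
    print(brute_force_report(evs))
```

Two design points carry over to the real investigation. First, the brute-forcing address is identified by volume of POSTs to the login form, not by failed status codes, because many CMS login pages answer a failed login with 200 and a re-rendered form. Second, the successful login is found by looking for a guessed password reused from a different source address; in the BOTS scenario the attacker also returns from separate infrastructure, which is why the question asks about the gap between the scan and the compromised login rather than about a single session.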


What is the name of the executable uploaded by P01s0n1vy?

What is the MD5 hash of the executable uploaded?

Actions on Objectives

What is the name of the file that defaced the website?

Command and Control

This attack used dynamic DNS to resolve to the malicious IP. What fully qualified domain name (FQDN) is associated with this attack?


What IP address has P01s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?

Based on the data gathered from this attack and common open source intelligence sources for domain names, what is the email address most likely associated with the P01s0n1vy APT group?


GCPD reported that a common TTP (Tactics, Techniques and Procedures) for the P01s0n1vy APT group, if initial compromise fails, is to send a spear-phishing email with custom malware attached to the intended target. This malware is usually connected to P01s0n1vy's initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.


What special hex code is associated with the customized malware discussed in the previous question?

What does this hex code decode to?

Version: 1.0
Author: Phil Legg
