Beruflich Dokumente
Kultur Dokumente
0
Skills Assessment
Introduction
Working as the security analyst for ACME Inc., you notice a number of events on the SGUIL dashboard. Your
task is to analyze these events, learn more about them, and decide if they indicate malicious activity.
You will have access to Google to learn more about the events. Security Onion is the only VM with Internet
access in the Cybersecurity Operations virtual environment.
The tasks below are designed to provide some guidance through the analysis process.
You will practice and be assessed on the following skills:
o Evaluating Snort/SGUIL events.
events.
o Using SGUIL as a pivot to launch ELSA, Bro and Wireshark for further event inspection.
o Using Google search as a tool to obtain intelligence on a potential exploit.
exploit.
Content for this assessment was obtained from http://www.malware-traffic-analysis.net/ and is used with
permission. We are grateful for the use of this material.
Addressing Table
The following addresses are preconfigured on the network devices. Addresses are provided for reference
purposes.
© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 4
exploit begin dan end, jadi seharusnya 2019/08/01 10.10:12 - 2019/08/01 10.10:34 Selama waktu ini, hanya
berlangsung selama 22 detik
© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 2 of 4
Skills Assessment CCNA Cybersecurity Operations v1.0
Internal adalah jaringan tempat eth0 berada, segmen jaringan 192.168.0.0/24, IP yang muncul di dalamnya dan
milik Internal adalah 192.168.0.1, 192.168.0.11, 192.168.0.12. Jadi data dari bagian merah RT paling kiri, dan
192.168.0.12 dari bagian merah.
menekan dan menahan tombol mouse kanan pada bidang "Alert ID" pada layar SGUIL, pilih Wireshark dan
lepaskan, itu akan membuka Wireshark, Anda dapat melihat bahwa MAC 192.168.0.12 (sumber IP) adalah 00: 1b:
21 : ca: fe: d7 (sumber MAC)
j. What is the operating system r unning on the internal computer in question?
c. Do a quick Google search on ‘Angler EK’ to learn a little about the fundamentals the exploit kit.
Summarize your findings and record them here.
d. How does this exploit fit the definition on an exploit kit? Give examples from the events you
you see in SGUIL.
© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 3 of 4
Skills Assessment CCNA Cybersecurity Operations v1.0
e. What are
are the major stages in exploit kits?
© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 4 of 4
Skills Assessment CCNA Cybersecurity Operations v1.0
d. Pivoting from SGUIL, open the transcript of the transaction. What is the domain name associated with the
IP address of the host that appears to have delivered the exploit?
e. This exploit kit typically targets vulnerabilities in which three software applications?
g. What is the most common file type that is related to that vulnerable software?
h. Use ELSA to gather more evidence to support the hypothesis that the host
host you identified above delivered
the malware. Launch ELSA and list all hosts that downloaded the type of file listed above. Remember to
adjust the timeframe accordingly.
Were you able to find more evidence? If so, record your findings here.
© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 5 of 4
Skills Assessment CCNA Cybersecurity Operations v1.0
c. What is the IP address that delivered the exploit kit and malware payload?
_
© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 6 of 4