Background:
Frothly is a small premium beer brewing company with intentions of making it big. Competition in the brewing industry has become intense. Other companies are looking to get intellectual property from Frothly by whatever means possible. It looks like the previous web scan was only the beginning.
As luck would have it, Frothly’s Head of IT, Kevin Lagerfield, has just left the company. Your job now is to investigate the possible breach to determine what was stolen, or whether a breach actually occurred.
Splunk Access:
All assignment-related data can be found in the botsv2 index (you must include “index=botsv2” in all your searches) on the http://splunk.ict.griffith.edu.au:8000 Splunk Enterprise server. Login using the same credentials you have been using for the tutorials. If you have not logged in before, use the following credentials and change your password.
Username: sXXXXXXX
Password: changeme
sXXXXXXX is your Griffith username. When you log in for the first time you will be prompted to change your password (which you will need to remember). Once you have reset the password, use your new password for subsequent logins.
IMPORTANT: If you are trying to connect to the server from off campus, you must connect through a VPN first. Details of how to VPN into the Griffith Network can be found here: https://intranet.secure.griffith.edu.au/computing/remote-access/virtual-private-network
Please note that the assignment data is much bigger and more realistic than your tutorial data, so you must limit your searches (for example by index, sourcetype and time range); otherwise you will be waiting a long time for a response and slowing down everyone else.
Investigate Industrial Espionage:
Frothly competitors are looking to take intellectual property from them, even if it means head hunting key personnel. The following questions are related to possible industrial espionage. As part of the answer for each of these questions, your report must include:
- A clear description of the reasoning for your answer.
- A detailed description of the process that you followed and the searches that you used to obtain the answer. It is expected that you will include screenshots in your description.
- Amber Turing was hoping for Frothly to be acquired by a potential competitor. The acquisition fell through, but she visited the competitor’s website to find contact information for their executive team. What is the website domain that she visited?
- Amber found the executive contact information and sent him an email. What is the CEO’s name? Provide the first and last name.
- After the initial contact with the CEO, Amber contacted another employee at this competitor. What is that employee’s email address?
- What is the name of the file attachment that Amber sent to a contact at the competitor?
- What is Amber’s personal email address?
- What version of TOR did Amber install to obfuscate her web browsing?
Lessons Learned: Write a statement on the lessons learned for Frothly regarding the monitoring of corporate data in this situation and how it may be improved.
Threat Intelligence:
Frothly competitors may be attempting to gain access to Frothly through other means. The following questions are related to investigating possible cyber threats that these competitors may employ. As part of the answer for each of these questions, your report must include:
- A clear description of the reasoning for your answer.
- A detailed description of the process that you followed and the searches that you used to obtain the answer. It is expected that you will include screenshots in your description.
- According to Frothly’s records, what is the likely MAC address of Mallory’s corporate MacBook? HINT: Her corporate MacBook has the hostname MACLORY-AIR13.
- What episode of Game of Thrones is Mallory excited to watch?
- Activity from MACLORY-AIR13 is associated with suspect IP address 5.39.93.112. What is the name of the Threat Group associated with this activity?
- What protocol often used for file transfer is responsible for the generated traffic from this activity?
- Mallory’s critical PowerPoint presentation on her MacBook gets encrypted by ransomware on August 18. At what hour, minute, and second does this happen?
Lessons Learned: Write a statement on the lessons learned for Frothly regarding the use of cyber threat intelligence in this situation and how it may be improved.
Threat Hunting:
The FBI has heard chatter from a nation-state-sponsored hacking group that claims to have successfully compromised the Frothly network and exfiltrated sensitive data. The following questions are related to a possible breach that has already occurred. As part of the answer for each of these questions, your report must include:
- A clear description of the reasoning for your answer.
- A detailed description of the process that you followed and the searches that you used to obtain the answer. It is expected that you will include screenshots in your description.
- A Federal law enforcement agency reports that Taedonggang often spearphishes its victims with zip files that have to be opened with a password. What is the name of the attachment sent to Frothly by a malicious Taedonggang actor?
- The Taedonggang APT group encrypts most of their traffic with SSL. What is the “SSL Issuer” that they use for the majority of their traffic?
- What unusual file (for an American company) does winsys32.dll cause to be downloaded into the Frothly environment?
- What is the first and last name of the poor innocent sap who was implicated in the metadata of the file that executed PowerShell Empire on the first victim’s workstation?
Lessons Learned: Write a statement on the lessons learned for Frothly regarding the use of threat hunting concepts in this situation and how it may be improved.
Metrics and Visualisation:
Develop a Splunk dashboard for the Frothly data. The dashboard should include 5 panels with a variety of visualisations, including at least one single value display. The dashboard should use the following Splunk functions:
- Chart
- Timechart
- Macros
- Pivot
- Eval
- Search
- Where
- Stats
- Count
- Transaction
As well as showing the output of the dashboard, your report must include:
- A clear description of the design of your dashboard, explanations of the searches used, and the importance and purpose of each panel.
- A detailed description of how you incorporated command functionality into the dashboard and the reasoning for why the commands are required for the panel.
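The Simple XML skeleton below is an added example, not part of the assignment brief or a model answer. It shows the dashboard structure the brief asks for: one base search scoped to index=botsv2 and a fixed time window, with each panel post-processing it using stats, count, chart, timechart, eval, where and transaction. The sourcetype stream:http, its fields (src_ip, dest_ip, bytes_out) and the August 2017 window are assumptions; check them against the data before use.

```xml
<dashboard>
  <label>Frothly HTTP overview (added example)</label>
  <!-- One base search, limited to the index, an assumed sourcetype and an assumed
       Aug 2017 window; every panel post-processes it instead of re-searching the index -->
  <search id="base">
    <query>index=botsv2 sourcetype=stream:http | fields _time src_ip dest_ip bytes_out</query>
    <earliest>08/01/2017:00:00:00</earliest>
    <latest>09/01/2017:00:00:00</latest>
  </search>
  <row>
    <panel>
      <title>HTTP events in window (single value, stats count)</title>
      <single><search base="base"><query>stats count</query></search></single>
    </panel>
    <panel>
      <title>Top ten clients by request count (chart)</title>
      <chart>
        <search base="base"><query>stats count by src_ip | sort - count | head 10</query></search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Requests per day (timechart)</title>
      <chart>
        <search base="base"><query>timechart span=1d count</query></search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
    <panel>
      <title>Client/server pairs moving over 1 MB (eval, where)</title>
      <table>
        <!-- eval derives a per-event size in MB; where keeps only the large ones -->
        <search base="base"><query>eval mb_out=round(bytes_out/1048576,2) | where mb_out &gt; 1 | stats sum(mb_out) as total_mb by src_ip dest_ip | sort - total_mb</query></search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Browsing sessions per client (transaction)</title>
      <table>
        <!-- events from one client within 5 minutes of each other form one session -->
        <search base="base"><query>transaction src_ip maxspan=5m | stats count as sessions avg(duration) as avg_secs by src_ip</query></search>
      </table>
    </panel>
  </row>
</dashboard>
```

Macros and pivot are not shown here because they live outside the dashboard XML (a macro is defined in macros.conf and then called as `macro_name` inside a query; pivot needs a data model). Post-process searches operate on a capped number of base-search results, so if the assumed month-long window returns too many events, narrow the base search further rather than loosening the panels.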