CCNA Cybersecurity Operations v1.0 Skills Assessment Answer
Skills Assessment
Introduction
Working as the security analyst for ACME Inc., you notice a number of events on the SGUIL dashboard. Your
task is to analyze these events, learn more about them, and decide if they indicate malicious activity.
You will have access to Google to learn more about the events. Security Onion is the only VM with Internet
access in the Cybersecurity Operations virtual environment.
The tasks below are designed to provide some guidance through the analysis process.
You will practice and be assessed on the following skills:
o Evaluating Snort/SGUIL events.
o Using SGUIL as a pivot to launch ELSA, Bro and Wireshark for further event inspection.
o Using Google search as a tool to obtain intelligence on a potential exploit.
Content for this assessment was obtained from http://www.malware-traffic-analysis.net/ and is used with
permission. We are grateful for the use of this material.
Addressing Table
The following addresses are preconfigured on the network devices. Addresses are provided for reference
purposes.
© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 4
Skills Assessment CCNA Cybersecurity Operations v1.0
g. What is the MAC address of the internal computer involved in the events? How did you find it?
00:1b:21:ca:fe:d7
Using Wireshark.
h. What are some of the Source IDs of the rules that fire when the exploit occurs? Where are the Source IDs
from?
Multiple source IDs; they come from the Emerging Threats websites.
i. Do the events look suspicious to you? Does it seem like the internal computer was infected or
compromised? Explain.
Yes, the events look suspicious and it seems like the internal computer was infected or compromised.
The outdated Flash plugin alert paired with the Angler EK alerts is strong evidence of possible
compromise.
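As an added example (not part of the Cisco assessment or the student's answers), the Python below parses constructed Snort fast.log lines of the kind Sguil displays, pulls out the generator and signature IDs (the Source IDs asked about in question h), attributes each rule to its ruleset using the Emerging Threats naming convention and SID block, and then correlates an outdated-Flash policy alert with EK alerts per internal host, which is the reasoning behind the answer to question i. The log lines, rule messages and SIDs are constructed samples; only the two IP addresses 192.168.0.12 and 192.99.198.158 come from the lab.

```python
import re
from collections import defaultdict

# Constructed Snort fast.log lines (not from the lab capture). Messages and SIDs are
# placeholders in the ET style; the two hosts are the ones named in the assessment.
SAMPLE_FAST_LOG = """\
07/09-04:20:11.101010  [**] [1:2900001:3] ET POLICY Outdated Flash Version [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.12:49213 -> 192.99.198.158:80
07/09-04:20:12.202020  [**] [1:2900002:5] ET CURRENT_EVENTS Angler EK Landing Page [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.99.198.158:80 -> 192.168.0.12:49213
07/09-04:20:14.303030  [**] [1:2900003:2] ET CURRENT_EVENTS Angler EK Flash Exploit [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.99.198.158:80 -> 192.168.0.12:49214
07/09-04:21:00.404040  [**] [1:1000001:1] LOCAL Test rule [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.0.20:50000 -> 10.0.0.5:443
"""

# Snort "fast" alert format: timestamp [**] [gid:sid:rev] msg [**] [Classification] [Priority] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$'
)


def parse_fast_log(text):
    """Parse fast.log text into a list of alert dicts; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            for key in ("gid", "sid", "rev"):
                d[key] = int(d[key])
            alerts.append(d)
    return alerts


def rule_source(alert):
    """Attribute a rule to its ruleset: ET rules are named 'ET <category> ...' and use
    SIDs in the 2,000,000-2,999,999 block; SIDs >= 1,000,000 outside that block are
    conventionally local rules; lower SIDs belong to the Snort (Talos) ruleset."""
    if alert["msg"].startswith("ET ") or 2_000_000 <= alert["sid"] <= 2_999_999:
        return "Emerging Threats"
    if alert["sid"] >= 1_000_000:
        return "local"
    return "Snort/Talos"


def source_ids(alerts):
    """Unique (gid, sid, ruleset) triples that fired, i.e. the Source IDs Sguil shows."""
    return sorted({(a["gid"], a["sid"], rule_source(a)) for a in alerts})


def internal_host(alert, prefix="192.168."):
    """Return whichever endpoint of the alert is on the internal network (assumed 192.168.0.0/16)."""
    for ip in (alert["src"], alert["dst"]):
        if ip.startswith(prefix):
            return ip
    return None


def correlate_ek_hosts(alerts):
    """Internal hosts that have BOTH an outdated-Flash policy alert and an exploit-kit alert.
    Either alone is weak; together they match the 'likely compromised' reasoning of the lab."""
    by_host = defaultdict(set)
    for a in alerts:
        h = internal_host(a)
        if h:
            by_host[h].add(a["msg"])
    flagged = {}
    for h, msgs in by_host.items():
        flash = any("Outdated Flash" in m for m in msgs)
        ek = any(" EK " in m for m in msgs)
        if flash and ek:
            flagged[h] = sorted(msgs)
    return flagged


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    for gid, sid, src in source_ids(alerts):
        print(f"{gid}:{sid}  ruleset={src}")
    for host, msgs in correlate_ek_hosts(alerts).items():
        print(f"{host} flagged: {msgs}")
```

Running the script lists each rule ID with its ruleset and flags 192.168.0.12 as the only host with both signals; 192.168.0.20 only hit a local rule and is not flagged.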
j. What is the operating system running on the internal computer in question?
Windows
c. Do a quick Google search on ‘Angler EK’ to learn a little about the fundamentals of the exploit kit.
Summarize your findings and record them here.
- An exploit kit is a server-based framework that uses exploits to take advantage of vulnerabilities in
browser-related software applications to infect a client (a Windows desktop or laptop) without the user’s
knowledge.
- An EK will not deliver malware to a system on its own. Somehow, a user must be directed to an EK server
before it will deliver any malware. Actors use campaigns to guide victim traffic to an EK.
- Actors are most often identified from characteristics of the malware they distribute. Campaigns are
most often identified from characteristics of the network traffic before the victim reaches an
EK. Actors and campaigns are two different terms. An actor might use one or more campaigns to
distribute malware, and more than one actor might use the same campaign to deliver different types
of malware.
d. How does this exploit fit the definition of an exploit kit? Give examples from the events you see in SGUIL.
The exploit uses a compromised website to scan a host for vulnerabilities and then download malicious
software.
e. What are the major stages in exploit kits?
- Attackers compromise a number of high-traffic sites and inject malicious code.
- Users visit the compromised sites and their browsers run the malicious injected code.
- The malicious code scans the victim's system, searching for vulnerabilities, and exfiltrates the
result to another malicious server via POST.
- Based on the exfiltrated data, the malicious server prepares a customized exploit and sends it to the
victim's browser.
h. Use ELSA to gather more evidence to support the hypothesis that the host you identified above delivered
the malware. Launch ELSA and list all hosts that downloaded the type of file listed above. Remember to
adjust the timeframe accordingly.
Were you able to find more evidence? If so, record your findings here.
ELSA > HTTP SWFs > top > change date from 2019-07-09 04:20:11 to 2017-09 07
i. At this point you should know, with quite some level of certainty, whether the site listed in Part 3b and
Part 3c delivered the malware. Record your conclusions below.
192.168.0.12, the internal host, was infected.
It has an outdated version of the Flash plugin, which was noticed by the exploit kit. 192.168.0.12 was then
led to download a malicious SWF from qwe.mvdunalterableairreport.net.
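The ELSA pivot in question h (list every host that downloaded an SWF in a time window) and the exploit-kit stages listed in question e (compromised site, landing page, tailored exploit) can both be reproduced from HTTP logs. The Python below is an added example, not part of the assessment or of ELSA/Bro: it reads constructed Bro/Zeek http.log records in JSON form (field names follow Zeek's http.log; the records, the epoch window and the "compromised-site.example" referrer are made up, while the client, server and EK domain are the ones the lab names), selects Flash downloads in the window the way the "HTTP SWFs" query does, and walks the Referer headers backwards to reconstruct the redirect chain from the compromised site to the payload.

```python
import json

# Constructed Zeek http.log records (JSON output format, one record per line). Only the
# three hosts named in the lab are real; everything else is a made-up sample.
SAMPLE_HTTP_LOG = """\
{"ts": 1499574000.1, "id.orig_h": "192.168.0.12", "id.resp_h": "203.0.113.10", "method": "GET", "host": "compromised-site.example", "uri": "/index.html", "referrer": "-", "resp_mime_types": ["text/html"]}
{"ts": 1499574001.2, "id.orig_h": "192.168.0.12", "id.resp_h": "192.99.198.158", "method": "GET", "host": "qwe.mvdunalterableairreport.net", "uri": "/landing/aj4", "referrer": "http://compromised-site.example/index.html", "resp_mime_types": ["text/html"]}
{"ts": 1499574002.3, "id.orig_h": "192.168.0.12", "id.resp_h": "192.99.198.158", "method": "GET", "host": "qwe.mvdunalterableairreport.net", "uri": "/x/1.swf", "referrer": "http://qwe.mvdunalterableairreport.net/landing/aj4", "resp_mime_types": ["application/x-shockwave-flash"]}
{"ts": 1499574010.0, "id.orig_h": "192.168.0.20", "id.resp_h": "203.0.113.20", "method": "GET", "host": "news.example", "uri": "/", "referrer": "-", "resp_mime_types": ["text/html"]}
"""

SWF_MIME = "application/x-shockwave-flash"

# Constructed analysis window as epoch seconds (about 2017-07-09 04:19:50 to 04:30:00 UTC).
# In ELSA this is the "change date" step; pick it from the Sguil alert timestamps.
WINDOW = (1499573990.0, 1499574600.0)


def load_http_log(text):
    """Parse JSON-lines http.log text into a list of record dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def swf_downloads(records, start_ts, end_ts):
    """Equivalent of the ELSA 'HTTP SWFs' pivot: (client, server name, server IP, uri)
    for every Flash object served inside the window."""
    hits = []
    for r in records:
        if start_ts <= r["ts"] <= end_ts and SWF_MIME in r.get("resp_mime_types", []):
            hits.append((r["id.orig_h"], r["host"], r["id.resp_h"], r["uri"]))
    return hits


def referrer_chain(records, client, final_host, final_uri):
    """Walk Referer headers backwards from the payload request to the first page the
    client visited, giving the EK stages in order: compromised site -> landing -> payload.
    Assumes plain-HTTP URLs of the form http://<host><uri>, as in the constructed log."""
    by_url = {
        f"http://{r['host']}{r['uri']}": r
        for r in records
        if r["id.orig_h"] == client
    }
    chain = []
    url = f"http://{final_host}{final_uri}"
    seen = set()  # guard against referrer loops
    while url in by_url and url not in seen:
        seen.add(url)
        chain.append(url)
        url = by_url[url]["referrer"]
    chain.reverse()
    return chain


if __name__ == "__main__":
    records = load_http_log(SAMPLE_HTTP_LOG)
    for client, host, ip, uri in swf_downloads(records, *WINDOW):
        print(f"{client} downloaded {uri} from {host} ({ip})")
        for stage, url in enumerate(referrer_chain(records, client, host, uri), 1):
            print(f"  stage {stage}: {url}")
```

On the sample, the only SWF download in the window is 192.168.0.12 fetching /x/1.swf from qwe.mvdunalterableairreport.net at 192.99.198.158, and the chain shows the client arriving there from the compromised site via the landing page, which is the evidence pattern the conclusion in question i relies on.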
b. What is the domain name that delivered the exploit kit and malware payload?
qwe.mvdunalterableairreport.net
c. What is the IP address that delivered the exploit kit and malware payload?
192.99.198.158
d. Pivoting from events in SGUIL, launch Wireshark and export the files from the captured packets as was
done in a previous lab. What files or programs are you able to successfully export?
Binary file.
SGUIL > right-click CNT > View Correlated Events > Alert ID > Wireshark
Wireshark > File > Export Objects