A typical incident response task begins with a piece of obtained intelligence that the security analyst uses as a starting point in an investigation. This workshop session features several scenarios of this kind.
Please read the background story for the following exercises to familiarize yourself with the necessary context.
You discover that the users at HBDairy don’t have much sense when it comes to passwords. One employee uses a single password for many different web services, and it appears clear that one of those services uses a weak form of standardized web authentication, because Synonymous was able to publicly demonstrate that they possess the user’s password.
Exercise
Examine the web traffic in the illauth.pcap trace to discover which web server used the weak authentication scheme.
Exercise
What was the user’s password?
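As an added illustration for the two exercises above (not part of the workshop materials or the illauth.pcap trace): the weak scheme referred to is presumably HTTP Basic authentication, whose Authorization header carries the credentials merely base64-encoded, so anyone holding a capture can recover them. The Python below scans constructed HTTP request heads (hypothetical hosts and credentials) for Authorization headers, reports the server each one was sent to, decodes Basic tokens, and flags other schemes such as Digest without attempting to recover a password.

```python
import base64
import binascii
import re

# Constructed sample: three HTTP request heads of the kind a capture like
# illauth.pcap would contain. Hosts and credentials are hypothetical.
SAMPLE_REQUESTS = [
    "GET /intranet/ HTTP/1.1\r\nHost: portal.example.test\r\n"
    "Authorization: Basic YWxpY2U6Y29ycmVjdC1ob3JzZQ==\r\n\r\n",
    "GET /api/ HTTP/1.1\r\nHost: api.example.test\r\n"
    'Authorization: Digest username="alice", realm="api", nonce="abc"\r\n\r\n',
    "GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
]

# Scheme token, then the rest of the header line (stop at the line break).
AUTH_RE = re.compile(r"^Authorization:[ \t]*(\S+)[ \t]*([^\r\n]*)", re.I | re.M)
HOST_RE = re.compile(r"^Host:[ \t]*(\S+)", re.I | re.M)


def decode_basic(token):
    """Return (user, password) from a Basic token, or None if it is not a
    valid base64-encoded 'user:password' pair."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def find_cleartext_credentials(requests):
    """One finding per request that carried an Authorization header.
    Basic credentials are decoded; other schemes are only reported."""
    findings = []
    for head in requests:
        auth = AUTH_RE.search(head)
        if not auth:
            continue  # no credentials sent in this request
        host = HOST_RE.search(head)
        host = host.group(1) if host else "<no Host header>"
        scheme = auth.group(1).lower()
        creds = decode_basic(auth.group(2).strip()) if scheme == "basic" else None
        if scheme == "basic" and creds is None:
            continue  # malformed Basic token, nothing recoverable
        findings.append({"host": host, "scheme": scheme,
                         "user": creds[0] if creds else None,
                         "password": creds[1] if creds else None})
    return findings
```

In a real investigation the request heads would come from the reassembled HTTP streams of the trace rather than from an inline list.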
Mr. Cheeze informs you that some of the sensitive information that Synonymous leaked came from a file on the HBDairy web server, though the file was not part of the content to which the server was supposed to provide access. He is reluctant to tell you the specifics of the information, but wants you to determine how the theft occurred.
Exercise
Analyze the web accesses in the theft.pcap trace. Determine the type of attack used to access the file.
Exercise
How do you know it was successfully accessed? What was the filename?
Due to some other information leaked by Synonymous, HBDairy is certain that someone carelessly forwarded a sensitive document using unencrypted email.
Exercise
Analyze the SMTP traffic in the email.pcap trace to locate the document and determine who sent the email.
Exercise
Who appears to have authored the document? What are the two links contained in the document?
One of the competitive benefits that HBDairy provides to its employees is on-the-job access to YouTube. Lately, many disgruntled employees have complained that they have lost this benefit because their browsers report "page could not be loaded" when they try to access YouTube.
Exercise
Analyze the web traffic in the notube.pcap trace to find out how Synonymous disrupted the YouTube access.
Exercise
How much downtime did this result in?
Exercise
Who were the poor victims of the outage?
DairyStock is a stock management web application favored by HBDairy employees that allows registered users to buy and sell stocks and transfer them to each other. Synonymous denounces its use as an example of HBDairy’s ineptitude when dealing with Internet security issues, and states that as a demonstration they arranged to introduce a bogus transaction for a "modest" sum of money.
Exercise
Examine the traffic in the dairystock.pcap trace to find the unauthorized transfer Synonymous refers to. Sketch the attacker’s steps.
© 2014 The Bro Project.