In this Project, you are given a network traffic data and should use Splunk to identify cyberattacks by leveraging the analytics capabilities of this software. The aim is to strengthen your skills in analyzing traffic patterns and identifying their changes over time, which might be signs of suspicious activities. In searching the evidences of cyberattacks, and hunting the attack sources and targets, you will develop the practical security incident investigation skills and mindset of a real-world Cyber Security Analyst. In addition, you will skill-up yourself in tracing attacks back in time to create an attack narrative^[1]. Then generating and extracting significant patterns/features of detected attacks will pave the way for the next project that is heavily machine learning focused. Lastly, you will develop your skills as a Cyber Defender by proposing the countermeasures to detect/mitigate similar attacks in the future.

You will write a technical report on your findings, and your proposal on how the identified attack patterns and evidence can be used to detect and mitigate similar cyberattacks in future.

Deliverables

A technical report that describes your methodology for

1. Ingesting the given pcap file into Splunk

Note: If you fail to ingest pcap file after multiple attempts, you can ask your Tutor for a copy of the indexed file <file_name>.pcap.csv. Then copy the file to this directory:

$SPLUNK_HOME/etc/apps/SplunkForPCAP/PCAPcsv/. Please use this as last resort only. Before asking for the indexed file, please be prepared to lose the mark for this deliverable, and you will have to explain what steps youve taken to troubleshoot the issue.

2. Analyzing the data using Splunk, validating the evidences of the following attack scenarios contained in the given pcap file. You can use either Splunk Search or PCAP Analyzer Dashboard where applicable, new field extraction may be required if you are using Splunk Search.

2.1 Botnet Command & Control (C2)

1. Calculate the number of HTTP based C2 requests to C2 server com, and the URI strings were used (Hint: you will need to get the IP address of the C2 server first)
2. List the start time and the end time

2.2 SPAM

1. Calculate how many email addresses have been targeted by this spam (Hint: search by protocol and key word RCPT)
2. List the start time and the end time, the first and last recipient (email address) of this email spam

2.3 ClickFraud

1. Calculate the number of ClickFraud requests have been made to web site generalamuse.com, and the URI strings were used (Hint: you will need to get the IP address of the web site first)
2. List the start time and the end time

2.4 IRC

1. Identify all IRC servers (IP addresses) and the number of POST requests made by the infected machine. (Hint: search by protocol or port number)
2. List the start and end time

3. Creating the attack narratives using the four scenarios above, please include the IP address of the infected system
4. Evaluating the consequences of the attacks on the targeted network (Hint: targeted network is where the infected system belongs to, evaluate the impact using CIA triad)
5. Generating and extracting the significant patterns/features for attack scenarios above, g., src_IP+dst_IP+dst_Port is a significant pattern to detect Port Scan
6. Assuming you are the Cybersecurity Analyst who is part of the Incident Response team, and youve been given the greenlight to put in any controls to mitigate this attack. You can safely ignore any business impact as the priority is to the contain the current attack. Please propose your countermeasures to detect/mitigate the above attacks scenarios, using evidence and patterns in deliverable #2 and #5

Technical Report

A technical report, of 2000-2500 words in PDF format, comprising:

1. A data description and a summary of detected attacks, including the IP addresses of attackers and victims, the attacked services, the timestamp, and the type of the attack per attack scenario.
2. Methodology of analysis to find evidence of cyberattacks in the network traffic data.
3. Description of each attack and the attack narrative.
4. Possible approaches for extracting features (fields) and summary of your approach.
5. Proposed countermeasures per attack scenarios.
6. Conclusions

You should include a bibliography and citations to relevant research papers and external resources and codes you have used.

Assessment Criteria

Report (20 marks out of 20)

1. Methodology: (8 marks)

You will describe your methodology in a manner that would make your work reproducible. You should describe in detail how you have detected the cyberattacks using Splunk search capabilities: the exact SPL commands you ran and the corresponding generated results, or the dashboards you used in pcap app (PCAP Analyzer) and the corresponding data and generated results. Your approach to model patterns in data and detect changes in them for identifying cyberattacks should be clearly explained. The description of your proposed countermeasures should include reasons for choosing it based on the types of attacks you have detected. You should not use a network traffic feature generator as a black box without explaining the reasons for extracting the reported features.

2. Critical Analysis: (6 marks)

You should validate the evidence you have found in the data for proving that a certain type of attack has happened. The attack narrative should specify the time of start and end of the attack and the consequences of the attack on the victim network.^[2] You should identify other types of data that could be collected to more accurately and effectively detect/mitigate the identified cyberattacks.

3. Report Quality: (6 marks)

You will produce a formal report and express your methodology and findings concisely and clearly. The quality and description of figures and tables should be acceptable. In real-world scenarios, this report will have a range of audience in a company. Thus, it should be structured such that summary of the findings is available for the managers and non-technical audience and on the other hand, the attack narratives should include technical details for other analyzers that may read your report.

Description of the Data

The dataset for Project 1 (download link) includes packet capture (pcap) file of network traffic for a network that was victim of cyberattacks. This file was captured on the interfaces of virtual machines being infected by malware, which contains attacks including but not limited to four scenarios listed in the Deliverable section. It also contains normal traffic prior to malware infection. This enables you to compare the patterns in data from normal operation (before infection) and post infection to identify attacks that occurred.

Changes/Updates to the Project Specifications

If we require any changes or clarifications to the project specifications, they will be posted on the LMS. Any addendums will supersede information included in this document.

[1] When the attack was started, the attacker(s), the victim(s) and the type of attack.

[2] We validate your findings with our ground truth, and you lose marks for identifying non-anomalous traffic as anomaly and vice-versa.