- September 5, 2020
COMP90073 Security Analytics © University of Melbourne 2020 School of Computing and Information Systems The University of Melbourne COMP90073 Security Analytics, Semester 2 2020 Project 1: Detecting cyberattacks in network traffic data Release: Tue 11 Aug 2020 Due: 1pm, Tue 8 Sep 2020 Marks: The Project will contribute 20% of your overall mark for the subject; you will be assigned a mark out of 20, according to the criteria below. Overview In this Project, you are given a network traffic data and should use Splunk to identify cyberattacks by leveraging the analytics capabilities of this software. The aim is to strengthen your skills in analyzing traffic patterns and identifying their changes over time, which might be signs of suspicious activities. In searching the evidences of cyberattacks, and hunting the attack sources and targets, you will develop the practical security incident investigation skills and mindset of a real-world Cyber Security Analyst. In addition, you will skill-up yourself in tracing attacks back in time to create an attack narrative1. Then generating and extracting significant patterns/features of detected attacks will pave the way for the next project that is heavily machine learning focused. Lastly, you will develop your skills as a Cyber Defender by proposing the countermeasures to detect/mitigate similar attacks in the future. You will write a technical report on your findings, and your proposal on how the identified attack patterns and evidence can be used to detect and mitigate similar cyberattacks in future. Deliverables A technical report that describes your methodology for 1. Ingesting the given pcap file into Splunk Note: If you fail to ingest pcap file after multiple attempts, you can ask your Tutor for a copy of the indexed file “.pcap.csv”. Then copy the file to this directory: “$SPLUNK_HOME/etc/apps/SplunkForPCAP/PCAPcsv/”. Please use this as last resort only. Before asking for the indexed file, please be prepared to lose the mark for this deliverable, and you will have to explain what steps you’ve taken to troubleshoot the issue. 2. Analyzing the data using Splunk, validating the evidences of the following attack scenarios contained in the given pcap file. You can use either Splunk Search or PCAP Analyzer Dashboard where applicable, new field extraction may be required if you are using Splunk Search. 2.1 Botnet Command & Control (C2) 1 When the attack was started, the attacker(s), the victim(s) and the type of attack. COMP90073 Security Analytics © University of Melbourne 2020 a. Calculate the number of HTTP based C2 requests to C2 server “finalcortex.com”, and the URI strings were used (Hint: you will need to get the IP address of the C2 server first) b. List the start time and the end time 2.2 SPAM a. Calculate how many email addresses have been targeted by this spam (Hint: search by protocol and key word “RCPT”) b. List the start time and the end time, the first and last recipient (email address) of this email spam 2.3 ClickFraud a. Calculate the number of ClickFraud requests have been made to web site “www.generalamuse.com”, and the URI strings were used (Hint: you will need to get the IP address of the web site first) b. List the start time and the end time 2.4 IRC a. Identify all IRC servers (IP addresses) and the number of POST requests made by the infected machine. (Hint: search by protocol or port number) b. List the start and end time 3. Creating the attack narratives using the four scenarios above, please include the IP address of the infected system 4. Evaluating the consequences of the attacks on the targeted network (Hint: targeted network is where the infected system belongs to, evaluate the impact using CIA triad) 5. Generating and extracting the significant patterns/features for attack scenarios above, e.g., “src_IP+dst_IP+dst_Port” is a significant pattern to detect Port Scan 6. Assuming you are the Cybersecurity Analyst who is part of the Incident Response team, and you’ve been given the greenlight to put in any controls to mitigate this attack. You can safely ignore any business impact as the priority is to the contain the current attack. Please propose your countermeasures to detect/mitigate the above attacks scenarios, using evidence and patterns in deliverable #2 and #5 Technical Report A technical report, of 2000-2500 words in PDF format, comprising: 1. A data description and a summary of detected attacks, including the IP addresses of attackers and victims, the attacked services, the timestamp, and the type of the attack per attack scenario. 2. Methodology of analysis to find evidence of cyberattacks in the network traffic data. 3. Description of each attack and the attack narrative. 4. Possible approaches for extracting features (fields) and summary of your approach. 5. Proposed countermeasures per attack scenarios. COMP90073 Security Analytics © University of Melbourne 2020 6. Conclusions You should include a bibliography and citations to relevant research papers and external resources and codes you have used. Assessment Criteria Report (20 marks out of 20) 1. Methodology: (8 marks) You will describe your methodology in a manner that would make your work reproducible. You should describe in detail how you have detected the cyberattacks using Splunk search capabilities: the exact SPL commands you ran and the corresponding generated results, or the dashboards you used in pcap app (PCAP Analyzer) and the corresponding data and generated results. Your approach to model patterns in data and detect changes in them for identifying cyberattacks should be clearly explained. The description of your proposed countermeasures should include reasons for choosing it based on the types of attacks you have detected. You should not use a network traffic feature generator as a black box without explaining the reasons for extracting the reported features. 2. Critical Analysis: (6 marks) You should validate the evidence you have found in the data for proving that a certain type of attack has happened. The attack narrative should specify the time of start and end of the attack and the consequences of the attack on the victim network.1 You should identify other types of data that could be collected to more accurately and effectively detect/mitigate the identified cyberattacks. 3. Report Quality: (6 marks) You will produce a formal report and express your methodology and findings concisely and clearly. The quality and description of figures and tables should be acceptable. In real-world scenarios, this report will have a range of audience in a company. Thus, it should be structured such that summary of the findings is available for the managers and non-technical audience and on the other hand, the attack narratives should include technical details for other analyzers that may read your report. Description of the Data The dataset for Project 1 (download link) includes packet capture (pcap) file of network traffic for a network that was victim of cyberattacks. This file was captured on the interfaces of virtual machines being infected by malware, which contains attacks including but not limited to four scenarios listed in the Deliverable section. It also contains normal traffic prior to malware infection. This enables you to compare the patterns in data from normal operation (before infection) and post infection to identify attacks that occurred. 1 We validate your findings with our ground truth, and you lose marks for identifying non-anomalous traffic as anomaly and vice-versa. COMP90073 Security Analytics © University of Melbourne 2020 Changes/Updates to the Project Specifications If we require any changes or clarifications to the project specifications, they will be posted on the LMS. Any addendums will supersede information included in this document. Academic Misconduct For most people, collaboration will form a natural part of the undertaking of this project. However, it is still an individual task, and so reuse of ideas or excessive influence in algorithm choice and development will be considered cheating. We will be checking submissions for originality and will invoke the University’s Academic Misconduct policy (http://academichonesty.unimelb.edu.au/policy.html) where inappropriate levels of collusion or plagiarism are deemed to have taken place. Late Submission Policy You are strongly encouraged to submit by the time and date specified above, however, if circumstances do not permit this, then the marks will be adjusted as follows. Each day (or part thereof) that this project is submitted after the due date (and time) specified above, 10% will be deducted from the marks available, up until 5 days has passed, after which regular submissions will no longer be accepted. Extensions If you require an extension, please email Yujing ([email protected]) using the subject ‘COMP90073 Extension Request’ at the earliest possible opportunity. We will then assess whether an extension is appropriate. If you have a medical reason for your request, you will be asked to provide a medical certificate. Requests for extensions on medical grounds received after the deadline may be declined. Note that computer systems are often heavily loaded near project deadlines, and unexpected network or system downtime can occur. Generally, system downtime or failure will not be considered as grounds for an extension. You should plan ahead to avoid leaving things to the last minute, when unexpected problems may occur.