CSC3064 Practical Assessment
Objective
You have just started a new job as a network security analyst at a security consultancy company.
Your manager has asked you to investigate a network packet capture containing network activity related to a version of the malware family called Mirai, which was taken from a customer’s network a few years ago.
You must analyse the packet capture and provide a concise presentation of your findings and recommendations according to the requirements on page 2.
The packet capture, Assessment-1.pcap, is available to download from Canvas.
You are required to submit a single mp4 video file via the Canvas Assignments page.
This assessment is worth 40% of the available module marks.
The submission deadline is 16:00 on 1st March 2024.
Requirements
You must produce a video report, no longer than 6 minutes, to address the following three parts:
1. Basic Analysis
You are required to concisely present the following information at the start of your video. No other introduction or summary is necessary.
You may wish to summarise information answering parts 1.a, 1.b, and 1.c in a single
PowerPoint slide. This part of the video should take you less than 1 minute to present.
a. For all protocols encapsulated by the transport layer, identify the percentage of bytes belonging to each protocol relative to the entire capture.
b. Identify all IP addresses involved in the capture.
c. State the IP address of the host where the capture was taken, as well as any other IP addresses that you think belong to the same network. Briefly, state any insights that might be inferred about other host IP addresses that you think is useful in understanding the behaviour of the malware.
2. Advanced Analysis
Identify a diverse range of features from the capture that provide clear evidence of network activity and network Indicators of Compromise (IOC) associated with Mirai network activity. This part of the video should take you 2-3 minutes to present.
• Use Wireshark to present your analysis. You are required to demonstrate that you can effectively use the Wireshark tool for packet analysis.
• Provide a verbal and visual explanation of what you think happened in the network. You may want to consider a timeline of the communications that took place and walk through the evidence using Wireshark.
• Be sure to clearly show onscreen the observable features or network Indicators of Compromise that you think are key pieces of evidence.
• Discuss and display specific individual packets, protocol information, headers, IP addresses, payloads, etc. (anything you think is relevant), with commentary about how the information supports your discussion.
3. Demonstrate Network Security Measures
For Part 3 you are required to use the two VMs that were used for Labs 2 and 3. This part of the video should take you 2-3 minutes to present.
• Using the network activity and Indicators of Compromise identified in your answer for Part 2, use hping3 to create test packets that replicate those key features. hping3 will allow you to send created packets from one VM to the other.
• Using whatever network security tools that you think are appropriate within the existing VM environment, propose and demonstrate network security measures that you would implement in a real network to provide protection and detection against the version of Mirai that you observed in the packet capture.
• Briefly explain any pros or cons of your proposed network security measures,i.e. how effective you think each of your proposed measures would be against Mirai.
• For guidance, the test packets you create with hping3 do not have to perfectly
replicate the packets seen in the original packet capture. The expectation is that you create packets with features that are sufficiently similar to allow for meaningful testing of your security measures.
• You should present a diverse set of security measures against various network
indicators that you believe would be effective, i.e. several different measures and IOCs should be covered by your answer.
• Provide a verbal and visual explanation to demonstrate and prove that your test packets and security measures work as expected.
Note that for Part 3 you must create test packets that replicate features of interest that you found in the pcap. You do not need to use the Assessment-1.pcap file within the VM environment. You should not create your own alternative VM environment. You do not need to modify the VMs, apart from using the tools as covered in Labs 2 and 3.
Guidance About the Capture File and Analysis
Some packets have been removed from the original capture to ensure minimal cyber security risks associated with the content of the capture. This will not affect or hinder your ability to analyse the capture.
Don’t visit any hosts or domains you find in the capture – this is not required for your investigation:
• The hosts recorded in the file are not believed to pose a current security risk, however it is recommended that you do not visit any hosts, IP addresses, domains, or URLs that you discover.
Don’t attempt to extract code from this capture or anywhere else on the Internet. This is not required for your investigation.
Guidance About the Video
Aim for around 5-6 minutes. Videos longer than 6 minutes will not be marked beyond 6 minutes.
Target Audience
In terms of the format and the audience, keep in mind the audience for your presentation is your manager at a security consultancy company.
• Present your video as if your manager is sitting with you at your desk for 5 minutes and would like aquick but technically detailed update on your work.
• The presentation should appear professional and convey depth of detail but be concise.
References
References are not required, unless for example you apply a particular detection approach for a specific IOC that you found somewhere online. In this case you should make the source clear.
Video Capture
You may use whichever video and audio capture tools you feel work best for you. However, you must ensure the audio is clear, and any text in Wireshark or the VMs must be clearly visible.
One option is to use PowerPoint, which can capture very good quality screen capture videos with audio. For example, the links below discuss how to use PowerPoint to capture a video, and use of tools in Windows 10 for video editing, merging, etc.
• https://support.microsoft.com/en-us/office/record-your-screen-in-powerpoint-0b4c3f65-534c-4cf1-9c59-402b6e9d79d0
• https://www.howtogeek.com/355524/how-to-use-windows-10s-hidden-video-editor/
Save your video as an mp4 file and upload it via the Canvas ‘Assignments’ submission page.
Plagiarism and Collusion
This is an independent piece of work and must be completed solely by you. You must not discuss or share your analysis with anyone else. The analysis that you present must be your work, and your work alone. This is an open-ended investigation. You are encouraged to find information and present solutions that you believe others may have missed.
By submitting the work, you declare that:
• I have read and understood the University regulations relating to academic offences, including collusion and plagiarism:
http://www.qub.ac.uk/directorates/AcademicStudentAffairs/AcademicAffairs/GeneralRegul ations/Procedures/ProceduresforDealingwithAcademicOffences/
• The submission is my own original work and no part of it has been submitted for any other assignments, except as otherwise permitted.
• I certify that that the submission is my own work, all sources are correctly attributed, and the contribution of any AI technologies is fully acknowledged.