1 of 27

CAPSTONE

2 of 27

Marvin The Martian SOC Team

Henry Lor - Analyst�Thomas Neufeld - Analyst

Vin Lisi - Engineer

Carlos Enamorado - Engineer

3 of 27

DAY 1 - Agenda

Onboarding Documentation
Internal Ticketing System
Current Network Diagram
Recommendations

4 of 27

Internal Ticketing System

Spiceworks management tool installed

Track all user requests and perform key support tasks
View related devices, tickets, purchases, contact info, and photos
Manages tickets raised by clients and users

5 of 27

Network Diagram

6 of 27

Asset Discovery

Network Diagram

A visual representation of all assets in a network
Used as a reference by Incident Response teams
Tracks components and devices through the network layout

7 of 27

Proposed Asset �Discovery

8 of 27

Recommendations

Password Management Policies Update

Password Manager
No password reuse

Must not be similar to last password

12-15 Characters minimum including special character, lowercase, and uppercase
Password changes every month if not every 6 months

Systems Updates

All system should be updated weekly for small patches

Big updates should be monthly for security changes to reduced risks

9 of 27

DAY 2 - Agenda

Risk Assessment
Vulnerability Scan
OSINT
Log Analysis:

Brocade
IDS
Firewall

10 of 27

Risk Assessment

CARVER Matrix

Identifies high risk assets
Categorizes and prioritizes assets
Assesses vulnerabilities and consequences

11 of 27

Vulnerability Scan

Nessus Scan

Scans network for vulnerabilities
Provides additional clues for threat intelligence and hunting
Gives detailed list of Common Vulnerabilities and Exposures (CVE) reference for threat mitigation

12 of 27

Open Source Intelligence (OSINT)

What We Recommend:

Draft an employee Non-Disclosure Agreement outlining the limits of what business information can/can not be shared via social media and its repercussions.

NDA

Remove Damn Vulnerable Linux from the network. This machine holds no value in a retail business setting and could allow threat actors to laterally gain access to the rest of the network.

Creating a subnetted network, like previously stated, would allow for network hardening and protection against OSINT tools

13 of 27

Log Analysis

There is a gap in many of the different categories from 1500-1844 where it is blank and then picks right back up While that gap is there priority is 0 but for every other log it is 2 Zone(Origin/Impacted) both have internal for every value besides that gap. During the gap they say unknown This gap either indicates an attacker trying to cover their tracks or a simple misconfiguration. Last column “Log Message” is encrypted Evidence of employee time theft, personal web browsing: Recommend blocking any sites the company views as unnecessary and whitelist only trusted sites.

Brocade Log File Findings

The log files were captured over a three day span December 17,18,19 There are three user logins from the “DefaultWebVPNGroup” that do not match our credentials list. We are guessing these users don’t work for the company anymore IDS detected spyware attacks on DNS. Recommend DNSSEC extensions to attach cryptographic digital signatures Suggest DNSSEC software Logs indicate events related to unnecessary open ports

IDS Log File Findings

14 of 27

Log Analysis Continued

Indicators of Compromise (IOC) -- GoogleUpdateSetup.exe has been associated with Trojan Malware The firewall needs to be reconfigured to ensure port security by whitelisting Black list external IP’s that have logged too many security events Suspicious activity logged in by unknown user accounts

Firewall Log File Findings

15 of 27

DAY 3 - Agenda

External Threat Feed (ETF)
Security Plan with Timelines
Incident Response Plan

16 of 27

External Threat Feed

What we recommend:

Alienvault OTX or Emerging Threats to monitor external threat feeds

Both industry are recognized and extremely helpful in monitoring threats across industries and cyberspace as a whole

17 of 27

Security Plan With Timelines

Year one

Network segmentation
Firewalls
New password policies

Year two

Intrusion Prevention System
ETF programs

Year three

SIEM

18 of 27

Incident Response Plan

5 Steps:

Preparation

Prep a team for communication and threats

Detection & Analysis

Develop detection strategy

Response, Containment, Eradication
Recovery and Follow-up
Post Incident

Report and adapt

19 of 27

DAY 4 - Agenda

Discuss Internal Honeypot
Review Security Events
Web Bugs with Deployment Plan

20 of 27

Internal Honeypot

A cyber security defense tactic used to lure bad actors away from sensitive data and systems
Typically isolated from the rest of the network
Logs activity of any traffic or connection attempts to its environment
A Honey Pot is typically deployed in networks of organizations meeting higher maturity standards with greater traffic, risk and resources.

21 of 27

22 of 27

23 of 27

Major Security Events

What we found:

Malware downloaded on multiple devices on the network
jSpy Trojan in Windows Machines 2 & 4 in Acme-Admin Accounts
Wannacry Worm in Ubuntu 16.04 Machine 2 in Admin account
FU-Rootkit on Ubuntu 16.04 Machine 2
Evidence of user activity from non registered accounts
SMB backdoor on the Ubuntu 16.04 Machine
Auto Login file (light.dm) allowed us to login as admin without a password

Carlos

Malware downloaded on multiple devices on the network
jSpy Trojan in Windows Machines 2 & 4 associated with Acme-Admin Accounts
Wannacry Worm in Ubuntu 16.04 Machine 2 in Admin account
FU-Rootkit access in user account of Susan Blackburn and admin account of Tom Riddle Ubuntu 16.04 Machine 2
Rootkits resemble device drivers or loadable modules, giving them unrestricted access to the target computer. These rootkits avoid detection by operating at the same security level as the OS
Evidence of user activity from non-registered accounts - Suspect admin level creation to cover tracks or orphan accounts (old user accounts that haven’t been deleted) being used to sustain system access
SMB backdoor on the Ubuntu 16.04 Machine -

Server Message Block is a network file sharing protocol that allows users or applications to request files and services over the network. In this case, no ssl encryption keys were configured to ensure authenticated connections. This could allow privileged access if exploited.

Lightdm.conf (auto login) file allowed us to login as admin without a password

24 of 27

Web Bugs With Deployment

Lacking Visibility Solution

Perform a technical audit
Perform technical improvements such as page loading speed, website usability, navigation and coding
Use keyword research to help users find the website
Register Acme’s website with Google Search Console. The tool allows you to submit your website and its sitemap for indexing

Monitoring Website Access Solution

We can use SimilarWeb.com. SimilarWeb.com is online marketing tool that is used to ascertain the total traffic that is received for a particular website
Google Analytics offers: demographics, geographical location, device, entry and exit path, source, dwell time, pageviews, bounce rate, and popularity
IP tracking software

25 of 27

Monitoring Internal Server Access

Monitoring Internal Server Access

Intrusion Detection System (IDS) can be used to see someone accessing an internal server
Check event logs
Firewalls monitor incoming and outgoing network traffic and either permits or blocks data packets based on set security rules