CST 610 Project 2

Cyberspace and Cybersecurity Foundations

Security Detective Monitoring Data Analysis


Prepared By: Mary Joy Williams

Version 1.0
Table of Contents
Introduction.................................................................................................................................... 3
Objectives .....................................................................................................................................3
Definitions.....................................................................................................................................3
Predictions....................................................................................................................................3
Methodology .................................................................................................................................4
Reflections .................................................................................................................................. 13
Introduction
In response to the pressing need for enhanced security measures following the revelation of exposed
services and vulnerabilities within FICBANK's infrastructure, the owner has embarked on a proactive
quest to fortify the credit union's defenses against potential cyber threats. Recognizing the inherent
challenges faced by small credit unions in navigating the intricacies of Security Operations and
Monitoring, the decision to enlist the expertise of a cybersecurity professional marks a pivotal step
towards bolstering FICBANK's IT infrastructure and technical risk management capabilities. With a
mandate to identify gaps in security monitoring data collection, conduct a preliminary analysis thereof,
and document findings using the Security Detective Controls Gap Analysis, this initiative aims to
provide critical insights into FICBANK's security posture, enabling the formulation of targeted
strategies to mitigate risks and enhance overall resilience.

Objectives
1. Prepare to assess FICBANK’s security monitoring infrastructure.
2. Conduct a preliminary security monitoring data analysis.

Definitions

cat – prints the contents of a file to standard output.
grep – searches for lines matching a pattern in a file.
sort – orders its input, alphabetically by default.
uniq – deduplicates: detects repeated lines only when they are adjacent (so the input is normally sorted first) and removes the duplicates.
wc – word count.
-l (wc) – displays the line count only.
-d (cut) – specifies a delimiter other than the default tab; it can only be one character.
-f (cut) – denotes which field(s) to display, indicated by their numerical order of appearance.
-n (sort) – sorts input numerically instead of alphabetically.
-c (uniq) – prefixes each line with the number of adjacent occurrences, so you know how many were found in
that position before the duplicates were removed.
TLS / SSL – Transport Layer Security and its predecessor Secure Sockets Layer. It is a protocol (a set of communication
rules) that lets computer systems on the internet talk to each other over an encrypted connection.

Predictions
Document the predictions you made before starting the hands-on activity here.
1. What kinds of information do you think will be in the log file(s)?
• Timestamps: Entries will include timestamps indicating when the access occurred. This helps in
reconstructing timelines and identifying suspicious activities.
• Source IP addresses: Logs may contain information about the IP addresses from which the
accesses originated. This aids in tracing the location and potentially the identity of the users.
• Destination IP addresses: Information about the IP addresses being accessed, which could be
servers, websites, or other network resources.
• Usernames/User IDs: If authentication is required, the logs might include usernames or user IDs
associated with the access attempts.
• Access Methods: Details on the methods used to access the resources, such as HTTP requests,
FTP transfers, SSH connections, etc.
• Success/Failure Status: Whether the access attempt was successful or not. Failed attempts might
indicate potential security threats.
• Requested Resources: Information about the specific resources being accessed, like URLs, file
paths, or database tables.
• User-Agent Information: Details about the client software or web browser used to make the
access request.
• Session IDs: For web applications or services, logs may include session IDs to track user
sessions.

2. What information might not be in the log file(s)?


• Content of Data Accessed: Log files may not contain the actual content of the data accessed,
especially if it involves sensitive information. They usually record metadata and transaction
details rather than the content itself.
• User Activities Beyond Access: Log files might not capture all user activities beyond accessing
resources, such as interactions within applications or modifications made to data.
• Internal Communication Content: Log files typically do not include the content of internal
communications, like emails or chat messages, unless there's specific monitoring in place.
• Encrypted Communication Details: Details of encrypted communications might not be fully
captured in log files due to the encryption protecting the data in transit.
• Physical Access Information: Access logs might not cover physical access to devices or premises
unless integrated with other security systems like CCTV.

3. What tools, techniques, and practices might be best suited to analyzing security monitoring data?
• Log Analysis Tools: Utilize specialized log analysis tools such as Splunk or the ELK Stack for efficient
log parsing, visualization, and correlation.
• Pattern Recognition: Employ pattern recognition algorithms to identify anomalies or suspicious
patterns in access logs, which could indicate security breaches or insider threats.
• Machine Learning: Implement machine learning algorithms for predictive analysis and anomaly
detection, leveraging historical access patterns to detect deviations from normal behavior.
• Threat Intelligence Integration: Integrate threat intelligence feeds to cross-reference access
patterns with known malicious IP addresses, domains, or signatures.
• Forensic Investigation Techniques: Apply forensic investigation techniques to trace the source of
unauthorized accesses, including timeline analysis, evidence collection, and chain-of-custody
management.
• Incident Response Frameworks: Follow established incident response frameworks like NIST SP
800-61 or SANS Incident Handling to systematically respond to security incidents detected
through log analysis.
• Regular Auditing and Monitoring: Establish a routine auditing and monitoring process to
continuously review access logs, identify security gaps, and improve overall system security
posture.

Methodology

Access-1.log
1. How many GET requests were logged?
Answer: 156

2. How many unique status codes were returned by the server?
Answer: 5

3. How large was the largest response body in bytes?
Answer: 561

4. How many HTTP tunneling attempts were made?
Answer: 146

5. How many entries have completely invalid request lines containing raw binary data?
Answer: 11

6. Of those invalid entries, how many are likely the result of an attempt to establish an SSL or TLS
connection?
Answer: 10

7. How many unique user agents were observed, excluding empty or missing user agents?
Answer: 55

8. How many requests were made by Firefox?
Answer: 11

9. How many attempts were made to exploit CVE-2020-8515?
Answer: 2

Apache Logs
1. How many lines are there in the log file in total?
Answer: 10,000

2. How many unique IPs are there in the log file?
Answer: 1753

3. Which IP address sent the server the most traffic?
Answer: 66.249.73.135

4. Which URL was visited most often?
Answer: /favicon.ico

5. What is the total number of requests that got a 200 response?
Answer: 9126

Access-2.log
1. How many GET requests were made?
Answer: 60

2. How many unique IP addresses made requests?
Answer: 48

3. How many different IP addresses reached the server?
Answer: 21

4. How many requests yielded a 200 status?
Answer: 19

5. How many requests yielded a 400 status?
Answer: 39

6. What IP address rang at the doorbell?
Answer: 186.64.69.141

7. What version of the Googlebot visited the website?
Answer: 2.1

8. Which IP address attempted to exploit the Shellshock vulnerability?
Answer: 61.161.130.241

9. What was the most frequent version of Firefox used for browsing the website?
Answer: version 5.0

10. What is the most common HTTP method used?
Answer: "GET"
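The Definitions section lists the tools and flags, and the Methodology questions above are the counts they produce. The following added example, which is not part of this project report, runs those pipelines over a constructed nine-line Apache combined-format log (RFC 5737 documentation IPs and made-up timestamps) and also uses sed and awk, which the Definitions do not list, to pull single fields out of a line.

```shell
#!/bin/sh
# Constructed Apache combined-format sample log (not FICBANK data): documentation addresses and
# made-up timestamps. Apache writes non-printable bytes in a request line as \xNN escapes.
LOG="$(mktemp)"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
192.0.2.10 - - [10/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
192.0.2.10 - - [10/Mar/2024:10:00:02 +0000] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "curl/8.4.0"
203.0.113.25 - - [10/Mar/2024:10:00:09 +0000] "CONNECT example.com:443 HTTP/1.1" 400 226 "-" "-"
203.0.113.25 - - [10/Mar/2024:10:00:10 +0000] "CONNECT example.com:443 HTTP/1.1" 400 226 "-" "-"
203.0.113.25 - - [10/Mar/2024:10:00:12 +0000] "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" 400 226 "-" "-"
198.51.100.7 - - [10/Mar/2024:10:00:20 +0000] "POST /login HTTP/1.1" 200 583 "-" "curl/8.4.0"
192.0.2.10 - - [10/Mar/2024:10:00:30 +0000] "GET /about.html HTTP/1.1" 200 402 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
192.0.2.10 - - [10/Mar/2024:10:00:31 +0000] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
EOF
# Requests using a given method; CONNECT is the HTTP tunnelling request the Methodology asks about.
count_method() { grep -c "\"$1 " "$2" || true; }
# Distinct client IPs: the first space-separated field, deduplicated.
unique_ips() { cut -d' ' -f1 "$1" | sort -u | wc -l | tr -d ' '; }
# Busiest client and most requested path: count adjacent duplicates, sort numerically, keep the top line.
top_ip()  { cut -d' ' -f1 "$1" | sort | uniq -c | sort -rn | head -1 | awk '{print $2}'; }
top_url() { cut -d' ' -f7 "$1" | sort | uniq -c | sort -rn | head -1 | awk '{print $2}'; }
# The status code follows the closing quote of the request line. Taking it with sed instead of
# cut -f9 stays correct when the "request" is binary junk rather than "METHOD URL PROTO".
status_of() { sed 's/^[^"]*"[^"]*" \([0-9]\{3\}\) .*/\1/' "$1"; }
count_status()    { status_of "$2" | grep -c "^$1\$" || true; }
unique_statuses() { status_of "$1" | sort -u | wc -l | tr -d ' '; }
# Largest response body: the numeric field after the status ("-" means no body and is skipped).
largest_body() { sed 's/^[^"]*"[^"]*" [0-9]\{3\} \([0-9]*\).*/\1/' "$1" | grep -v '^$' | sort -n | tail -1; }
# User agents are the last quoted field; "-" is Apache's placeholder for a missing header.
unique_agents() { sed 's/.*"\([^"]*\)"$/\1/' "$1" | grep -v '^-$' | sort -u | wc -l | tr -d ' '; }
firefox_requests() { grep -c 'Firefox/' "$1" || true; }
# A TLS ClientHello sent to the plaintext port is logged as escaped bytes beginning \x16\x03\x0N
# (record type 22 = handshake, version 3.x), which distinguishes it from other binary garbage.
tls_on_http() { grep -c '^[^"]*"\\x16\\x03\\x0[0-3]' "$1" || true; }

printf 'GET=%s CONNECT=%s ips=%s top_ip=%s top_url=%s 200s=%s tls=%s\n' \
  "$(count_method GET "$LOG")" "$(count_method CONNECT "$LOG")" "$(unique_ips "$LOG")" \
  "$(top_ip "$LOG")" "$(top_url "$LOG")" "$(count_status 200 "$LOG")" "$(tls_on_http "$LOG")"
```

Point the functions at a real access log instead of "$LOG" to reproduce the Methodology counts; the sed-based field extraction is what keeps the status and body columns aligned on the binary request lines that break a plain cut -f9.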

Reflections
The analysis of the access logs provided reflects a thorough and proactive approach
towards assessing the security of FICBANK's security monitoring infrastructure. Through the
proficient use of command-line tools on Linux, we effectively sorted and identified the pertinent
entries within each access log, allowing for a comprehensive evaluation of the security posture.
One notable aspect of the analysis is the identification of unique status codes, which can
serve as indicators of potential security incidents or system vulnerabilities. By scrutinizing status
codes such as 404 (Not Found), 403 (Forbidden), or 500 (Internal Server Error), I could pinpoint
instances of unsuccessful or irregular access attempts, highlighting areas of concern within the
security monitoring infrastructure.
Furthermore, the detection of invalid requests within the access logs identifies potential
security risks. Requests with malformed syntax or unusual patterns may indicate attempts at
exploiting vulnerabilities or launching malicious attacks against FICBANK's systems. Through
careful analysis and validation of such requests, we can proactively mitigate security threats and
fortify the infrastructure against potential breaches.
By cross-referencing IP addresses recorded in the access logs with known blacklists or
threat databases, I can uncover connections to malicious entities or suspicious activities, thereby
enhancing the overall security posture of FICBANK's infrastructure.
Through the effective use of command-line tools to identify anomalies and assess the
current security of the infrastructure, I was able to see firsthand the current state of FICBANK's
infrastructure and its resilience against cyber threats.

General:

1. What tools did you use to collect and query security monitoring data?
   1. Command line
   2. OSINT
2. What data sources did you analyze during the project?
   1. Browser history
   2. Web filter
   3. Server access
   4. Apache access log
3. How did you validate the accuracy of the security monitoring data?

Validating the accuracy of security monitoring data was crucial for ensuring the integrity of our
findings. I employed several validation techniques, including cross-referencing log entries

4. What challenges did you face when analyzing security monitoring data?
   1. Learning which command lines to use to sort the logs
   2. How to string each command together properly
   3. Understanding certain concepts such as HTTP tunneling and how they are recorded in the
      access log