CA v1.0a Skills Assessment Project

The document outlines a skills assessment for junior security analysts focusing on analyzing a fake anti-virus malware incident from November 21, 2014. It includes instructions for using Security Onion VM to gather information about the malware, identify infected systems, and report findings. The assessment emphasizes practical skills such as evaluating alerts, using VirusTotal, and documenting the analysis process.

Uploaded by vabobby1

CyberOps Associates v1.0a - Skills Assessment
Introduction
You have been hired as a junior security analyst. As part of your training, you were tasked to determine any
malicious activity associated with a fake anti-virus malware. The events happened on Nov. 21, 2014.
An infected system had the following screens:

You will have access to the internet to learn more about the events. You can use websites, such as
VirusTotal, to upload and verify threat existence.
The tasks below are designed to provide some guidance through the analysis process.

 2020 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 4 www.netacad.com

You will practice and be assessed on the following skills:

o Evaluate event alerts using Sguil and Kibana.
o Use Google search as a tool to obtain intelligence on a potential exploit.
o Use VirusTotal to upload and verify threat existence.

Required Resources
o Security Onion virtual machine
o Internet access

Instructions

Part 1: Gather the Basic Information


In this part, you will review the alerts listed in the Security Onion VM and gather basic information for the
time frame of interest.

Step 1: Verify the status of services


a. Log into the Security Onion VM with the username analyst and password cyberops.
b. Open a terminal window. Enter the sudo so-status command to verify that all the services are ready.
Note: if necessary, wait a few minutes until status is all OK.
c. When the nsm service is ready, log into Sguil or Kibana with the username analyst and password
cyberops.

Step 2: Upload PCAP


a. Click Applications -> Internet -> Chromium Web Browser
b. Type in the web browser the following: https://tinyurl.com/cyberops-skills
c. A Google drive will open that has the cyberops-skills.pcap file. Click Download button to download the
pcap file.
d. Open a terminal window. Enter the command cd Downloads to change directory to Downloads.
e. To import the pcap, type the command sudo so-import-pcap cyberops-skills.pcap and press Enter.

 2020 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 4 www.netacad.com
CyberOps Associates v1.0a - Skills Assessment

Step 3: Gather basic information. (4 pts each)


Questions:

a. Identify the time frame of the AntiBreach attack, including the date and approximate time.

Click here to enter text.

b. Insert a screenshot for Step 3a.

c. List the alerts noted during this time frame associated with the trojan.

Click here to enter text.

d. Insert screenshot for Step 3c.

e. List the internal IP addresses and external IP addresses involved.

Click here to enter text.

f. Insert a screenshot for Step 3e.

Part 2: Learn about the Exploit


In this part, you will learn more about the exploit.

Step 1: Infected host (4 points each)


Questions:

a. Based on the alerts, what are the IP and MAC addresses of the infected computer? Based on the
MAC address, what is the vendor of the NIC chipset? (Hint: NetworkMiner or internet search)

Click here to enter text.

b. Insert a screenshot of the result for Step 1a.

c. Based on the alerts, when (date and time in UTC) and how was the PC infected? (Hint: Enter the
command date in the terminal to determine the time zone for the displayed time)

Click here to enter text.

d. Insert a screenshot showing the result for Step 1c.

Step 2: Examine the exploit. (5 points each)


Questions:

a. Based on the alerts associated with HTTP GET requests, what files were downloaded? List the
malicious domains observed and the files downloaded.

Click here to enter text.


b. Insert a screenshot for Step 2a.

 2020 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 4 www.netacad.com
CyberOps Associates v1.0a - Skills Assessment

c. Using any available tools in the Security Onion VM, determine and record the SHA256 hash of the
downloaded files that probably infected the computer.

Click here to enter text.

d. Insert a screenshot of the result for Step 2c.

e. Navigate to www.virustotal.com and input the SHA256 hash to determine whether these were detected as
malicious files. Record your findings, such as file type and size, other names, and target machine.
You can also include any information provided by the community on VirusTotal.

Click here to enter text.

f. Insert a screenshot showing the result for Step 2e.

g. Examine other alerts associated with the infected host during this timeframe and record your
findings.

Click here to enter text.

h. Insert a screenshot for the result for Step 2g.

Step 3: Report Your Findings (20 points)


Summarize your findings based on the information you have gathered from the previous parts.

Click here to enter text.

 2020 - 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 4 www.netacad.com

You might also like