Project 3 - We were hacked (?)

Introduction

This assignment focuses on the security mechanisms of Linux systems and on the analysis of an attack chain according to the MITRE ATT&CK matrix. The matrix lists the typical Tactics, Techniques, and Procedures (TTPs) used by an attacker when developing an attack, and specifically the mechanisms attackers exploit to inject code, gain persistence and remote control, break out of confinement, obtain additional permissions, exfiltrate data and hide their activity. Finally, it considers the motivations of a typical attacker.

We expect groups of 4 students.

Description

Our automatic monitoring systems detected an unintended change in one of our frontend VMs. We are not sure what happened, or if there is really an issue, as this is the first response to the automated alarm. The VM was stopped and the traffic from the offending IP address was recorded as a PCAP file.

We need to know if this was an attack or simply an application that crashed. Gather your other 3 team members and analyze the VM disk, as well as the packet logs, and deliver a report.

Your report should have an executive summary, for us to deliver to our manager. Remember that he has no security background, but he needs to know if there was an issue.

Then it should be followed by a security-oriented part with:

  • A detailed analysis of every action performed by the attacker. Please identify potential vulnerabilities or misconfigurations. You know, CWEs if possible.
  • An analysis of data objects that were modified (files, configurations)
  • An analysis of any exfiltrated data.
  • An analysis of potential suspect IP addresses (inside or outside our network).
  • An analysis of any persistent objects (C2 beacon?).
  • Indicators of Compromise (IoC), so that we may rapidly scan other hosts and check for breaches.
  • A mapping of your findings according to the MITRE ATT&CK matrix. This is important for us to correlate the modus operandi with other attacks. I know we were using some confinement in those VMs, so I’m also curious what could have happened.
  • Your conclusions about the potential intentions, and what we should do to mitigate the impact.

The assets are:

  • A VM disk, which you can add to a VirtualBox VM as an additional disk to inspect.
  • A packet capture in PCAP format. You can use Wireshark to analyze it.
  • A text file with the HTTP request/response headers. This was automatically extracted from the packet capture.

These files are provided in MS Teams.
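To show what the "automatically extracted" HTTP header file corresponds to, here is an added example (not part of the assignment material, and not the tool that produced the provided text file): a minimal classic-pcap reader, standard library only, that pulls the HTTP start line and headers out of each TCP payload and summarises which client IPs sent requests. The capture, addresses (TEST-NET ranges), ports and HTTP messages are constructed inline so that it runs offline; it handles only single-segment HTTP messages, with no TCP stream reassembly.

```python
"""Added example (not part of the assignment): a minimal classic-pcap reader
that extracts HTTP request/response headers from TCP payloads and summarises
which client IPs talked to the server. Standard library only."""
import socket
import struct
from collections import defaultdict

# --- constructed sample capture -------------------------------------------
# Addresses, ports and HTTP messages below are made up (TEST-NET ranges),
# purely so the example runs offline.
CLIENT, SERVER = "203.0.113.7", "192.0.2.10"

def _frame(src, dst, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame around `payload` (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload

def _pcap(frames):
    """Classic libpcap file: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = _pcap([
    _frame(CLIENT, SERVER, 40001, 80,
           b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n"
           b"User-Agent: curl/8.0\r\n\r\n"),
    _frame(SERVER, CLIENT, 80, 40001,
           b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 2\r\n\r\nok"),
    _frame(CLIENT, SERVER, 40002, 80,
           b"POST /upload.php HTTP/1.1\r\nHost: 192.0.2.10\r\n"
           b"User-Agent: python-requests/2.31\r\nContent-Length: 5\r\n\r\nhello"),
])

# --- parsing ----------------------------------------------------------------
def pcap_records(data):
    """Yield (timestamp, frame_bytes) per record, accepting either byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    link_type, = struct.unpack_from(end + "I", data, 20)
    if link_type != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def tcp_segment(frame):
    """Return src/dst/ports/payload for an IPv4 TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < total_len:
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "payload": tcp[data_off:]}

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")

def http_messages(pcap_bytes):
    """Extract start line + headers from every segment whose payload begins an HTTP message."""
    out = []
    for ts, frame in pcap_records(pcap_bytes):
        seg = tcp_segment(frame)
        if seg is None:
            continue
        p = seg["payload"]
        if not (p.startswith(HTTP_METHODS) or p.startswith(b"HTTP/")):
            continue  # not the start of an HTTP message (or not HTTP at all)
        head, _, body = p.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        out.append({"ts": ts, "src": seg["src"], "dst": seg["dst"],
                    "sport": seg["sport"], "dport": seg["dport"],
                    "start_line": lines[0], "headers": headers, "body": body})
    return out

def client_summary(messages):
    """Per client IP: request count, requested paths and User-Agents seen."""
    summary = defaultdict(lambda: {"requests": 0, "paths": [], "user_agents": set()})
    for m in messages:
        if m["start_line"].startswith("HTTP/"):
            continue  # a response; the client is the other endpoint
        entry = summary[m["src"]]
        entry["requests"] += 1
        entry["paths"].append(m["start_line"].split(" ")[1])
        if "user-agent" in m["headers"]:
            entry["user_agents"].add(m["headers"]["user-agent"])
    return dict(summary)

if __name__ == "__main__":
    msgs = http_messages(SAMPLE_PCAP)
    for m in msgs:
        print(f"{m['src']}:{m['sport']} -> {m['dst']}:{m['dport']}  {m['start_line']}")
    for ip, s in client_summary(msgs).items():
        print(ip, s["requests"], "requests", s["paths"], sorted(s["user_agents"]))
```

On a real capture, requests and responses are often split across several TCP segments and may arrive out of order, so a reader like this one misses or truncates them; that is why the assignment points you at Wireshark (Follow TCP Stream, or the Export Objects > HTTP dialog), which reassembles the streams before extracting headers. The per-client summary is the starting point for the "suspect IP addresses" section: unusual User-Agents, unexpected paths, and a single external address issuing many requests are the first things to check against the server logs on the VM disk.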

Project delivery

Delivery should consist of a zip with a report and support files through the assignment in MS Teams.

Reports will be graded according to the analysis provided. Please respect the requested topics and justify your conclusions. Whenever relevant, provide evidence (screenshots) of your observations throughout the analysis.
