Situation Three

Insider Threat

This situation deals with an insider threat. There has been an attack on a victim, and the victim believes it was an attack by an insider. Your job is to look at the computer logs for their system and find the IP that intruded upon the system, analyze it, and find a MAC (media access control) address. Once you have a MAC address, try to identify a computer based on it. When you’re finished, take the quiz to measure your knowledge and understanding.


01

Introduction

A company recently experienced a hack where data was stolen from their servers. They believe the culprit may be an insider. You need to analyze their system logs and look at the logins. Search for unusual port numbers and activity. Once you have found something, look at the public access point IP for that and try to match MAC addresses to the company’s logs.

02

Glossary

When searching for the culprits of a DDoS attack, it is important to understand the infrastructure and systems behind it. Some of the key terms are highlighted below.

MAC Address
  • Media Access Control (MAC) addresses are essentially unique identifiers for modern electronic devices. They act like fingerprints.
  • While MAC addresses are changeable, they are much harder to change and more static than IP addresses.
  • Many computer intrusions take place in public locations such as libraries and coffee shops, which generally have free wifi and allow for slightly more anonymity.
  • Public-access-based intrusions can be combated in part by looking at the MAC address and other unique identifiers of devices.
  • Once you find the bots, you can suggest firewall rules to prevent them from accessing or performing DDoS attacks.

IP Address
  • IP addresses are relatively unique identifiers for systems connected to the internet. They are important for attributing behavior within a certain time to an actor online.
  • IP resolution is the process of taking an IP and getting information back on who owns it, who it is assigned to, the location, and more.
  • IP ports are different options when connecting to an IP address. Generally each port hosts a different service, and you can search to find which service is hosted on which port.
  • IP port 21 is normally for FTP (File Transfer Protocol).

03

Company Security Logs

Src IP          Src Port  Dest IP         Dest Port  Date        Time (UTC)  MAC Address        User
10.1.1.94       53647     216.58.194.78   80         12/18/2021  15:35:49    a4-4c-c8-4d-99-9a  BBlack
216.58.194.78   80        10.1.1.94       53647      12/18/2021  15:35:50
10.1.1.94       53694     151.101.1.67    80         12/18/2021  15:36:01    a4-4c-c8-4d-99-9a  BBlack
151.101.1.67    80        10.1.1.94       53694      12/18/2021  15:36:02
10.1.1.96       54123     216.58.194.78   80         12/18/2021  15:36:02    a4-4c-c8-4d-99-93  LHerron
216.58.194.78   80        10.1.1.96       54123      12/18/2021  15:36:03
10.1.1.94       53698     151.101.1.67    80         12/18/2021  15:36:15    a4-4c-c8-4d-99-9a  BBlack
151.101.1.67    80        10.1.1.94       53698      12/18/2021  15:36:16
10.1.1.96       54138     104.23.135.19   80         12/18/2021  15:36:16    a4-4c-c8-4d-99-93  LHerron
104.23.135.19   80        10.1.1.96       54138      12/18/2021  15:36:18
10.1.1.96       54238     104.23.135.19   80         12/18/2021  15:36:55    a4-4c-c8-4d-99-93  LHerron
104.23.135.19   80        10.1.1.96       54238      12/18/2021  15:36:58
10.1.1.99       55387     13.107.21.200   80         12/18/2021  16:05:29    a4-4c-c8-4d-99-96  TFrazier
13.107.21.200   80        10.1.1.99       55387      12/18/2021  16:05:30
10.1.1.99       55399     99.84.181.99    80         12/18/2021  16:05:31    a4-4c-c8-4d-99-96  TFrazier
99.84.181.99    80        10.1.1.99       55399      12/18/2021  16:05:32
10.1.1.99       55405     99.84.181.99    80         12/18/2021  16:05:33    a4-4c-c8-4d-99-96  TFrazier
99.84.181.99    80        10.1.1.99       55405      12/18/2021  16:05:34
98.99.248.157   57891     10.1.1.7        3389       12/18/2021  23:31:15
10.1.1.7        3389      98.99.248.157   57891      12/18/2021  23:31:20    a4-4c-c8-4d-99-10  Server
98.99.248.157   58974     10.1.1.7        21         12/18/2021  23:31:23
10.1.1.7        21        98.99.248.157   58974      12/18/2021  23:31:26    a4-4c-c8-4d-99-10  Server
98.99.248.157   58974     10.1.1.7        21         12/18/2021  23:31:29
10.1.1.7        21        98.99.248.157   58974      12/18/2021  23:31:32    a4-4c-c8-4d-99-10  Server
98.99.248.157   58974     10.1.1.7        21         12/18/2021  23:31:35
10.1.1.7        21        98.99.248.157   58974      12/18/2021  23:31:38    a4-4c-c8-4d-99-10  Server

04

Finding Unique Data

You can see that there is a somewhat unique port towards the end of the data. Port 21 starts to appear near the end of the logs. While the other connections mostly have usernames associated with them, the ones connecting to port 21 do not. Additionally, since you know that data was taken, you can deduce that the culprit must have had a mechanism for moving it. Port 21 corresponds to File Transfer Protocol (FTP), which could be used to move files. You can then resolve the IP addresses to see if any of the results stand out.
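To make this step concrete, here is an added Python example (not part of the original activity) that parses rows in the log format shown above and flags the same anomalies the walkthrough points out: inbound sessions from outside the LAN to a service port that is not normal web traffic, which are also the rows that carry no MAC address or username. The 10.1.1.0/24 LAN range, the expected-port set and the access-point client list are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed subset of the company log rows shown above (same column order).
LOG = """\
10.1.1.94 53647 216.58.194.78 80 12/18/2021 15:35:49 a4-4c-c8-4d-99-9a BBlack
216.58.194.78 80 10.1.1.94 53647 12/18/2021 15:35:50
10.1.1.99 55387 13.107.21.200 80 12/18/2021 16:05:29 a4-4c-c8-4d-99-96 TFrazier
13.107.21.200 80 10.1.1.99 55387 12/18/2021 16:05:30
98.99.248.157 57891 10.1.1.7 3389 12/18/2021 23:31:15
10.1.1.7 3389 98.99.248.157 57891 12/18/2021 23:31:20 a4-4c-c8-4d-99-10 Server
98.99.248.157 58974 10.1.1.7 21 12/18/2021 23:31:23
10.1.1.7 21 98.99.248.157 58974 12/18/2021 23:31:26 a4-4c-c8-4d-99-10 Server
"""

LAN = ipaddress.ip_network("10.1.1.0/24")  # assumption: the company's internal range
EXPECTED_PORTS = {80, 443}                  # assumption: normal web traffic only
EPHEMERAL_START = 49152  # IANA dynamic port range; a dport here is a reply, not a service

def parse(log):
    """Split each space-separated row into fields; MAC and user are optional."""
    rows = []
    for line in log.splitlines():
        f = line.split()
        if len(f) < 6:
            continue
        rows.append({"src": f[0], "sport": int(f[1]), "dst": f[2], "dport": int(f[3]),
                     "date": f[4], "time": f[5],
                     "mac": f[6] if len(f) > 6 else None,
                     "user": f[7] if len(f) > 7 else None})
    return rows

def suspicious_inbound(rows):
    """Sessions from outside the LAN to an internal host on a service port that is
    not normal web traffic (here 3389/RDP and 21/FTP); these are the rows with no user."""
    return [r for r in rows
            if ipaddress.ip_address(r["src"]) not in LAN
            and ipaddress.ip_address(r["dst"]) in LAN
            and r["dport"] < EPHEMERAL_START
            and r["dport"] not in EXPECTED_PORTS]

def suspect_sources(rows):
    """External source IPs ranked by how many unexpected-port sessions they opened."""
    return dict(Counter(r["src"] for r in suspicious_inbound(rows)))

def match_macs(rows, access_point_clients):
    """MACs seen in the company log that also appear in the public access point's
    client list (a constructed input); a hit ties a company device to that location."""
    return sorted({r["mac"] for r in rows if r["mac"]} & set(access_point_clients))
```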

Starbucks Domain

Insider Threat Quiz