Existing Security Appliances: CookieMiner Analysis
At Globomantics, an employee in the Marketing Department stated they’re receiving “unusual Sign In” alerts from various websites. You (the Security Analyst) must investigate their endpoint through Host-based (and Network-based) Intrusion Detection Systems. In this lab, you’ll investigate Tactics, Techniques, and Procedures (TTPs) that are inspired by the “CookieMiner” malware.
Terms and conditions apply.
Getting Started in the Lab Environment
Here are the initial instructions and explanation of the lab environment. Read this while your environment is busy creating itself from nothing. Yes, this violates physics; we know. How fun!
In this challenge, you'll learn the core tenants of Intrusion Detection Systems: event collection, event analysis, and event visualization. You'll also deploy a piece of malware that you'll investigate in subsequent challenges.
Malware: FIM Alert
In this challenge, you'll learn the basics of File Integrity Monitoring (FIM). Through this process, you'll leverage a FIM alert to inform a threat hunting session.
In this challenge, you'll do a deep dive into what triggered the FIM alert (i.e., malware.sh). Through this deep dive, you'll learn of a real-world attack that attempts to subvert Multi-Factor Authentication. You'll also learn how malware can evade detection mechanisms.
In this section, you'll learn the limitations of Host-based Intrusion Detection Systems.
In this challenge, you'll shift your focus from host-based monitoring to network-based monitoring. In particular, you'll interface with Suricata, with a popular network monitoring tool. Earlier in the lab, you learned about Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). Suricata is a tool that can act as an IDS and an IPS.
Suricata: SimpleHTTP Alert
In this challenge, you'll review the Suricata rule that triggered the SimpleHTTP alert. You'll also understand how this alert could correlate to malware hosting activity!
Suricata: Rule Creation
In this challenge, you'll learn how to leverage network events to create network-based rules. You'll then leverage this knowledge to create a rule that alerts on curl-based data exfiltration! Once you're done, you'll rerun the CookieMiner malware and see if the rule works!
Suricata: Subverting Rules
In this challenge, you will learn how rules can be subverted.
The Last Challenge
This is the last challenge of this lab, and your last chance to experience the environment before clicking finish lab, ending this small little world that flittered into existence just for you.
Provided environment for hands-on practice
We will provide the credentials and environment necessary for you to practice right within your browser.
Follow along with the author’s guided walkthrough and build something new in your provided environment!
Did you know?
On average, you retain 75% more of your learning if you get time for practice.
- Basic Linux knowledge