- Lab
-
Libraries: If you want this lab, consider one of these libraries.
- Security
Network Analysis with Arkime
In this lab, you have to act as a Security Operations Center (SOC) analyst at Globomantics, a global technology firm. Recently, the Globomantics threat intelligence team received reliable indicators of a coordinated attack targeting the engineering subnet. To support a forensic investigation without alerting the attackers, you have been tasked with deploying an offline network forensics platform. You will deploy a secure Arkime instance, ingest forensic packet captures (PCAPs) from the compromised segment, and hunt for evidence of Command and Control (C2) channels and data exfiltration..
Lab Info
Table of Contents
-
Challenge
Deploy Arkime for Enterprise-scale Packet Capture and Network Forensics Storage
The investigation begins with infrastructure setup. On the Ubuntu Server, you will install Arkime and Elasticsearch from pre-downloaded docker images and configure it to talk to a Elasticsearch backend. Once the services are active, you will verify connectivity to the Arkime Viewer, ensuring the platform is ready to ingest evidence.
-
Challenge
Conduct Deep-dive Network Investigations Using Arkime's Advanced Search and Filtering Capabilities Scenario
With the platform active, you need to load the evidence. You will start by importing PCAP file into Arkime. Then, you will learn to navigate the Arkime interface. You will customize your view to display specific metadata fields like source/destination ports and protocol types and use the SPI Graph to identify normal traffic versus potential anomalies.
-
Challenge
Analyze Application Layer Protocols to Detect Suspicious C2 Communications
Threat intelligence notify that the attackers are masking their Command and Control (C2) traffic as standard web browsing. Using Arkime’s search bar, you will filter for HTTP/HTTPS connections and analyze the metadata. You will look for specific anomalies such as a high frequency of connections to a single IP with short flow durations.
-
Challenge
Identify Automated Data Exfiltration Patterns and Large File Transfers (T1020, T1048)
The final phase of the investigation focuses on impact analysis. You will process a PCAP recorded during the suspected exfiltration window. You will query the dataset for legacy protocols like FTP, which are rarely used in this environment. By sorting connections of data transfer you will identify a massive outbound transfer. You will then drill into the packet payloads to view the filenames, confirming the exfiltration of sensitive Globomantics proprietary data.
About the author
Real skill practice before real-world application
Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
Learn by doing
Engage hands-on with the tools and technologies you’re learning. You pick the skill, we provide the credentials and environment.
Follow your guide
All labs have detailed instructions and objectives, guiding you through the learning process and ensuring you understand every step.
Turn time into mastery
On average, you retain 75% more of your learning if you take time to practice. Hands-on labs set you up for success to make those skills stick.