Udacity Security Analyst Project 4: Intrusion Detection and Response

Project Description

The purpose of this project was to demonstrate skills in monitoring and logging systems, as well as in detecting and responding to intrusions, for a fictitious company. Skills and technology showcased in the project include: configuring and analyzing alerts from an Intrusion Detection System (Snort and Sguil); analyzing security logs and packet captures (tcpdump, Wireshark) to further investigate suspicious activity on the network; setting up a SIEM (Splunk) to collect and analyze data; and using incident response playbooks to contain, document and recover from network attacks. The project was performed using the Security Onion suite on a Linux OS. The tasks below were performed for the project:

  1. Analyze Snort alerts from provided network traffic (a pcap file) using Sguil. Determine which alerts are likely false positives and which are likely true positives (appear to represent malicious behavior). Log these in an incident ticket.

  2. Perform a DNS request on the network and capture only this DNS traffic using BPF filters in tcpdump.

  3. Further analyze the true positive Snort alerts from Step 1 and the related network traffic with Wireshark and host logs. Determine any signs of post-infection activity (other compromised hosts, lateral movement, data exfiltration, etc.) and provide details in the incident ticket.

  4. Create a Snort rule to alert on the activity discovered with Wireshark in the previous step. Test the rule to verify it triggers correctly.

  5. Use Splunk to collect logs, analyze data and create reports. A dashboard was created to discover the top user names with failed authentication in the logs during a certain time period, and a report was created based on this data.

  6. Use incident response playbooks for the intrusions discovered in Step 1 to provide evidence, containment procedures and recovery steps. These were written into the incident ticket.

Project Documents:
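As an added illustration of the Step 5 report (this is example code, not one of the project's deliverables), the Python below emulates the Splunk search in plain code: it counts failed-password events per user name within a time window over a few constructed sshd log lines and returns the top entries. The log lines, host name, IP addresses and the year assumed for the syslog timestamps are all constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample sshd log lines (not taken from the project); syslog
# timestamps carry no year, so one is assumed when parsing.
SAMPLE_LOG = """\
Mar 10 09:01:12 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Mar 10 09:01:15 host sshd[1201]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar 10 09:02:40 host sshd[1210]: Accepted password for alice from 192.0.2.10 port 50110 ssh2
Mar 10 09:05:03 host sshd[1222]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2
Mar 10 09:07:59 host sshd[1230]: Failed password for root from 203.0.113.5 port 33044 ssh2
Mar 10 09:09:30 host sshd[1235]: Failed password for root from 203.0.113.5 port 33046 ssh2
Mar 10 11:30:00 host sshd[1300]: Failed password for bob from 192.0.2.11 port 50200 ssh2
"""

# Matches only failed-password events; "invalid user" is optional because
# sshd emits it when the account does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_ts(ts, year):
    """Turn a syslog timestamp ('Mar 10 09:01:12') into a datetime for the given year."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def top_failed_users(log_text, start, end, limit=3, year=2024):
    """Count failed-password events per user name between start and end
    (inclusive) and return the top `limit` as (user, count) pairs, the
    equivalent of a Splunk 'stats count by user | sort -count | head' search."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        when = parse_ts(m.group("ts"), year)
        if start <= when <= end:
            counts[m.group("user")] += 1
    return counts.most_common(limit)


if __name__ == "__main__":
    window = (datetime(2024, 3, 10, 9, 0), datetime(2024, 3, 10, 10, 0))
    for user, n in top_failed_users(SAMPLE_LOG, *window):
        print(f"{user}: {n} failed logins")
```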
