CSI3351
Laboratory Exercises

Contents
Details
Background
Task
Report Structure
Additional Task Information
Assignment Submission
Marking Key

Details
Title: BOTSv3 Blue Team Member Analysis
Value: 40% of the final mark for the unit
Length: max. 15 A4 pages

Background
The Boss of the SOC dataset series is a popular set of datasets for security professionals with authentic, real-world-like network events and incidents. They are self-paced, hands-on blue team exercises. The third version of the Boss of the SOC dataset (BOTSv3) includes a cloud scenario illustrating security issues organisations typically encounter when moving workloads to the cloud, such as Amazon AWS and Microsoft Azure, along with a challenging APT scenario. You can focus on either or both.

Task
As part of workshop module 2, we investigated the APT scenario from the first version of the Boss of the SOC dataset (BOTSv1) using Splunk. In this assignment, you have to investigate the scenarios captured in the third version of the Boss of the SOC dataset (BOTSv3), without prior knowledge of the case. You have to write up the case in plain English, along with technical details, visualise the attack series using the MITRE ATT&CK framework and the Lockheed Martin Cyber Kill Chain, and create a timeline of the critical events.
One option is to write your report based on your understanding of the case according to your investigative actions in an attempt to find answers to (some of) the associated CTF questions. These give you good directions to start your work and to decide how to approach the investigation.

Report Structure
• Cover Page: unit code and title, assignment title, your name, student number, campus, tutor's name
• Table of Contents: an accurate reflection of the content within the document, generated automatically.
• Summary (explanation of the case in plain English): overview of the report. How did you approach the investigation? What did you do?
• Technical Details: how can the scenarios you identified be characterised? What did you find?
• Running Sheet: the Splunk commands executed during your investigation, with timestamps and explanations, in chronological order (it has to be repeatable).
• Timeline of Events: a chronological list of events with timestamps representing the actions that resulted in the attack series described. Filter out unimportant events and include only the security incidents that need to be highlighted (those required to understand the case). A visual representation is welcome.

Additional Task Information
• Start early and plan ahead; you may need to spend considerable time experimenting in Splunk for this exercise. If a command or approach failed to produce a successful outcome, you should still document it in your running sheet.
• Each report will be unique and presented in its own way.
• Scrutinise the marking key, and ask any questions you may have early!
• Focus on the important events of the complex case and do not get lost in the details.
• This task is not just about revealing what happened in the described case. Your approach to identifying crucial events and actual incidents, as reflected in your running sheet, is just as important.

Assignment Submission
The submission must be a Microsoft Word document. You are submitting only one document, through Blackboard. You do not need an ECU assignment cover sheet. Do not submit more than one document, because additional documents will not be assessed.

Marking Key