
Question


1. Description

Threat detection is the practice of analysing the entirety of a security ecosystem to identify any malicious activity that could compromise the network. If a threat is detected, then mitigation efforts must be enacted to properly neutralise the threat before it can exploit any present vulnerabilities. It is widely accepted that robust threat detection requires both a technical and a human element. The technical element consists of a combination of technologies, including endpoint, network and security event threat detection tools. The human element requires security analysts to analyse data for trends, patterns and behaviours, and to investigate logs and reports to determine whether anomalous data indicates a potential threat or a false alarm.

In this coursework, you are required to act as a security analyst to determine the type and nature of a potential threat that has been detected. You will be provided with a virtual machine containing security monitoring and intrusion detection data from an open-source network intrusion prevention system (Security Onion) as evidence on which to base your analysis. The data provided is as follows:

- Security Onion IDS alerts;
- threat events available in Sguil and Kibana;
- associated pcap files, which can be viewed using Wireshark.

Your task, as a security analyst, is to analyse the data and determine which threat has been detected by Security Onion, recording a brief synopsis of the threat to allow for further analysis of the threat and activity. Secondly, you are required to produce a report providing a detailed analysis of the threat you have identified.

There are two deliverables for this coursework, as described below.

Deliverable 1: IDS Threat Detection Form (in Microsoft Word) containing information you consider relevant, such as, but not limited to:

1.1. Threat occurrence.
- date/time of threat;
- brief description of the threat detected;
- type/nature of threat;
- expected severity of threat;
- contact details of person (you) investigating the threat.

1.2. Specific details of threat.
- devices/IP addresses affected;
- timeline of threat activity;
- alerts raised;
- packets captured.

Your form should be a maximum of two pages, professionally structured, and written to a technical audience, including:
- title;
- information grouped into appropriate sections;
- structured into tables/form layout;
- capture of all relevant information described above in 1.1 and 1.2;
- ability to be catalogued into a threat response system or business process.

Deliverable 2: Executive Report (in Microsoft Word) containing:

1.1. Analysis of the identified threat based on:
- background of the threat using existing literature;
- process of infection and propagation;
- impact on systems and/or the Internet;
- detection and/or mitigation methods.

1.2. Findings from deliverable (1).
- description of methodology used to investigate the threat;
- analysis and discussion of findings;
- discussion of the legal and ethical issues arising through the deployment of an IDS and collection of corresponding data.

1.3. Recommendations.
- reflect on work in 1.1 and 1.2;
- provide recommendations of how detection of the threat could be improved.

Your report should be professionally structured, and written to a technical audience, including:
- title page;
- contents page;
- executive summary;
- appropriate information for 1.1, 1.2 and 1.3 above (2500 words max);
- concluding remarks;
- a list of references.

Note: The two deliverables for this coursework will be combined and the grade calculated using the grid on page eight.
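The brief asks the analyst to turn raw IDS alerts into the fields of the Threat Detection Form (first/last occurrence, affected hosts, alerts raised, severity, timeline). The following is an added example of a small triage script for that step; it is not part of the coursework or of Security Onion. It assumes the alerts have been exported in Suricata EVE JSON format (one JSON object per line), which the Suricata sensor in Security Onion writes; the alert records, signature names, signature IDs and the 10.0.0.0/8 home network are all constructed for illustration.

```python
"""Condense Suricata EVE JSON alerts into Threat Detection Form fields.
Added example (not from the coursework or Security Onion); sample data below
is constructed and does not come from any real capture.
"""
import ipaddress
import json
from collections import Counter
from datetime import datetime

# Constructed EVE JSON export: alert records deliberately out of order, one
# non-alert "flow" record and one damaged line, as a real export might contain.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2023-03-14T09:12:03.417121+0000","event_type":"alert","src_ip":"10.0.0.25","src_port":49321,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature_id":9000001,"signature":"EXAMPLE Suspicious HTTP beacon","category":"A Network Trojan was detected","severity":1}}',
    '{"timestamp":"2023-03-14T09:15:10.005310+0000","event_type":"alert","src_ip":"10.0.0.25","src_port":50112,"dest_ip":"10.0.0.40","dest_port":445,"proto":"TCP","alert":{"signature_id":9000002,"signature":"EXAMPLE SMB lateral movement attempt","category":"Attempted Administrator Privilege Gain","severity":2}}',
    '{"timestamp":"2023-03-14T09:12:48.120004+0000","event_type":"alert","src_ip":"10.0.0.25","src_port":49330,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","alert":{"signature_id":9000001,"signature":"EXAMPLE Suspicious HTTP beacon","category":"A Network Trojan was detected","severity":1}}',
    '{"timestamp":"2023-03-14T09:13:00.000000+0000","event_type":"flow","src_ip":"10.0.0.25","dest_ip":"203.0.113.7","proto":"TCP"}',
    '{"timestamp":"2023-03-14T09:20:31.902455+0000","event_type":"alert","src_ip":"10.0.0.40","src_port":51877,"dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP","alert":{"signature_id":9000001,"signature":"EXAMPLE Suspicious HTTP beacon","category":"A Network Trojan was detected","severity":1}}',
    'this line is truncated and not JSON',
]

# Suricata convention: severity 1 is the most severe.
SEVERITY_LABELS = {1: "high", 2: "medium", 3: "low"}


def parse_eve_alerts(lines):
    """Return only the alert events, skipping other event types (flow, dns,
    http, ...) and lines that are not valid JSON."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert" or "alert" not in rec:
            continue
        alerts.append(rec)
    return alerts


def _ts(rec):
    # EVE timestamps look like 2023-03-14T09:12:03.417121+0000
    return datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")


def summarise_alerts(alerts, home_net="10.0.0.0/8"):
    """Derive the form's 1.1/1.2 fields from alert records.  `home_net` is an
    assumed HOME_NET range used to separate internal hosts from external ones."""
    if not alerts:
        return None
    net = ipaddress.ip_network(home_net)
    ordered = sorted(alerts, key=_ts)  # chronological timeline
    hosts = set()
    for rec in ordered:
        hosts.update((rec["src_ip"], rec["dest_ip"]))
    internal = sorted(h for h in hosts if ipaddress.ip_address(h) in net)
    external = sorted(hosts - set(internal))
    signatures = Counter(r["alert"]["signature"] for r in ordered)
    worst = min(r["alert"].get("severity", 3) for r in ordered)
    return {
        "first_seen": ordered[0]["timestamp"],
        "last_seen": ordered[-1]["timestamp"],
        "duration_seconds": int((_ts(ordered[-1]) - _ts(ordered[0])).total_seconds()),
        "alert_count": len(ordered),
        "internal_hosts": internal,
        "external_hosts": external,
        "signatures": dict(signatures.most_common()),
        "severity": SEVERITY_LABELS.get(worst, "unknown"),
        "timeline": [(r["timestamp"], r["src_ip"], r["dest_ip"], r["alert"]["signature"])
                     for r in ordered],
    }


def render_form(summary):
    """Plain-text rendering in the 1.1/1.2 layout of the detection form."""
    out = [
        "1.1 Threat occurrence",
        f"  Date/time: {summary['first_seen']} to {summary['last_seen']}",
        f"  Expected severity: {summary['severity']}",
        "1.2 Specific details",
        f"  Internal hosts affected: {', '.join(summary['internal_hosts'])}",
        f"  External hosts involved: {', '.join(summary['external_hosts'])}",
        "  Alerts raised:",
    ]
    out += [f"    {n} x {sig}" for sig, n in summary["signatures"].items()]
    out.append("  Timeline:")
    out += [f"    {ts}  {src} -> {dst}  {sig}" for ts, src, dst, sig in summary["timeline"]]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_form(summarise_alerts(parse_eve_alerts(SAMPLE_EVE_LINES))))
```

The summary is only a starting point for the form: the signature counts tell you which rules fired and in what order hosts became involved, but the pcap for each alert still has to be examined in Wireshark before the "type/nature of threat" field can be filled in with confidence.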
