The objective of this assignment is to gain knowledge and understanding of the security information and event management tool Splunk through research and practical experience. This understanding is to be demonstrated by submission of a formal technical report of a threat hunting exercise and the development of a Splunk dashboard.All assignment related data can be found in the botsv2 index (you must include “index=botsv2” in all your searches) on the http://splunk.ict.griffith.edu.au:8000 Splunk Enterprise server. Login using the following credentials if you have not logged into this server before.Username: sXXXXXXX Password: changemeIf you are trying to connect to the server from off campus, you must connect through a VPN first. Details of how to VPN into the Griffith Network can be found here: https://intranet.secure.griffith.edu.au/computing/remote-access/virtual-private-networkPlease note that the assignment data is much bigger and more realistic than your tutorial data, so you must limit your searches, otherwise you will be waiting for a long time for a response as well as slowing down everyone else.BackgroundFrothly is a small premium beer brewing company with intensions of making it big. New homebrew kits with Frothly proprietary recipes are due to launch later in the year. The FBI has heard chatter from a nation state sponsored hacking group that claim to have successfully compromised the Frothly network and exfiltrated sensitive data. As luck would have it Frothly’s Head of IT, Kevin Lagerfield, has just left the company. Your job is to investigate the breach to determine what was stolen or if a breach actually occurred.
Task 11. Amber Turing was hoping for Frothly to be acquired by a potential competitor which fell through, but visited their website to find contact information for their executive team. What is the website domain that she visited?2. Amber found the executive contact information and sent him an email. What is the CEO's name? Provide the first and last name.3. After the initial contact with the CEO, Amber contacted another employee at this competitor. What is that employee's email address?4. What is the name of the file attachment that Amber sent to a contact at the competitor?5. What is Amber's personal email address?6. What version of TOR did Amber install to obfuscate her web browsing? Answer guidance:Numeric with one or more delimiter.7. What is the public IPv4 address of the server running www.brewertalk.com?8. Provide the IP address of the system used to run a web vulnerability scan againstwww.brewertalk.com.9. The IP address from Question 8 is also being used by a likely different piece of software to attacka URI path. What is the URI path?10. What SQL function is being abused on the URI path from Question 9?11. What is Frank Ester's password salt value on www.brewertalk.com?12. What is user btun's password on brewertalk.com?13. What was the value of the cookie that Kevin Lagerfield's browser transmitted to the maliciousURL as part of a XSS attack?14. The brewertalk.com web site employed Cross Site Request Forgery (CSRF) techniques. What wasthe value of the anti-CSRF token that was stolen from Kevin Lagerfield's computer and used tohelp create an unauthorized admin user on brewertalk.com?15. What brewertalk.com username was maliciously created by a spear phishing attack?16. According to Frothly's records, what is the likely MAC address of Mallory's corporate MacBook?HINT: Her corporate MacBook has the hostname MACLORY-AIR13.17. What episode of Game of Thrones is Mallory excited to watch?18. What is Mallory Krauesen's phone number?19. Enterprise Security contains a threat list notable event for MACLORY-AIR13 and suspect IPaddress 5.39.93.112. What is the name of the threat list (i.e. Threat Group) that is triggering thenotable event?20. Considering the threat list you found in Question 19, and related data, what protocol often usedfor file transfer is actually responsible for the generated traffic?As part of the answer for each of these questions, your report must include:• A clear description of the reasoning for your answer.• A detailed description of the process that you followed and the searches that you used to obtainthe answer. It is expected that you will include screenshots in your description.7808ICT Assignment Specification 2CRICOS No. 00233E
Task 2Develop a Splunk dashboard for the Frothly data. The dashboard should include 5 panels with a variation of visualisations with at least one single value display. The dashboard should use the followingSplunkfunctions:• Chart• Timechart• Macros• Pivot• Eval• Search• Where• Stats• Count• TransactionAs well as showing the output of the dashboard, your report must include:• A clear description of the design of your dashboard, explanations of the searches used, and theimportance and purpose of each panel.• A detailed description of how you incorporated command functionality into the dashboard andthe reasoning for why the commands are required for the panel.SubmissionPlease submit your assignment via the 7808ICT Blackboard web site under the Assessment section. Reports may be submitted as one zip file or as a single file.The quality of the presentation of a formal technical report is as important as the quality of the technical content of the report in the profession. Your assignment will be assessed on:1. The body text of your report should be no more than 25 pages in length excluding appendices;2. The text of your report should be in 12-point Times New Roman or 11-point Arial font orsomething equivalent, and in single space;3. Page size is A4 with 2cm in margins on all sides;4. The report is suggested to be organised with executive summary within one page, table of contents, body text, and appendices;5. The report body text consists of your overall analysis of each question, description of how you went about completing each task and your conclusions.