Detailed Report on Suspicious Networks Intrusion on Top Gear Industries
Added on 2023/06/13
Detailed report on suspicious networks intrusion on Top gear industries
Abstract
This document explains the suspected intrusion into Top Gear systems as reported by the Head of Engineering at Top Gear Industries, whereby schematics of their new project, codenamed "Swordfish", had been mysteriously deleted and replaced with a digital calling card. Furthermore, a number of their servers were discovered to have been infected with malware. To make matters worse, log files from the affected servers had been deleted. Fortunately, Top Gear Industries had installed an advanced Wireless Intrusion Detection System (WIDS) for the Engineering Department, which collects all wireless traffic and saves it in a secure location for further analysis. On further analysis it was established that the WIDS was not involved in the attack and had not been compromised.
The use of Wireshark aided immensely in gathering facts and producing conclusive documentation from analysis of the live packet capture that was handed over. The document contains three parts: Analysis, Report Findings and Conclusion.
1. Analysis
According to Human Resources, the suspect, by the name Flynn Griffen, was reported to have resigned immediately after the incident occurred, which obviously raised suspicion. On that basis the investigation focused on gathering evidence on the suspect, such as by:
1) Conducting an investigation of the websites accessed by the suspect during the time period.
By using the payload of the live packets, the source IP and destination IP determine from which computer the data originated and where it was destined, by means of packet sniffing. In Wireshark: go to Statistics | HTTP | Load Distribution and type http.host in the display filter. Now look at "HTTP Requests by HTTP Host"; this gives a detailed description of the traffic coming to and from the network.
Investigations into the kind of media accessed by the suspect were again done using Wireshark, to determine how much data the suspect's client PC had downloaded over TCP port 445 (the default port used by SMB/SMB2).
o To see which files were downloaded from the core server via a UNC path, go to Wireshark > File > Export Objects > SMB/SMB2. The object list shows:
"Packet num": the reference number of the packet (going to this packet number tells you which client IP is concerned);
"Hostname" / "Filename": the root of the shared drive concerned and the rest of the path;
"Content Type": the full size of the file being downloaded and the percentage downloaded during the trace.
Using the above techniques it becomes easier to determine whether any of the websites visited, files downloaded or videos accessed were involved in the hacking, and whether the suspect was involved in and aware of the intrusion and data theft at the company. On that basis it can now be determined how the suspect gained access to the FTP server.
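The two Wireshark views above (HTTP requests per host, and SMB objects per client on port 445) can be reproduced from a field export of the same capture. The following is an added example, not part of the report; it assumes the capture was first exported with tshark -T fields into a CSV with the column names shown, and the addresses, hosts and file names in the sample rows are constructed (the file server address 11.0.0.3 stands in for the report's 11.x.x.3).

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a tshark field export, e.g.
#   tshark -r capture.pcapng -T fields -E header=y -E separator=, \
#     -e frame.number -e ip.src -e ip.dst -e tcp.dstport \
#     -e http.host -e smb2.filename -e frame.len
# Addresses, hosts and file names are made up for this illustration.
SAMPLE_EXPORT = """\
frame.number,ip.src,ip.dst,tcp.dstport,http.host,smb2.filename,frame.len
12,11.0.0.21,203.0.113.10,80,competitor-one.example,,612
15,11.0.0.21,203.0.113.10,80,competitor-one.example,,598
27,11.0.0.21,198.51.100.7,80,rival-two.example,,640
40,11.0.0.21,11.0.0.3,445,,Projects\\Swordfish\\schematic_v3.dwg,1514
41,11.0.0.21,11.0.0.3,445,,Projects\\Swordfish\\schematic_v3.dwg,1514
58,11.0.0.21,11.0.0.3,445,,HR\\swordfish_team_contacts.xlsx,1200
63,11.0.0.44,11.0.0.3,445,,Public\\holiday_calendar.pdf,900
"""


def load_export(text):
    """Parse the CSV field export into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def http_hosts_by_client(rows):
    """Requests per HTTP host for each client IP; this is the per-client view
    of what Wireshark's Statistics > HTTP > Load Distribution shows."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if r["http.host"]:
            counts[r["ip.src"]][r["http.host"]] += 1
    return {client: dict(hosts) for client, hosts in counts.items()}


def smb_files_by_client(rows, server_ip):
    """Bytes carried on TCP/445 per file name, for each client talking to server_ip.
    Frame sizes are summed, so the totals approximate the transfer volume seen."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if r["tcp.dstport"] == "445" and r["ip.dst"] == server_ip and r["smb2.filename"]:
            totals[r["ip.src"]][r["smb2.filename"]] += int(r["frame.len"])
    return {client: dict(files) for client, files in totals.items()}


def flag_sensitive_access(smb_summary, keyword):
    """Return sorted (client, filename) pairs whose path mentions the project keyword."""
    hits = []
    for client, files in smb_summary.items():
        for name in files:
            if keyword.lower() in name.lower():
                hits.append((client, name))
    return sorted(hits)


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    print(http_hosts_by_client(rows))
    smb = smb_files_by_client(rows, "11.0.0.3")
    print(smb)
    print(flag_sensitive_access(smb, "swordfish"))
```

Summing frame.len counts headers as well as payload, so treat the totals as an upper bound on file data; for exact sizes use the Size column of Wireshark's Export Objects dialog on the packets these rows point to.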
o If the suspect downloaded any media it must have been over FTP, and hence captured in the server's log file, since one normally uses an FTP client to log on to an FTP server, and during an FTP session the server address, username and password are required by the protocol; this data is stored in the log file kept on the server.
NB: FTP is an acronym for File Transfer Protocol. As the name suggests, FTP is used to transfer files between computers on a network. You can use FTP to exchange files between computer accounts, transfer files between an account and a desktop computer, or access online software archives. ("Use FTP to transfer files", n.d.)
The FTP log is a text record of all manner of activities that go on during an FTP session.
o This information, together with the port number, can be used to pin down the client at that session.
o On printing the log file, the log simply shows the client connecting to the server, logging in to the server and asking for a list of files in the main directory through various commands, which raise further suspicion. Here is an excerpt of the log file:
Status:Connecting to ftp.Topgear.org ...
Status:Connected with ftp.Topgear.org.
Response:220 ProFTPD 1.2.4 Server (ProFTPD) [109.41.xx.xxx]
Command:USER Griffen01
Response:331 Password required for Griffen01.
Command:PASS **********
Response:230 User Griffen01 logged in.
Status:Connected
Status:Retrieving directory listing...
Command:PWD
Response:257 "/users/Griffen" is current directory.
Command:LIST
Response:150 Opening ASCII mode data connection for file list.
Response:226 Transfer complete.
Status:Directory listing successful
On detailed examination of the entire log the suspect is seen to be primarily focused on the "Swordfish" project, according to the commands issued in the time period of the log file. For instance the command:
Command:LIST *Sword fish
Response:150 Opening ASCII mode data connection for file list.
The client sends a command requesting access to a specified file and the server sends back the requested response; such suspicious commands are found all through the log entries.
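Reading a log of this shape by hand does not scale past a single excerpt. The following is an added example, not part of the report: it parses Status:/Command:/Response: lines, records who logged in, which RETR requests completed or were refused, and which commands mention the project keyword. The sample log is constructed around the excerpt above (the LIST *Sword fish line is the report's; the CWD and RETR lines and their responses are made up), and the keyword matching ignores spaces so that "Sword fish" and "swordfish" both match.

```python
import re

# Constructed sample in the Status:/Command:/Response: layout of the excerpt above.
SAMPLE_FTP_LOG = """\
Status:Connecting to ftp.Topgear.org ...
Response:220 ProFTPD 1.2.4 Server (ProFTPD) [109.41.xx.xxx]
Command:USER Griffen01
Response:331 Password required for Griffen01.
Command:PASS **********
Response:230 User Griffen01 logged in.
Command:PWD
Response:257 "/users/Griffen" is current directory.
Command:LIST
Response:150 Opening ASCII mode data connection for file list.
Response:226 Transfer complete.
Command:LIST *Sword fish
Response:150 Opening ASCII mode data connection for file list.
Response:226 Transfer complete.
Command:CWD /projects/swordfish
Response:250 CWD command successful.
Command:RETR team_roster.docx
Response:150 Opening BINARY mode data connection for team_roster.docx (18342 bytes).
Response:226 Transfer complete.
Command:RETR schematic_v3.dwg
Response:550 schematic_v3.dwg: Permission denied.
"""

LINE_RE = re.compile(r"^(Status|Command|Response):\s*(.*)$")


def parse_ftp_log(text):
    """Split the log into (kind, text) entries; lines of any other shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def summarize_session(entries, keyword):
    """Build a session summary: the USER name, every command verb issued, the
    files whose RETR completed (226) or failed (4xx/5xx), and each command
    whose argument mentions the keyword (spaces ignored, case-insensitive)."""
    summary = {"user": None, "commands": [], "retrieved": [],
               "denied": [], "keyword_hits": []}
    key = keyword.replace(" ", "").lower()
    pending = None  # file named in an in-flight RETR until the server answers
    for kind, text in entries:
        if kind == "Command":
            verb, _, arg = text.partition(" ")
            summary["commands"].append(verb)
            if verb == "USER":
                summary["user"] = arg
            elif verb == "RETR":
                pending = arg
            # PASS is excluded so that even a masked password never lands in a report
            if verb != "PASS" and key in arg.replace(" ", "").lower():
                summary["keyword_hits"].append(text)
        elif kind == "Response" and pending is not None:
            code = text[:3]
            if code == "226":                 # transfer complete
                summary["retrieved"].append(pending)
                pending = None
            elif code[:1] in ("4", "5"):      # transient or permanent failure
                summary["denied"].append(pending)
                pending = None
    return summary


if __name__ == "__main__":
    session = summarize_session(parse_ftp_log(SAMPLE_FTP_LOG), "Swordfish")
    for field, value in session.items():
        print(f"{field}: {value}")
```

Note that the Status:/Command:/Response: layout is what an FTP client such as FileZilla writes on the client side; a server-side transfer log (ProFTPD's xferlog, for example) has a different layout and needs its own pattern, and ideally both are correlated so that a client log alone is not the only record.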
On the question as to whether the suspect was working alone or as part of a team, further cross-examination of the live packet feed using Wireshark indicates a significant number of packets sent by the file server to a PC that no longer exists in the network.
o So again, why is the file server with the IP address 11.x.x.3 sending NBNS (NetBIOS Name Service) queries for the host PAUL-XP, asking for its IP address?
Wireshark shows us packets sent from the file server to the specific host, but it cannot tell which routine or service running on the file server is responsible for this traffic.
To find this program or service we used Process Monitor from the Sysinternals suite. So I started the capture for a few seconds, then I did a search on the string "PAUL-XP". In the result we can see the process name at the origin of the query, in this case spoolsv.exe. Next we applied a filter to show only the traces related to spoolsv.exe.
On applying the filter, we can also see the spoolsv.exe process accessing the "HKCU\Printers\Connections\,,PAUL-XP,Microsoft XPS Document Writer" registry key. This means that there is a connection to the printer "Microsoft XPS Document Writer" on the host PAUL-XP. It can be verified by opening the printer's location in the Control Panel.
Regarding email spoofing, enquiries from the Human Resources department indicated scams in the form of phishing, whereby the department suffered an email attack impersonating the CEO, requesting that a copy of the "Swordfish" program be sent to him in Word format, after copying the message to the manager as well. This can be categorized as whaling.
2. Report Findings
After researching the websites accessed by the suspect using Wireshark, the payload of the data showed that the suspect had visited a number of competitor websites in the recent time period. This not only raises suspicion but also makes the suspect's intent clearer. It is illustrated by the IP addresses in the live capture stored on the server, which indicate that the particular traffic emanated from the suspect's computer.
Investigations into the kind of media accessed by the suspect were traced via TCP on the file server; this indicated traces of confidential files uploaded onto the client's computer that had later been deleted. For instance, a file containing the names and basic information of the team put together to develop the "Swordfish" program, as well as various employee email address information, was downloaded from the client computer.
This kind of data is particularly useful in email spoofing. Email spoofing is the creation of email messages with a forged sender address for the purpose of bluffing the recipient into providing money or sensitive information.
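The whaling message described above can be recognised from its headers before anyone acts on it. The following is an added example, not part of the report: it checks a raw message for a display name that matches an executive but a different address, a lookalike sender domain, Reply-To and Return-Path domains that differ from the From domain, and an urgent subject naming the project. The corporate domain topgear.org is assumed from the report's ftp.Topgear.org, and the executive name, mailboxes, external domains and both sample messages are constructed.

```python
from email import message_from_bytes
from email.utils import parseaddr

INTERNAL_DOMAIN = "topgear.org"   # assumed corporate mail domain
# Constructed map of executive display names to their genuine mailboxes.
EXECUTIVES = {"Mark Ellis": "mark.ellis@topgear.org"}
URGENCY_WORDS = ("urgent", "immediately", "asap", "today")
SENSITIVE_KEYWORDS = ("swordfish",)

# Constructed message modelled on the whaling attempt the report describes:
# the display name says CEO, every other header points somewhere else.
SUSPICIOUS_MESSAGE = b"""\
Return-Path: <bounce@webmail-free.example>
Received: from mx.webmail-free.example (mx.webmail-free.example [198.51.100.23])
    by mail.topgear.org with ESMTP; Tue, 13 Jun 2023 11:02:15 +0000
From: "Mark Ellis" <mark.ellis@topgear-corp.example>
Reply-To: mms@webmail-free.example
To: hr@topgear.org
Cc: manager@topgear.org
Subject: Urgent - send me the Swordfish program in Word format
Content-Type: text/plain; charset="utf-8"

Please send me a copy of the Swordfish program as a Word document today.
"""

# Constructed benign message from the same executive for comparison.
LEGITIMATE_MESSAGE = b"""\
Return-Path: <mark.ellis@topgear.org>
From: "Mark Ellis" <mark.ellis@topgear.org>
To: hr@topgear.org
Subject: Quarterly review schedule
Content-Type: text/plain; charset="utf-8"

The review meetings are booked for next week.
"""


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def analyze_message(raw, executives=EXECUTIVES, internal=INTERNAL_DOMAIN):
    """Return a list of human-readable findings; an empty list means no header
    inconsistency was seen."""
    msg = message_from_bytes(raw)
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    # 1. display name claims to be an executive, address is not their mailbox
    for exec_name, mailbox in executives.items():
        if name.strip().lower() == exec_name.lower() and from_addr.lower() != mailbox:
            findings.append(f"display name '{name}' matches an executive but address is {from_addr}")
    # 2. sender domain is external yet contains the company name (lookalike)
    if from_dom != internal and internal.split(".")[0] in from_dom:
        findings.append(f"lookalike sender domain {from_dom}")
    # 3. replies would go to a different domain than the apparent sender
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {from_dom}")
    # 4. envelope sender (Return-Path) disagrees with the From header
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    if return_path and _domain(return_path) != from_dom:
        findings.append(f"Return-Path domain {_domain(return_path)} differs from From domain {from_dom}")
    # 5. urgency plus a request about the sensitive project
    subject = msg.get("Subject", "").lower()
    if any(w in subject for w in URGENCY_WORDS) and any(k in subject for k in SENSITIVE_KEYWORDS):
        findings.append("urgent request naming sensitive project material")
    return findings


def is_suspected_whaling(raw):
    """Two or more independent findings are treated as a whaling candidate."""
    return len(analyze_message(raw)) >= 2


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, is_suspected_whaling(raw), analyze_message(raw))
```

These are header-consistency heuristics, not authentication; in production they sit behind SPF, DKIM and DMARC results, and the two-finding threshold is a starting point to tune against the organisation's own mail.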
The suspect also tried to access training videos, which were luckily archived and encrypted; this was done suspiciously, with intent to gain access to videos on the product.
An FTP (File Transfer Protocol) server by default stores log files; these log files provide a record of anything that happens on the FTP server during a session.
According to the log file excerpt obtained from the FTP server, the client accessed the server a number of times; for instance, the client sends a command to the server requesting access to all filenames with the tag "Swordfish", obviously with intent to obtain information on the intellectual property. There are several commands that a client can send to an FTP server to find out information, switch directories or request files. In the sample log the client's main aim was information regarding the Swordfish project. (Smith, Greenbaum, Douglas, Long & Gerstein, 2005)
It was, however, not possible to determine the full extent of the information requested by the client, since all the other affected servers had their log files deleted.
The log file accessed at the Engineering Department shows traces of IP addresses that emanated from outside the network. Such IP addresses raised suspicion as to how such sessions on the FTP server were authenticated. On further investigation the presence of third-party applications on the suspect's computer was noticed; although it could not be established how the apps might have been used, this was a breach of the security measures in the institution's policy.
o Evidence as to whether it could have been an inside job or a team including outsiders indicates the presence of, or aid from, a team of hackers as well, because:
1. There were reports of loss of bandwidth, especially during midday and early evening; as a result, normal functions that need an Internet connection slowed down significantly.
2. Strange requests were recorded on the server: along similar lines, users all of a sudden started receiving requests from strange programs asking for permission to access the network. This is almost always proof that the server has been hacked.
3. File sizes, especially the mail queue, had increased, which again provides clear proof that there was a spamming attack on the network. This was recorded on the mail server at the Engineering Department.
4. Files were lost and some all of a sudden became encrypted. Files cannot be encrypted by anyone who does not have authentication from the server. As a result, files that appear encrypted are a clear indication that the network is compromised. This, as well as edited information on files such as dates, user IDs or inventory trackers, was easily recognized as inaccurate.
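Indicator 4, files that have suddenly become encrypted, can be checked mechanically rather than by eye: encrypted data is close to uniformly random, so its Shannon entropy sits near the 8 bits-per-byte ceiling, while documents and drawings sit well below it. The following is an added example, not part of the report: an entropy scanner over a directory tree, with a constructed sample tree (a text file, a zero-filled file, and random bytes standing in for an encrypted file) and an assumed 7.5-bit threshold.

```python
import math
import os
import tempfile


def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for a constant file, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data, threshold=7.5, min_size=256):
    """Very small files give noisy entropy estimates, so they are never flagged."""
    return len(data) >= min_size and shannon_entropy(data) >= threshold


def scan_directory(root, threshold=7.5):
    """Walk root and return the relative paths whose first 64 KiB looks encrypted."""
    flagged = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(65536)
            if looks_encrypted(head, threshold):
                flagged.append(os.path.relpath(path, root))
    return sorted(flagged)


def build_sample_tree():
    """Constructed sample: a plain-text note, a zero-filled block and a file of
    random bytes standing in for a file an attacker has encrypted."""
    root = tempfile.mkdtemp(prefix="entropy_demo_")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("Swordfish schematic notes, revision 3.\n" * 40)
    with open(os.path.join(root, "empty_block.bin"), "wb") as f:
        f.write(b"\x00" * 4096)
    with open(os.path.join(root, "schematic.dwg.locked"), "wb") as f:
        f.write(os.urandom(4096))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for name in sorted(os.listdir(sample_root)):
        with open(os.path.join(sample_root, name), "rb") as f:
            print(f"{name}: {shannon_entropy(f.read()):.2f} bits/byte")
    print("flagged:", scan_directory(sample_root))
```

Compressed formats (zip, docx, jpeg, mp4) are also high-entropy, so in practice the scanner is paired with a magic-byte check and a baseline of what the share normally holds; a burst of high-entropy files whose headers no longer match their extensions is the signal, not any single file.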
From the suspect's computer it was discovered that there were two email addresses, by the names joe@yahooo and mms@rockejtmail, that the client communicated with during the incident time period, which again confirms the suspicion of an organized syndicate of hackers for the job.
Conclusions and Recommendations
The investigation finds significant evidence, all indicating involvement by the suspect as well as aid from a team of outsiders; this can be used to take further legal action or such necessary measures as may be outlined by management.
Various recommendations regarding security policies, however, need to be implemented with haste. These include, but are not limited to:
o Authentication should be two-factor authentication for users to gain access.
o Consider adding time and location of access as additional authentication factors.
o Deploy all updates from vendors to your software immediately.
o Follow appropriate change control procedures every time configurations are changed or updated.
o Initiate behaviourally driven training and metrics to measure the results of your awareness programs.
o Create comprehensive access governance policies to ensure users have the minimum degree of necessary access.
References
1. Use FTP to transfer files (n.d.). Retrieved from https://kb.iu.edu/d/aerg
2. Smith, A., Greenbaum, D., Douglas, S., Long, M., & Gerstein, M. (2005). Genome Biology, 6(9), 119. http://dx.doi.org/10.1186/gb-2005-6-9-119