Using Log Data to Identify Indicators of Compromise Log data offer clues about a
ID: 3573368 • Letter: U
Question
Using Log Data to Identify Indicators of Compromise Log data offer clues about activities that have unexpected—and possibly harmful—consequences. The following parsed and normalized firewall log entries indicate a possible malware infection and data exfiltration. The entries show a workstation making connections to Internet address 93.177.168.141 and receiving and sending data over TCP port 16115.
id=firewall sn=xxxxxxxxxxxx time=”2013-04-02 11:53:12 UTC” fw=255.255.255.1 pri=6 c=262144 m=98 msg=”Connection Opened” n=404916 src=10.1.1.1 (workstation) :49427:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115 id=firewall sn=xxxxxxxxxxxx time=”2013-04-02 11:53:29 UTC” fw=255.255.255.1 pri=6 c=1024 m=537 msg=”Connection Closed” n=539640 src=10.1.1.1 (workstation) :49427:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115 sent=735 rcvd=442 id=firewall sn=xxxxxxxxxxxx time=”2013-04-02 11:53:42 UTC” fw=255.255.255.1 pri=6 c=262144 m=98 msg=”Connection Opened” n=404949 src=10.1.1.1 (workstation) :49430:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115 id=firewall sn=xxxxxxxxxxxx time=”2013-04-02 11:54:30 UTC” fw=255.255.255.1 pri=6 c=1024 m=537 msg=”Connection Closed” n=539720 src=10.1.1.1 (workstation) :49430:X0 dst=93.177.168.141 :16115:X1 proto=tcp/16115 sent=9925 rcvd=639
1. Describe what is happening.
2. Is the log information useful? Why or why not?
3. Research the destination IP address (dst) and the protocol/port (proto) used for communication.
4. Can you find any information that substantiates a malware infection and data exfiltration?
5. What would you recommend as next steps?
Explanation / Answer
1. Here affected Source computer is 10.1.1.1 and port number is 49430 which is a private port.
2. Destination IP address 93.177.168.141 belongs to Tbilisi,Georgia and owner of this IP is Caucasus Online LLC, One of the largest internet service provider of georgia.