In the previous class, you set up your SOC and monitored attacks from JobeCorp. Now, you will need to design mitigation strategies to protect VSI from future attacks.
You are tasked with using your findings from the Master of SOC activity to answer questions about mitigation strategies.
You will be using the Splunk app located in the Ubuntu VM.
Use the same log files you used during the Master of SOC activity:
Note: This is a public-facing windows server that VSI employees access.
- Several users were impacted during the attack on March 25th.
- Based on the attack signatures, what mitigations would you recommend to protect each user account? Provide global mitigations that the whole company can use and individual mitigations that are specific to each user.
- VSI has insider information that JobeCorp attempted to target users by sending "Bad Logins" to lock out every user.
- What sort of mitigation could you use to protect against this?
- Based on the geographic map, recommend a firewall rule that the networking team should implement.
- Provide a "plain english" description of the rule.
- For example: "Block all incoming HTTP traffic where the source IP comes from the city of Los Angeles."
- Provide a screen shot of the geographic map that justifies why you created this rule.
-
VSI has insider information that JobeCorp will launch the same webserver attack but use a different IP each time in order to avoid being stopped by the rule you just created.
-
What other rules can you create to protect VSI from attacks against your webserver?
- Conceive of two more rules in "plain english".
- Hint: Look for other fields that indicate the attacker.
In a word document, provide the following:
- Answers for all questions.
- Screenshots where indicated
Submit your findings in BootCampSpot!
© 2020 Trilogy Education Services, a 2U, Inc. brand. All Rights Reserved.