What You'll Learn
- Independently investigate a network intrusion scenario with minimal guidance
- Identify all attack phases from network detection data using EveBox and tshark
- Extract Indicators of Compromise (IOCs) from alert metadata and packet data
- Build a complete attack timeline from initial reconnaissance through data exfiltration
- Write a professional Network Forensics Analyst Report suitable for incident response handoff
Lab Overview
| Detail | Value |
|---|---|
| Lab Profile | lab-suricata |
| Containers | Suricata, EveBox, ttyd (browser terminal for tshark) |
| Estimated Time | 75–90 minutes |
| Difficulty | Advanced |
| Browser Access | EveBox (Web UI) + ttyd (terminal) |
| Pre-Loaded Data | Full Operation Wire Tap dataset — 49 alert groups, 47 signatures, associated PCAPs |
| Deliverable | A complete Network Forensics Analyst Report with IOCs, timeline, and recommendations |
Challenge Lab — Minimal Guidance. This lab provides the scenario and the expected deliverables but does NOT walk you through step-by-step. You must apply the skills from Labs 3.1–3.5 independently. If you get stuck, review the techniques from previous labs, but try to work through the investigation on your own first. This is how real SOC analysis works.
The Scenario
INCIDENT REPORT — INITIAL NOTIFICATION
TO: SOC Analysis Team
FROM: Security Operations Manager
SUBJECT: Network Intrusion Investigation — "Operation Wire Tap"
PRIORITY: HIGH
DATE: [today's date]
Our external threat intelligence partner has flagged suspicious network activity
originating from our IP address range. They report:
1. Outbound connections to a known C2 IP address (flagged in multiple threat feeds)
2. DNS queries matching a known DNS tunneling pattern
3. Evidence of data exfiltration through encoded channels
We have Suricata IDS alerts and packet captures from the timeframe in question.
Your assignment is to:
(a) Determine the full scope of the intrusion
(b) Identify all compromised systems
(c) Extract all Indicators of Compromise
(d) Build a complete attack timeline
(e) Provide actionable recommendations
You have full access to EveBox (network alerts) and tshark (packet analysis).
Deliver your findings as a formal Network Forensics Analyst Report.
—Security Operations Manager
Investigation Guidance
No step-by-step instructions are provided. Use the following investigation framework to structure your approach. The techniques you need are covered in Labs 3.1 through 3.5.
Phase 1: Initial Assessment
Begin by understanding the scope of the incident:
- How many alert groups are present?
- What is the severity distribution?
- What is the time window of activity?
- How many unique source and destination IPs are involved?
Phase 2: Alert Triage
Classify all alert groups. Focus on identifying:
- Which alerts represent genuine attack activity (True Positives)?
- Which are noise that can be safely deprioritized?
- Which alerts form connected chains from the same attacker?
Phase 3: Attack Chain Reconstruction
Map the True Positive alerts to attack phases:
- Reconnaissance: What scanning and probing occurred?
- Initial Access: How did the attacker gain their first foothold?
- Execution: What commands or payloads were executed?
- Persistence: How did the attacker maintain access?
- Command & Control: What C2 channels were established?
- Lateral Movement: Did the attacker move to other systems?
- Exfiltration: Was data stolen? Through what channel?
Phase 4: Deep Packet Analysis
Use tshark to examine key traffic flows:
- Extract payloads from exploitation attempts
- Analyze C2 beacon timing and content
- Examine DNS tunneling queries and responses
- Identify any additional activity not captured by Suricata rules
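As an added illustration of Phase 4 (not part of the lab materials), the script below applies two behavioural checks to `tshark -T fields` output: near-constant inter-packet gaps between one host pair (beacon timing) and many distinct, long, hex-only leading labels under a single parent domain (a tunnelling query pattern). The sample rows, addresses and domain names are constructed for the example; feed real output from `tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst -e dns.qry.name` to `parse()` instead.

```python
import statistics
from collections import defaultdict

# Constructed sample shaped like `tshark -T fields` output (tab-separated):
#   frame.time_epoch  ip.src  ip.dst  dns.qry.name (empty for non-DNS packets)
SAMPLE = """\
1700000000.01\t10.0.0.7\t203.0.113.5\t
1700000060.02\t10.0.0.7\t203.0.113.5\t
1700000119.98\t10.0.0.7\t203.0.113.5\t
1700000180.05\t10.0.0.7\t203.0.113.5\t
1700000005.00\t10.0.0.7\t10.0.0.53\t4a6f686e2053616d706c65.tun.example
1700000006.00\t10.0.0.7\t10.0.0.53\t7365637265742064617461.tun.example
1700000007.00\t10.0.0.7\t10.0.0.53\t6d6f72652064617461203132.tun.example
1700000008.00\t10.0.0.7\t10.0.0.53\twww.example.com
1700000010.00\t10.0.0.9\t198.51.100.8\t
1700000300.00\t10.0.0.9\t198.51.100.8\t
"""

def parse(text):
    """Split tshark field lines into (epoch, src, dst, qname) tuples."""
    return [(float(t), s, d, q) for t, s, d, q in
            (line.split("\t") for line in text.splitlines())]

def beacon_candidates(rows, min_packets=4, max_cv=0.1):
    """(src, dst, mean_gap) for non-DNS pairs whose gaps are near-constant.
    cv = stdev/mean of the gaps; a low cv is the behavioural C2 indicator."""
    by_pair = defaultdict(list)
    for t, src, dst, qname in rows:
        if not qname:
            by_pair[(src, dst)].append(t)
    found = []
    for (src, dst), times in by_pair.items():
        times.sort()
        if len(times) < min_packets:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean and statistics.pstdev(gaps) / mean <= max_cv:
            found.append((src, dst, round(mean, 1)))
    return found

def tunnel_candidates(rows, min_label=16, min_unique=3):
    """Parent domains receiving many distinct long hex-only leading labels."""
    labels = defaultdict(set)
    for _, _, _, qname in rows:
        if "." in qname:
            first, parent = qname.split(".", 1)
            if len(first) >= min_label and set(first) <= set("0123456789abcdef"):
                labels[parent].add(first)
    return sorted(p for p, s in labels.items() if len(s) >= min_unique)
```

Both thresholds (`max_cv`, `min_label`, `min_unique`) are starting points to tune against the capture; a pair that passes the beacon check is a lead to confirm in the packet payloads, not a verdict.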
Phase 5: IOC Extraction
Compile all Indicators of Compromise:
- IP addresses (attacker infrastructure)
- Domain names (C2 and tunneling domains)
- File hashes (if extractable from packet data)
- Signatures/patterns (unique strings, user-agents, encoding methods)
- Behavioral indicators (beacon intervals, packet sizes, query patterns)
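Added example for Phase 5 (not from the lab or from EveBox itself): building the section 3 timeline rows and the section 5 IOC table straight from Suricata EVE JSON alert records, the same data EveBox displays. The records, SIDs, addresses and the category-to-phase mapping are constructed assumptions for the example; point `load_alerts()` at the contents of the real eve.json to use it.

```python
import json
from datetime import datetime
# Constructed EVE JSON alert records, one per line as Suricata writes eve.json;
# the SIDs, addresses and domain names are made up for this example.
SAMPLE_EVE = "\n".join(json.dumps(r) for r in [
    {"timestamp": "2024-01-15T09:12:03.000000+0000", "event_type": "alert",
     "src_ip": "198.51.100.77", "dest_ip": "10.0.0.20", "dest_port": 80,
     "alert": {"signature_id": 9000001, "signature": "LAB SQL Injection Attempt",
               "severity": 1, "category": "Web Application Attack"},
     "http": {"hostname": "10.0.0.20", "http_user_agent": "sqlmap/1.7"}},
    {"timestamp": "2024-01-15T09:01:44.000000+0000", "event_type": "alert",
     "src_ip": "198.51.100.77", "dest_ip": "10.0.0.20", "dest_port": 22,
     "alert": {"signature_id": 9000002, "signature": "LAB Port Scan",
               "severity": 2, "category": "Attempted Information Leak"}},
    {"timestamp": "2024-01-15T09:30:10.000000+0000", "event_type": "alert",
     "src_ip": "10.0.0.20", "dest_ip": "10.0.0.53", "dest_port": 53,
     "alert": {"signature_id": 9000003, "signature": "LAB DNS Tunneling Query",
               "severity": 1, "category": "Malware Command and Control Activity"},
     "dns": {"query": [{"rrname": "616263.tun.example", "rrtype": "TXT"}]}},
])

# Suricata alert category -> attack phase column used in report section 3 (assumed mapping)
CATEGORY_PHASE = {"Attempted Information Leak": "Reconnaissance",
                  "Web Application Attack": "Initial Access",
                  "Malware Command and Control Activity": "Command & Control"}

def load_alerts(text):
    return [r for r in map(json.loads, text.splitlines()) if r.get("event_type") == "alert"]

def timeline(alerts):
    """Chronological (HH:MM:SS, phase, evidence, description) rows; EVE timestamps sort as text."""
    rows = []
    for a in sorted(alerts, key=lambda r: r["timestamp"]):
        hhmmss = datetime.strptime(a["timestamp"][:19], "%Y-%m-%dT%H:%M:%S").strftime("%H:%M:%S")
        rows.append((hhmmss, CATEGORY_PHASE.get(a["alert"]["category"], "Unclassified"),
                     f"EveBox SID:{a['alert']['signature_id']}",
                     f"{a['src_ip']} -> {a['dest_ip']}:{a['dest_port']} {a['alert']['signature']}"))
    return rows

def extract_iocs(alerts, internal_prefix="10."):
    """Typed IOCs for section 5: external IPs, queried parent domains, HTTP user-agents."""
    iocs = set()
    for a in alerts:
        for ip in (a["src_ip"], a["dest_ip"]):
            if not ip.startswith(internal_prefix):   # keep attacker infrastructure only
                iocs.add(("IP Address", ip))
        for q in a.get("dns", {}).get("query", []):  # drop the encoded leading label
            iocs.add(("Domain", q["rrname"].split(".", 1)[1]))
        if "http_user_agent" in a.get("http", {}):
            iocs.add(("User-Agent", a["http"]["http_user_agent"]))
    return sorted(iocs)
```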
Phase 6: Report Writing
Compile your findings into the formal report structure defined in the deliverable section below.
Report Template
Your Network Forensics Analyst Report must include all sections below. The template provides structure but YOU must fill in the evidence, analysis, and conclusions.
════════════════════════════════════════════════════════════
NETWORK FORENSICS ANALYST REPORT
Operation Wire Tap — Incident Investigation
════════════════════════════════════════════════════════════
METADATA
────────
Report Date: [date]
Analyst: [your name]
Classification: CONFIDENTIAL
Case ID: OWT-[date]-001
Tools Used: EveBox, tshark (Wireshark CLI)
Data Sources: Suricata IDS alerts, network packet captures
1. EXECUTIVE SUMMARY
─────────────────────
[3-5 sentences summarizing: what happened, how severe it is,
what systems are affected, and what immediate actions are needed.
Write this LAST after completing the full investigation.]
2. SCOPE & METHODOLOGY
───────────────────────
Investigation Period: [start time] to [end time]
Data Analyzed: [number] alert groups, [number] unique signatures
Methodology:
- Alert triage and classification (TP/FP/INFO)
- Attack chain mapping to MITRE ATT&CK phases
- Deep packet analysis of key traffic flows
- IOC extraction and cross-referencing
3. FINDINGS — ATTACK TIMELINE
──────────────────────────────
[Chronological list of all attack events with timestamps,
evidence source, and description. Include both alert-level
and packet-level evidence.]
TIME | PHASE | EVIDENCE | DESCRIPTION
───────────|─────────────────|─────────────────|───────────────
[HH:MM:SS] | Reconnaissance | EveBox SID:xxx | [description]
[HH:MM:SS] | Initial Access | EveBox + PCAP | [description]
... | ... | ... | ...
4. FINDINGS — COMPROMISED SYSTEMS
──────────────────────────────────
[List each compromised system with: hostname/IP, how it was
compromised, what the attacker did on it, and current risk level.]
System: [hostname / IP]
Compromise Method: [how the attacker gained access]
Attacker Activity: [what was done on this system]
Current Risk: [CRITICAL / HIGH / MEDIUM]
Evidence: [specific alerts or packets]
5. INDICATORS OF COMPROMISE (IOCs)
───────────────────────────────────
[Complete IOC table for sharing with other security teams
and threat intelligence platforms.]
TYPE | INDICATOR | CONTEXT
──────────────|──────────────────────────────|────────────────
IP Address | [x.x.x.x] | [C2 server / scanner / etc.]
Domain | [domain.tld] | [tunneling / C2 / staging]
User-Agent | [string] | [attack tool signature]
Pattern | [beacon interval / size] | [C2 behavioral indicator]
DNS Pattern | [query pattern] | [tunneling encoding method]
6. MITRE ATT&CK MAPPING
────────────────────────
[Map each attack phase to MITRE ATT&CK techniques.]
TACTIC            | TECHNIQUE                                 | EVIDENCE
──────────────────|───────────────────────────────────────────|──────────────────
Reconnaissance    | T1046 Network Scanning                    | [your evidence]
Initial Access    | T1190 Exploit Public-Facing Application   | [your evidence]
Execution         | T1059 Command Line                        | [your evidence]
...               | ...                                       | ...
7. VISIBILITY GAPS
──────────────────
[What attack activities were NOT detected by Suricata?
What additional data sources would improve detection?]
8. RECOMMENDATIONS
──────────────────
IMMEDIATE (within 24 hours):
1. [action]
2. [action]
SHORT-TERM (within 1 week):
1. [action]
2. [action]
LONG-TERM (within 1 month):
1. [action]
2. [action]
9. APPENDICES
─────────────
A. Full Alert Classification Sheet
B. Raw tshark Command Outputs
C. IOC Export (CSV format)
Evaluation Criteria
Your report will be evaluated on:
| Criterion | Weight | Description |
|---|---|---|
| Completeness | 25% | All attack phases identified, no major gaps |
| Accuracy | 25% | Correct classification of alerts, proper IOC extraction |
| Timeline Quality | 20% | Chronological ordering, timestamps, evidence sourcing |
| IOC Extraction | 15% | Complete, properly categorized, actionable IOCs |
| Report Quality | 15% | Professional format, clear writing, actionable recommendations |
Hints (Use Only If Stuck)
Hint 1 — Getting Started. If you do not know where to begin, start with the EveBox inbox. Sort by severity. The severity 1 alerts are your highest-priority investigation targets. Work outward from there.
Hint 2 — Building the Timeline. If your timeline feels incomplete, make sure you have checked: (a) scanning/recon alerts, (b) web application attacks, (c) DNS anomalies, (d) C2 beacon traffic, (e) internal lateral movement alerts. Each of these represents a different attack phase.
Hint 3 — IOC Extraction. For each True Positive alert, extract: the source IP, destination IP, any domain names, any specific strings or patterns in the payload. These are your IOCs. Do not forget behavioral IOCs like beacon timing intervals.
Deliverable Checklist
Before completing the lab, ensure your report includes:
- Executive Summary — 3-5 sentences covering scope, severity, and immediate actions
- Complete Attack Timeline — all phases with timestamps, evidence sources, and descriptions
- Compromised Systems List — each system with compromise method, activity, and risk level
- IOC Table — at least 8 IOCs across multiple types (IPs, domains, patterns, behaviors)
- MITRE ATT&CK Mapping — at least 5 techniques mapped with evidence
- Visibility Gap Analysis — what was missed and what would improve detection
- Recommendations — categorized by urgency (immediate, short-term, long-term)
Key Takeaways
- Real incident investigation requires combining multiple skills: triage, rule reading, DNS analysis, packet inspection, and report writing
- A professional forensics report transforms raw technical data into actionable intelligence for decision-makers
- IOC extraction and sharing enables other teams and organizations to detect the same threat actor
- MITRE ATT&CK mapping provides a standardized framework for communicating attack techniques
- The quality of your investigation is measured not just by what you found, but by how clearly you communicate it
What's Next
Congratulations on completing the Network Detection module. You have progressed from basic alert triage to full network forensics investigation. In the next module, you will shift focus to Threat Intelligence & IOC Management using MISP — learning how to collect, structure, and share the IOCs you have been extracting throughout these labs.
Lab Challenge: Network Forensics Challenge
10 questions · 70% to pass
You are assigned an incident investigation with minimal guidance. What should be your FIRST action when starting the investigation?
During your investigation, you find 5 True Positive alerts from the same source IP spanning reconnaissance, exploitation, and C2 phases. How should this be reported?
Your IOC table includes IP addresses, domains, and a user-agent string. What critical IOC type is missing that you should also extract?
You map the SQL injection attack to MITRE ATT&CK technique T1190 (Exploit Public-Facing Application). Under which tactic does this fall?
In your visibility gap analysis, you note that Suricata detected the C2 beacon but NOT the initial phishing email that started the attack. What type of gap is this?
Your recommendations section needs to include immediate, short-term, and long-term actions. Which action is appropriately categorized as 'immediate (within 24 hours)'?
When writing the executive summary, which approach is most appropriate for a professional forensics report?
During your investigation, you find an alert that you cannot confidently classify as TP or FP. What is the professional approach?
Your report identifies 12 IOCs. Before sharing them with external threat intelligence partners, what should you verify?
After completing your investigation and report, what is the most valuable follow-up action for your own professional development?