CSI3351A2 AssignmentBrief1
CSI3351

Laboratory Exercises

Contents
Details 1
Background 1
Task 1
Report Structure 2
Additional Task Information 2
Assignment Submission 2
Marking Key 3

Details
Title: BOTSv3 Blue Team Member Analysis

Value: 40% of the final mark for the unit

Length: max. 15 A4 pages

Background
The Boss of the SOC (BOTS) dataset series is a popular set of datasets for security professionals,
containing authentic, realistic network events and incidents. They are self-paced, hands-on blue team
exercises. The third version of the dataset (BOTSv3) includes a cloud scenario illustrating the
security issues organisations typically encounter when moving workloads to cloud platforms such as
Amazon Web Services (AWS) and Microsoft Azure, along with a challenging APT scenario. You can focus on
either scenario or on both.

Task
As part of workshop module 2, we investigated the APT scenario from the first version of the Boss of
the SOC dataset (BOTSv1) using Splunk. In this assignment, you have to investigate the scenarios
captured in the third version of the dataset (BOTSv3) without prior knowledge of the case. You have
to describe the case in plain English, along with its technical details, visualise the attack series
using the MITRE ATT&CK framework and the Lockheed Martin Cyber Kill Chain, and create a timeline of
the critical events.

One option is to base your report on your understanding of the case as built up through your
investigative actions while attempting to answer (some of) the associated CTF questions. These
questions give you good directions for starting your work and for approaching the investigation.
Report Structure
• Cover Page: unit code and title, assignment title, your name, student number, campus,
tutor’s name
• Table of Contents: an accurate reflection of the content within the document, generated
automatically.
• Summary (explanation of the case in plain English): overview of the report. How did you
approach the investigation? What did you do?
• Technical Details: how can the scenarios you identified be characterised? What did you
find?
• Running Sheet: the Splunk commands executed during your investigation, with timestamps
and explanations, in chronological order (the investigation has to be repeatable).
• Timeline of Events: the events, in chronological order with timestamps, representing the actions
that make up the attack series described. Filter out unimportant events and include only the
security incidents that need to be highlighted (those required to understand the case). A
visual representation is welcome.
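The running sheet and the timeline are two views of the same evidence: every timeline entry should be traceable to a search recorded in the running sheet, and every entry should carry the ATT&CK tactic and kill chain phase used in the visualisation. The following Python script is an added example of one way to keep both consistent while you work; it is not part of the assignment brief or of the BOTSv3 materials. The SPL strings, timestamps and events in it are constructed placeholders (the `index=botsv3` name is the usual index for the public dataset, everything else is illustrative), not findings from the dataset.

```python
"""Running sheet and timeline builder for a BOTSv3-style Splunk investigation.

Added example, not part of the assignment brief. All searches, times and
events below are constructed placeholders, not BOTSv3 findings.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Lockheed Martin Cyber Kill Chain phases, in order.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

# MITRE ATT&CK Enterprise tactics, in matrix order.
ATTACK_TACTICS = ["Reconnaissance", "Resource Development", "Initial Access",
                  "Execution", "Persistence", "Privilege Escalation",
                  "Defense Evasion", "Credential Access", "Discovery",
                  "Lateral Movement", "Collection", "Command and Control",
                  "Exfiltration", "Impact"]


@dataclass
class SearchRun:
    """One running-sheet entry: the SPL run, when, what it showed, and whether it helped."""
    ran_at: datetime
    spl: str
    note: str
    successful: bool = True   # dead ends are recorded too, as the brief requires


@dataclass
class Event:
    """One timeline entry: a critical event with its ATT&CK tactic and kill chain phase."""
    when: datetime            # event time from the data, not the time you ran the search
    description: str
    tactic: str
    phase: str
    evidence: str             # the SPL from the running sheet that surfaced it


class Investigation:
    """Accumulates running-sheet entries and timeline events and keeps them linked."""

    def __init__(self) -> None:
        self.runs: List[SearchRun] = []
        self.events: List[Event] = []

    def record_search(self, ran_at: datetime, spl: str, note: str,
                      successful: bool = True) -> SearchRun:
        run = SearchRun(ran_at, spl, note, successful)
        self.runs.append(run)
        return run

    def add_event(self, when: datetime, description: str, tactic: str,
                  phase: str, evidence: SearchRun) -> Event:
        # Reject labels outside the two frameworks so the visualisation stays consistent.
        if tactic not in ATTACK_TACTICS:
            raise ValueError(f"unknown ATT&CK tactic: {tactic!r}")
        if phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill chain phase: {phase!r}")
        if evidence not in self.runs:
            raise ValueError("evidence must be a search recorded in the running sheet")
        ev = Event(when, description, tactic, phase, evidence.spl)
        self.events.append(ev)
        return ev

    def running_sheet(self) -> List[SearchRun]:
        """Searches in the order they were run (what a marker replays)."""
        return sorted(self.runs, key=lambda r: r.ran_at)

    def timeline(self) -> List[Event]:
        """Critical events in the order they happened in the data."""
        return sorted(self.events, key=lambda e: e.when)

    def phases_missing(self) -> List[str]:
        """Kill chain phases with no supporting event: gaps to investigate or explain."""
        seen = {e.phase for e in self.events}
        return [p for p in KILL_CHAIN if p not in seen]

    def render_timeline(self) -> str:
        """Timeline as a table that can be pasted into the report."""
        rows = ["| Time (UTC) | Event | ATT&CK tactic | Kill chain phase | Evidence (SPL) |",
                "|---|---|---|---|---|"]
        for e in self.timeline():
            rows.append(f"| {e.when:%Y-%m-%d %H:%M:%S} | {e.description} | {e.tactic} "
                        f"| {e.phase} | `{e.evidence}` |")
        return "\n".join(rows)


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def build_sample_investigation() -> Investigation:
    """Constructed placeholder data showing the format; not BOTSv3 findings."""
    inv = Investigation()
    s1 = inv.record_search(_utc("2024-03-01T10:05:00"),
                           "index=botsv3 sourcetype=aws:cloudtrail | stats count by eventName",
                           "Orientation: which CloudTrail API calls are present.")
    s2 = inv.record_search(_utc("2024-03-01T10:20:00"),
                           "index=botsv3 sourcetype=aws:cloudtrail eventName=DeleteBucket",
                           "Checked for bucket deletion; nothing found (dead end).", successful=False)
    s3 = inv.record_search(_utc("2024-03-01T10:40:00"),
                           "index=botsv3 sourcetype=aws:cloudtrail eventName=CreateAccessKey",
                           "Found a new access key created for an existing IAM user.")
    # Events added out of order on purpose; timeline() sorts them by event time.
    inv.add_event(_utc("2023-05-01T14:30:00"), "Placeholder: new IAM access key created",
                  "Persistence", "Installation", s3)
    inv.add_event(_utc("2023-05-01T14:05:00"), "Placeholder: console login from unusual IP",
                  "Initial Access", "Exploitation", s1)
    inv.add_event(_utc("2023-05-01T15:10:00"), "Placeholder: bulk S3 object download",
                  "Exfiltration", "Actions on Objectives", s1)
    return inv


if __name__ == "__main__":
    inv = build_sample_investigation()
    print(inv.render_timeline())
    print("Kill chain phases without evidence:", inv.phases_missing())
```

The `phases_missing` check is the useful part when writing up: a phase with no event either needs another search (and another running-sheet line, successful or not) or a sentence in the Technical Details explaining why the data does not cover it.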

Additional Task Information

• Start early and plan ahead; you may need to spend considerable time experimenting in
Splunk for this exercise. If a command or approach failed to produce a useful result,
you should still document it in your running sheet.
• Each report will be unique and presented in its own way.
• Scrutinise the marking key, and ask any questions you may have early!
• Focus on the important events of this complex case and do not get lost in the details.
• This task is not just about revealing what happened in the described case. Your approach to
identifying crucial events and actual incidents, as reflected in your running sheet, is just as
important.

Assignment Submission
The submission must be a single Microsoft Word document, submitted through Blackboard. You do not
need an ECU assignment cover sheet. Do not submit more than one document; additional documents will
not be assessed.
Marking Key
