To help learners identify, analyze, and interpret network log data to detect indicators of compromise (IoCs), unauthorized access, or policy violations.
You are a cybersecurity analyst for an organization that recently noticed unusual network slowdowns. You have been asked to review a set of sample network logs to determine whether any suspicious activity is occurring.
| Timestamp (UTC) | Source IP | Destination IP | Port | Protocol | Action | Bytes Sent | Bytes Received | Notes |
|---|---|---|---|---|---|---|---|---|
| 2025-10-08 09:00:15 | 10.0.0.25 | 192.168.1.15 | 443 | TCP | ALLOW | 250 | 980 | Normal HTTPS traffic |
| 2025-10-08 09:02:48 | 10.0.0.25 | 202.54.1.100 | 22 | TCP | ALLOW | 1500 | 60 | SSH connection initiated |
| 2025-10-08 09:03:02 | 10.0.0.25 | 202.54.1.100 | 22 | TCP | ALLOW | 1800 | 75 | Multiple login attempts |
| 2025-10-08 09:03:40 | 10.0.0.25 | 203.0.113.55 | 3389 | TCP | BLOCK | 200 | 0 | Unauthorized RDP attempt |
| 2025-10-08 09:04:05 | 10.0.0.60 | 10.0.0.25 | 445 | TCP | ALLOW | 350 | 240 | SMB file share |
| 2025-10-08 09:04:45 | 10.0.0.25 | 10.0.0.60 | 445 | TCP | ALLOW | 700 | 1500 | Large file transfer detected |
| 2025-10-08 09:05:10 | 10.0.0.25 | 198.51.100.70 | 80 | TCP | ALLOW | 2000 | 500 | Outbound HTTP session |
| 2025-10-08 09:06:55 | 10.0.0.25 | 198.51.100.70 | 80 | TCP | ALLOW | 2400 | 520 | Persistent outbound traffic |
Two destination hosts stand out, and both are reached from the same internal host, 10.0.0.25. The back-to-back SSH connections to 202.54.1.100 at 09:02:48 and 09:03:02, annotated as multiple login attempts, suggest possible brute-force activity, with the internal host acting as the source rather than the target. The repeated outbound HTTP sessions to 198.51.100.70, in which bytes sent exceed bytes received by roughly four to one, could signal data exfiltration or a C2 (Command and Control) channel. The blocked RDP attempt to 203.0.113.55 and the SMB exchange with 10.0.0.60 that fall between these events fit the same picture of 10.0.0.25 behaving abnormally and should be reviewed together with them.
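The reasoning above can be turned into repeatable checks. The following Python script is an added example, not part of the original exercise: it parses the table rows (transcribed inline as a CSV string, notes column dropped), runs three rules over them (repeated outbound SSH to one external host, denied outbound connections, and upload-heavy repeated outbound sessions), and prints the timeline of the suspect host. The internal address ranges (10.0.0.0/8 and 192.168.0.0/16) and the thresholds are assumptions chosen for this sample, not tuned production values.

```python
"""Detection logic run over the sample firewall log from the exercise.

Added example, not part of the original exercise. SAMPLE_LOG is transcribed
from the page's table; INTERNAL_NETS and the thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumption: the organisation's internal address space. An explicit list is
# used because ipaddress.ip_address(...).is_private is True for the RFC 5737
# documentation ranges 198.51.100.0/24 and 203.0.113.0/24 that the table
# uses as external hosts.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# timestamp,src,dst,port,proto,action,bytes_sent,bytes_received
SAMPLE_LOG = """\
2025-10-08 09:00:15,10.0.0.25,192.168.1.15,443,TCP,ALLOW,250,980
2025-10-08 09:02:48,10.0.0.25,202.54.1.100,22,TCP,ALLOW,1500,60
2025-10-08 09:03:02,10.0.0.25,202.54.1.100,22,TCP,ALLOW,1800,75
2025-10-08 09:03:40,10.0.0.25,203.0.113.55,3389,TCP,BLOCK,200,0
2025-10-08 09:04:05,10.0.0.60,10.0.0.25,445,TCP,ALLOW,350,240
2025-10-08 09:04:45,10.0.0.25,10.0.0.60,445,TCP,ALLOW,700,1500
2025-10-08 09:05:10,10.0.0.25,198.51.100.70,80,TCP,ALLOW,2000,500
2025-10-08 09:06:55,10.0.0.25,198.51.100.70,80,TCP,ALLOW,2400,520
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse CSV rows into dicts with typed fields."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, port, proto, action, sent, recv = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": src, "dst": dst, "port": int(port), "proto": proto,
            "action": action, "sent": int(sent), "recv": int(recv),
        })
    return events


def outbound(events):
    """Events from an internal source to an external destination."""
    return [e for e in events
            if is_internal(e["src"]) and not is_internal(e["dst"])]


def ssh_bruteforce_candidates(events, min_sessions=2, window_seconds=300):
    """Repeated allowed SSH sessions from one internal host to one external
    host inside a short window. Returns (src, dst, session_count)."""
    by_pair = defaultdict(list)
    for e in outbound(events):
        if e["port"] == 22 and e["action"] == "ALLOW":
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    findings = []
    for (src, dst), stamps in by_pair.items():
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        if len(stamps) >= min_sessions and span <= window_seconds:
            findings.append((src, dst, len(stamps)))
    return findings


def blocked_outbound(events):
    """Denied internal-to-external connections (policy violations or
    probing). Returns (src, dst, port)."""
    return [(e["src"], e["dst"], e["port"])
            for e in outbound(events) if e["action"] == "BLOCK"]


def exfil_candidates(events, min_ratio=2.0, min_sessions=2):
    """Repeated allowed outbound sessions to one external host where the
    host sends far more than it receives: possible exfiltration or C2.
    Returns (src, dst, sessions, total_sent, sent_to_received_ratio)."""
    by_pair = defaultdict(list)
    for e in outbound(events):
        if e["action"] == "ALLOW":
            by_pair[(e["src"], e["dst"])].append(e)
    findings = []
    for (src, dst), es in by_pair.items():
        sent = sum(e["sent"] for e in es)
        recv = sum(e["recv"] for e in es)
        ratio = sent / recv if recv else float("inf")
        if len(es) >= min_sessions and ratio >= min_ratio:
            findings.append((src, dst, len(es), sent, round(ratio, 1)))
    return findings


def host_timeline(events, host):
    """Every event touching `host`, in time order, so internal activity such
    as the SMB exchange can be reviewed next to the external findings."""
    return sorted((e for e in events if host in (e["src"], e["dst"])),
                  key=lambda e: e["ts"])


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("SSH brute-force candidates:", ssh_bruteforce_candidates(evs))
    print("Blocked outbound:", blocked_outbound(evs))
    print("Exfil/C2 candidates:", exfil_candidates(evs))
    for e in host_timeline(evs, "10.0.0.25"):
        print(e["ts"], e["src"], "->", e["dst"], e["port"], e["action"])
```

Note that the byte-ratio rule also flags 202.54.1.100 (about 24 bytes sent per byte received across the two SSH sessions), not only 198.51.100.70. That is not a defect: a host that trips several independent rules in the same few minutes deserves a higher triage priority than one that trips a single rule, and the timeline of 10.0.0.25 is where that corroboration becomes visible.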