Saturday, October 12, 2013

Daily Blog #112: Sunday Funday 10/13/13

Hello Reader,
          It's Sunday Funday time again! This week we are back to a scenario-based challenge to spend your Sunday on. We've had an IR-focused Forensic Lunch the last two weeks, so why not an IR-focused challenge this week.

The Prize:

  • A 128GB USB 3.0 Flash Drive

The Rules:
  1. You must post your answer before Monday 10/14/13 2AM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
 You are an internal responder for a hosting provider, and almost all of your major systems are in a DMZ to allow customer access. An attacker has breached your network, which is CentOS Linux based. You've detected the attacker's anomalous traffic to a foreign country as part of a netflow review, and you are now worried about lateral movement from the database server you have found. Assuming there is netflow data and a default CentOS install across 10 DMZ-based systems, what would you do to determine lateral movement?
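As an added example (not part of the original post, and not an entry to the challenge), one way to start on the netflow side is to walk the DMZ-to-DMZ flows forward in time from the database server and treat every admin-port connection made by an already-implicated host as a possible pivot. The flow records, the DMZ range, the server address and the port list below are constructed assumptions.

```python
"""Build a time-ordered pivot chain from NetFlow-style records (constructed sample data)."""
import ipaddress

# Constructed sample flows: (timestamp, src_ip, dst_ip, dst_port, proto). Not real data.
FLOWS = [
    ("2013-10-12T01:02:00", "10.10.0.5", "203.0.113.77", 443, "tcp"),  # DB server to foreign host (the alert)
    ("2013-10-12T01:05:10", "10.10.0.5", "10.10.0.12", 22, "tcp"),     # DB server -> web02 over SSH
    ("2013-10-12T01:06:30", "10.10.0.12", "10.10.0.20", 22, "tcp"),    # web02 -> web03 after being reached
    ("2013-10-12T00:30:00", "10.10.0.20", "10.10.0.5", 3306, "tcp"),   # normal app -> DB traffic
    ("2013-10-12T01:09:00", "10.10.0.5", "10.10.0.30", 445, "tcp"),    # DB server -> file server over SMB
    ("2013-10-11T23:00:00", "10.10.0.30", "10.10.0.12", 22, "tcp"),    # SSH *before* the file server was reached
]
DMZ = ipaddress.ip_network("10.10.0.0/24")    # assumed DMZ range
PATIENT_ZERO = "10.10.0.5"                      # the database server from the netflow alert
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}       # remote-admin ports between DMZ peers are worth a look

def in_dmz(ip):
    return ipaddress.ip_address(ip) in DMZ

def internal_flows(flows):
    """Keep only DMZ-to-DMZ flows, oldest first; external egress is handled as a separate alert."""
    return sorted((f for f in flows if in_dmz(f[1]) and in_dmz(f[2])), key=lambda f: f[0])

def pivot_chain(flows, start, ports=ADMIN_PORTS):
    """Walk forward in time from `start`. A host counts as reached when an already-reached
    host connects to it on an admin port. Returns {host: timestamp it was first reached};
    the start host maps to None. Because flows are processed in time order, an admin
    connection that predates its source being reached (the 23:00 SSH above) is not chained."""
    reached = {start: None}
    for ts, src, dst, port, _ in internal_flows(flows):
        if src in reached and dst not in reached and port in ports:
            reached[dst] = ts
    return reached

if __name__ == "__main__":
    for host, ts in pivot_chain(FLOWS, PATIENT_ZERO).items():
        print(f"{host:12s} reached at {ts or 'start (alerted host)'}")
```

Every host in the chain is a candidate for the host-based review (logins, new accounts, shell history) rather than a confirmed victim; the netflow only narrows the 10 systems down to the ones worth imaging first.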