
MSc Cybersecurity — Robert Gordon University

Network Intrusion Investigation & SIEM Monitoring

May 2024
Cybersecurity, SIEM, Security Onion, Incident Response, SOC, IDS, Forensics

Deployed and operated Security Onion SIEM to investigate a simulated ransomware intrusion. Performed IDS packet analysis and log forensics, traced the infection vector to a spear-phishing campaign, and produced a professional incident report with remediation recommendations.

Overview

This project formed part of the MSc Cybersecurity programme at Robert Gordon University. It simulated a real SOC analyst engagement: a ransomware intrusion had occurred across a corporate network, and the task was to investigate it using Security Onion SIEM — identifying what happened, how it happened, and what should be done to prevent recurrence.

Problem

A simulated organisation had experienced a ransomware infection. Network traffic captures and system logs were available. The task: determine the infection vector, trace the attacker's lateral movement, and produce an incident report suitable for a security operations team.

Approach

Security Onion was deployed and configured to ingest the available network captures and log sources. The investigation followed a structured methodology:

  1. IDS alert triage — reviewed Security Onion's automated IDS alerts to identify priority events
  2. Packet analysis — examined network traffic captures to reconstruct the communication timeline
  3. Log forensics — correlated system event logs with network activity to identify the affected hosts and user accounts
  4. Infection vector identification — traced the initial compromise back to a spear-phishing email delivering a malicious attachment
  5. Lateral movement mapping — documented how the attacker moved from the initial foothold to other systems
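As an added illustration of steps 1, 2, 3 and 5 above (example code written for this page, not part of the coursework or of Security Onion itself), the script below joins constructed Suricata EVE alert records with constructed Zeek conn.log entries: for each host that raised an alert it collects the flows that host originated within a 30-minute window after the alert, and flags internal peers reached over SMB, RPC, RDP or WinRM as candidate lateral-movement targets. The internal address range, the timestamps, the signature name and the 30-minute window are all assumptions.

```python
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed corporate range (constructed for this example)
LATERAL_PORTS = {135, 445, 3389, 5985}    # RPC, SMB, RDP, WinRM: admin protocols typically used to pivot

# Constructed sample feeds (not engagement data), one JSON object per line as Security Onion indexes them.
SURICATA_EVE = """\
{"timestamp":"2024-05-02T09:14:03.000000+0000","event_type":"alert","src_ip":"10.0.1.25","dest_ip":"203.0.113.7","dest_port":443,"alert":{"signature":"CONSTRUCTED Office macro downloader check-in","severity":1}}
{"timestamp":"2024-05-02T09:14:09.000000+0000","event_type":"dns","src_ip":"10.0.1.25","dest_ip":"10.0.0.2"}
"""
ZEEK_CONN = """\
{"ts":"2024-05-02T08:40:00.000000Z","id.orig_h":"10.0.1.25","id.resp_h":"10.0.1.40","id.resp_p":445,"service":"smb"}
{"ts":"2024-05-02T09:14:04.000000Z","id.orig_h":"10.0.1.25","id.resp_h":"203.0.113.7","id.resp_p":443,"service":"ssl"}
{"ts":"2024-05-02T09:31:12.000000Z","id.orig_h":"10.0.1.25","id.resp_h":"10.0.1.40","id.resp_p":445,"service":"smb"}
{"ts":"2024-05-02T09:35:48.000000Z","id.orig_h":"10.0.1.25","id.resp_h":"10.0.1.50","id.resp_p":135,"service":"dce_rpc"}
{"ts":"2024-05-02T09:36:02.000000Z","id.orig_h":"10.0.1.25","id.resp_h":"10.0.1.50","id.resp_p":445,"service":"smb"}
{"ts":"2024-05-02T09:40:00.000000Z","id.orig_h":"10.0.1.61","id.resp_h":"10.0.1.40","id.resp_p":445,"service":"smb"}
"""

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")   # %z accepts both "+0000" and "Z"

def load_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def correlate(eve_text, conn_text, window=timedelta(minutes=30)):
    """Per alerted host: its signatures, the flows it originated within `window` of its first alert,
    and the internal peers it reached on admin ports (candidate lateral movement)."""
    report = {}
    for a in load_jsonl(eve_text):
        if a.get("event_type") != "alert":            # dns/http/flow records are context, not alerts
            continue
        e = report.setdefault(a["src_ip"], {"first_alert": parse_ts(a["timestamp"]), "signatures": [], "timeline": [], "lateral_to": []})
        e["signatures"].append(a["alert"]["signature"])
        e["first_alert"] = min(e["first_alert"], parse_ts(a["timestamp"]))
    conns = load_jsonl(conn_text)
    for host, e in report.items():
        for c in conns:
            t = parse_ts(c["ts"])
            if c["id.orig_h"] != host or not e["first_alert"] <= t <= e["first_alert"] + window:
                continue                                  # other hosts and pre-alert baseline traffic stay out
            peer = c["id.resp_h"]
            e["timeline"].append((t.isoformat(), peer, c["id.resp_p"], c.get("service", "-")))
            if ip_address(peer) in INTERNAL_NET and c["id.resp_p"] in LATERAL_PORTS and peer not in e["lateral_to"]:
                e["lateral_to"].append(peer)
    return report

if __name__ == "__main__":
    for host, e in correlate(SURICATA_EVE, ZEEK_CONN).items():
        print(host, e["first_alert"].isoformat(), e["signatures"], "candidate lateral movement to:", e["lateral_to"])
```

On the constructed data the 08:40 SMB session to 10.0.1.40 is excluded as pre-alert baseline, while the post-alert SMB and RPC sessions to 10.0.1.40 and 10.0.1.50 are surfaced as the two hosts to pull event logs from next.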

Technologies Used

  • Security Onion — SIEM, IDS, and network security monitoring platform
  • Zeek (formerly Bro) — network traffic analysis
  • Suricata — IDS rule-based alerting
  • Kibana — log search and visualisation within Security Onion
  • Wireshark — deep packet inspection for specific traffic flows

Findings

  • Infection vector: spear-phishing email with a malicious Office document delivering a payload via macro execution
  • Initial compromise: single workstation; attacker established persistence via scheduled task
  • Lateral movement: credential harvesting used to authenticate to two additional hosts
  • Ransomware execution: triggered from a compromised admin account after lateral movement

Deliverables

Professional incident report documenting: timeline of events, technical findings, affected systems, infection vector analysis, and a prioritised set of remediation recommendations including email filtering controls, macro execution policies, privileged account monitoring, and network segmentation improvements.

Key Learnings

Security Onion as an integrated SIEM and IDS platform provides the visibility needed to investigate a multi-stage intrusion systematically. The critical skill is not operating the tool — it is knowing how to move from alert to context to narrative. A list of IDS hits is not an incident report; correlating those hits with log evidence and network flows to tell a coherent story of what happened is the actual analytical work of SOC investigation.