
After patching the firewall, you face a significant challenge: to determine what actions the threat actor took before their access was cut off. The attack could have allowed them to implant backdoors or manipulate critical firewall rules, creating vulnerabilities that might persist unnoticed.

The power plant is highly reliant on this firewall to maintain a secure operational environment. Any compromise could directly impact the plant's ability to maintain control and stability. The Server Room, where the firewall is housed, is the epicenter for coordinating this investigation.

Standing in front of the secured terminal, you take a deep breath, knowing that the next few hours will be crucial in uncovering the threat actor’s activity. The glow of the Palo Alto firewall console illuminates your focused expression, and the room hums softly with the ambient sounds of data streams and spinning drives. Your task is clear: sift through the firewall logs, analyze the connections, and ensure no trace of malicious activity persists.

You start by logging into the firewall’s web-based GUI, the Monitoring tab offering a window into real-time network activity. A session table populates with active connections and recent logs. You think to yourself: "I need to focus on the Traffic Logs first, see if any unusual connections stand out."

Your eyes scan the cascading data—IP addresses, application names, destination ports—all flashing before you. Patterns begin to emerge, and you take note of traffic between the plant’s network and an unfamiliar external server. "External IPs connecting after hours or during maintenance periods? Something’s not right."

Switching to the Threat Logs, you see flagged incidents categorized by their severity. Some warnings stand out for repeated brute-force login attempts from unfamiliar regions. "Repeated login attempts from foreign IPs? That looks like someone was probing for a way in."

The User Activity Logs reveal a list of accounts that accessed the firewall recently. You notice a new user account created only hours before the attack—a clear red flag. "A new user account created just before the attack? Time to dig deeper."

The System Logs provide insight into the firewall's health and configuration changes. You see alerts indicating that rules were adjusted during a time window that coincides with the suspicious activity. "Firewall rules adjusted right after the VPN vulnerability was exploited? That is how they got in and maintained persistence."

Your findings take shape into a cohesive story: a sophisticated, targeted attack that allowed the actors to change access rules. You make a copy of the current configuration, then adjust the suspicious rules that allow external access and the rules that permit outbound connections from the internal network to the suspicious IPs.
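The four log checks walked through above (after-hours external connections, repeated failed logins, a freshly created account, and rule changes made by that account) can be scripted so they are repeatable across exports. The script below is an added illustration, not part of the scenario or of any Palo Alto tooling; it runs over a constructed sample in a simplified CSV layout (not the real PAN-OS log schema), and the internal address range, working hours and brute-force threshold are assumptions you would tune to the plant.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export in a simplified CSV layout (not the real PAN-OS
# schema): time, logtype, src, dst, user, action, detail
SAMPLE_LOGS = """time,logtype,src,dst,user,action,detail
2024-05-01 01:50:00,threat,198.51.100.9,10.10.0.1,,deny,login-failed
2024-05-01 01:50:05,threat,198.51.100.9,10.10.0.1,,deny,login-failed
2024-05-01 01:50:10,threat,198.51.100.9,10.10.0.1,,deny,login-failed
2024-05-01 02:05:00,system,,,svc-backup2,config,user-added
2024-05-01 02:09:00,system,,,svc-backup2,config,rule-modified
2024-05-01 02:14:00,traffic,10.10.5.23,203.0.113.77,,allow,tcp/443
2024-05-01 02:15:30,traffic,10.10.5.23,203.0.113.77,,allow,tcp/443
2024-05-01 09:30:00,traffic,10.10.5.40,10.10.1.5,,allow,tcp/445
"""

INTERNAL_PREFIX = "10."          # assumed plant address space
BUSINESS_HOURS = range(7, 19)    # 07:00-18:59 is assumed normal working time
BRUTE_FORCE_THRESHOLD = 3        # failed logins per source before flagging

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def triage(raw):
    findings = []           # (finding, subject, detail, time) tuples
    failed = Counter()      # failed logins per source IP
    new_accounts = set()    # accounts created inside this log window
    for row in csv.DictReader(io.StringIO(raw)):
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        kind, detail = row["logtype"], row["detail"]
        # Traffic: internal host reaching an external address outside working hours
        if kind == "traffic" and is_internal(row["src"]) \
                and not is_internal(row["dst"]) and ts.hour not in BUSINESS_HOURS:
            findings.append(("after-hours-egress", row["src"], row["dst"], row["time"]))
        elif kind == "threat" and detail == "login-failed":
            failed[row["src"]] += 1
        # System: account creation and rule edits are always worth a look
        elif kind == "system" and detail == "user-added":
            new_accounts.add(row["user"])
            findings.append(("account-created", row["user"], detail, row["time"]))
        elif kind == "system" and detail == "rule-modified":
            # A rule edit by an account created in the same window is the key correlation
            tag = "rule-change-by-new-account" if row["user"] in new_accounts else "rule-change"
            findings.append((tag, row["user"], detail, row["time"]))
    for src, n in failed.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            findings.append(("brute-force", src, f"{n} failed logins", ""))
    return findings
```

On a real export you would point `triage` at the CSV downloaded from the Monitoring tab after mapping its columns onto the fields used here.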

Question 7: What new Co-op Cyber Goal number deals with logging?
