Lakshan Sameera

Undergraduate

Security Operations - Network Intrusion Analysis and Detection for DevonCinema

Security Operations & Network Intrusion Analysis for DevonCinema

Category: Blue Team | Network Forensics | Intrusion Detection
Timeline: January 2025
Tools Used: Wireshark, Snort, VirusTotal
🔗 Project Report

This project involved a simulated incident response engagement focused on analyzing and mitigating a targeted cyberattack on the DevonCinema network. The investigation used advanced network forensics techniques and intrusion detection systems to uncover malicious activities, reconstruct the attack timeline, and propose a resilient, multi-layered defense strategy.

🧩 Project Overview:

A suspicious increase in network activity triggered a security review within the DevonCinema infrastructure. Through deep packet inspection, custom rule-based intrusion detection, and indicators of compromise (IoC) correlation, this project dissected an incident involving unauthorized downloads, Command-and-Control (C2) behavior, and lateral movement attempts—ultimately simulating a real-world compromise involving Remote Access Trojans (RATs).

🔍 Key Achievements & Technical Contributions:

1. Advanced Network Traffic Analysis

Conducted full inspection of captured .pcap files using Wireshark, leveraging both graphical and protocol-layer analysis.
Identified suspicious activity including:
- Unusual HTTP GET requests downloading .exe payloads.
- Encrypted outbound connections suggestive of C2 beaconing.
- SMB and RPC traffic spikes consistent with lateral movement techniques.
Extracted file hashes from payloads and validated against VirusTotal, confirming the presence of Remcos RAT.

2. Intrusion Detection with Custom Snort Rules

Deployed Snort IDS in a lab environment to detect network-based intrusions.
Authored custom Snort signatures targeting:
- Malicious HTTP user-agent strings
- Unusual ICMP patterns (used for covert signaling)
- Indicators of C2 traffic over SSL/TLS
Validated detections by replaying .pcap traffic and correlating alerts with known IoCs.
Confirmed repeatable detection of the Remcos C2 communication through both payload and metadata inspection.

3. Infection Attribution & Incident Response Planning

Pinpointed the infected host as 10.0.90.215 through traffic correlation and endpoint behavior.
Identified the timeline of compromise — including initial access, payload retrieval, RAT installation, and C2 communications.
Developed a detailed incident report documenting:
- Attack vectors
- Payload behavior
- Affected hosts
- Risk impact
Aligned analysis with the NIST Incident Handling Guidelines (800-61 Rev.2) to provide structured response actions.

💡 Recommendations & Defensive Strategy:

Immediate Actions:
- Isolate infected endpoint(s) and revoke external C2 access.
- Remove Remcos artifacts and rotate compromised credentials.
Infrastructure Improvements:
- Deploy an enterprise-grade IDS/IPS system across ingress and egress points.
- Integrate packet inspection and flow monitoring with a SIEM solution for better visibility and correlation.
- Enforce least-privilege principles, hardened endpoint configurations, and robust patching schedules.
Long-Term Mitigation:
- Launch cybersecurity awareness training targeting phishing and social engineering resistance.
- Implement automated alerting and playbooks to support faster detection and response.
- Schedule regular network traffic baselining and anomaly detection routines.

🧠 Skills Demonstrated:

Deep understanding of packet-level analysis and intrusion patterns
Creation and tuning of Snort IDS rulesets
Forensic investigation techniques for network-based attacks
Threat intelligence integration using tools like VirusTotal
Application of incident response frameworks (NIST) in simulated environments
Technical writing and structured incident reporting

📌 Outcome & Impact:

The project successfully simulated a real-world Blue Team investigation, reinforcing core competencies in network forensics, threat detection, and incident response planning. The result was a professional-grade report with actionable insights that could significantly reduce detection and response time in similar real-world scenarios.

This project showcased not only technical skills in IDS configuration and forensic analysis, but also the ability to translate raw network data into operational security decisions, a critical skill in any Security Operations Center (SOC) or Blue Team role.

Showcase Your Work, Get Noticed!

Your projects deserve the spotlight! Share your best work, inspire others, and open doors to new opportunities. Whether you're a student or a pro, this is your stage to shine.

Get visibility from recruiters & peers
Build your portfolio & personal brand
Connect with like-minded developers

Let's put your work in front of the right people!

Similar Projects

Cyber Security

NmapOpenVASMetasploit FrameworkWHOISKali LinuxMeterpreter

Penetration Testing Simulation for Securing Organizational Systems (Penetration Testing - Ethical Hacking)

Penetration Testing Simulation for Securing Organizational Systems Conducted an in-depth penetration test and vulnerability assessment on a simulated...

View Project

Cyber Security

FTK ImagerAutopsyVolatilityKernel PST ViewerWiresharkMXToolboxvirusTotallinuxWindows

Comprehensive Digital Forensics Report for Cybersecurity Incident Response (Digital Forensics)

🧩 Digital Forensic Investigation into Unauthorized Data Exfiltration at ABC Company Coursework : PUSL3133 – Digital Forensics & Malware Analysis ...

View Project

Cyber Security

OSSEC HIDSMetasploitKali LinuxWindows 7 SP1UbuntuOSSEC Web UIEternalBlueeventViewer

🛡️🔓 OSSEC HIDS: Detecting the EternalBlue (MS17-010) Exploitation (Security Operations - OSSEC HIDS (Host Based Intrusion Detection System) )

🛡️🔓 OSSEC HIDS: Detecting the EternalBlue (MS17-010) Exploitation Category : Blue Team & Red Team | Host-Based Intrusion Detection | Exploit Simula...

View Project

Cyber Security

Azure SentinelPowerShellipgeolocation.ioWindows Event ViewerVisual Studio CodeGitHubKQL

🌐 Azure Sentinel (SIEM) Lab: Real-Time RDP Attack Detection with PowerShell (Cloud Security - Blue Teaming Security Operations )

🌐 Azure Sentinel (SIEM) Lab: Real-Time RDP Attack Detection with PowerShell Category : Blue Team | SIEM | Threat Monitoring | Automation Timeline ...

View Project

Cyber Security

PythonPowerShellC#socketOpenCVPyAutoGUIrequeststhreadingip-apiWiresharkVMwareWindows 10Kali LinuxVisual StudioGitHub

🧠 Reverse Shell – Remote Administration Tool (RAT) (Hacking Tool - Offensive Security )

🧠 Reverse Shell – Remote Administration Tool (RAT) Category : Red Team | Remote Access | Malware Simulation | Ethical Hacking Timeline : June 2024...

View Project

Cyber Security

C#.NET Framework 4.5+Visual StudioWindows APISystem.Net.MailIP Geolocation APIGitHubWindows OSmacintoshpyautoguisocket``threading``cv2``numpy`

🧠 Key Logger with Email Notifications: A Comprehensive Cybersecurity Monitoring Tool (KeyLogger - Offensive Security Tool )

🧠 Key Logger with Email Notifications: A Comprehensive Cybersecurity Monitoring Tool Category : Red Team | Offensive Security | Malware Simulation ...

View Project