Academic Project Report - M.Sc. IT IMS & CS (Integrated)
Gujarat University | Batch 2022-2023
A comprehensive study on Security Operations Center (SOC) implementation, Network Security Monitoring, and defensive cybersecurity operations with practical incident response demonstrations.
This project demonstrates defensive cybersecurity operations from a Security Operations Center perspective, focusing on threat detection, investigation, and incident response using enterprise-grade NSM tools and frameworks.
- SOC Implementation: Four-tier operational model (Triage → Investigation → Threat Hunting → Management).
- Network Security Monitoring: Full deployment of Security Onion with IDS/IPS, SIEM, and packet analysis.
- Threat Intelligence: Integration of MISP, CVE/CWE databases, YARA rules, and threat feeds.
- Real Incident Analysis: Complete investigation of a Remcos RAT malware infection.
- Vulnerability Assessment: OpenVAS scanning with CVSS v3.1 risk scoring.
- Industry Standards: NIST frameworks, MITRE ATT&CK, OWASP best practices.
Core Problem Addressed: Human error accounts for 95% of security breaches (IBM Study). This project demonstrates detection and response capabilities to mitigate threats that bypass traditional security controls.
Focus Areas:
- Security Operations Center workflows (Tier 1-4 operations)
- Network Security Monitoring and packet analysis
- SIEM deployment and log correlation
- Threat intelligence integration and IOC management
- Vulnerability assessment and risk management
- Real-world incident investigation and response
This project demonstrates proficiency in:
- Network Security Monitoring: Packet capture analysis, session tracking, traffic correlation.
- SIEM Operations: Log aggregation, query development, alert correlation, dashboard creation.
- Incident Response: Alert triage, investigation workflows, IOC extraction, timeline reconstruction.
- Threat Intelligence: MISP platform, threat feeds, IOC sharing, reputation checking.
- Vulnerability Management: OpenVAS scanning, CVSS scoring, risk assessment.
- Malware Analysis: File hashing, behavioral analysis, C2 detection.
- IDS/IPS: Snort/Suricata rule development, signature tuning, false positive reduction.
- Defensive security operations and SOC workflows
- Network traffic analysis and anomaly detection
- Threat hunting and proactive defense
- Security information and event management (SIEM)
- Vulnerability assessment and risk management
- Incident response and forensic investigation
- Security tool deployment and configuration
- Technical documentation and incident reporting
- Risk assessment and impact analysis
- Compliance frameworks (NIST, OWASP, MITRE ATT&CK)
- Threat intelligence research and analysis
- Offensive vs Defensive Security
- InfoSec Color Wheel and team structure
- CIA Triad framework
- Core Security Problem: Human error analysis (skill-based vs decision-based)
- Vulnerability Management: Lifecycle, CVSS v3.1 scoring, CVE/CWE databases
- Risk Management: NIST SP 800-30 framework, risk assessment procedures
- Threat Management: IOCs, IOAs, threat intelligence lifecycle
- Tools Implemented: OpenVAS, YARA, LOKI, MISP
- SOC Model: Four-tier operations (T1: Triage, T2: Investigation, T3: Hunting, T4: Management)
- Data Types: Full packet capture, session data, transaction logs, alert data, statistical analysis
- Alert Sources: Snort, Suricata, Zeek, OSSEC
- SIEM Platform: ELK Stack (Elasticsearch, Logstash, Kibana)
- Tools & Workflows: Sguil, Wireshark, NetFlow, Cisco Talos Intelligence
- Real-world investigation of Remcos RAT infection (March 19, 2019)
- Multi-tool correlation analysis
- IOC extraction and documentation
- Remediation recommendations
Network Security Monitoring and Detection:
| Tool | Category | Purpose |
|---|---|---|
| Security Onion | NSM Platform | Integrated security monitoring suite |
| Snort 2.9 | NIDS | Signature-based intrusion detection |
| Suricata | NIDS | Multi-threaded IDS with GPU support |
| Zeek (Bro) | NSM | Behavioral analysis and protocol parsing |
| OSSEC/Wazuh | HIDS | Host-based intrusion detection |
SIEM and Analysis:
| Tool | Category | Purpose |
|---|---|---|
| Elasticsearch | Search Engine | Log indexing and search |
| Logstash | Data Pipeline | Log collection and normalization |
| Kibana | Visualization | Dashboards and data exploration |
| Sguil | Alert Console | IDS alert management and correlation |
| Wireshark | Packet Analysis | Deep packet inspection |
Threat Intelligence:
| Tool | Category | Purpose |
|---|---|---|
| MISP | TIP | Threat information sharing platform |
| Cisco Talos | Threat Feed | File reputation and IOC verification |
| VirusTotal | File Analysis | Malware scanning and reputation |
| YARA | Pattern Matching | Malware signature detection |
| LOKI | IOC Scanner | Host-based IOC detection |
Vulnerability Assessment:
| Tool | Category | Purpose |
|---|---|---|
| OpenVAS | Vulnerability Scanner | Network vulnerability discovery |
| GVM | Management | Greenbone Vulnerability Manager |
| CVSS Calculator | Risk Scoring | Vulnerability severity rating |
Lab Environment:
- VMware Workstation 16 Pro: Virtualization for isolated lab
- TryHackMe: Hands-on cybersecurity training rooms
- Kali Linux 2021: Penetration testing distribution
┌─────────────────────────────────────────┐
│          Security Onion Server          │
│                                         │
│  ┌─────────┐  ┌─────────┐  ┌────────┐   │
│  │  Sguil  │  │ Kibana  │  │ Squert │   │
│  └─────────┘  └─────────┘  └────────┘   │
│                                         │
│  ┌───────────────────────────────────┐  │
│  │       Elasticsearch Cluster       │  │
│  └───────────────────────────────────┘  │
│                                         │
│  ┌─────┐ ┌──────────┐ ┌──────┐ ┌─────┐  │
│  │Snort│ │ Suricata │ │ Zeek │ │OSSEC│  │
│  └─────┘ └──────────┘ └──────┘ └─────┘  │
└─────────────────────────────────────────┘
                    │
                    ▼
           ┌────────────────┐
           │  TAP/SPAN Port │
           └────────────────┘
                    │
                    ▼
           ┌────────────────┐
           │   Enterprise   │
           │    Network     │
           └────────────────┘
Hardware/Virtualization:
CPU: 8+ cores (16+ recommended)
RAM: 16GB minimum (32GB recommended)
Storage: 500GB+ SSD (1TB+ for production)
Network: 2+ NICs (management + monitoring)
Software Stack:
Platform: Security Onion 2.x (Ubuntu 20.04)
NIDS: Snort 2.9.x, Suricata 6.x, Zeek 4.x
HIDS: OSSEC 3.x / Wazuh 4.x
SIEM: Elasticsearch 7.x, Logstash 7.x, Kibana 7.x
Analysis: Wireshark 3.x, tcpdump
Vulnerability: OpenVAS 21.x
Threat Intel: MISP 2.4.x
Management Network: 192.168.1.0/24
└── Security Onion: 192.168.1.100
Monitored Network: 10.0.90.0/24
├── Windows Host: 10.0.90.215 (Bobby-Tiger-PC)
├── DNS Server: 10.0.90.9
└── Domain Controller: 10.0.90.2
Monitoring: eth1 (promiscuous mode)
Four-Tier Operation Structure:
Tier 4: Management
├── Incident coordination
├── Stakeholder communication
└── Business impact assessment
Tier 3: Threat Hunting
├── Proactive threat detection
├── Advanced forensics
└── Hunt hypothesis testing
Tier 2: Investigation
├── Alert escalation handling
├── Multi-stage attack analysis
└── SIEM query development
Tier 1: Triage & Automation
├── Real-time alert monitoring
├── Known threat remediation
└── Automated response workflows
Data Collection Types:
| Type | Description | Retention |
|---|---|---|
| Full Packet Capture | Complete network conversations | 7 days |
| Session Data | Connection metadata (5-tuple) | 30 days |
| Transaction Logs | HTTP, DNS, SSL, SMB protocols | 90 days |
| Alert Data | IDS/IPS signature matches | 1 year |
| Statistical Data | Behavioral analytics | Real-time |
Alert Sources:
- Snort: 50,000+ community rules (GPL, ET, VRT)
- Zeek: Behavioral detection and protocol analysis
- Suricata: Multi-threaded signature matching
- OSSEC: Host-based file integrity and log monitoring
Elasticsearch:
- Log indexing and search engine
- RESTful API for queries
- Distributed NoSQL architecture
Logstash:
- Data ingestion and normalization
- Multi-source log collection
- Field parsing and enrichment
Kibana:
- Real-time dashboards
- Custom visualizations
- Saved searches and filters
Sguil:
- Alert correlation console
- Event categorization
- Pivot to packet captures
Snort Rule Example:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (
    msg:"ET TROJAN Remcos RAT Checkin";
    flow:established,to_server;
    dsize:<500;
    content:"|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|";
    depth:11;
    fast_pattern;
    content:"|da b1|";
    distance:2;
    within:2;
    threshold:type limit, seconds 30, count 1, track by_src;
    classtype:trojan-activity;
    sid:2025637;
)
Detection Capabilities:
- Signature-based detection (Snort, Suricata)
- Behavioral analysis (Zeek)
- Protocol anomalies
- File extraction and analysis
- C2 communication detection
MISP Platform:
- Event tracking and IOC management
- Taxonomies: MITRE ATT&CK, TLP, PAP
- API integration with SIEM
- Automated IOC sharing
Threat Feeds:
- Cisco Talos Intelligence
- Emerging Threats ruleset
- CVE/CWE vulnerability databases
- VirusTotal file reputation
- AbuseIPDB IP reputation
OpenVAS Scanning:
- Network service discovery
- Version detection and CVE mapping
- Authenticated scans
- Compliance auditing
CVSS v3.1 Scoring:
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Impact Metrics:
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Score Ranges:
None: 0.0
Low: 0.1 - 3.9
Medium: 4.0 - 6.9
High: 7.0 - 8.9
Critical: 9.0 - 10.0
Custom Malware Detection:
rule RemcosRAT_Pattern {
    meta:
        description = "Detects Remcos RAT binary patterns"
        author = "SOC Analyst"
        date = "2019-03-19"
    strings:
        $hex1 = { 1b 84 d5 b0 5d f4 c4 93 c5 30 c2 }
        $hex2 = { da b1 }
        $string1 = "Remcos" nocase
        $string2 = "remcos_pro" nocase
    condition:
        // In YARA "and" binds tighter than "or", so the string alternative must be
        // parenthesised; otherwise any file containing "Remcos" would match even
        // without the MZ header and size checks.
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 2MB and
        (all of ($hex*) or any of ($string*))
}
Integration:
- LOKI IOC scanner for host scanning
- Valhalla rule feed for latest signatures
- Custom rules for organization-specific threats
1. Alert Generation
├── Snort/Suricata: Signature match
├── Zeek: Behavioral anomaly
└── OSSEC: Host activity alert
        ↓
2. Triage (Tier 1)
├── Review in Sguil console
├── Check alert count/correlation
├── Validate: False positive?
└── Decision: Escalate or close
        ↓
3. Investigation (Tier 2)
├── Pivot to Wireshark (packets)
├── Query Kibana (logs)
├── Extract IOCs (IPs, hashes, domains)
├── Check reputation (Talos, VT)
└── Build attack timeline
        ↓
4. Analysis (Tier 3)
├── Identify malware family
├── Map to MITRE ATT&CK
├── Assess impact/scope
└── Document findings
        ↓
5. Response & Remediation
├── Isolate affected systems
├── Update IDS rules
├── Share IOCs via MISP
└── Create incident report
Network Traffic
        ↓
TAP/SPAN Port
        ↓
Security Onion Sensor
├── Snort/Suricata → IDS Alerts
├── Zeek → Session/Transaction Logs
├── tcpdump → Full Packet Capture
└── OSSEC → Host Logs
        ↓
Logstash (Normalization)
        ↓
Elasticsearch (Storage/Indexing)
        ↓
Kibana / Sguil (Analysis & Visualization)
Incident Timeline - March 19, 2019
01:45:03 - Initial Compromise
├── HTTP GET to 209.141.34.8
├── Download: test1.exe (disguised as image)
└── SHA256: [documented in report]
01:45:15 - Malware Execution
├── File: Win32 Trojan Agent (Remcos RAT)
├── C2 communication on port 2404
└── Encrypted traffic (RC4)
01:47:15 - Secondary Payload
├── HTTP GET to 217.23.14.81
├── Download: F4.exe
└── Identified: Win.Dropper.Cridex
01:48:00 - Data Exfiltration
├── Keylogger activity detected
└── Outbound to C2 servers:
    • 190.146.112.216
    • 31.22.4.176
    • 115.112.43.81
02:15:00 - Lateral Movement Attempt
├── EternalBlue SMB exploit probes
└── Target: Domain Controller (10.0.90.2)
Investigation Tools:
| Tool | Purpose | Findings |
|---|---|---|
| Sguil | Alert correlation | 12 related alerts, CNT=8 |
| Wireshark | Packet analysis | Extracted test1.exe and F4.exe |
| Kibana | Log visualization | HTTP requests, DNS queries |
| Cisco Talos | File reputation | Confirmed malware hashes |
| Zeek | Transaction logs | File details, HTTP metadata |
IOCs Extracted:
Malicious Files:
• test1.exe - SHA256: [hash]
• F4.exe - SHA256: [hash]
C2 Infrastructure:
• 209.141.34.8:80
• 217.23.14.81:80
• 190.146.112.216:2404
• 31.22.4.176:443
• 115.112.43.81:443
Domains:
• toptoptop1[.]online (flagged by VirusTotal)
Network Indicators:
• Non-standard C2 port: 2404
• Encrypted traffic patterns
• SMB exploit attempts (EternalBlue)
Remediation Actions:
- Isolated infected host (10.0.90.215) from network
- Blocked C2 IPs at firewall
- Deployed Snort rule for Remcos detection
- Updated malware signatures in AV
- Shared IOCs via MISP
- Conducted full network sweep for lateral movement
This project follows the NIST CSF five-function structure:
1. Identify
└── Asset management, risk assessment
2. Protect
└── Access controls, security policies
3. Detect
└── IDS/IPS, SIEM, anomaly detection
4. Respond
└── Incident response, mitigation
5. Recover
└── Recovery planning, lessons learned
Techniques Observed in Case Study:
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Drive-by Compromise | T1189 |
| Execution | User Execution | T1204 |
| Persistence | Registry Run Keys | T1547 |
| Defense Evasion | Obfuscated Files | T1027 |
| Credential Access | Input Capture (Keylogging) | T1056 |
| Discovery | System Information Discovery | T1082 |
| Lateral Movement | Exploitation of Remote Services | T1210 |
| Collection | Automated Collection | T1119 |
| Command and Control | Standard Non-Application Port | T1571 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |
- Authorized Testing: All demonstrations in controlled lab (TryHackMe, Security Onion)
- No Harm: Purpose-built vulnerable environments only
- Responsible Disclosure: Focus on defense and remediation
- Educational Purpose: Academic research and learning
- NIST Special Publication 800-30 (Risk Assessment)
- NIST Special Publication 800-150 (Threat Information Sharing)
- CVSS v3.1 Specification
- MITRE ATT&CK Framework
- OWASP Top 10
- Security Onion: https://securityonion.net/
- Elasticsearch: https://www.elastic.co/
- Snort: https://www.snort.org/
- Zeek: https://zeek.org/
- MISP: https://www.misp-project.org/
- OpenVAS: https://www.openvas.org/
- Cisco Talos Intelligence: https://talosintelligence.com/
- VirusTotal: https://www.virustotal.com/
- CVE Database: https://cve.mitre.org/
- CWE Database: https://cwe.mitre.org/
- Exploit Database: https://www.exploit-db.com/
- TryHackMe: https://tryhackme.com/
- Cisco NetAcad: https://netacad.com/
- Cisco Cyber Operations Documentation
- Red Team Journals
- Ethical Hacking and Countermeasures v11
- NIST Cybersecurity Publications
This is an academic research project completed for the M.Sc. IT IMS & CS program at Gujarat University. The study demonstrates defensive security operations through controlled lab environments.
Academic Details:
- Institution: Gujarat University
- Program: M.Sc. IT IMS & CS (Integrated) - Semester 7
- Mentor: Prof. Nirali Chavda
- Submission: December 31, 2022
- Authorized Testing: All demonstrations conducted in isolated lab environments
- No Unauthorized Access: Testing performed on TryHackMe rooms and personal VMs
- Educational Purpose: Focus on defensive security and incident response
- Responsible Research: No exploitation of production systems
- Lab environment may not reflect enterprise-scale SOC operations
- Limited threat hunting dataset (based on publicly available samples)
- Tool versions reflect 2022 deployment (may have updates)
- Case study uses documented malware from TryHackMe exercises
Derick Dmello
M.Sc. IT IMS & CS (Integrated)
Gujarat University
Connect:
- GitHub: @mello-io
- LinkedIn: dmelloderick
A comprehensive academic project demonstrating Security Operations Center implementation, Network Security Monitoring, and defensive cybersecurity operations with real-world incident response.
This academic project report is submitted for educational purposes as part of the M.Sc. IT IMS & CS program at Gujarat University.
Copyright © 2026 Derick Dmello. All rights reserved.
Keywords: Cybersecurity SOC Security-Operations Network-Security-Monitoring Incident-Response SIEM ELK-Stack Threat-Intelligence IDS-IPS Malware-Analysis Vulnerability-Management Security-Onion Snort Zeek MISP YARA OpenVAS CVSS NIST MITRE-ATTACK