Defensive Security Case Study
This case study summarizes a redacted Penn State malware investigation lab focused on suspicious traffic analysis, firewall log review, containment, spoofing indicators, packet capture review, malicious process identification, and defensive validation.
Content Type: Redacted Academic Lab / Defensive Security Case Study
This case study is based on academic lab work completed at Penn State. It has been rewritten and sanitized for portfolio use. It does not include raw screenshots, lab instructions, student identifiers, internal IP details, or step-by-step offensive procedures.
Overview#
This lab focused on investigating and neutralizing suspicious network activity caused by a malware-based attack in a controlled academic environment.
The objective was to identify the source of suspicious traffic, block malicious communication, investigate the affected host, determine whether spoofing was involved, locate the malicious process, and validate that the activity was neutralized.
Why This Lab Matters#
Malware investigations require more than simply seeing suspicious traffic.
A security analyst needs to move from alert or log evidence to source identification, host investigation, process review, containment, and validation. This lab helped reinforce that defensive workflow.
The case also demonstrated that traffic source information may be misleading when spoofing is involved. That makes correlation between firewall logs, packet captures, host-level commands, and process information important.
Environment and Concepts#
This lab involved concepts related to:
- Firewall log review
- Suspicious network traffic investigation
- Traffic blocking and containment
- Host investigation
- Packet capture review
- Source IP spoofing
- Process identification
- Malware process termination
- ARP scan behavior
- Defensive validation
My Role#
For this lab, I acted as the analyst responsible for investigating and containing the suspicious activity.
The work involved:
- Reviewing firewall logs for suspicious traffic
- Identifying traffic moving toward an unexpected network segment
- Blocking suspicious traffic
- Investigating the suspected source host
- Comparing IP and MAC address evidence
- Reviewing packet capture data
- Identifying evidence of spoofed source behavior
- Locating the malicious process
- Stopping the process in the lab environment
- Reviewing the malicious program behavior at a high level
Investigation Summary#
1. Identifying Suspicious Traffic#
The investigation began by reviewing firewall logs to identify traffic moving from an internal user network toward an unexpected destination network.
This step established the initial indicator that something abnormal was occurring and provided a starting point for containment and investigation.
2. Blocking Suspicious Communication#
After identifying suspicious traffic, the lab required blocking traffic toward the suspicious destination.
This represented a containment step: reducing exposure while the analyst continued investigating the root cause.
3. Investigating the Suspected Source#
The next step was to investigate the host believed to be generating the suspicious traffic.
This included reviewing host-level information, including the host's IP and MAC addresses, and comparing it against what the firewall logs and packet data showed for the same traffic.
4. Reviewing Spoofing Indicators#
The lab showed that the apparent source did not line up across the evidence: the source address reported by the firewall did not match the IP and MAC address evidence gathered from the host and the packet capture.
This raised the possibility that the traffic involved source spoofing. In a real investigation this matters because a firewall log records only the claimed source IP; relying on that one log source alone could lead the analyst to the wrong host.
5. Packet Capture Review#
Packet capture data was used to gather more evidence about the suspicious traffic.
This helped move the investigation beyond surface-level firewall logs and supported a more complete understanding of what was happening on the network.
6. Identifying and Stopping the Malicious Process#
After host and network review, the lab focused on identifying the process responsible for the suspicious activity.
Stopping the malicious process represented the remediation step in the controlled lab environment.
7. Reviewing Malicious Behavior#
The malicious program was reviewed at a high level to understand its behavior. The lab identified ARP scan behavior, which helped explain the nature of the suspicious activity. ARP scanning, sending ARP requests for many addresses in quick succession, is typically used to enumerate live hosts on the local segment, and because ARP does not cross routers it shows up in a packet capture on that segment rather than in firewall logs.
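The steps above form one workflow: pull the offending flows out of the firewall log, check whether the claimed source IP really belongs to the MAC that sent the frames, and look in the capture for the ARP-scan pattern. As an added example, not code from the lab or from the original report, the Python script below runs that correlation over constructed evidence. The log format, the network ranges (`10.10.0.0/16` as the user network, `10.20.0.0/16` as the unexpected segment), the addresses, the MACs and the packet-capture rows are all assumptions made for the example; a real investigation would feed it exported firewall lines, an `arp -a` listing and a `tshark` summary instead.

```python
"""Correlate firewall-log, ARP-table and packet-capture evidence.

Added example for this case study. All data below is constructed; addresses,
MACs and the log format are assumptions, not values from the lab.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log lines (format is an assumption).
FIREWALL_LOG = """\
2024-03-01T09:00:01 ALLOW src=10.10.1.23 dst=10.10.1.5 proto=tcp dport=443
2024-03-01T09:00:02 ALLOW src=10.10.1.23 dst=10.20.5.4 proto=tcp dport=445
2024-03-01T09:00:02 ALLOW src=10.10.1.23 dst=10.20.5.5 proto=tcp dport=445
2024-03-01T09:00:03 ALLOW src=10.10.1.40 dst=10.10.1.5 proto=udp dport=53
2024-03-01T09:00:03 ALLOW src=10.10.1.23 dst=10.20.5.6 proto=tcp dport=445
"""
USER_NET = ipaddress.ip_network("10.10.0.0/16")        # assumed user segment
UNEXPECTED_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed unexpected segment

# Constructed ARP table as seen from the gateway: IP -> MAC.
ARP_TABLE = {
    "10.10.1.23": "aa:bb:cc:00:00:23",
    "10.10.1.40": "aa:bb:cc:00:00:40",
    "10.10.1.77": "aa:bb:cc:00:00:77",
}

# Constructed packet-capture summary: (time, src_mac, src_ip, dst_ip, proto, arp_target).
MAC77 = "aa:bb:cc:00:00:77"
PCAP = [
    ("09:00:02", MAC77, "10.10.1.23", "10.20.5.4", "tcp", None),  # IP claims .23, MAC is .77
    ("09:00:02", MAC77, "10.10.1.23", "10.20.5.5", "tcp", None),
    ("09:00:03", MAC77, "10.10.1.23", "10.20.5.6", "tcp", None),
    ("09:00:03", "aa:bb:cc:00:00:40", "10.10.1.40", "10.10.1.5", "udp", None),  # consistent
    ("09:00:05", "aa:bb:cc:00:00:40", "10.10.1.40", None, "arp", "10.10.1.5"),  # one normal ARP
]
# Twelve ARP requests from MAC77 for consecutive neighbours: the scan pattern.
PCAP += [("09:00:04", MAC77, "10.10.1.77", None, "arp", f"10.10.1.{i}") for i in range(2, 14)]

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+)")


def suspicious_sources(log_text, user_net, unexpected_net):
    """Step 1: {src_ip: [dst_ip, ...]} for flows leaving user_net for unexpected_net."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if src in user_net and dst in unexpected_net:
            hits[str(src)].append(str(dst))
    return dict(hits)


def spoofing_indicators(pcap, arp_table):
    """Steps 3-5: flag frames whose source MAC disagrees with the ARP entry for the
    claimed source IP, and name the host the MAC really belongs to (if known)."""
    mac_to_ip = {mac: ip for ip, mac in arp_table.items()}
    findings = {}
    for _ts, src_mac, src_ip, _dst, proto, _target in pcap:
        if proto == "arp":
            continue
        expected = arp_table.get(src_ip)
        if expected and expected != src_mac:
            findings[src_ip] = {"expected_mac": expected, "observed_mac": src_mac,
                                "likely_host": mac_to_ip.get(src_mac)}
    return findings


def arp_scan_sources(pcap, threshold=10):
    """Step 7: {src_mac: distinct targets} for MACs that ARP'd for >= threshold addresses."""
    targets = defaultdict(set)
    for _ts, src_mac, _ip, _dst, proto, target in pcap:
        if proto == "arp" and target:
            targets[src_mac].add(target)
    return {mac: len(t) for mac, t in targets.items() if len(t) >= threshold}


def investigate(log_text=FIREWALL_LOG, pcap=PCAP, arp_table=ARP_TABLE):
    """Tie the steps together and return the host where the process search belongs."""
    suspicious = suspicious_sources(log_text, USER_NET, UNEXPECTED_NET)
    spoofing = spoofing_indicators(pcap, arp_table)
    scans = arp_scan_sources(pcap)
    # If the firewall's source IP is spoofed, follow the MAC, not the IP.
    hosts = [spoofing[ip]["likely_host"] or ip for ip in suspicious]
    return {"suspicious": suspicious, "spoofing": spoofing,
            "arp_scans": scans, "hosts_to_examine": hosts}


if __name__ == "__main__":
    for key, value in investigate().items():
        print(f"{key}: {value}")
```

In the constructed data the firewall blames `10.10.1.23`, but every frame carrying that source IP was sent from the MAC the ARP table associates with `10.10.1.77`, and that same MAC is the one issuing the burst of ARP requests. An analyst who stopped at the firewall log would examine the wrong host; the MAC comparison redirects the process search to the machine that actually sent the traffic. The threshold of ten distinct ARP targets is an arbitrary starting point and should be tuned to the segment's normal ARP rate.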
What This Lab Demonstrates#
This lab demonstrates hands-on academic exposure to:
- Defensive malware investigation
- Firewall-based traffic analysis
- Suspicious traffic containment
- Host-level investigation
- Packet capture interpretation
- IP/MAC evidence comparison
- Source spoofing analysis
- Malicious process identification
- Malware neutralization in a lab environment
- Communicating technical findings as an incident workflow
Lessons Learned#
The most important lesson from this lab is that incident response requires evidence correlation.
Firewall logs, packet captures, host-level observations, process data, IP addresses, and MAC addresses each provide part of the story. A good analyst needs to connect those pieces before drawing a conclusion.
The lab also reinforced the importance of containment. Blocking suspicious communication can reduce immediate risk while the analyst continues investigating the affected system.
Finally, the lab showed that malware behavior may not be obvious from one viewpoint. Host investigation and packet-level review can reveal details that firewall logs alone may miss.
What I Would Improve#
If I expanded this lab into a larger portfolio project, I would add:
- A simplified incident timeline
- A defensive investigation flowchart
- A list of key evidence sources
- A sanitized packet-analysis summary
- A containment and eradication checklist
- A short detection logic concept
- A mapping of the workflow to incident response phases
- A lessons-learned section focused on analyst decision-making
Portfolio Note#
This page is intentionally written as a sanitized case study. The original lab report is not published because it contains course metadata, lab screenshots, internal lab details, and raw procedural content.
The goal is to demonstrate defensive investigation, malware analysis workflow, containment thinking, and security operations reasoning without exposing unnecessary technical or academic details.