Threat Analysis Report July15
Uploaded by Naty Dereje (Scribd, 7 pages)
Threat Analysis Report

1. Executive Summary
This report analyzes the cybersecurity threats recorded in the "Threat log Jul 15" file, which covers
2608 incidents logged on July 15, 2025. The objectives are to identify the prevalent threat types,
assess their severity, pinpoint the common attack sources and targets, evaluate the actions taken by
the security controls, and uncover temporal patterns in the malicious activity. The findings show a
high volume of intrusion attempts, predominantly brute-force attacks on SMB and Microsoft SQL
Server, of which the large majority (2109 of 2608, 80.9%) were blocked. A second cluster of 518
events is DNS traffic between one internal host and two public resolvers that matched a single
signature; it should be validated as a possible false positive before it is counted as an attack.
Recommendations for improving the security posture follow in section 4.

2. Methodology
The analysis was produced by processing the "Threat log Jul 15" dataset. The fields 'Threat Type',
'Severity', 'Attacker', 'Attack Target', 'Action', 'Threat Name', 'Application', 'Protocol', 'Time' and
'Security Policy' were extracted and analyzed. Frequency counts per field and aggregation of the
'Time' field by hour of day were used to identify patterns and trends. The counts in every table
below sum to the same 2608 events; that reconciliation is the cross-check used throughout this report.
3. Detailed Threat Analysis
3.1. Threat Type Distribution
The distribution of threat types shows a clear dominance of intrusion attempts in the monitored
period.

Threat Type                       Count
Intrusion                          2606
Botnet, Trojan horse, and worm        2

 Intrusion: 2606 of 2608 events (99.9%), so the primary defensive focus should be on preventing
and detecting unauthorized access attempts.
 Botnet, Trojan horse, and worm: only 2 events, indicating either low prevalence or effective
upstream defenses against these categories. Two events are too few to draw conclusions from, and a
low detection count is not evidence that such traffic is absent.
3.2. Severity Levels
Threats are categorized by severity to help prioritize response.

Severity   Count
medium      2375
high         233

 Medium severity: 2375 events (91.1%), the largest portion, requiring consistent monitoring and a
structured response.
 High severity: 233 events (8.9%). Fewer in number, but these warrant immediate investigation
because of their potential impact.

3.3. Top Attacker IP Addresses
Identifying the most frequent attacker addresses helps in understanding the origin of persistent
threats.

Attacker IP        Count
196.188.236.13       797
8.8.8.8              267
4.2.2.2              251
197.156.127.57       171
196.191.131.64       148
196.189.152.79       107
196.188.236.10        90
196.191.244.66        56
213.55.84.10          43
196.189.189.108       43

196.188.236.13 alone accounts for 797 events (30.6% of the log) and, together with 196.188.236.10
and the other 196.x/197.x/213.55.x sources, is consistent with the regional picture in section 3.9.
8.8.8.8 (Google Public DNS) and 4.2.2.2 (the Level 3, now Lumen, public resolver) need separate
treatment: their counts sum to exactly 518, which is also the count of the "Microsoft Windows SMTP
Service MX Record Denial Of Service" signature (3.6), of the DNS application (3.7), of the "V7 App
server Outbound-1" policy (3.10) and of the top target 192.168.1.186 (3.4). The most economical
reading is that these 518 events are DNS replies from the two resolvers to lookups made by
192.168.1.186 that matched an outbound IPS signature, i.e. a probable false positive or a misbehaving
internal mail/DNS host, not an attack by the resolvers. They should be validated against the raw log
(query type, direction, response size) before 8.8.8.8 or 4.2.2.2 is treated as hostile, and blocking
those addresses at the perimeter would break name resolution for every host that depends on them.
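The counting procedure of section 2 and the resolver cross-check described above, as an added worked example in Python (this is not code from the original report). It parses a constructed CSV sample in the column layout section 2 implies; the rows, their attacker/target pairings and the timestamps are invented for illustration, the source addresses other than the two public resolvers are RFC 5737 documentation addresses, and the column names 'Time' and 'Security Policy' are assumed from sections 2 and 3.10. Besides the per-field frequency tables and the hourly aggregation, it pivots attackers against signature and policy, which is the quickest way to see that an address only ever trips one rule.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample rows in the column layout section 2 implies. This is NOT the
# real "Threat log Jul 15" file (the page does not reproduce it). Attacker/target
# pairings are illustrative; apart from the two public resolvers, which the report
# itself lists, source addresses are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Time,Threat Type,Severity,Attacker,Attack Target,Action,Threat Name,Application,Protocol,Security Policy
2025-07-15 09:01:10,Intrusion,medium,203.0.113.13,196.189.21.65,Block,Microsoft SQL Server Authentication Brute-force Attempt,MS_SQLServer,TCP,V7 App server Inbound-1
2025-07-15 09:01:12,Intrusion,medium,203.0.113.13,196.189.21.65,Block,Microsoft SQL Server Authentication Brute-force Attempt,MS_SQLServer,TCP,V7 App server Inbound-1
2025-07-15 09:03:44,Intrusion,high,203.0.113.13,196.189.21.82,Block,ETERNALBLUE: Windows SMBv1 Exploit,SMB,TCP,V7 App server Inbound-1
2025-07-15 10:15:02,Intrusion,medium,8.8.8.8,192.168.1.186,Block,Microsoft Windows SMTP Service MX Record Denial Of Service,DNS,UDP,V7 App server Outbound-1
2025-07-15 10:15:03,Intrusion,medium,4.2.2.2,192.168.1.186,Block,Microsoft Windows SMTP Service MX Record Denial Of Service,DNS,UDP,V7 App server Outbound-1
2025-07-15 10:45:17,Intrusion,medium,8.8.8.8,192.168.1.186,Block,Microsoft Windows SMTP Service MX Record Denial Of Service,DNS,UDP,V7 App server Outbound-1
2025-07-15 10:45:18,Intrusion,medium,4.2.2.2,192.168.1.186,Block,Microsoft Windows SMTP Service MX Record Denial Of Service,DNS,UDP,V7 App server Outbound-1
2025-07-15 15:20:30,Intrusion,medium,198.51.100.64,192.168.1.4,Alert,SMB Authentication Brute-force Attempt,SMB,TCP,V6 & Zabbix Inbound
2025-07-15 15:21:05,"Botnet, Trojan horse, and worm",high,198.51.100.108,192.168.1.11,Alert,TroDjan_Family Traffic Detected,NetBios_Name_Service,UDP,unknown policy
"""


def parse_log(text):
    """Parse the CSV export into row dicts and add an integer 'hour' field.
    The csv module is used rather than split(',') because the threat-type label
    "Botnet, Trojan horse, and worm" itself contains commas and arrives quoted."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["hour"] = datetime.strptime(row["Time"], "%Y-%m-%d %H:%M:%S").hour
        rows.append(row)
    return rows


def frequency(rows, field):
    """Count of each value in one column, most common first (the report's tables)."""
    return Counter(r[field] for r in rows).most_common()


def share(rows, field, value):
    """Percentage of rows whose column holds value, e.g. the share of Block actions."""
    return round(100.0 * sum(r[field] == value for r in rows) / len(rows), 1)


def hourly(rows):
    """Events per hour of day with all 24 buckets present, so quiet hours read as 0
    instead of disappearing from the table."""
    counts = Counter(r["hour"] for r in rows)
    return [counts.get(h, 0) for h in range(24)]


def crosstab(rows, row_field, col_field):
    """row_field -> col_field -> count. Pivoting Attacker against Threat Name (or
    Security Policy) shows whether an address is a source of varied attacks or only
    ever trips one signature under one rule."""
    table = defaultdict(Counter)
    for r in rows:
        table[r[row_field]][r[col_field]] += 1
    return {k: dict(v) for k, v in table.items()}


def one_signature_sources(rows, min_events=2):
    """Attackers with at least min_events hits that all carry the same Threat Name,
    Application and Security Policy. Such uniform hits deserve a look at the rule
    before the address is treated as hostile."""
    seen = defaultdict(list)
    for r in rows:
        seen[r["Attacker"]].append((r["Threat Name"], r["Application"], r["Security Policy"]))
    return sorted(a for a, hits in seen.items()
                  if len(hits) >= min_events and len(set(hits)) == 1)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for field in ("Threat Type", "Severity", "Action", "Attacker"):
        print(field, frequency(rows, field))
    print("Block share %:", share(rows, "Action", "Block"))
    print("Per hour:", hourly(rows))
    print("Attacker x Threat Name:", crosstab(rows, "Attacker", "Threat Name"))
    print("Uniform-signature sources:", one_signature_sources(rows))
```

On the sample, one_signature_sources returns the two public resolvers and nothing else: 203.0.113.13 has more events but two different signatures, so it reads as a real attacker. That is the check to run on the full export before any address from the table above goes onto a block list.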

3.4. Top Attack Target IP Addresses

Understanding the most targeted systems helps in focusing defensive effort.

Attack Target IP   Count
192.168.1.186        518
196.189.21.65        106
196.189.21.82        101
196.189.21.84        100
192.168.1.4           98
196.189.21.81         89
196.189.21.75         86
192.168.1.11          84
196.189.21.64         75
196.191.244.141       66

Two groups of targets appear. The public addresses 196.189.21.64 to .84 and 196.191.244.141,
presumably the organization's exposed servers, each carry 66 to 106 events, which fits the inbound
brute-force pattern of sections 3.6 and 3.7. The private (RFC 1918) addresses 192.168.1.186,
192.168.1.4 and 192.168.1.11 are internal hosts. The 518 events against 192.168.1.186 are exactly
the DNS/public-resolver cluster discussed in section 3.3 and should be read as that host's own
lookups until validated. 192.168.1.4 and 192.168.1.11 (98 and 84 events) are internal hosts being
reached by traffic the IPS classified as attacks; which source addresses and policies produced those
events should be checked, since an internal address is not reachable from the Internet without NAT
or a port forward.

3.5. Actions Taken Against Threats

The 'Action' column records the response taken by the security controls.

Action Taken   Count
Block           2109
Alert            499

 2109 events (80.9%) were blocked, a positive indicator that the automated defenses are doing
most of the work.
 499 events (19.1%) only produced an alert and therefore require human triage or further
automated analysis to decide the appropriate response. Section 3.10 shows that almost all of these
come from a single policy.
3.6. Most Prevalent Threat Names
The specific signatures reveal the attack techniques in use.

Threat Name                                                     Count
Microsoft SQL Server Authentication Brute-force Attempt          1002
SMB Authentication Brute-force Attempt                            851
Microsoft Windows SMTP Service MX Record Denial Of Service        518
ETERNALBLUE: Windows SMBv1 Exploit                                172
Microsoft Windows SMBv1 CVE-2017-0147 Information Disclosure       56
Possible Memcached DRDoS Attack Attempt                             3
Hacktool.BattlePong Denial of Service                               3
TroDjan_Family Traffic Detected                                     2
SSL Certificate Signed Using Weak Hashing Algorithm                 1

 Brute-force attempts against Microsoft SQL Server and SMB (1002 + 851 = 1853 events, 71% of the
log) dominate, indicating a sustained effort to gain access by credential guessing.
 The 518 "SMTP Service MX Record Denial Of Service" hits are the DNS cluster from section 3.3 and
should be validated as a possible false positive rather than counted as a third attack type.
 ETERNALBLUE (MS17-010, CVE-2017-0144) and the CVE-2017-0147 information-disclosure probe are
still being fired at SMBv1 (228 events). Both were fixed by the March 2017 MS17-010 update, so a
patched host is not exploitable by them, but their presence shows attackers are testing for it, and
disabling SMBv1 outright removes the attack surface.

3.7. Applications and Protocols Involved

Knowing which applications and protocols are targeted helps in securing specific services.

Application            Count
SMB                     1079
MS_SQLServer            1003
DNS                      518
NetBios_Name_Service       5
General_UDP                3

Protocol   Count
TCP         2089
UDP          519

 SMB and MS_SQLServer are the most targeted applications, matching the brute-force and SMBv1
signatures in section 3.6 (SMB: 851 brute-force + 172 ETERNALBLUE + 56 CVE-2017-0147 = 1079).
 All 518 DNS events are the single MX-record signature discussed in section 3.3.
 TCP carries the SMB and SQL Server traffic; the UDP count (519) corresponds almost one-for-one
with the 518 DNS events.
3.8. Temporal Analysis of Threats

Aggregating threat occurrences by hour reveals patterns in attack timing.

Hour of Day   Number of Threats
0                   83
1                    7
2                   30
3                   32
4                   29
5                   28
6                   30
7                   56
8                  102
9                  384
10                 316
11                 230
12                 106
13                  85
14                 181
15                 406
16                 200
17                  67
18                  59
19                  27
20                  38
21                  34
22                  45
23                  33

 The busiest hour is 15:00 with 406 events, followed by 09:00 (384) and 10:00 (316). Taken
together, 08:00 to 16:59 holds 2010 events (77% of the day), with a quiet window from 01:00 to
06:59 (7 to 32 events per hour).
 Activity concentrated in working hours is consistent with campaigns or automated scans run
during the local business day. The dataset does not state the time zone of the 'Time' field, so
that should be confirmed before the pattern is read as attacker behaviour rather than an artefact
of the logging server's clock.
3.9. Source Region Analysis

Source Region   Count   Threat Name                                                                                                                                                                  Application
Ethiopia         2084   ETERNALBLUE: Windows SMBv1 Exploit / Hacktool.BattlePong Denial of Service / Microsoft SQL Server Authentication Brute-force Attempt / Microsoft Windows SMBv1 CVE-2017-0147 Information Disclosure   SMB / MS_SQLServer / NetBios_Name_Service
United States     519   Microsoft Windows SMTP Service MX Record Denial Of Service / Possible Memcached DRDoS Attack Attempt                                                                            DNS / General_UDP
unknown zone        3   TroDjan_Family Traffic Detected / SSL Certificate Signed Using Weak Hashing Algorithm                                                                                           NetBios_Name_Service / MS_SQLServer
Bulgaria            1   Possible Memcached DRDoS Attack Attempt                                                                                                                                        General_UDP
Ukraine             1   Possible Memcached DRDoS Attack Attempt                                                                                                                                        General_UDP

Ethiopia accounts for 2084 of 2608 events (79.9%). The threat-name column above omits the SMB
Authentication Brute-force Attempt signature, but the count only reconciles with it included
(1002 + 851 + 172 + 56 + 3 = 2084), so the Ethiopian share is the entire SMB and SQL Server
brute-force and SMBv1 exploit volume. Whether this reflects local attackers, compromised hosts in the
same national address space, or a misconfiguration that makes internal systems appear as external
attackers cannot be settled from the summary counts alone. The top attacker addresses in section 3.3
are public addresses rather than RFC 1918 ones, so the "internal systems appearing as attackers"
explanation would require NAT or a logging error and should be checked against the raw log. Either
way, the geographic concentration is what makes targeted perimeter blocking (section 4) feasible.
The United States is the second source region with 519 events, but 518 of them are the MX-record
DNS signature attributed to the two public resolvers (section 3.3); only one is a Memcached DRDoS
attempt. The US figure therefore says little about attacks from the US and a lot about one internal
host's DNS lookups.
The "unknown zone" (3 events), Bulgaria (1) and Ukraine (1) contribute a handful of events: the
three Memcached DRDoS attempts (one each from the US, Bulgaria and Ukraine), two Trojan-family
detections and one weak-hash certificate observation.

3.10. Security Policy Efficacy

Security Policy             Count   Action
V7 App server Inbound-1      1590   Block
V7 App server Outbound-1      518   Block
V6 & Zabbix Inbound           497   Alert (496) / Block (1)
unknown policy                  3   Alert

The "V7 App server Inbound-1" policy blocked 1590 events, the highest of any rule, and is the control
absorbing most of the inbound SMB and SQL Server traffic. Blocking is the right outcome, but the
volume shows the V7 application servers are under continuous attack and the exposure of those
services should be reviewed (section 4).
The "V7 App server Outbound-1" policy's 518 blocks are the DNS/public-resolver cluster from section
3.3. If those lookups are legitimate, this rule is also breaking name resolution for 192.168.1.186
518 times a day, so validating the signature is an availability question as well as a detection one.
The "V6 & Zabbix Inbound" policy produced 497 events of which only 1 was blocked and 496 alerted;
the figures reconcile with the totals in section 3.5 (blocks: 1590 + 518 + 1 = 2109; alerts:
496 + 3 = 499). This policy is effectively detect-only, which may be deliberate for a monitoring
(Zabbix) segment, but it means almost every unblocked event in the log comes through it. The 3
events under "unknown policy" only alerted; they should be traced to the rule that matched them so
that an appropriate action can be applied.

4. Conclusions and Recommendations

The analysis of the provided log shows a consistent, high volume of intrusion attempts, primarily
brute-force attacks against SMB and Microsoft SQL Server, together with continued probing for the
SMBv1 vulnerabilities fixed by MS17-010. The majority of these attempts are blocked, but the
continuous targeting indicates a persistent threat. The second-largest cluster in the log, 518 DNS
events involving two public resolvers, is most likely a signature false positive and distorts the
attacker, target, application and region statistics until it is validated.
Recommendations:
1. Strengthen Authentication Mechanisms: Enforce robust password policies, multi-factor
authentication (MFA) and account lockout for all services, especially SMB and Microsoft SQL Server,
to blunt brute-force attacks. For SQL Server, prefer Windows authentication over SQL logins and
disable or rename the sa account; SMB should not be reachable from the Internet at all.
2. Regular Patch Management: Keep all operating systems and applications, particularly those
receiving SMB and SQL Server traffic, current with security patches. For the SMBv1 signatures seen
here (ETERNALBLUE, CVE-2017-0147) that means confirming MS17-010 is applied and disabling the
SMBv1 protocol entirely.
3. Enhanced Monitoring and Alerting:
 Investigate the events that only produced an Alert (496 of them from the "V6 & Zabbix
Inbound" policy) to understand why they were not blocked and refine the policy if needed.
 Validate the 518 "SMTP Service MX Record Denial Of Service" events between 192.168.1.186
and the public resolvers; if they are benign lookups, tune or exempt the signature and restore that
host's name resolution.
 Increase monitoring during the peak hours (09:00-10:00 and 15:00) to enable rapid response.
4. Network Segmentation: Isolate critical services such as the SQL servers and sensitive internal
networks so that a single compromise cannot be used for lateral movement.
5. Traffic Filtering and IP Blocking: Review the top attacker addresses and consider temporary or
permanent blocks at the perimeter firewall for persistent sources such as 196.188.236.13, after
validation to avoid disrupting legitimate traffic. 8.8.8.8 and 4.2.2.2 are public DNS resolvers and
must not be blocked on the strength of the counts in section 3.3.
6. Application and Protocol Specific Hardening: Conduct in-depth security reviews and hardening of
the SMB, Microsoft SQL Server and DNS services, as they are the most frequently targeted.
7. Threat Intelligence Integration: Integrate threat intelligence feeds to identify and block known
malicious addresses and patterns associated with the observed signatures proactively.
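Recommendations 3 and 5 together describe a procedure: rank sources by attempt rate, then validate before blocking. The following added example (not code from the original report) implements that gate in Python over a constructed event list. The external source addresses are ones the report itself lists (196.188.236.13, 197.156.127.57 and the two public resolvers); the signature pairings, timestamps and the single RFC 1918 source 192.168.1.4 are invented for illustration, and the allowlist, window and threshold are assumptions to be tuned per environment.

```python
import ipaddress
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed events as (time, source, destination, threat name). The external
# sources are addresses the report lists; the pairings and times are invented for
# this example, not taken from the log.
EVENTS = [
    ("2025-07-15 15:00:01", "196.188.236.13", "196.189.21.65", "Microsoft SQL Server Authentication Brute-force Attempt"),
    ("2025-07-15 15:00:02", "196.188.236.13", "196.189.21.65", "Microsoft SQL Server Authentication Brute-force Attempt"),
    ("2025-07-15 15:00:04", "196.188.236.13", "196.189.21.65", "Microsoft SQL Server Authentication Brute-force Attempt"),
    ("2025-07-15 15:00:05", "8.8.8.8", "192.168.1.186", "Microsoft Windows SMTP Service MX Record Denial Of Service"),
    ("2025-07-15 15:00:06", "4.2.2.2", "192.168.1.186", "Microsoft Windows SMTP Service MX Record Denial Of Service"),
    ("2025-07-15 15:00:07", "8.8.8.8", "192.168.1.186", "Microsoft Windows SMTP Service MX Record Denial Of Service"),
    ("2025-07-15 15:00:09", "8.8.8.8", "192.168.1.186", "Microsoft Windows SMTP Service MX Record Denial Of Service"),
    ("2025-07-15 15:00:30", "197.156.127.57", "196.189.21.82", "ETERNALBLUE: Windows SMBv1 Exploit"),
    ("2025-07-15 15:02:00", "197.156.127.57", "196.189.21.82", "ETERNALBLUE: Windows SMBv1 Exploit"),
    ("2025-07-15 15:04:00", "197.156.127.57", "196.189.21.82", "ETERNALBLUE: Windows SMBv1 Exploit"),
    ("2025-07-15 15:05:10", "192.168.1.4", "192.168.1.11", "SMB Authentication Brute-force Attempt"),
    ("2025-07-15 15:05:11", "192.168.1.4", "192.168.1.11", "SMB Authentication Brute-force Attempt"),
    ("2025-07-15 15:05:12", "192.168.1.4", "192.168.1.11", "SMB Authentication Brute-force Attempt"),
]

# Assumed allowlist: addresses that must never become a perimeter block even if they
# top the attacker table. The two public resolvers from section 3.3 are the obvious
# members; extend it with partners, monitoring probes and other known infrastructure.
ALLOWLIST = {ipaddress.ip_address(a) for a in ("8.8.8.8", "4.2.2.2")}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def burst_sources(events, threshold=3, window=timedelta(seconds=60)):
    """Sliding-window hit rate per source. Returns {source: (peak hits inside any one
    window, dominant signature)} for sources that reach threshold. Events are sorted
    by time first, as a log export normally already is."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    sigs = defaultdict(Counter)   # source -> signature counts, for the reason text
    peak = {}
    for ts, src, _dst, sig in sorted(events, key=lambda e: e[0]):
        t = parse_ts(ts)
        q = recent[src]
        q.append(t)
        while t - q[0] > window:  # evict hits that have fallen out of the window
            q.popleft()
        sigs[src][sig] += 1
        if len(q) >= threshold:
            peak[src] = max(peak.get(src, 0), len(q))
    return {src: (n, sigs[src].most_common(1)[0][0]) for src, n in peak.items()}


def block_candidates(events, threshold=3, window=timedelta(seconds=60)):
    """Turn burst sources into (source, reason) entries for a human to validate before
    any firewall rule is written. Allowlisted and non-global sources are reported
    separately rather than silently dropped, so a misfiring signature gets noticed."""
    candidates, excluded = [], []
    bursts = burst_sources(events, threshold, window)
    for src, (n, sig) in sorted(bursts.items(), key=lambda kv: -kv[1][0]):
        ip = ipaddress.ip_address(src)
        if ip in ALLOWLIST:
            excluded.append((src, f"allowlisted infrastructure; review the '{sig}' signature instead"))
        elif not ip.is_global:
            excluded.append((src, "private/reserved source; investigate the host, a perimeter block is the wrong control"))
        else:
            candidates.append((src, f"{n} hits within {int(window.total_seconds())}s, mostly {sig}"))
    return candidates, excluded


if __name__ == "__main__":
    cands, excl = block_candidates(EVENTS)
    print("Block candidates (validate before applying):")
    for src, why in cands:
        print(f"  {src:16} {why}")
    print("Excluded from blocking:")
    for src, why in excl:
        print(f"  {src:16} {why}")
```

Two things the output makes visible that a plain top-N table hides: 8.8.8.8 trips the threshold but is routed to the exclusion list with the signature named, and 197.156.127.57, which spaces its three ETERNALBLUE probes minutes apart, never trips a 60-second window at all. Slow, persistent sources are caught by the per-day totals the report already tabulates, so use both criteria rather than either alone.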
By implementing these recommendations the organization can significantly strengthen its defenses
against the prevalent threats. Continuous monitoring, regular security audits and an adaptive
security strategy are required to maintain a resilient security posture.
