
NF0.8 Northgate Engineering Scenarios

8 hours · Module 0 · Free
What you already know

If you've taken other Ridgeline courses, you know Northgate Engineering — the fictional organization whose incidents thread through the platform. If you're starting here, NE is a mid-sized engineering company with an M365 environment, on-premises servers, and a cloud presence. This sub introduces the five NE incidents that structure the network investigation modules, and shows how each teaches specific network forensics skills.

Operational Objective

Real investigations don't arrive as clean, single-protocol exercises. An attacker uses DNS to resolve their infrastructure, HTTP to deliver the payload, HTTPS to establish C2, SMB to move laterally, and DNS tunneling or HTTPS to exfiltrate. The investigation crosses every protocol in the course.

This sub introduces the five NE incidents that thread through modules NF3-NF14. Each incident is designed to teach specific network investigation techniques through a realistic, multi-protocol attack chain. Two incidents cross-reference the Practical IR course, two cross-reference the Linux IR course, and one is unique to this course. If you've completed those courses, you'll investigate the same incidents from the network perspective — a fundamentally different view of attacks you already know.

Deliverable: The five NE incidents with their attack chains, the network evidence each produces, the modules where each appears, and the investigation skills each teaches.

Estimated completion: 20 minutes
FIVE NE INCIDENTS — NETWORK EVIDENCE BY ATTACK PHASE

Incident | Initial Access | C2           | Lateral Mvmt | Collection  | Exfiltration  | Impact       | Key Evidence     | Modules
0227     | AiTM phish     | EvilProxy    | BEC          | Email rules | Wire transfer | Financial    | DNS, TLS, HTTP   | NF3, NF4, NF7
0418     | Cred theft     | CobaltStrike | PsExec/SMB   | FS staging  | rclone→Tor    | Ransomware   | SMB, C2, NetFlow | NF5, NF9, NF10
0402     | SSH brute      | Rev shell    | SSH pivot    | -           | -             | Cryptominer  | SSH, conn.log    | NF6, NF11
0720     | K8s exploit    | Rev shell    | Host escape  | CA keys     | Tor egress    | Cluster comp | K8s API, Tor     | NF6, NF10
0830     | Phish+macro    | Domain front | RDP+SMB      | SharePoint  | DNS tunnel    | IP theft     | ALL evidence     | NF14 capstone

INC-NE-2026-0227 and 0418 cross-reference the IR course. 0402 and 0720 cross-reference the Linux IR course. 0830 is NF-exclusive.

Figure NF0.8 — The five NE incidents mapped to attack phases and the network evidence each produces. Each incident is designed to teach specific protocol analysis and detection techniques. INC-NE-2026-0830 (the NF capstone) combines all techniques into a single multi-stage investigation.

INC-NE-2026-0227 — AiTM Phishing and BEC

Cross-references: Practical IR course (IR modules 3-5). Network evidence focus: DNS, TLS, HTTP, email protocols.

The attacker registered microsft-verify[.]com 48 hours before the campaign. The phishing email contained a link to this domain, which hosted an Adversary-in-the-Middle proxy that captured the user's M365 session token. The attacker used the stolen token to access Outlook, create inbox rules, and initiate a business email compromise targeting NE's finance team.

The network investigation techniques this incident teaches are DNS investigation (the domain registration trail, when it was first resolved by NE hosts, the WHOIS and passive DNS history), TLS analysis (the certificate on the phishing domain, the proxy's TLS fingerprint), HTTP analysis (the redirect chain from the phishing URL through the proxy to the legitimate M365 login page), and email protocol analysis (SMTP traffic showing the inbound phishing email).

This incident appears in NF3 (DNS), NF4 (HTTP/HTTPS), and NF7 (email protocols). If you've investigated this incident from the endpoint in the IR course, the network view reveals things the endpoint couldn't — the full redirect chain, the TLS fingerprint of the proxy, and the DNS timeline that shows when the domain was first queried by NE systems.

INC-NE-2026-0418 — Ransomware Pre-Encryption

Cross-references: Practical IR course (IR modules 7-9). Network evidence focus: SMB, C2 beacon detection, NetFlow.

The attacker compromised IT03-NGE (a helpdesk workstation) through a supply-chain attack on a legitimate IT tool. They deployed Cobalt Strike as the C2 framework, used PsExec for lateral movement to FIN01-NGE and FS01-NGE, staged 47 GB of data on the file server, exfiltrated via rclone to a Tor relay, then deployed LockBit ransomware across all three hosts.

The network investigation techniques this incident teaches are SMB/PsExec analysis (the lateral movement traffic pattern — service installation over named pipe, ADMIN$ share access), C2 beacon detection (Cobalt Strike's 60-second interval with 10% jitter, JA3 fingerprint, domain-fronted HTTPS), and NetFlow analysis (the 12.1 GB exfiltration visible as a volume anomaly in connection metadata even without payload inspection).
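The interval-plus-jitter pattern described above can be tested on connection metadata alone, which is the point of the NetFlow and C2 modules. The Python below is an added example, not course material or tooling from the NF modules; it assumes JSON-format Zeek conn.log lines and constructs its own sample traffic.

```python
"""Beacon detection over Zeek conn.log metadata (constructed sample data)."""
import json
import statistics
from collections import defaultdict

def make_lines(src, dst, port, gaps, start=1700000000.0):
    """Build constructed JSON-format conn.log rows from a list of inter-arrival gaps."""
    rows, ts = [], start
    for i, gap in enumerate(gaps):
        ts += gap
        rows.append(json.dumps({"ts": ts, "uid": f"C{src[-2:]}{i}", "id.orig_h": src,
                                "id.orig_p": 40000 + i, "id.resp_h": dst, "id.resp_p": port,
                                "proto": "tcp", "service": "ssl"}))
    return rows

# Constructed sample: one host beaconing every ~60 s with ~10% jitter, and one
# host browsing a site with irregular gaps (a 0 gap just places the first record).
SAMPLE_LOG = (
    make_lines("10.10.20.15", "203.0.113.45", 443, [0, 58, 63, 55, 61, 66, 57, 60, 64, 62])
    + make_lines("10.10.20.22", "198.51.100.7", 443, [0, 3, 120, 7, 400, 15, 90, 2, 250, 30])
)

def find_beacons(lines, min_conns=8, max_cv=0.25):
    """Flag (src, dst, port) tuples whose inter-connection gaps are nearly constant.
    CV = stdev/mean of the gaps: a 60 s beacon with 10% jitter sits well under 0.1,
    interactive traffic far above it. Needs only metadata, no payload inspection."""
    by_pair = defaultdict(list)
    for line in lines:
        r = json.loads(line)
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[pair] = {"interval_s": round(mean, 1), "cv": round(cv, 3), "count": len(stamps)}
    return hits

if __name__ == "__main__":
    for pair, info in find_beacons(SAMPLE_LOG).items():
        print(pair, info)
```

The threshold values are starting points; tune min_conns and max_cv against a baseline of the monitored network before trusting the output.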

This incident appears in NF5 (SMB), NF9 (C2 detection), and NF10 (NetFlow). It's the most referenced incident in the course because it exercises the widest range of protocols and techniques.

INC-NE-2026-0402 — SSH Brute Force and Cryptominer

Cross-references: Linux IR course (LX modules 4-6). Network evidence focus: SSH, connection pattern analysis.

The attacker brute-forced SSH on a Linux web server, escalated to root, pivoted to two additional internal Linux hosts via SSH key reuse, and deployed a cryptominer that connected to mining pool infrastructure on non-standard ports.

The network investigation techniques this incident teaches are SSH analysis (brute force patterns in Zeek ssh.log — hundreds of auth_success=false followed by a single auth_success=true, from the same source IP), connection pattern analysis (the mining pool connections are persistent, to known mining pool IPs, on ports 3333/4444/8333), and lateral movement detection (SSH connections between internal Linux hosts that don't normally communicate via SSH).
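The failure-burst-then-success pattern in ssh.log described above, as an added example (not course material or tooling from the LX or NF modules). It assumes JSON-format Zeek ssh.log records and constructs its own sample sessions; the field names used are the ones Zeek emits.

```python
"""Brute-force-then-success detection over Zeek ssh.log (constructed sample)."""
import json
from collections import defaultdict

def row(ts, src, dst, ok, attempts):
    """One JSON-format ssh.log record using the field names Zeek emits."""
    return json.dumps({"ts": float(ts), "uid": f"C{int(ts)}", "id.orig_h": src, "id.orig_p": 50000,
                       "id.resp_h": dst, "id.resp_p": 22, "auth_success": ok, "auth_attempts": attempts})

# Constructed sample: twelve failed sessions from one external source, then a
# success from the same source, plus a normal admin login and a stray failure.
SAMPLE = (
    [row(1700000000 + i * 2, "198.51.100.23", "10.10.30.5", False, 3) for i in range(12)]
    + [row(1700000030, "198.51.100.23", "10.10.30.5", True, 2),
       row(1700000040, "10.10.1.9", "10.10.30.5", True, 1),
       row(1700000050, "10.10.1.12", "10.10.30.5", False, 1)]
)

def brute_force_success(lines, min_failures=10, window_s=600):
    """Return (src, dst, failures, success_ts) for every auth_success=true record
    preceded, within window_s, by at least min_failures auth_success=false records
    from the same source to the same server. Records with auth_success unset
    (Zeek could not classify the session) are ignored."""
    records = sorted((json.loads(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    failures = defaultdict(list)  # (src, dst) -> timestamps of failed sessions
    hits = []
    for r in records:
        key, ts = (r["id.orig_h"], r["id.resp_h"]), float(r["ts"])
        if r.get("auth_success") is False:
            failures[key].append(ts)
        elif r.get("auth_success") is True:
            recent = [t for t in failures[key] if ts - t <= window_s]
            if len(recent) >= min_failures:
                hits.append((key[0], key[1], len(recent), ts))
    return hits

if __name__ == "__main__":
    for hit in brute_force_success(SAMPLE):
        print("brute force then success:", hit)
```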

This incident appears in NF6 (SSH and tunneling) and NF11 (network threat hunting).

INC-NE-2026-0720 — Container Escape and Kubernetes Compromise

Cross-references: Linux IR course (LX modules 14-16). Network evidence focus: API-based attacks, Tor egress.

The attacker exploited a vulnerable container in NE's Kubernetes cluster, escaped to the host, accessed the Kubernetes CA private key, and used it to generate certificates for cluster-admin access. Data was exfiltrated to a Tor hidden service.

The network investigation techniques this incident teaches are API-based attack detection (Kubernetes API server access patterns in conn.log and http.log — unusual client certificates, high-frequency API calls), and Tor egress detection (connections to known Tor relay IPs, distinctive TLS fingerprints, and the 9001/9030 port patterns that Tor relays use).

This incident appears in NF6 (SSH and tunneling) and NF10 (NetFlow analysis for the exfiltration volume).

INC-NE-2026-0830 — The Capstone (NF-Exclusive)

This incident exists only in this course. It's the capstone for NF14, designed to exercise every network investigation technique from every module.

The attacker compromises NE through a targeted phishing campaign with a weaponized document. C2 is established over HTTPS with domain fronting — the traffic appears to go to a legitimate CDN, but the actual destination is the C2 server. Lateral movement occurs via RDP and SMB. Data is collected from SharePoint and staged on an internal file server. Exfiltration uses DNS tunneling — data encoded in DNS queries to the attacker's authoritative DNS server.

The capstone provides only network evidence — Zeek logs, Suricata alerts, PCAP files, and NetFlow records. No endpoint data. The learner reconstructs the complete attack chain from the wire, identifies all compromised systems, measures the exfiltration volume, and produces the IR report using only the techniques learned throughout the course.

Guided Procedure — Map a Northgate incident to the modules that teach it

Step 1. Identify the attack techniques present in the incident. For INC-NE-2026-0227 (AiTM phishing), the techniques are: phishing delivery (SMTP), DNS resolution of the attacker proxy, TLS to the proxy, OAuth activity on Microsoft endpoints. For INC-NE-2026-0418 (ransomware), the techniques are: Cobalt Strike HTTPS C2, SMB lateral movement, RDP pivot, rclone exfiltration.
Expected output: A 4-8 item list of attack techniques per incident, each naming a specific protocol, tool, or network behavior.
If it fails: If your list is too short (2-3 items), you're thinking at the tactic level rather than the technique level. "Phishing" is a tactic; "AiTM proxy TLS session to attacker-controlled domain with Let's Encrypt certificate" is a technique. Go finer until each item maps to a specific network artefact.

Step 2. Map each technique to the NF module that teaches its investigation. Phishing delivery → NF7 (email protocols). DNS to attacker proxy → NF3 (DNS investigation). TLS to proxy → NF4 (HTTP/HTTPS and TLS). SMB lateral → NF5 (Windows protocols). Cobalt Strike C2 → NF9 (C2 detection). Rclone exfiltration → NF10 (NetFlow analytics). Multi-stage reconstruction → NF12 (network IR) and NF14 (capstone).
Expected output: A mapping table of technique → module. Each technique has one primary module; some map to two (a detection module plus an investigation module).
If it fails: If a technique doesn't cleanly map to one of NF3–NF14, you've found either a gap in the course coverage or a technique that sits in an adjacent course. Genuinely cross-course techniques (like M365 OAuth persistence) are covered in NF12 and NF14's capstone, not in a protocol-specific module. Flag genuine gaps for the course roadmap.

Step 3. Sequence the mapped modules in investigation order. For a multi-technique incident, the investigation order isn't the module-number order — you'd usually investigate in the attacker's kill-chain sequence: initial access (NF3 DNS, NF4 TLS, NF7 email) → establish (NF9 C2) → expand (NF5 SMB/RDP) → act (NF10 NetFlow exfil or NF3 DNS tunnel). The sequencing tells you which modules to prioritize when you're time-constrained.
Expected output: An ordered module list representing the investigation path through the incident. This is how you'd work the incident if you had the course modules open as reference material during a live investigation.
If it fails: If your sequence follows the module numbers rather than the attack chronology, you're sequencing for the course — which is valid for learning but wrong for investigation. The modules exist to be consulted out of order when an incident demands it. The mapping in Step 2 should survive any sequence the attacker imposes on you.

Decision point

You're planning your learning path through this course. You've completed the Practical IR course and you're starting Network Detection and Forensics.

Should you work through the modules in order (NF0 → NF1 → NF2 → ...) or jump to the modules that cover the NE incidents you've already investigated from the endpoint (NF5 for the ransomware SMB traffic, NF9 for the C2 detection)?

The recommended path is sequential. NF1 builds the sensor you'll use in every module. NF2 establishes the PCAP management skills used throughout. NF3-NF4 build the DNS and HTTP investigation foundations that every subsequent module assumes. Jumping to NF5 without the DNS and TLS analysis foundations from NF3-NF4 means missing the context that makes the SMB and C2 analysis meaningful.

However, if you already have a Zeek sensor deployed and you're comfortable with DNS and HTTP analysis, starting at NF5 and working forward is viable. The modules are designed to be self-contained in their protocol coverage — just ensure you've read NF0 for the methodology and NF1 for the lab setup.

Compliance Myth: "Fictionalised scenarios don't prepare you for real investigations"

The NE scenarios are fiction. The attack techniques are real. AiTM phishing, Cobalt Strike beacons, PsExec lateral movement, DNS tunneling, container escapes — every technique in every scenario is drawn from real incidents. The Cobalt Strike JA3 hash in the INC-NE-2026-0418 scenario is a real JA3 hash observed in production environments. The PsExec traffic pattern is byte-accurate to real PsExec deployments. The DNS tunneling encoding matches real dnscat2 traffic.

The fiction is the organization, the people, and the specific timeline. The network artifacts — the Zeek logs, the PCAP captures, the Suricata alerts — are technically accurate representations of what you'd see in a real investigation. The fiction provides a safe learning environment. The artifacts provide the investigation skill.

Next
NF0.9 — Evidence Integrity and Legal Context. You know the incidents. NF0.9 covers the chain of custody, evidence integrity, and legal considerations that determine whether your network evidence is admissible and your monitoring is lawful.

Try it: Map attack phases to Zeek logs

Setup. Choose one of the five NE incidents described above.

Task. For each phase of the attack chain, write down which specific Zeek log (conn.log, dns.log, http.log, ssl.log, smtp.log, smb_files.log, ssh.log, files.log) would contain evidence of that phase.

Expected result. For INC-NE-2026-0418: Initial access → dns.log + ssl.log (C2 domain resolution and TLS fingerprint). C2 → conn.log (beacon pattern) + ssl.log (JA3 hash). Lateral movement → conn.log (SMB port 445 between internal hosts) + smb_files.log (PSEXESVC.exe deployment). Exfiltration → conn.log (12.1 GB to Tor relay) + dns.log (Tor relay resolution).

Debugging branch. If you can't map all phases: some phases may not produce distinct log entries. For example, "collection" (staging data on FS01-NGE) is an internal SMB file copy — visible in smb_files.log if a sensor covers the server VLAN, but potentially invisible if the only sensor is at the egress.

Checkpoint — before moving on
1. Name the five NE incidents and state the primary network evidence each produces. (§ All incident sections)
2. Explain how INC-NE-2026-0418 appears in the IR course (endpoint perspective) and the NF course (network perspective), and what additional evidence the network view provides. (§ INC-NE-2026-0418)
3. Describe the NF capstone incident's exfiltration method and why it requires DNS investigation skills from NF3. (§ INC-NE-2026-0830)

You've built the sensor and mapped the evidence landscape.

NF0 established why network evidence matters when every other source is compromised. NF1 built your Zeek + Suricata sensor with the 10 investigation query patterns. From here, every module teaches protocol-specific investigation against real attack scenarios.

  • DNS deep dive (NF3) — tunnelling detection, DGA analysis, passive DNS infrastructure mapping, and the INC-NE-2026-0227 AiTM phishing DNS trail
  • Protocol analysis (NF4–NF7) — HTTP/HTTPS, SMB lateral movement, SSH tunnelling, and email protocol investigation with Zeek metadata and PCAP
  • Detection and hunting (NF8–NF11) — Suricata rule writing, C2 beacon detection with JA3, NetFlow analytics, and proactive network threat hunting
  • NSM architecture (NF13) — production sensor deployment at 1–10 Gbps with Arkime, Security Onion, and enterprise storage planning
  • INC-NE-2026-0830 capstone (NF14) — multi-stage investigation using only network evidence: phishing → domain-fronted C2 → lateral movement → DNS tunnel exfiltration