Fulfills Step 4 of GSUSA Ambassador Cybersecurity Investigator badge requirements.
Info Needed for the badge requirements: Security log files keep track of all security-related events in a network. Cybersecurity experts study these logs to spot anything unusual and understand how an attack occurred. By analyzing these files and solving the case, scouts learn ways to better protect their city from future attacks.
Items Needed
- Briefing Card #6 from VTK Briefing Cards 6-7 by GSUSA (print and cut out ahead of time)
- VTK Internal Memo by GSUSA (one for scouts to share)
- VTK Server Security Log by GSUSA (one set for scouts to share)
Instructions
Step Four: Investigating the Cyber Attack
- The city is currently facing a ransomware attack that has encrypted data and disrupted services across departments. Investigators have identified a hacker network involved in the attack, along with their usernames and associated IP addresses. To aid the investigation, two key documents—a police chief’s memo and a server security log—have been released. Scouts must analyze these documents to determine which department was attacked, who the attacker was, and what actions they took on the network.
- Give the scout playing the mayor (from Steps 1-3) the Briefing Card #6, the Internal Memo, and the Server Security Log. The mayor gathers all city departments and reads the information on Briefing Card #6 to everyone.
- Scouts review the Internal Memo and Server Security Log together. Using the logs and IP addresses, scouts work to find out:
  - Which department was hacked.
  - Who the hacker was.
  - What changes they made to the system.
- Let scouts work independently, even if they initially struggle to connect the clues. This is part of the process. If needed, provide the following tips to guide them, one at a time, every five minutes:
  - After 5 minutes: look for unusual activity in the log, anything that stands out, and match it to the affected department.
  - After 10 minutes: use the IP addresses given to see which hacker accessed the server and what they did.
  - After 15 minutes: focus on log activity between 3:00 and 7:00 p.m.
- Once scouts solve the mystery, confirm their findings with the solution:
  - Which department was attacked. (Parks and Rec Department)
  - Who the attacker was. (NtA_GR8Daisy)
  - What they did to the network. (Likely gathered information at 16:20:59, and attacked at 18:06:03)
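For leaders who want to show scouts how an analyst automates the same three tips (spot unusual entries, match known IP addresses, narrow to the 3:00–7:00 p.m. window), here is an added example; it is not part of the GSUSA materials, and the log format, usernames, IP addresses, departments and times in it are all constructed.

```python
# Added example, not from the GSUSA badge kit: apply the three investigation
# tips to a constructed server log. Every name, IP and timestamp is made up.
from datetime import time

# Constructed "hacker network" roster from the memo: IP address -> username.
SUSPECT_IPS = {
    "203.0.113.45": "suspect_user_A",
    "198.51.100.7": "suspect_user_B",
}

# Constructed log lines in the form "HH:MM:SS <ip> <department> <action>".
SAMPLE_LOG = """\
09:02:11 192.0.2.10 Finance login_success
12:47:30 192.0.2.22 Library file_read
16:12:05 203.0.113.45 Transit directory_listing
16:13:40 203.0.113.45 Transit config_read
17:55:02 192.0.2.10 Finance logout
18:30:40 203.0.113.45 Transit files_encrypted
20:15:00 198.51.100.7 Water login_failed
"""

def parse_log(text):
    """Split each raw line into fields; timestamps become datetime.time objects."""
    events = []
    for line in text.splitlines():
        stamp, ip, dept, action = line.split()
        h, m, s = (int(part) for part in stamp.split(":"))
        events.append({"time": time(h, m, s), "ip": ip, "dept": dept, "action": action})
    return events

def suspect_activity(events, start=time(15, 0), end=time(19, 0)):
    """Tips 2 and 3: keep only events from known suspect IPs inside 3-7 p.m."""
    return [e for e in events if e["ip"] in SUSPECT_IPS and start <= e["time"] <= end]

def investigate(text):
    """Answer the three badge questions; None if no suspect activity is found."""
    hits = suspect_activity(parse_log(text))
    if not hits:
        return None
    # Earlier suspect events are treated as information gathering, the last as the attack.
    first, last = hits[0], hits[-1]
    return {
        "department": last["dept"],
        "attacker": SUSPECT_IPS[last["ip"]],
        "first_seen": first["time"].strftime("%H:%M:%S"),
        "attack_at": last["time"].strftime("%H:%M:%S"),
        "actions": [e["action"] for e in hits],
    }

if __name__ == "__main__":
    print(investigate(SAMPLE_LOG))
```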