Advanced Cyber Security Assignment
Answer ALL Questions
Answers will be awarded marks based on student’s justifications and respective criteria.
1. a) You work for a development company that provides specialized software and firmware to financial services companies. Your company is transitioning from private, locally hosted network services to cloud-based solutions. In this context, you also want to review your security procedures, your use of security tools and technologies, and your threat intelligence capability specifically. Briefly discuss your strategic, operational, and tactical requirements for threat intelligence. (12 marks)
b) As a relatively small company with no dedicated Security Operations Center (SOC), what is the main risk from deploying a threat intelligence feed? (5 marks)
c) Insider threats can also be categorized as either intentional or unintentional. What types of controls address risks from unintentional insider threats? (8 marks)
2. Elaborate how both inductive forensics and deductive forensics are used to assist digital forensic investigations. Illustrate the relationship between the two techniques with the help of diagram(s) to further support your explanation.
3. Refer to Ticket 111072. Translate FIVE (5) behaviors of the raw data found in the ticket into Tactics (by referring to the MITRE ATT&CK Framework). For each Tactic, provide a brief description of the behavior in the log that led you to choose that specific Tactic.
Example:
Log | Description | Tactic
PSHELL command | (runs a command via powershell.exe) - Command and Scripting Interpreter: PowerShell | Execution
Ticket: 111072
Incident: Misty Mud
Date: 05/18/2021 11:22:33
MD5 = dcf574b977e291e159b3efeddc9e5075
SHA1 = bc50bfce0ad9753a6be7448e350a15c1b7f719cc
SHA256 = 18548a48f2c30070dc3982bb04ab004a9491aa5c1933ad73a84c0de1d816cd13
Filename = winspoo1.exe
Analysis notes:
C2 protocol is base64 encoded commands over https. The RAT beacons every 30 seconds requesting a command.
So far the following commands have been discovered and analyzed:
UPLOAD file (upload a file server->client)
DOWNLOAD file (download a file client->server)
SHELL command (runs a command via cmd.exe)
PSHELL command (runs a command via powershell.exe)
EXEC path (executes a program at the path given via CreateProcess)
SLEEP n (skips n beacons)
Sandbox execution artifacts for winspoo1.exe
Network traffic:
10.1.1.1:12442 -> 8.8.8.8:53 (query A www.m1tre.org)
8.8.8.8:53 -> 10.1.1.1:12442 (response A www.m1tre.org A 129.83.44.12)
10.1.1.1:24123 -> 129.83.44.12:443
129.83.44.12:443 -> 10.1.1.1:24123
10.1.1.1:24123 -> 129.83.44.12:443
129.83.44.12:443 -> 10.1.1.1:24123
10.1.1.1:24123 -> 129.83.44.12:443
129.83.44.12:443 -> 10.1.1.1:24123
10.1.1.1:24123 -> 129.83.44.12:443
129.83.44.12:443 -> 10.1.1.1:24123
10.1.1.1:24123 -> 129.83.44.12:443
129.83.44.12:443 -> 10.1.1.1:24123
File activity:
Copy C:\winspoo1.exe -> C:\Windows\System32\winspool.exe
Registry keys added:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winspool REG_SZ "C:\Windows\System32\winspool.exe"
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 18-1528-43.
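As an added illustration for Question 3 (not part of the assignment or of the MITRE ticket), the following Python script shows how an analyst might triage two items from the ticket's analysis notes: decoding the base64 command grammar into its documented verbs, and counting repeated outbound connections in the sandbox traffic to surface the beaconing destination. The flow lines are copied from the ticket; the base64 message and the effect labels in COMMANDS are constructed for the example.

```python
import base64
import re
from collections import Counter

# Command grammar copied from the ticket's analysis notes (verb, then one argument).
# The effect labels are a constructed triage classification, not from the ticket.
COMMANDS = {
    "UPLOAD": "file written to the victim",
    "DOWNLOAD": "file read from the victim",
    "SHELL": "code execution via cmd.exe",
    "PSHELL": "code execution via powershell.exe",
    "EXEC": "code execution via CreateProcess",
    "SLEEP": "beacon suppression",
}

# Constructed sample of one C2 message as it would appear on the wire.
SAMPLE_MESSAGE = base64.b64encode(b"PSHELL whoami").decode("ascii")

# Flow lines copied from the ticket's sandbox network traffic.
TICKET_FLOWS = [
    "10.1.1.1:12442 -> 8.8.8.8:53 (query A www.m1tre.org)",
    "8.8.8.8:53 -> 10.1.1.1:12442 (response A www.m1tre.org A 129.83.44.12)",
] + ["10.1.1.1:24123 -> 129.83.44.12:443", "129.83.44.12:443 -> 10.1.1.1:24123"] * 5

FLOW_RE = re.compile(r"^([\d.]+):(\d+) -> ([\d.]+):(\d+)")

def decode_command(message):
    """Decode one base64 C2 message into (verb, argument, effect).
    Anything outside the documented grammar returns None so it is queued for
    manual review rather than guessed at."""
    try:
        text = base64.b64decode(message, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    parts = text.strip().split(" ", 1)
    if len(parts) != 2 or parts[0] not in COMMANDS:
        return None
    return parts[0], parts[1], COMMANDS[parts[0]]

def beacon_candidates(flow_lines, host, min_repeats=3):
    """Count connections the host initiates per destination and keep the repeated ones.
    A fixed-interval beacon (every 30 seconds per the notes) hits one destination over
    and over, while the one-off DNS lookup falls below the cut."""
    counts = Counter()
    for line in flow_lines:
        m = FLOW_RE.match(line.strip())
        if m and m.group(1) == host:
            counts[(m.group(3), int(m.group(4)))] += 1
    return {dst: n for dst, n in counts.items() if n >= min_repeats}
```

Running beacon_candidates over the ticket's traffic with host "10.1.1.1" returns only 129.83.44.12:443 with five hits, which is the observation a student would cite when describing the C2 channel.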
4. Discuss whether it is illegal to access the dark web. Additionally, describe THREE (3) reasons why people use the Dark Web.