COMP2216 Principles of Cyber Security




COMP2216 Principles of Cyber Security 2023/24

Coursework on Cyber-Attack Analysis

Coursework: individual report on the analysis of a cyber-attack

Deadline: 3:59pm Monday 11th March 2024

(please note that submitting exactly at 4:00pm will result in a penalty)

Feedback: by Monday 29th April 2024

Weighting: 30% of module evaluation

Introduction

For this assignment, you will analyse a given cyber-attack using the kill chain model. You will also analyse the profile of the attacker.


Cyber-Attack description

Top secret documents revealing evidence of recent government misconduct have been publicly leaked, inciting citizens' anger and resulting in widespread chaos. These documents were stolen from the government agency GovVault.

A forensic analysis disclosed that the data breach occurred a few months before the public leak. The stolen documents were stored within GovVault's internal network, housed in a local file sharing application widely regarded as a leading enterprise-grade software solution trusted by numerous high-profile clients. Despite its exemplary security configuration and access control policies, the version deployed in GovVault's internal network contained a known Remote Code Execution (RCE) vulnerability, exploited in this attack to gain unauthorised access to the stolen top secret documents. Specifically, this RCE vulnerability could be exploited using specially crafted packets that, upon processing, triggered a buffer overflow condition, leading to the execution of arbitrary code with system-level privileges. The forensic analysis also revealed that the attackers gained a foothold inside GovVault's internal network via a backdoor injected into an application called SecMon, a well-known, high-standard security monitoring service widely utilised by high-profile enterprises and government agencies.

The investigation extended to SecProv, the software provider responsible for developing and maintaining SecMon. The forensic team traced the malicious SecMon version back to a software update uploaded to SecProv's internal code repository. The update was made using a legitimate account of a developer who was indeed working on SecMon and had full access privileges to the corresponding code repository. Further inquiries and investigations completely ruled out any voluntary involvement of the developer in the breach. However, a thorough analysis of the developer's workstation revealed an unusual configuration of the Remote Desktop Protocol (RDP) service, where notifications and logging had been disabled. Furthermore, the forensic team discovered that the credentials to access the developer's machine via RDP were rather weak and susceptible to a brute force attack. The forensic team continued their work under the assumption that the attackers breached the developer's workstation via the poorly secured RDP service, although they remained uncertain about the initial intrusion method. Therefore, the analysis was expanded to encompass SecProv's entire internal network. In doing so, they identified a separate backdoor, different from the one found within GovVault's internal network, installed on a machine hosting services provided by SecProv over the Internet. One of these services, a Customer Relationship Management (CRM) system, was found to be vulnerable to an RCE vulnerability distinct from the one exploited to access the local file sharing application in GovVault's internal network. The forensic team is still investigating this breach, operating under the assumption that the attackers exploited the CRM vulnerability to infiltrate SecProv's internal network.

They recently discovered a downloader script on the same machine, responsible for downloading the backdoor and modifying the operating system registry keys to ensure it ran every time the system booted up. Additionally, they noted that it took four months from the initial intrusion to the upload of the malicious update to SecProv's internal code repository.

The government has not released any information regarding interactions or negotiations with the attackers. Furthermore, this attack has not been publicly claimed by any threat actor.


Task 1 - Kill Chain-based Analysis

The objective of this task is to analyse the cyber-attack described above using Lockheed Martin's kill chain model of the cyber-attack life cycle. Some attacks may require multiple iterations of the kill chain; if so, add a subsection for each additional phase, using the phase name and iteration number as the title (e.g., "Reconnaissance Phase #2").

  • First, determine the number of kill chain iterations needed to model this attack and list all phases it went through, choosing from Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control, and Actions on Objectives.
  • Then, describe what occurred in each phase in the appropriate subsection of the template (e.g., "Reconnaissance Phase," "Weaponization Phase," …).
    • When describing a phase, focus solely on events within that phase; avoid mentioning events from prior or subsequent phases.
    • If nothing occurred in a phase, explicitly state it and provide justification.
    • If no information is available for a phase but you believe something must have occurred, make hypotheses and discuss them, clearly stating they are assumptions not directly based on the provided attack description.
    • The description for each phase must not exceed 100 words. If over 100 words, only the first 100 will be considered.

Task 2 - Attacker Analysis

Consider the following cyber actor profiles: Cybercriminal, Nation State, and Hacktivist. For each, assess their suitability for the previously analysed attack, discussing both their alignment and misalignment in terms of motivations, attack strategy, and technical skills required.

  • Regarding motivations, evaluate how the attack's impact aligns with typical motivations for each profile.
  • The discussion on attack strategy should analyse the extent to which the attack vectors and techniques used match those commonly employed by each profile.
  • The discussion on technical skills should assess how the attack's sophistication and technical skill requirements compare with those typically seen in cyber-attacks launched by each profile.

The maximum length for each discussion (motivations, attack strategy, technical skills) for a cyber actor profile is 100 words. If exceeding 100 words, only the first 100 will be considered.

Marking

Module Learning outcomes

A2. Demonstrate knowledge and understanding of the cyber threat landscape, both in terms of recent emergent issues and those issues which recur over time.

A3. Demonstrate knowledge and understanding of the roles and influences of governments, commercial and other organisations, citizens, and criminals in cyber security affairs.

B1. Critically analyse a cyber-attack and identify effective countermeasures.

Assignment Learning Outcomes (ALOs)

AS1. Analyse cyber-attacks by applying the kill chain model.

AS2. Examine the profile of the cyber actors behind a cyber-attack.

Marking Criteria

Your submission will be marked out of 100. The following criteria will be used.

Task: Task 1
Criteria: Ability to apply the kill chain model to analyse a cyber-attack
ALO: AS1
Marking scheme: Up to 73 marks, awarded based on how many phases are (i) correctly identified, (ii) well-placed in the chain, and (iii) accurately described.

Task: Task 2
Criteria: Ability to examine a cyber actor profile
ALO: AS2
Marking scheme: Up to 27 marks, awarded based on the correctness and completeness of the discussion around why the proposed profiles fit the given cyber-attack in terms of motivations, attack strategy and technical skills required.

Task: File format, report length
Criteria: Submitted file is in PDF format, the report is compliant with the provided template and is not longer than 4000 words.
ALO: -
Marking scheme: If the report is more than 4000 words or the format is not PDF, a 10 marks penalty will be applied. If the report is corrupted or cannot be opened, 0 marks will be awarded for the coursework.
