Web Vulnerabilities Cyber Threat Intelligence & Incident Response Report

Question Description

Please see the attachment below.

Unformatted Attachment Preview

Cyber Threat Intelligence and Incident Response Report

This template leverages several models in the cyber threat intelligence domain (such as the Intrusion Kill Chain, Campaign Correlation, the Courses of Action Matrix and the Diamond Model) to structure data, guide threat intel gathering efforts and inform incident response actions. If you’re not familiar with this approach, read the following papers: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains and The Diamond Model of Intrusion Analysis. This framework is discussed in depth in the SANS Institute course FOR578: Cyber Threat Forensics.

Incident Name
Report Author
Report Date
Revision Dates and Notes

Executive Summary
Describe in up to three paragraphs your key observations and takeaways related to the intrusion. Explain the adversary’s tactics, techniques and procedures. Outline the most significant courses of action taken to defend against the adversary when responding to the intrusion. The remainder of the report should substantiate this summary.

The Adversary’s Actions and Tactics
Summarize in one paragraph the adversary’s actions and tactics, as well as the effects that the intrusion had on the victims. This section of the report overlays the intrusion kill chain’s phases over the Diamond Model vertices to capture the core characteristics of the malicious activities.

Description of the Adversary
Describe observations and indicators that may be related to the perpetrators of the intrusion. If possible, highlight the attributes of the adversary operator and the adversary’s potential customer. Outline potential motivations and identifying elements. Categorize your insights according to the corresponding phase of the intrusion kill chain, as structured in the following table.
(Table with one row per kill chain phase: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives)

The Adversary’s Capabilities
Describe the adversary’s capabilities in terms of tactics, techniques and procedures (TTPs). Address the tools and tradecraft employed by the intrusion perpetrators, such as exploits, backdoors, staging methods and situational awareness. Categorize your insights according to the corresponding phase of the intrusion kill chain, as structured in the following table.
(Table with one row per kill chain phase, as above)

The Adversary’s Infrastructure
Describe the infrastructure, such as IP addresses, domain names, program names, etc., used by the adversary. Categorize your insights according to the corresponding phase of the intrusion kill chain, as structured in the following table.
(Table with one row per kill chain phase, as above)

The Victims and Affected Assets
Describe the victims affected by the adversary’s actions. Address applicable victim identifiers such as people and organization names. Also outline the affected victim assets, such as networks, systems and applications. Categorize your insights according to the corresponding phase of the intrusion kill chain, as structured in the following table.
(Table with one row per kill chain phase, as above)

Course of Action During Incident Response
Summarize in one paragraph the steps you’ve taken when responding to the various phases of the intrusion chain. The sections below should describe your actions in greater detail.

Discover
Describe in the following table the steps you’ve taken to determine what the adversary has done so far as part of the intrusion, as determined based on the analysis of logs, network packet captures, forensic data and other sources.
(Table with one row per kill chain phase, as above)

Detect
Describe in the following table the measures you’ve put in place to identify the adversary’s future activities related to the applicable intrusion phase. Explain how you defined and deployed indicators and signatures, additional sensors or instrumentation, security event data monitors, etc.
(Table with one row per kill chain phase, as above)

Deny
Describe in the following table the measures you’ve implemented to block the adversary from taking the malicious actions, staying within the context of the intrusion phase described in this report. For instance, did you block specific IPs at the perimeter firewall, patch targeted vulnerabilities, block emails that matched specific patterns, etc.?
(Table with one row per kill chain phase, as above)

Disrupt
Describe in the following table the measures you’ve established to interfere with the adversary’s attack in progress to cause it to fail. For instance, did you use an intrusion prevention system or firewall to terminate the adversary’s active network connections, quarantine suspicious files, distribute updated antivirus signatures, etc.?
(Table with one row per kill chain phase, as above)

Degrade
Describe in the following table the actions you’ve taken to slow down or otherwise degrade the attack in progress. One example of such measures might be to configure the network equipment to rate-limit the connections attributed to the adversary.
(Table with one row per kill chain phase, as above)

Deceive
Describe in the following table the steps you’ve taken to misinform the adversary in the context of the applicable intrusion phase. Deception might involve planting fake assets that might interest the intruder, redirecting the adversary’s network connections, fooling malware into believing the targeted system is already infected, employing honey tokens, etc.
(Table with one row per kill chain phase, as above)

Destroy
Describe in the following table the offensive actions you’ve taken against the adversary to reduce their ability to carry out the intrusion. Such steps are generally unavailable to private individuals or firms outside of specific law enforcement or military organizations, although coordination and intelligence sharing with these organizations is within the scope of this section.
(Table with one row per kill chain phase, as above)

Intrusion Campaign Analysis
If applicable, summarize in one paragraph the relationship between the intrusion discussed earlier in the report and other related intrusions that, when taken together, form a campaign. Mention the indicators and behaviors shared across the intrusions within the campaign. Outline the commercial, geopolitical or other factors that might have motivated the adversary’s activities.

Other Intrusions in the Campaign
Describe other incidents or intrusions that share commonalities with the intrusion discussed earlier in the report. Explain whether the shared attributes indicate a low/medium/high likelihood that the intrusions form a larger campaign. Provide internal and external intrusion names or other relevant identifiers. Include references to related internal and external documents. Clarify when the intrusions occurred.

Shared Intrusion Attributes
Specify the key indicators and behavioral characteristics that are consistent across intrusions within the campaign. Categorize the attributes according to the kill chain phase when they were exhibited and their relevance to the adversary description, attack infrastructure, capabilities (tactics, techniques and procedures) and the affected victims. Wherever possible, account for Adversary, Infrastructure, Capabilities and Victim in each applicable phase of the kill chain.
(Table with columns Adversary, Infrastructure, Capabilities, Victim and one row per kill chain phase: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives)

Campaign Motivations
Outline the likely motivation for the adversary’s activities across the intrusion campaign, including the relevant commercial, geopolitical or other factors. If practical, offer substantiated theories regarding the attribution of the campaign to specific individuals, groups or nation states.

Third-Party References
Provide references to third-party data about the intrusion discussed in this report, the campaign that it is a part of or the associated adversaries.

This report is based on the template created by Lenny Zeltser. The template is distributed according to the Creative Commons Attribution license (CC BY 4.0), which basically allows you to use this material in any way, as long as you credit the author for the original creation. The contents build upon the concepts and terminology defined by Eric M. Hutchins, Michael J. Cloppert and Rohan M. Amin’s paper Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains and Sergio Caltagirone, Andrew Pendergast, and Christopher Betz’s paper The Diamond Model of Intrusion Analysis. It also incorporates the insights from SANS Institute’s course FOR578: Cyber Threat Forensics as taught by Michael J. Cloppert and Robert M. Lee.
Complete Slide Lecture

Read a cyber threat vulnerability blog from the following sources: The Hacker News, Dark Reading, Motherboard, Security Magazine, CSO Online (CSO Magazine), AlienVault (AT&T). Use the cyber threat intelligence report template format: https://zeltser.com/cyber-threat-intel-and-ir-report-template/ Answer the questions based on what should be in the report to alert your SOC and your organization’s infrastructure stakeholders.

1. What are some advisories of interest, articles, and blog posts that may be used as primary sources of information?
2. If your organization runs Windows 8 and Internet Explorer 10, should you be concerned?
3. According to NIST, what is the CVSS score (out of 10+10+10 or 30)? Does that make you more concerned or less?
4. According to the Adobe Security Bulletin, what are the adverse effects of this malware?
5. Which release or releases are the vulnerable ones?
6. What are some ways to detect whether a computer has been infected by this vulnerability?
7. What are the two ways your users can get the update?
8. Based on your CSIRT policies, how will you communicate about this incident to your users?
9. What other useful information did you learn along the way that you can share?

Say: Now let’s review the answers to your questions.

1. What are some advisories of interest, articles, and blog posts that may be used as primary sources of information?
Wait for student responses, then emphasize: Create a small timeline, a table of facts or events sorted by date, with your findings. URLs that can be perused include the following; you can call out a few of these in class. The entire list is in the Resource Guide under “Vulnerability Research Links.”
http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0311
https://helpx.adobe.com/security/products/flash-player/apsa15-01.html
https://helpx.adobe.com/security/products/flash-player/apsb15-03.html
https://blog.coresecurity.com/2015/03/04/exploiting-cve-2015-0311-a-use-after-free-in-adobeflash-player/
https://www.fireeye.com/blog/threat-research/2015/01/a_different_exploit.html
http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2015-0311-flash-zeroday-vulnerability/
http://research.zscaler.com/2015/01/malvertising-leading-to-flash-zero-day.html

2. If your organization runs Windows 8 and IE 10, should you be concerned?
Wait for student responses, then emphasize: Per the above, yes.

3. According to NIST, what is the CVSS score (out of 10+10+10 or 30)? Does that make you more concerned or less?
Wait for student responses, then emphasize: The CVSS score for this is 30 out of 30, so very high risk and impact. However, you must consider the effect on your organization. If you don’t run Flash, a CVSS score of 30 is irrelevant.

4. According to the Adobe Security Bulletin, what are the adverse effects of this malware?
Wait for student responses, then emphasize: According to the bulletin: “Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.”

5. Which release or releases are the vulnerable ones?
Wait for student responses, then emphasize: From Adobe Support: A critical vulnerability known as CVE-2015-0311 exists in Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh.

6. What are some ways to detect whether a computer has been infected by this vulnerability?
Wait for student responses, then emphasize: Several symptoms of this infection are (A) many pop-ups and advertisements, (B) the browser redirects automatically, (C) it allows in other malware, (D) it steals data, (E) it disables functions in various applications, (F) random system crashes.

9. What other useful information did you learn along the way that you can share?
Wait for student responses, then emphasize: This is freeform. In addition to getting insights from the class, you may also have your own comments. A few notes: be cautious with vendors and applications which often have security issues and updates; you can’t ban them from your organization, but you can pay special attention to them. ...

Final Answer

Hi, I have uploaded the paper. In case of any revision, I am right here. Do not hesitate to contact me for edits. Cheers

Outline
Cyber Threat Intelligence
Incident Response Report


Cyber Threat Intelligence and Incident Response Report
This template leverages several models in the cyber threat intelligence domain (such as the Intrusion Kill
Chain, Campaign Correlation, the Courses of Action Matrix and the Diamond Model) to structure data,
guide threat intel gathering efforts and inform incident response actions. If you’re not familiar with this
approach, read the following papers: Intelligence-Driven Computer Network Defense Informed by
Analysis of Adversary Campaigns and Intrusion Kill Chains and The Diamond Model of Intrusion Analysis.
This framework is discussed in depth in the SANS Institute course FOR578: Cyber Threat Forensics.

Incident Name

The WannaCry Ransomware Attack

Report Author

Student Name

Report Date

31-March-2019

Revision Dates and Notes

Executive Summary
In May 2017, a ransomware worm known as WannaCry infected a number of computer
networks around the world. The cyberattack targeted Windows computers by encrypting files on
the hard drive to prevent the user from accessing them, then demanded Bitcoin payment for
decryption. It targeted important high-profile systems by exploiting Windows vulnerabilities. The
attack is suspected to have been perpetrated by the Lazarus Group, which has links with the North
Korean government.
The ransomware is made up of multiple components in a single self-contained program
that can extract other applications from within itself. Once the ransomware has been launched, it
attempts to access a hard-coded URL before proceeding to find files in the system and encrypt
them, making them inaccessible to the user. The worm then displays a ransom demand for bitcoins
to decrypt the files. According to cybersecurity experts, the vulnerability exploited by the
ransomware lies in Windows’ implementation of the Server Message Block protocol. The main
purpose of the protocol is to aid communication between different network nodes, and as such the
worm could trick the implementation using a special packet to execute arbitrary code. According
to credible sources, the vulnerability was first discovered by the U.S. National Security Agency,
which, instead of reporting it, created an exploit known as ‘EternalBlue.’ Later, the same exploit
was stolen by another group of hackers known as Shadow Brokers, who released it to the public.
Although Microsoft had already developed a patch, most systems were still vulnerable.
WannaCry did not immediately begin to encrypt files after infecting a computer; rather,
it tries to access the ‘kill switch’ URL. The ransomware shuts itself down if it succeeds in
accessing the domain. The main reason for this was to make code analysis difficult for security
researchers. Nevertheless, it was noted that the vulnerability patch was already available even
before the attack. It was the ignorance of the users that contributed to the massive impact of the
attack. The only remedy for infected systems that had not been patched was to restore data from
a safe backup.

The Adversary’s Actions and Tactics
The WannaCry ransomware was able to spread very fast because it had been combined
with a normal malware component that allowed it to have worm-like capabilities to propagate
itself to different systems. Although some security r...

GeniousCoach (4033)
UC Berkeley
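The report above describes two observable WannaCry behaviours: the lookup of a hard-coded kill-switch URL before encryption starts, and worm-like propagation over the Windows SMB implementation. The following is an added example, not code from the original post or from the report template, of the kind of detection logic the template's Detect section asks for: it scans constructed firewall and DNS log lines (the line formats, the host addresses and the kill-switch domain name are all assumptions; the page names no real domain) and flags hosts that query the kill-switch domain or fan SMB/445 connections out to many internal peers.

```python
"""Added example: flag WannaCry-style behaviour in constructed log lines."""
from collections import defaultdict
import re

# Placeholder: the real kill-switch domain is not named on the page.
KILL_SWITCH_DOMAIN = "killswitch.example"
# Distinct :445 destinations from one source before we call it fan-out.
SMB_FANOUT_THRESHOLD = 5

# Assumed log formats for the constructed samples below.
FW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
DNS_RE = re.compile(r"client=(?P<src>\S+) query=(?P<qname>\S+)")


def analyse(lines):
    """Return {source_ip: set_of_alert_reasons} for the given log lines."""
    alerts = defaultdict(set)
    smb_peers = defaultdict(set)   # src -> distinct hosts contacted on 445
    for line in lines:
        m = FW_RE.search(line)
        if m and m.group("dport") == "445":
            smb_peers[m.group("src")].add(m.group("dst"))
            continue
        m = DNS_RE.search(line)
        if m and m.group("qname").rstrip(".").lower() == KILL_SWITCH_DOMAIN:
            # A successful kill-switch lookup stops encryption, but the
            # sample still ran on this host, so it is still an incident.
            alerts[m.group("src")].add("kill-switch lookup")
    for src, peers in smb_peers.items():
        if len(peers) >= SMB_FANOUT_THRESHOLD:
            alerts[src].add(f"smb fan-out to {len(peers)} hosts")
    return dict(alerts)


# Constructed sample logs: 10.0.0.7 behaves like an infected host,
# 10.0.0.9 is a normal workstation making one file-share connection.
SAMPLE_LOGS = [
    "dns client=10.0.0.7 query=killswitch.example.",
    *[f"fw src=10.0.0.7 dst=10.0.0.{i} dport=445" for i in range(20, 27)],
    "fw src=10.0.0.9 dst=10.0.0.2 dport=445",
    "dns client=10.0.0.9 query=update.vendor.example.",
]

if __name__ == "__main__":
    for src, reasons in analyse(SAMPLE_LOGS).items():
        print(src, sorted(reasons))
```

In a real deployment the fan-out threshold would be tuned against a baseline of normal file-server traffic, and the kill-switch match would be run against the domain published in vendor advisories rather than the placeholder used here.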
