assignment will require you to submit a word document and a powerpoint
slidedeck. For this assignment, we will build the profile of the APT
group, identifying likely related personas, victims, infrastructure,
tools, etc. using the Diamond model and then map the group’s tools,
techniques, and procedures (TTPs) to the Lockheed Martin Cyber Kill
Chain stages.this assignment has 2 parts.
IT 462 Homework #2: “Applying Cyber Threat Intelligence pt. 1”
This homework assignment builds on the work you have done earlier in the semester on APT threat groups.For this assignment, we will build the profile of the APT group, identifying likely related personas, victims, infrastructure, tools, etc. using the Diamond model and then map the group’s tools, techniques, and procedures (TTPs) to the Lockheed Martin Cyber Kill Chain stages. This assignment will require you to use several (at least 4) industry reports on the APT group you chose. Include citations in each of the deliverables including the specific page number where the information can be found.
A Powerpoint presentation on the APT actor using the Diamond Model (Slide 1: “APT X” summary and subsequent slides on each of the four quadrants) and how its TTPs map to each stage of the Kill Chain, as well as a Word document summarizing your findings (Section 1: “APT X”, Section 2: “APT X Mapping to Cyber Kill Chain”).
- Use at least 4 incident reports (i.e. individual reports on your APT actor like “Operation Troy”, Operation Blockbuster”, etc.) from cyber security vendors (FireEye/Mandiant, CrowdStrike, Symantec, Novetta, etc.) to fill in the diamond model with virtual personas, email addresses, domains, WhoIs registration records, infrastructures, malware, exploits, vulnerabilities, and victims.
- On subsequent slides, map the TTPs to each stage of the Cyber Kill Chain. If you are having trouble identifying how the TTPs map, I suggest looking over MITRE’s ATT&CK matrix.
- In a Word document, write up your findings, dedicating at least a paragraph to each of the points in the diamond model. Who organizationally is likely responsible for conducting these attacks, what is their end goal, what type of victim do they tend to target, how technologically savvy is the actor based on its tools and techniques, does the actor favor one type of attack or exploit over others, etc.
Applying Cyber Threat Intelligence pt. 2”
This homework assignment builds on Homework #2 where you identified core characteristics and TTPs of a specific APT group.For this assignment, the focus is to develop actionable signatures that would detect your APT actor on a network.
This assignment is to create signatures aka actionable detection measures for your APT group. I am expecting that you will develop unique signatures based on the information you provided in Homework #2, not ones lifted from the Internet; plagiarism of this sort will result in an immediate 0 for the assignment and will be recommend to the University for an honor code violation
- A Powerpoint slide or Word document containing YARA-based detection signatures for each stages of the Kill Chain. These YARA signatures must include all three sections; you are the author of the signature, so make sure that is reflected in the meta section. Since reconnaissance is often outside of the control of network defenders, you do not need to create a yara or network-based (Snort, Bro, etc.) signature for phase 1 of the Kill Chain.
- In cases where YARA signatures are not applicable, SIEM rules/heuristics would also be acceptable, so long as it is tailored to your APT group’s TTPs and not a generalized measure.
- Also, identify any other relevant mitigations that would prevent this attacker from being able to gain a foothold into the network based on the TTPs you identified in Homework #2 that we would need to be put in place in our network security appliances and across the enterprise.