ISYS6002: Assessment 2 task update
ISYS6002 | Assessment 2
Task: Case Study
Unit Objectives: LO1, LO2, LO3, LO4
Due Date: Friday Week 6, 11:59 pm
Weight: 50%
Description: Machine Learning Assignment 2
This assessment item has been designed to assess
the knowledge and practical skills you have
acquired as you progress through the unit. You
should begin preparing for this assessment from
week 1. The Case Study is multifaceted and
challenging. You will be required to consult
additional task resources on MySCU as you
progress through each step of this assessment.
Task Background:
You are a cybersecurity professional employed with
one of the ‘big 4’ consulting companies (e.g., Deloitte,
EY, PWC, KPMG) working with a portfolio of clients
from different sectors (e.g., banking, education,
government, retail). You will be required to provide
professional cybersecurity advice to these clients.
You will be advised as to your client by your tutor.
Your clients all have significant online presence and
many work in a high-risk environment. The threat of
cyber-attack is ever present, and the need to
secure electronic data, online ordering and billing
services, customer and employee data,
communications with customers, and all other aspects of their
business, is critical for your clients' ongoing viability.
As part of your engagement with any client you have
asked them to respond to some general questions (a
‘cyber audit’), in order to scope how this company is
initially viewing cyber security. You will need to
professionally report on your questions to the client
and any answers you have been provided. You will
also need to address the following client
requirements.
Tasks
1. Cyber audit
In addition to your own cyber audit questions that you were
expected to develop, in the appendix of this document are
client responses to other questions posed. You must identify
any issues concerning unaddressed C.I.A. (confidentiality,
integrity, availability) matters and/or any other issues needing
attention after considering these answers, and include them in your report.
2. MITRE ATT&CK Exercise
As the cybersecurity consultant for your client, you have been
tasked with a MITRE ATT&CK threat intelligence exercise
regarding an APT of interest and potential impact to the client.
There is incomplete information on this APT group and you are
to use your acquired knowledge, skills and independent
research abilities to complete a MITRE ATT&CK Navigator
exercise selecting relevant tactics and techniques.
Objectives and Evolution:
GoldRekt is believed to be a nation state threat group that
conducts cybercrime for the financial benefit of its country.
The group is reported to have been operating as early as 2005,
is still active, and may be associated with the Sandworm
Team, APT28, APT29 and FIN4. As a nation state group
hunting financial profit for their government, their strategic
objective over time appears to be cyber espionage (e.g.,
information interception for strategic decision making) and the
monetisation of compromised targets such as compromise of
ATM infrastructures with legacy systems, installation of
malicious point of sale malware (e.g., BlackPOS) and the sale
of credit cards on the dark web.
Target Sectors:
The group have targeted other nations’ government agencies,
intelligence agencies, third-party government entities for cyber
espionage objectives and banking, finance, medical and retail
for cyber crime and monetization objectives.
Operations, Tactics, and Techniques (note: these are
incomplete, and you must propose others to complete an
ATT&CK Navigator exercise):
Only some of the tactics and techniques for GoldRekt have
been identified. Based on the information given you will need
to propose more using the MITRE ATT&CK framework and
tools, presenting on an ATT&CK Navigator spreadsheet.
GoldRekt is known for their patience and persistence on initial
access, often exploiting a third party of the ultimate target via
phishing (T1566.001), remote access and public-facing
applications (T1133, T1190), where they ultimately use
malicious Point of Sale (POS) software, such as BlackPOS, and other
malicious software to compromise the end target (T1101.002)
for cyber-crime objectives. When conducting cyber espionage
activities, the group are known to conduct sophisticated DNS
and BGP attacks to hijack and intercept large amounts of
internet traffic for traffic analysis, decryption and other
forensic methods (T1410).
Figure 1: EXAMPLE ONLY!
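To turn the technique list above into something Navigator can load, the following added example (not part of the task sheet, and not a MITRE tool) builds a Navigator layer JSON from the techniques the brief gives plus a student-proposed set. The technique IDs are copied from the brief as written; the tactic names attached to T1101.002 and T1410 are assumptions drawn from the brief's descriptions, the ATT&CK/Navigator/layer version numbers are assumed, and the single proposed entry is a constructed illustration of the format, not research.

```python
import json

# Techniques the brief attributes to GoldRekt, copied as written on the task sheet.
# The brief says its list is incomplete: check every ID against the current ATT&CK
# matrix before relying on it, and move any that do not resolve into the proposed set.
GIVEN = [
    ("T1566.001", "initial-access", "Spearphishing against a third party of the target"),
    ("T1133", "initial-access", "External remote services"),
    ("T1190", "initial-access", "Exploit public-facing application"),
    ("T1101.002", "impact", "Malicious POS software (e.g., BlackPOS), as cited in the brief"),
    ("T1410", "collection", "DNS/BGP hijacking for traffic capture, as cited in the brief"),
]

def build_layer(name, given, proposed=(), domain="enterprise-attack"):
    """Return a Navigator layer dict. Given techniques score 2, proposed ones score 1,
    so the two sets render in different colours and a reader can tell them apart."""
    techniques = [{"techniqueID": tid, "tactic": tactic, "score": 2, "color": "#ff6666",
                   "comment": f"GIVEN: {why}", "enabled": True} for tid, tactic, why in given]
    techniques += [{"techniqueID": tid, "tactic": tactic, "score": 1, "color": "#ffe766",
                    "comment": f"PROPOSED: {why}", "enabled": True} for tid, tactic, why in proposed]
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},  # assumed versions
        "domain": domain,
        "description": "Techniques given in the brief plus student-proposed additions",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 2},
    }

def technique_ids(layer, min_score=0):
    """Sorted technique IDs in the layer whose score is at least min_score."""
    return sorted(t["techniqueID"] for t in layer["techniques"] if t["score"] >= min_score)

def to_json(layer):
    """Serialise the layer in the JSON form Navigator's 'Open Existing Layer' accepts."""
    return json.dumps(layer, indent=2)

# Constructed illustration of a proposed entry; your own research replaces this.
PROPOSED = [
    ("T1071.004", "command-and-control", "DNS-based C2 would fit the group's DNS tradecraft"),
]
```

Save `to_json(build_layer("GoldRekt", GIVEN, PROPOSED))` to a `.json` file, open it in Navigator, and use Navigator's Excel export for the spreadsheet the task asks for.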
3. Digital Forensics and Incident Response (DFIR) Analysis Exercise
This task makes use of Autopsy, AccessData FTK Imager and
AccessData Registry Viewer to examine the Windows registry
hives containing critical data within a digital forensics and
incident response (DFIR) investigation. You have a suspected
‘insider threat’ in your client organisation and as a
cybersecurity consultant with threat hunting and DFIR skills
you have been asked to do the job. The Windows Registry is
the central repository of configuration settings for Windows.
Some of the following activities and questions may require you
to do some simple research to better understand how the
“hives” within Windows collectively work together.
Decompress and extract the HiveImage1.img file from the
HiveImage1.7z file provided in the shared drive. Please note
that the compressed file is approximately 820MB in size and
the decompressed file exceeds 6GB in size. Ensure you have
sufficient persistent storage availability prior to proceeding
with this task.
Tasks:
• Has the Denise Robinson account ever been used to
logon to the computer? What is Denise Robinson’s
email?
• How many times has the jfriday account been used
to logon to the computer?
• How many user accounts are disabled?
• Name two SID values that would suggest that an
account was created automatically during the initial
operating system installation?
• The Key Properties pane provides a date and time as
to when a user account last had its password
changed. Is this true or false?
• How many hives does the Windows Registry contain?
• What is the name of the computer that you are
investigating?
• What time zone has this Windows computer been set
to?
• What is the benefit of being able to extract the serial
numbers of previously connected USB devices?
• How many mounted devices on this system have
assigned drive letters?
• What information is stored in the Enum folder?
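For the account questions in the task above (whether an account has ever logged on, logon counts, disabled accounts, last password change), the answers come from the binary F value under each user's key in the SAM hive. The following added example (not part of the task sheet, and not code from Autopsy, FTK Imager or Registry Viewer) decodes the fixed-offset fields of that value; the offsets follow the layout used by samparse-style RegRipper plugins, and the three accounts it parses are constructed blobs, not data from HiveImage1.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed-offset fields of the SAM\Domains\Account\Users\<RID>\F value
# (layout as decoded by samparse-style tools); timestamps are Windows FILETIME.
OFF_LAST_LOGIN, OFF_PWD_RESET, OFF_RID, OFF_ACB, OFF_FAILED, OFF_LOGONS = 8, 24, 48, 56, 64, 66
ACB_DISABLED = 0x0001  # ACB flag bit that is set when the account is disabled

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means 'never'."""
    return None if ft == 0 else datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_sam_f(blob):
    """Decode the fields an analyst needs from one user's F value."""
    if len(blob) < OFF_LOGONS + 2:
        raise ValueError("F value too short to be a user record")
    last_login = struct.unpack_from("<Q", blob, OFF_LAST_LOGIN)[0]
    acb = struct.unpack_from("<H", blob, OFF_ACB)[0]
    logons = struct.unpack_from("<H", blob, OFF_LOGONS)[0]
    return {
        "rid": struct.unpack_from("<I", blob, OFF_RID)[0],
        "last_login": filetime_to_dt(last_login),
        "pwd_reset": filetime_to_dt(struct.unpack_from("<Q", blob, OFF_PWD_RESET)[0]),
        "disabled": bool(acb & ACB_DISABLED),
        "failed_logons": struct.unpack_from("<H", blob, OFF_FAILED)[0],
        "logon_count": logons,
        "ever_logged_on": last_login != 0 or logons > 0,
    }

def build_f(rid, acb, logons, failed=0, last_login=0, pwd_reset=0):
    """Constructed F value for testing only; not taken from HiveImage1."""
    b = bytearray(80)
    for fmt, off, val in (("<Q", OFF_LAST_LOGIN, last_login), ("<Q", OFF_PWD_RESET, pwd_reset),
                          ("<I", OFF_RID, rid), ("<H", OFF_ACB, acb),
                          ("<H", OFF_FAILED, failed), ("<H", OFF_LOGONS, logons)):
        struct.pack_into(fmt, b, off, val)
    return bytes(b)

def summarise(users):
    """users: {username: F blob}; returns the per-user decode and the disabled-account count."""
    parsed = {name: parse_sam_f(blob) for name, blob in users.items()}
    return parsed, sum(u["disabled"] for u in parsed.values())

# Constructed sample hive content: one active user, one never used, one disabled.
SAMPLE = {
    "jfriday": build_f(1001, 0x0010, 7, last_login=133_000_000_000_000_000),
    "drobinson": build_f(1002, 0x0010, 0),
    "svc_old": build_f(1003, 0x0010 | ACB_DISABLED, 3, failed=2),
}
```

Registry Viewer and Autopsy display these same fields decoded; running this over an exported F value lets you confirm what the GUI shows and explain in the report where each answer came from.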
Appendix – client responses
Why is your company implementing cybersecurity?
“We believe that reducing cyber risk should be the main
deliverable of the company’s cyber security strategy and
outcome of the risk assessment decided by senior
management. At a technical level, this should include the
necessary actions to be implemented to establish and
maintain an agreed level of cyber security. Company
employees, suppliers, equipment manufacturers, and servicing
technicians do introduce a significant cyber security risk for
the company’s commercial operations. Making all
stakeholders aware of and implement all aspects of cyber
security all the time will be a critical aspect of the company’s
cyber security operations.”
How is your company addressing cyber security policies and
procedures?
“In this case the Board of Directors (BoD) has made cyber
security a priority for the company offices and has tasked the
management to formulate a strategy starting with a Cyber
security Committee to communicate with the BoD, study cyber
security ‘best practices’, provide recommendations, and
implement approved actions. Approval of a strategy and a
budget are a must and shall be addressed at the highest
management level of the company.”
What are your general thoughts, and what are you doing
towards cyber security prevention and defence strategies?
“All managers will have basic knowledge of cyber security. We
will ensure that they become more knowledgeable and can be
of a great assistance by providing proper instruction to them.
We expect to perform Penetration Tests and Vulnerability
Assessments routinely across the organisation.”
Describe how a cyber security event may be handled.
“The IR team will be responsible to handle a cyber security
incident.”
Describe how you will be using antivirus. Will office devices
be updated with a USB, auto update from the anti-virus
provider (e.g., cloud) or using an updating service?
“The antivirus, firewalls, and ISP content filtering are at a
sufficient level of cyber security.”
How will the company address controlling and monitoring
safe internet use?
“Training all personnel on good cyber security practices and
cyber security awareness is recommended.”
Describe how you would back up and restore the company’s
network.
“There will be a defined person responsible for maintaining
backups, and policy and procedure for the backup.”