Assess cyber security vulnerabilities and threats
Assignment Brief
This individual assignment contributes to the assessment of the following Intended Learning Outcomes of the unit:
- Critically evaluate the emerging threat landscape introduced by various technologies and in different business sectors.
- Critically evaluate Log Management and Security Information and Event Management (SIEM) systems.
- Critically evaluate, manage and handle cyber security events and incidents.
- Construct and critically evaluate policies and methods for information sharing, incident handling and Computer Security Incident Response Team (CSIRT) operations.
Part 1. Cyber Kill Chain and Indicators of Compromise (1750 words approx.)
The seminal work by Hutchins et al. has influenced the development of methodologies for defending against APTs. In this part of the coursework, you will need to map the phases of the cyber kill chain on a threat of your choice and study how SIEM could assist the mitigation processes. More specifically, the steps of your study and sections of the essay should include the following:
- Introduction and description of a specific threat. Pick any threat and after introducing it, explain what the criticality and impact can potentially be for an organization, by showing how it would affect one or more of the security goals (confidentiality, integrity, availability). For this question you can consider threat intelligence methodologies or frameworks such as ENISA’s Emerging Threats Landscape, MITRE’s ATT&CK Framework etc.
- Mapping of the selected threat to the cyber kill chain. With the use of specific examples, technologies and attack vectors from the literature, show how the threat could follow the cyber kill chain stages. Some generic examples are shown in Tables 2, 3 and 4 of the kill chain paper.
- Describe how a SIEM solution could provide intelligence in the different phases in order to detect the attempted (or successful) breach or attack. In doing this you should consider and identify the relevant Indicators of Compromise (IoC), tools as well as any presentation or visualization alternatives to allow the analyst and system administrator to identify the security related events.
Sample Answer
Cyber Kill Chain and Indicators of Compromise: A Case Study of Ransomware Threats
Introduction to the Threat: Ransomware
Ransomware has emerged as one of the most destructive and financially devastating cyber threats in recent years. It is a form of malicious software that encrypts a victim's data, rendering it inaccessible, and demands payment (often in cryptocurrency) for the decryption keys. Prominent examples include WannaCry, Ryuk, LockBit, and Conti. Ransomware is frequently delivered via phishing emails, exploit kits, or remote desktop protocol (RDP) attacks.
The impact of ransomware attacks on organisations can be severe. In 2021, the Colonial Pipeline attack disrupted fuel supplies across the United States. In the UK, the NHS was significantly affected by the WannaCry attack in 2017, leading to the cancellation of thousands of appointments and operations.
From a security goals perspective:
- Confidentiality is breached when attackers gain unauthorised access to sensitive files.
- Integrity is compromised when data is altered or encrypted without permission.
- Availability is most severely affected, as ransomware denies users access to critical systems and files.
Threat intelligence frameworks like MITRE ATT&CK and ENISA’s Threat Landscape Report identify ransomware as a growing Advanced Persistent Threat (APT), affecting sectors such as healthcare, education, logistics, and finance.
Mapping Ransomware to the Cyber Kill Chain
The Cyber Kill Chain, developed by Lockheed Martin, breaks down an attack into seven stages. Below is how ransomware typically aligns with each stage:
1. Reconnaissance
In this stage, the attacker collects information about the target network. This can involve scanning IP ranges, identifying vulnerable services, or gathering employee email addresses for spear-phishing.
Example: An attacker uses LinkedIn to identify IT staff and then targets them with personalised phishing emails.
2. Weaponisation
The attacker creates the ransomware payload, often embedding it within a document (e.g., a macro-enabled Word file) or an executable, ready to be delivered to the victim.
Example: Ryuk ransomware is weaponised as a Trojan, delivered through TrickBot or Emotet malware.
3. Delivery
This is how the malware reaches the victim. Common methods include:
- Phishing emails with malicious attachments or links.
- Compromised websites hosting exploit kits.
- Drive-by downloads.
Example: An employee clicks a link in a phishing email that downloads ransomware.
4. Exploitation
The ransomware exploits system vulnerabilities to execute code. It may also exploit human vulnerabilities like poor password hygiene.
Example: The attacker exploits an unpatched SMB vulnerability (like EternalBlue in WannaCry) to spread across the network.
5. Installation
The ransomware installs itself on the victim's device and may attempt to disable antivirus and backup software.
Example: The malware encrypts data and deletes shadow copies to prevent recovery.
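The brief asks how a SIEM could surface Indicators of Compromise at each kill chain phase. The following is an added example, not part of the assignment brief or the sample essay: a minimal SIEM-style correlator in Python that runs four detection rules over constructed log events, one for each of the stages above that leaves a trace on the defender's infrastructure (reconnaissance, delivery, exploitation and installation). Weaponisation happens on the attacker's side and produces no log for the defender, so it has no rule. The event format, field names, thresholds, IP addresses and sample lines are all assumptions of this example; the shadow copy deletion pattern follows the essay's Installation example and the SMB fan-out rule follows its EternalBlue/WannaCry example.

```python
import re
from collections import defaultdict

# Constructed sample log events (not real captures). Three sources are mixed:
# firewall connection logs ("fw"), mail-gateway logs ("mail") and Windows
# process-creation logs ("proc"). Field names are assumptions of this example.
SAMPLE_EVENTS = [
    # Reconnaissance: one external address probes many ports on one server.
    *[{"type": "fw", "src": "203.0.113.9", "dst": "10.0.0.5", "dport": p}
      for p in (21, 22, 80, 135, 139, 443, 445, 3389)],
    # Benign internal traffic that must not trigger anything.
    {"type": "fw", "src": "10.0.0.12", "dst": "10.0.0.5", "dport": 443},
    # Delivery: phishing mail carrying a macro-enabled attachment.
    {"type": "mail", "rcpt": "it-admin@example.test",
     "sender": "billing@invoice-portal.test", "attachment": "Invoice_0423.docm"},
    {"type": "mail", "rcpt": "hr@example.test",
     "sender": "payroll@example.test", "attachment": "timesheet.pdf"},
    # Exploitation: one workstation opens SMB (445) to many peers, the
    # lateral-movement pattern of an SMB worm such as WannaCry.
    *[{"type": "fw", "src": "10.0.0.12", "dst": f"10.0.0.{i}", "dport": 445}
      for i in range(20, 32)],
    # Installation: shadow copies deleted on the same workstation.
    {"type": "proc", "host": "WS12", "user": "jdoe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "proc", "host": "WS12", "user": "jdoe", "cmd": "notepad.exe"},
]

# Rule parameters (assumed values; tune them to the monitored environment).
PORT_SCAN_THRESHOLD = 6          # distinct ports from one external source to one host
SMB_FANOUT_THRESHOLD = 10        # distinct internal peers reached on 445 by one host
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm")
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
KILL_CHAIN_ORDER = ["Reconnaissance", "Delivery", "Exploitation", "Installation"]


def is_internal(ip: str) -> bool:
    """Assumed address plan: the internal network is 10.0.0.0/8."""
    return ip.startswith("10.")


def correlate(events):
    """Return {stage: [finding, ...]} for every stage whose rule fired."""
    findings = defaultdict(list)
    ports_seen = defaultdict(set)   # (external src, dst) -> ports touched
    smb_peers = defaultdict(set)    # internal src -> internal peers reached on 445

    for e in events:
        if e["type"] == "fw":
            if not is_internal(e["src"]):
                ports_seen[(e["src"], e["dst"])].add(e["dport"])
            elif e["dport"] == 445 and is_internal(e["dst"]):
                smb_peers[e["src"]].add(e["dst"])
        elif e["type"] == "mail":
            if e.get("attachment", "").lower().endswith(MACRO_EXTENSIONS):
                findings["Delivery"].append({
                    "ioc": "macro-enabled attachment", "rcpt": e["rcpt"],
                    "sender": e["sender"], "attachment": e["attachment"]})
        elif e["type"] == "proc":
            if SHADOW_DELETE.search(e["cmd"]):
                findings["Installation"].append({
                    "ioc": "shadow copy deletion", "host": e["host"],
                    "user": e["user"], "cmd": e["cmd"]})

    # Aggregate rules are evaluated once all events in the window are seen.
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= PORT_SCAN_THRESHOLD:
            findings["Reconnaissance"].append({
                "ioc": "port scan", "src": src, "dst": dst,
                "port_count": len(ports)})
    for src, peers in smb_peers.items():
        if len(peers) >= SMB_FANOUT_THRESHOLD:
            findings["Exploitation"].append({
                "ioc": "SMB fan-out", "src": src, "peer_count": len(peers)})
    return dict(findings)


if __name__ == "__main__":
    result = correlate(SAMPLE_EVENTS)
    # Present findings in kill chain order, the view an analyst dashboard would show.
    for stage in KILL_CHAIN_ORDER:
        for f in result.get(stage, []):
            print(f"[{stage}] {f}")
```

The two single-event rules (macro attachment, shadow copy deletion) fire as soon as the event arrives, while the two aggregate rules (port scan, SMB fan-out) need a count over a time window, which is why they are evaluated after the loop; a real SIEM would bound that window and would pair the process-creation rule with a backup-service-stopped rule to catch the "disable backup software" behaviour mentioned under Installation.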
Continued...