7808ICT Threat Intelligence Cycle Assignment Sample

Cyber Security Management - Question 1

This question concerns Splunk.

a) What is the Splunk search command that will produce the following chart over time for the botsv2 index of the top five DNS servers used by Frothly? You must also omit the null and other values. Describe how you would display this visualisation.

Individual clicks made by a user when interacting with a website are associated with each other using session identifiers. You can find session identifiers in the stream:http sourcetype. The Frothly store website session identifier is found in one of the stream:http fields and does not change throughout the user session.

Index="botsv2" sourcetype="stream:http " Frothly

|fillnull DNS

|stats count by DNS

|sort – desc | head 5

b) Which user ID experienced the most logins to their account from different IP address and user agent combinations on the Frothly store website? Explain your process and reasoning for your answer. Hint: The user ID is an email address.

1.) I will write Regex to extract UserID from Email Address using eval command

2.) Will use Stats count by IP address UserID

c) Several user accounts sharing a common password is usually a precursor to undesirable scenario orchestrated by a fraudster. Which password is being seen most often across users logging into http://store.froth.ly? Explain your process and reasoning for your answer.

Will list out with stats count with user and password strength by filtering http://store.froth.ly

Will see top 5 using sort desc and head 5 , password most often seen user stats

The following scenario concerns question 2-4.

The Greenslopes Private Hospital south of Brisbane is a general hospital specialising in cancer and cardiac care with over 500 beds. IT systems are at the essential of the smooth functioning of the hospital with a complex shared patient database at its core. With several large buildings within the hospital and outpatient’s facility the IT network has several hundred endpoints. While the hospital boasts over 2500 healthcare workers, there are only two staff (you are one of them) in its Security Operations Centre.

Two days ago, one of the Greenslopes Hospital outpatient clinics was infected with ransomware which quickly also infected part of the central patient database. This has caused disruptions in patient care and planned surgeries. Hospital management is concerned as the ransom deadline is approaching and decisions on whether to pay the ransom are yet to be made. The following questions are related to this scenario.

Cyber Security Management - Question 2

This question concerns Threat Intelligence.

a) Demonstrate your knowledge of the Threat Intelligence Cycle by describing how you would use it to manage threat intelligence at Greenslopes Hospital.

For GreenSlopes Hospital, we will following these steps :

1.) Prepare

2.) Protect

3.) Detect

4.) Respond/Recover

Prepare:

we have first prepare Sources in 3 ways:

1.) Internal Sources

2.) Technical Sources

3.) Human Sources

Threat Hunting team will create hypothesis and pass to operation team to investigate.

Protect:

Operation team will collect the data using investigating tools and technique

And do the enrichment and analysis.

Detect:

Through intelligence we deduct and uncover patterns

Respond:

Appropriate threat response to be taken and update response workflow based on TTPs.

b) Show your understanding of different levels of Cyber Threat Intelligence by describing how threat intelligence at each of these levels may be used by Greenslopes Hospital.

Level 1: Guarded

Threat Research team will start with Preparing Questionnaire for Hospital that might be including technical questions/organization questions/ hypothesis.

Example like: Advance Persistence Threat (PII,Intellectual Property, information)

Level 2: Elevated

Operation team will start with minimum data collection find how and query the procedures

Level 3: High

For SOC/NOC Managers and Threat Analytics will be aggregating events and they will plan conduct and sustain attack that will operational

Level 4. Critical:

Where from CISO/CIO and Risk officer will take decisions

c) Sources of Cyber Threat Intelligence are important. Describe three (3) sources of threat intelligence that would be relevant to Greenslopes Hospital in this scenario and give examples of how these sources of threat intelligence may be used to benefit Greenslopes Hospital.

1.) Patient Experience and operational Efficiency

2.) Medical Device Monitor

3.) Compliance /Operations/privacy Control

For Greenslopes Hospital, these 3 sources will be very important , because these are like building blocked of any hospital and all information will be relay on these.

Lets go with one by one :

Patient Experience and operational Efficiency : this will showing us as review of our services for Patients experience and it will also helpful for checking operational effectiveness.

Medical Device Monitor : this will helpful for critical and high level of intelligence and monitoring

Compliance /Operations/privacy Control

Cyber Security Management - Question 3

This question concerns Threat Hunting.

a) Describe the Threat Hunting Maturity model with respect to Greenslopes Hospital. For each level describe how Greenslopes Hospital can implement processes to meet that level of maturity.

We will first make team :

Threat Hunting Team(Analyst )

Operational Hunting Team

Research Hunting team

These team will be follow Maturity model

HMM1 :Minimal :

When any threat approach to hospital, Analyst will be advising extract key indicators

HMM2 :Procedural :

gathering data about malware that is trying to download or display advertisements on hospital network

HMM3 :Innovating :

Research team Will do data analysis procedures and collect very high level of routine data and detect malicious activities using behavioural techniques

HMM4: Leading :

As soon as we deduct the key factors , we will automate it at different level of networking.

b) The ransomware infection in the Greenslopes Hospital IT network must be stopped. Demonstrate your knowledge of the Threat Hunting Loop by describing how it can be used to find the ransomware in the Greenslopes Hospital systems. You can add reasonable assumptions to provide details to explain the Threat Hunting Loop.

Threat hunting team will create hypothesis and pass to operational team, they will using tool like splunk and do the analysis on different phase like statics analysis ,dynamic analysis and hybrid analysis

After then research team check signature /Remote IPs ,that be identify nature of threat and it can be stop at multiple level of network layer.

c) Describe how Greenslopes Hospital can implement the Pyramid of Pain.

It can be divided into 2 part :

1. Behavioural based detection using TTP/tools/Artifacts

Example : Patient Experience and operational activity can be monitor at different level

2. Automation of traditional indicators using domain name/hash values/Ip address

Example : Compliance /Operations/privacy Control

Cyber Security Management - Question 4

This question concerns Cyber Security Maturity Models and Metrics.

a) Demonstrate your understanding of the CMMI model and explain what maturity level you believe that Greenslopes Hospital achieves in this model?

CMMI capability maturity model has 5 levels

Level 1 is Initial – the process cannot be incalculable, very less controllable and it is reactive

Level 2 is managed – It is reactive and the processes are characterized for projects

Level 3 is defined - It is a proactive level and processes are characterized by the company

Level 4 is quantitively managed – in this level the processes are measurable and can be controlled

Level 5 is optimizing – this level is focused on the improvement of the process

According to my perspective Level 1 maturity model is the suitable level for the given scenario because the greenslopes patients are already infected with the ransomware and it was quickly infected the central patient database which is very difficult to control after affecting. As the database was infected the planned surgery time table was getting disrupted.

b) Demonstrate your understanding of the C2M2 model. Identify three model domains that would be relevant to the Greenslopes Hospital scenario and explain why you have selected these. For each domain model give an example of how you would determine the maturity indicator level in the Greenslopes Hospital scenario.

Cyber security capability maturity model it provides the descriptive guidance, the abstraction is high level so the greenslopes organizations can be interpreted by various types, sizes and structures.

The three model domain that is relevant to the greenslopes hospital that is

1) Threat and vulnerability mamnagement

2) Risk management

3) Information sharing and communication

c) Greenslopes Hospital have limited time and budget. Determine two critical security metrics relevant to the current scenario that should be regularly monitored and defend your choice to management.

1) Excutive vulnerability matrix

2) Threat agent

3) attack vectors

4) critical impact and

5) organisational impact

Remember, at the center of any academic work, lies clarity and evidence. Should you need further assistance, do look up to our Computer Science Assignment Help