IY2840 Threat Detection and Core


IY2840 – Coursework 1: Threat Detection and Core
Concepts in Computer Security
Deadline: 27th Feb 2020. Each sub-question is worth 10 marks (out of 100). This is an
blind submission, and submissions are to be made in PDF format on Moodle. This coursework
counts for 10% of your grade on this module. Learning outcomes assessed are:
• Understanding of fundamental security concepts and independent problem solving.
• Understanding of application security, and how to assess vulnerabilities.
• Understanding of threat modelling and security justifications.
Description
This coursework is aimed to have you reflect on the fundamentals of computer security. To get
started, it is important to review the lecture material, the course text, but also to investigate
online. We are not after essays in this coursework. We are after concise and succinct responses
to each question, e.g.: use bulletpoints and sketches where appropriate. We expect a very
good submission to be less than 5 pages in length. Do share useful resources that you find
with others on the Moodle forum, but do not give any answers away. Note: All the work
you submit must be solely your own work. Submissions are routinely checked for
plagiarism.
Questions
1. Question 1: Vulnerabilities, Exploits and Attacks
(a) Investigate the Stuxnet case that was discussed in lecture. Calculate the Stuxnet
CVSS 3.1 base score (5 marks). Justify your assumptions and show your
calculations (5 marks). You can use the CVSS 3.1 calculator https://nvd.nist.
gov/vuln-metrics/cvss/v3-calculator to check that your results are correct.
(b) Assume that you are a SOC analyst working for a company with the industrial controllers
that are vulnerable to the Stuxnet exploit. Outline how the temporal
score is likely to change over time (5 marks) – assuming a patch is and isn’t
made available. What courses of action should you take in light of this?
Justify your answer (5 marks).
(c) Now, assume you are a SOC analyst working for a bank. They mainly use Linux
and Windows, but no Siemens industrial controllers. Outline how this impacts
the environmental score of Stuxnet for both organisations (5 marks per
organisation).
(d) “Shell shock” (CVE-2014-6271) and “Heart bleed” (CVE-2014-0160) are two widelyknown
vulnerabilities that took the security community by surprise in 2014. Reflect
on the two vulnerabilities for the same aforementioned bank scenario. Outline the
key actions you should take to combat attacks seeking to exploit those
vulnerabilities (5 marks). Create an attack tree that makes use of the two
vulnerabilities (5 marks). Make sure to describe AND/OR relationships in the
tree.
代写IY2840留学生作业、代做Threat Detection作业
(e) Compare and contrast CVE, CVSS and ATT&CK as a table and review
their advantages and limitations. (5 marks) Justify how you might use all
of them (5 marks) in the aforementioned bank scenario to improve your organisation’s
overall security posture.
2. Question 2: Threat Detection
(a) It is often difficult to predict and determine real-world harms that arise from an attack
alerted in IDSs. Outline why this is the case (5 marks)? Justify your answer
and provide two concrete examples (5 marks).
(b) The following convention for misuse detection is for use in an intrusion detection
system. A misuse rule R is formed using the following notation:
alert, activity, source -> target, payload of interest
where an alert is generated if a packet or syscall is detected, originating from a source
which might be a process or a machine, targeting a specific process or machine, carrying
a specific payload. To be valid, a rule must instantiate all of the fields. You must
present five rules, each rule must be fully described in terms of what kinds
of intrusion it is intended to catch and why the rule will work (2 marks per
rule). You may use groups and lists. (Hint: you can use the SNORT documentation
for inspiration here, but note that you ought to be original and technically creative.)
(c) In lectures we discussed the CIA triad. One of the aspects of a system that we wish to
protect is its availability. Investigate the concept of a Distributed Denial of Service.
Briefly explain how DDoS attacks are conducted (3 marks); provide an
example vulnerability and weakness an attacker might exploit to recruit
more bots (3 marks); and outline potential harms (2 marks); Identify a
potential false-positive and false-negative threat detection issues that may
appear during a DDoS in threat detection (2 marks)?
(d) Outline how an attacker might plan (5 marks) for, and execute a DDoS attack
from a single Command and Control machine. The DDoS should be executed once
enough bots have been recruited. State your assumptions and create an attack
tree (5 marks) (note: make sure to include recruitment and execution of the attack).
(e) With the previous sub-question in mind and after conducting research online: Propose
a defence strategy for DDoS attacks: how you can make your organisation
more robust against DDoS attacks (5 marks)? Propose a strategy
to benchmark your defences (5 marks)?
JH February 2020
如有需要,请加QQ:99515681 或邮箱:99515681@qq.com 微信:codehelp

上一篇:python ddos攻击器


下一篇:如何选择高防服务器?