This assignment is worth 35% of the total assessment for 7808ICT. It is individual work. While you can discuss the assignment with your peers, your submission should be your own work. You should provide evidence of your own work incorporated in your submission (e.g. screenshots with your login name showing).
The objective of this assignment is to gain knowledge and understanding of cyber security information and event management through research and practical experience. This understanding is to be demonstrated by the submission of a technical report investigating potential cyber incidents and strategic documents recommending governance, policy and procedures.
Frothly is a small premium beer brewing company with intentions of making it big. Competition in the brewing industry has become intense. Other companies are looking to get intellectual property from Frothly by whatever means possible. It looks like the previous web scan was only the beginning.
Your job now is to investigate the possible breach to determine what was stolen or if a breach occurred. The Chief Information Officer is also concerned about cyber security practice and management within the organisation and has asked you to provide a review of these processes and procedures in line with recent relevant vulnerabilities.
All assignment related data can be found in the botsv2 index (you must include “index=botsv2” in all your searches) on the http://splunk.ict.griffith.edu.au:8000 Splunk Enterprise server. Log in using the same credentials you have been using for the tutorials. If you have not logged in before, use the following credentials and change your password.
sXXXXXXX is your Griffith username. When you log in for the first time you will be prompted to change your password (which you will need to remember). Once you have reset the password, use your new password for subsequent logins.
IMPORTANT: If you are trying to connect to the server from off campus, you must connect through a VPN first. Details of how to VPN into the Griffith Network can be found on the Virtual Private Network for Griffith webpage.
Please note that the assignment data is much bigger and more realistic than your tutorial data, so you must limit your searches, otherwise you will be waiting for a long time for a response as well as slowing down everyone else.
This assignment consists of two tasks that should be addressed and submitted in the same document.
Task 1: Splunk Based Incident Investigation
Frothly's competitors are looking to take intellectual property from them, and the Chief Information Officer believes that they may try to compromise Frothly's online systems. The following questions relate to a possible attack on the Frothly computer systems. As part of the answer for each of these questions, your report must include:
A clear description of the reasoning for your answer.
A detailed description of the process that you followed and the searches that you used to obtain the answer. It is expected that you will include screenshots in your description.
Provide a list of suspicious IP addresses that attempt to make an unauthorized web connection to Frothly systems. Only list connections that have a duration of longer than 1 minute.
Identify and display the US states that contribute the most client registrations on the Frothly web site. Which states have the most unauthorised web connections?
Which web pages are directing Frothly’s customers to their web site? Identify the top external websites that contribute the most referrals to the Frothly web site and display the number of referrals in a table.
The server running www.brewertalk.com experienced temporary unavailability. When did this happen and for how long?
This temporary unavailability was caused by a vulnerability scanner running a web vulnerability scan against www.brewertalk.com. Provide the range of ports that were scanned by this vulnerability scanner.
An important file is transferred from Kevin Lagerfield’s laptop. What is this important file?
Kevin Lagerfield claims that this file was stolen from his computer because he received a warning a few weeks ago. Is there any evidence to support or refute his claim?
Frank Ester claims that his password on http://www.brewertalk.com/ was leaked. Frank lets you know his password is Aa12345. Is there evidence that this password was extracted?
The password leak was caused by misuse of the updatexml SQL function. Apart from the updatexml function, the attacker also misuses another function for reconnaissance purposes. What is this function?
Metrics and Visualisation:
Develop a Splunk cyber security related dashboard for the Frothly data. The dashboard should include four panels using a variety of visualisations, with at least one single-value display. The dashboard should use at least the following Splunk functions:
Custom Field Extraction
As well as showing the output of the dashboard, your report must include:
A clear description of the design of your dashboard, explanations of the searches used, and the importance and purpose of each panel.
A detailed description of how you incorporated command functionality into the dashboard and the reasoning for why each panel shows important cyber security information.
Task 2: Strategic Planning
In March 2021, significant new vulnerabilities were discovered in Microsoft Exchange software. Frothly originally installed an on-premises licence for Microsoft Exchange when it was incorporated 10 years ago and is heavily invested in its operation. The Chief Information Officer has come to you to recommend how Frothly should proceed. There is an expectation that you will provide recommendations for Frothly processes and policies with examples related to the recent Microsoft Exchange vulnerabilities.
Threat Intelligence (Your response for this section should be limited to 6000 characters including spaces)
Demonstrate your understanding and knowledge of Threat Intelligence by recommending policies and processes for obtaining, developing, and analysing threat intelligence related to the recent Microsoft Exchange vulnerabilities specific to Frothly.
Threat Hunting (Your response for this section should be limited to 6000 characters including spaces)
Demonstrate your understanding and knowledge of Threat Hunting by recommending procedures for hunting threats and identifying indicators of compromise that are a result of the Microsoft Exchange vulnerabilities specific to Frothly.
Playbook Development (Your response for this section should be limited to 6000 characters including spaces)
Demonstrate your understanding and knowledge of Incident Response Playbooks by describing an incident playbook for the Microsoft Exchange vulnerabilities specific to Frothly.
Security Orchestration and Automated Response (Your response for this section should be limited to 6000 characters including spaces)
Demonstrate your understanding and knowledge of Security Orchestration, Automation and Response by describing processes and policies for providing an automated response to the Microsoft Exchange vulnerabilities specific to Frothly. Specific tools can be recommended, but you need to describe how these are configured and how they are expected to provide the automated response.
Maturity Model (Your response for this section should be limited to 6000 characters including spaces)
Frothly have determined that they will use C2M2 as a metric for measuring and improving their cyber security stance. Demonstrate your understanding and knowledge of C2M2 by describing which domains of the C2M2 audit process would be relevant for the Microsoft Exchange vulnerabilities specific to Frothly. Describe the self-assessment process for each relevant domain and where the maturity level for each practice and objective could be set.
Reports may be submitted as a single PDF or DOCX file.
In the profession, the quality of presentation of a formal technical report is as important as the quality of its technical content. Your assignment will be assessed on:
The body text of your report should be no more than 25 pages in length excluding appendices.
The text of your report should be in 12-point Times New Roman or 11-point Arial font or something equivalent, and in single space.
Page size is A4 with 2cm in margins on all sides.
It is suggested that the report be organised as a one-page executive summary, table of contents, body text, and appendices.
The report body text consists of your overall analysis of each question, a description of how you went about completing each task, your conclusions, and statements of relevant Lessons Learned.
You must cite/reference original work, author(s) etc.
Citation and referencing should conform to APA (American Psychological Association) format both in the body of your paper and its attached reference section.
The Griffith Referencing tool will provide you with valuable assistance in making sense of referencing rules and requirements for academic writing. Examples are provided in the most commonly used referencing styles.
APA referencing guide – Murdoch
This rubric provides you with the criteria to which your assessment will be marked as well as information as to how you might achieve the best possible marking outcomes.
Please review the marking rubric before you commence work on this assessment task. Ensure that you have addressed the relevant criteria outlined in the rubric when completing the assessment task.