diff --git a/Fall-2024/CS-3113/Assignments/5-Vulnerabilities-and-Attacks/Assignment.typ b/Fall-2024/CS-3113/Assignments/5-Vulnerabilities-and-Attacks/Assignment.typ
new file mode 100644
index 0000000..60c1509
--- /dev/null
+++ b/Fall-2024/CS-3113/Assignments/5-Vulnerabilities-and-Attacks/Assignment.typ
@@ -0,0 +1,226 @@ +#set text(font: "Calibri", 11pt) +#show link: set text(blue) +#show cite: set text(blue) +#set page(margin: .5in, number-align: right + top, "us-letter") +#let solve(solution) = { + block( + inset: 3pt, + outset: 1pt, + stroke: blue + .3pt, + fill: rgb(0, 149, 255, 15%), + radius: 4pt, + )[#solution] +} + +#let solvein(solution) = { + let outset = 3pt + h(outset) + box( + outset: outset, + stroke: blue + .3pt, + fill: rgb(0, 149, 255, 15%), + radius: 4pt, + )[#solution] + h(outset) +} + +#let note(content) = { + block( + inset: 3pt, + outset: 1pt, + stroke: luma(20%) + .3pt, + fill: luma(95%), + radius: 4pt, + )[#content] +} + +#let notein(content) = { + let outset = 3pt + h(outset) + box( + outset: outset, + stroke: luma(20%) + .3pt, + fill: luma(95%), + radius: 4pt, + )[#content] + h(outset) +} + +#align( + center, + [ + #text(size: 1.2em, weight: "black")[ + CS-3113 Principles of Cyber Security + + 4: Vulnerabilities and Attacks + + Points: 50 points + ] + + #note()[#underline[Price Hiller] *|* #underline[zfp106]] + ], +) + +\ + +#show heading: set text(weight: "regular") +#show heading.where(level: 1): set text(fill: blue) +#show heading.where(level: 2): set text(fill: blue.lighten(30%)) +#show heading.where(level: 3): set text(fill: white.darken(60%)) + += Vulnerabilities and Attacks + +== Purpose +Explore the concepts of vulnerabilities and attacker behavior. This includes how vulnerabilities are tracked and evaluated; and how attacker patterns are identified. + +== Assignment + +Every few months (or even weeks) a new, critical vulnerability is found that requires a rapid response from hardware vendors, software vendors, IT staff, and many other individuals in the tech industry. However, while these grab headlines, there is a lot more going on every day that doesn't make the news. In this assignment, we will look more at the overall vulnerability landscape. 
+ +In addition, we will look at attacker tactics and attacker identification by looking at the MITRE ATT&CK Framework and seeing how it is used to classify behaviors and identify an attacker. + +*This assignment should be individual effort. You may discuss the assignment with other students or individuals, but all answers must be your own work — or based on your own research/studying.* + +== Deliverables +A report using reasonable document settings for font, margins, etc. that contains answers/responses to the questions below. + +Include appropriate references as footnotes, endnotes, or a references section. +#pagebreak() + += Questions + +#enum( + [ + ==== *(15 points)* For this question, the goal is to discover the scale of vulnerabilities — especially critical ones — that cybersecurity professionals face. In order to do this, you will use the National Vulnerability Database found at: https://nvd.nist.gov/ Expand "General" on the sidebar, go to the "NVD Dashboard." + #enum( + numbering: "a)", + [ + *(3 points)* Provide the day of the week, date and time you are visiting the page + #solve[ + I am visiting the page on *2024-12-01 19:59*. + ] + ], + [ + *(6 points)* Capture a screenshot (similar to Figure 1) that shows: + #enum( + numbering: "i.", + [ + How many CVEs were Received "Today" and "This Week" (_*Note*_: This will be different for everyone based on what time and day you visit the page. A visit at 1:00 A.M. on Monday will have far lower numbers than an 11:00 P.M. visit Friday.) + ], + [ + The overall *CVSS V3 Score Distribution* showing the number of vulnerabilities for Critical, High, Medium, and Low. + ], + ) + #solve[ + #figure( + image("assets/nvd-dashboard.png", width: 70%), + caption: [_NVD Dashboard_], + ) + ] + ], + [ + *(3 points)* From the *CVSS V3 Score Distribution*, what percentage (_*to one decimal place - ex: 38.1% or 80.0%, NOT 23% or 14.573%*_) are _*critical*_ vulnerabilities? 
(Show your calculations) + #note[ + $ + "Critical Vulns" &= 24,402\ + "High Vulns" &= 64,479\ + "Medium Vulns" &= 64,882\ + "Low Vulns" &= 2,718\ + "All vulns added" &= 24,402 + 64,479 + 64,882 + 2,718\ + &= 156,481\ \ + + "Percentage of critical vulns" &= ((24,402) / (156,481)) * 100\ + &≈ #solve[15.5%] + $ + ] + ], + [ + *(3 points)* The values in the *CVSS V3 Score Distribution* are totals for the entire database. So, given your numbers from (b). part i, and (c) calculate approximately how many *Critical* vulnerabilities you expect for today and this week? (Show your calculations) + #note[ + - $425$ vulnerabilities reported this week + - $0$ vulnerabilities reported today + #solve[ + $ + "Expected critical vulnerabilities this week" &= 425 * 0.155 ≈ #solvein[66]\ + $ + $ + "Expected critical vulnerabilities today based on daily stats" &= 0 * 0.155 ≈ #solvein[0] + $ + #note[Alternatively, the critical vulnerabilities today could be calculated as the number of vulnerabilities in the week ÷ 7 × 15.5% so:] + $ + "Expected critical vulnerabilities today based on weekly stats" &= (425 / 7) * 0.155 ≈ 0\ + &= 60 5/7 * 0.155\ + &≈ #solvein[9] + $ + ] + ] + ], + ) + ], + [ + ==== *(15 Points*) For this question you will be looking at the MITRE ATT&CK® Framework + #enum( + numbering: "a)", + [ + *(6 points)* According to the ATT&CK Design and Philosophy paper found here: https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf what are the concepts/ideas behind ATT&CK? + #solve[ + ATT&CK sets out to provide common ways to classify attacks and defense measures in the cybersecurity world. 
Under section 4.1, the ATT&CK Design and Philosophy paper lays out the "...three conceptual ideas that are core to the philosophy behind ATT&CK...", those being: + + "It maintains the adversary's perspective;" + + "It follows real-world use of activity through empirical use examples;" + + The level of abstraction is appropriate to bridge offensive action with possible defensive countermeasures. + ] + ], + [ + *(3 points)* According to the ATT&CK 101 blog post found here: https://medium.com/mitre-attack/att-ck-101-17074d3bc62 what are "Tactics"? (2-3 sentences) + #solve[ + Straight from the post, "Tactics represent the "why" of an ATT&CK technique." Tactics are used to categorize play-by-play ("tactical") reasons for _why_ an ATT&CK technique was utilized. For example, a tactic is "#link("https://attack.mitre.org/tactics/TA0006/")[Credential Access]." @credential-access + ] + ], + [ + *(3 points)* According to the ATT&CK 101 blog post found here: https://medium.com/mitre-attack/att-ck-101-17074d3bc62 what are "Techniques"? (1-2 sentences) + #solve[ + Where Tactics represent the why, Techniques are _how_ a given tactical objective is achieved. For example, an adversary may leverage the technique "#link("https://attack.mitre.org/techniques/T1548/001/")[Abuse Elevation Control Mechanism: Setuid and Setgid]" @abuse-elevation-control-mechanism to achieve the tactics "#link("https://attack.mitre.org/tactics/TA0004")[Privilege Escalation]" @privilege-escalation and "#link("https://attack.mitre.org/tactics/TA0005")[Defense Evasion]." @defense-evasion + ] + ], + [ + *(3 points)* The blog post mentions "APT29" – according to MITRE, who has this group been attributed to? + #solve[ + APT29 "...has been attributed to Russia's Foreign Intelligence Service (SVR)." 
@apt29-mitre-attack + ] + ], + ) + ], + [ + ==== *(20 points)* For this question, you will be using the ATT&CK® Matrix for Enterprise found here: https://attack.mitre.org/ + #enum( + numbering: "a)", + [ + *(5 points)* How many techniques are there in the Command and Control (column) in the Matrix? + #solve[ + There are 18 techniques in the Command and Control column in the Matrix. + ] + ], + [ + *(5 points)* What is the MITRE definition of Command and Control? (2-3 sentences) + #solve[ + "Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses." @command-control + #note[I'm assuming you wanted the _exact_ definition provided by MITRE, hence the quote.] + ] + ], + [ + *(5 points)* What is the Technique ID for using Steganography to hide Command and Control traffic? (Your answer should include the sub-technique designation. So, in the format: TXXXX.XXX) + #note[ + The Technique ID for using Steganography to hide Command and Control is #solvein[`T1001.002`]. @steganography + ] + ], + [ + *(5 points)* What are the Mitigation ID number(s), and the name(s) of the Mitigations to protect against an attacker using the Steganography technique? + #note[ + The Mitigation ID number is #solvein[`M1031`] and the name is #solvein["Network Intrusion Prevention"] for protecting against Steganography. @network-intrusion-prevention + ] + ], + ) + ], +) + +#bibliography("bibliography.yml") 
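Review bot: The critical-vulnerability percentage in question 1(c) is rounded the wrong way: 24,402 / 156,481 = 0.15594…, which to one decimal place is 15.6%, not the 15.5% shown, so `&≈ #solve[15.5%]` should read `&≈ #solve[15.6%]` and the `0.155` factors in 1(d) should become `0.156` (the rounded results 66, 0 and 9 are unchanged). In the same 1(d) block the first line of the weekly-based estimate, `"Expected critical vulnerabilities today based on weekly stats" &= (425 / 7) * 0.155 ≈ 0\`, carries a stray `≈ 0` that contradicts the `≈ 9` two lines below; the line should end at `* 0.155\`. The title block also reads `4: Vulnerabilities and Attacks` while the file lives under `5-Vulnerabilities-and-Attacks`, so one of the two numbers is presumably off and worth checking against the course numbering.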
diff --git a/Fall-2024/CS-3113/Assignments/5-Vulnerabilities-and-Attacks/assets/nvd-dashboard.png b/Fall-2024/CS-3113/Assignments/5-Vulnerabilities-and-Attacks/assets/nvd-dashboard.png
new file mode 100644
index 0000000..1873c97
Binary files /dev/null and b/Fall-2024/CS-3113/Assignments/5-Vulnerabilities-and-Attacks/assets/nvd-dashboard.png differ
diff --git a/Fall-2024/CS-3113/Assignments/5-Vulnerabilities-and-Attacks/bibliography.yml b/Fall-2024/CS-3113/Assignments/5-Vulnerabilities-and-Attacks/bibliography.yml
new file mode 100644
index 0000000..585b47c
--- /dev/null
+++ b/Fall-2024/CS-3113/Assignments/5-Vulnerabilities-and-Attacks/bibliography.yml
@@ -0,0 +1,67 @@
+apt29-mitre-attack:
+ title: "MITRE ATT&CK > APT29"
+ type: Web
+ date: 2017-05-31
+ url:
+ value: https://attack.mitre.org/groups/G0016/
+ access: 2024-12-01
+
+abuse-elevation-control-mechanism:
+ title: "MITRE ATT&CK > Techniques > Abuse Elevation Control Mechanism: Setuid and Setgid"
+ type: Web
+ date: 2023-03-15
+ url:
+ value: https://attack.mitre.org/techniques/T1548/001/
+ access: 2024-12-01
+
+
+defense-evasion:
+ title: "MITRE ATT&CK > TACTICS > Defense Evasion"
+ type: Web
+ date: 2019-07-19
+ url:
+ value: https://attack.mitre.org/tactics/TA0005
+ access: 2024-12-01
+
+privilege-escalation:
+ title: "MITRE ATT&CK > TACTICS > Privilege Escalation"
+ type: Web
+ date: 2021-01-06
+ url:
+ value: https://attack.mitre.org/tactics/TA0004/
+ access: 2024-12-01
+
+credential-access:
+ title: "MITRE ATT&CK > TACTICS > Credential Access"
+ type: Web
+ date: 2019-07-19
+ url:
+ value: https://attack.mitre.org/tactics/TA0006/
+ access: 2024-12-01
+
+command-control:
+ title: "MITRE ATT&CK > TACTICS > Command and Control"
+ type: Web
+ date: 2019-07-19
+ url:
+ value: https://attack.mitre.org/tactics/TA0011/
+ access: 2024-12-01
+
+steganography:
+ title: "MITRE ATT&CK > Techniques > Steganography"
+ type: Web
+ date: 2020-03-15
+ url:
+ value: https://attack.mitre.org/techniques/T1001/002/
+ access: 2024-12-01
+
+
+network-intrusion-prevention:
+ title: "MITRE ATT&CK > MITIGATIONS > Network Intrusion Prevention"
+ type: Web
+ date: 2024-10-17
+ url:
+ value: https://attack.mitre.org/mitigations/M1031/
+ access: 2024-12-01
+
+