
Date: 2020-02-26 10:16

IY2840 – Coursework 1: Threat Detection and Core Concepts in Computer Security

Deadline: 27th Feb 2020. Each sub-question is worth 10 marks (out of 100). This is a blind submission, and submissions are to be made in PDF format on Moodle. This coursework counts for 10% of your grade on this module. Learning outcomes assessed are:

• Understanding of fundamental security concepts and independent problem solving.
• Understanding of application security, and how to assess vulnerabilities.
• Understanding of threat modelling and security justifications.

Description

This coursework aims to have you reflect on the fundamentals of computer security. To get started, it is important to review the lecture material and the course text, but also to investigate online. We are not after essays in this coursework. We are after concise and succinct responses to each question, e.g. use bullet points and sketches where appropriate. We expect a very good submission to be less than 5 pages in length. Do share useful resources that you find with others on the Moodle forum, but do not give any answers away. Note: All the work you submit must be solely your own work. Submissions are routinely checked for plagiarism.

Questions

1. Question 1: Vulnerabilities, Exploits and Attacks

(a) Investigate the Stuxnet case that was discussed in lecture. Calculate the Stuxnet CVSS 3.1 base score (5 marks). Justify your assumptions and show your calculations (5 marks). You can use the CVSS 3.1 calculator https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator to check that your results are correct.

(b) Assume that you are a SOC analyst working for a company with industrial controllers that are vulnerable to the Stuxnet exploit. Outline how the temporal score is likely to change over time (5 marks) – assuming a patch is and isn’t made available. What courses of action should you take in light of this? Justify your answer (5 marks).

(c) Now, assume you are a SOC analyst working for a bank. They mainly use Linux and Windows, but no Siemens industrial controllers. Outline how this impacts the environmental score of Stuxnet for both organisations (5 marks per organisation).

(d) “Shellshock” (CVE-2014-6271) and “Heartbleed” (CVE-2014-0160) are two widely-known vulnerabilities that took the security community by surprise in 2014. Reflect on the two vulnerabilities for the same aforementioned bank scenario. Outline the key actions you should take to combat attacks seeking to exploit those vulnerabilities (5 marks). Create an attack tree that makes use of the two vulnerabilities (5 marks). Make sure to describe AND/OR relationships in the tree.
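The AND/OR semantics that (d) asks you to describe can be checked mechanically. The Python below is an added example, not part of the coursework or of any tool it mentions: it evaluates an attack tree, enumerates the complete attack paths it permits, and finds the smallest sets of leaves whose mitigation make the root unreachable, which is the defender's reason for drawing the tree in the first place. The tree itself is a constructed illustration for the bank scenario; its leaves name well-known preconditions and carry the two CVE ids from the question, and the structure is an assumption, not the expected answer.

```python
"""AND/OR attack-tree evaluator (added example, not part of the coursework).
The tree below is a constructed illustration for the bank scenario; leaf names
describe preconditions, and the CVE ids are the two named in question (d)."""
from itertools import combinations


class Node:
    """A tree node: gate is 'AND', 'OR' or 'LEAF' (a single attacker step)."""
    def __init__(self, name, gate="LEAF", children=()):
        self.name, self.gate, self.children = name, gate, list(children)


def leaves(node):
    """All leaf names under a node, in tree order, without duplicates."""
    if node.gate == "LEAF":
        return [node.name]
    out = []
    for child in node.children:
        out += [n for n in leaves(child) if n not in out]
    return out


def achievable(node, blocked=frozenset()):
    """Can the attacker still reach `node` once the leaves in `blocked` are
    mitigated? AND needs every child, OR needs at least one."""
    if node.gate == "LEAF":
        return node.name not in blocked
    results = [achievable(c, blocked) for c in node.children]
    return all(results) if node.gate == "AND" else any(results)


def attack_paths(node):
    """Minimal leaf sets that satisfy the tree: each is one complete attack."""
    if node.gate == "LEAF":
        return [frozenset([node.name])]
    if node.gate == "OR":
        return [p for c in node.children for p in attack_paths(c)]
    paths = [frozenset()]
    for child in node.children:           # AND: combine every child's paths
        paths = [p | q for p in paths for q in attack_paths(child)]
    return paths


def minimal_cuts(root):
    """Smallest sets of leaves whose mitigation makes the root unreachable;
    these are the cheapest defensive investments the tree identifies."""
    names = leaves(root)
    for size in range(1, len(names) + 1):
        cuts = [set(c) for c in combinations(names, size)
                if not achievable(root, frozenset(c))]
        if cuts:
            return cuts
    return []


def describe(node, depth=0):
    """Render the tree with its AND/OR relationships as indented text lines."""
    tag = "" if node.gate == "LEAF" else f" [{node.gate}]"
    lines = ["  " * depth + node.name + tag]
    for child in node.children:
        lines += describe(child, depth + 1)
    return lines


# Constructed example tree for the bank scenario in question (d).
TREE = Node("Obtain customer account data", "OR", [
    Node("Read secrets from server memory", "AND", [
        Node("Unpatched OpenSSL on a TLS endpoint (CVE-2014-0160)"),
        Node("TLS endpoint reachable from the internet"),
    ]),
    Node("Execute commands on a web host", "AND", [
        Node("Unpatched bash (CVE-2014-6271)"),
        Node("Internet-facing CGI script that invokes bash"),
    ]),
])

if __name__ == "__main__":
    print("\n".join(describe(TREE)))
    print("attack paths:", [sorted(p) for p in attack_paths(TREE)])
    print("minimal cuts:", minimal_cuts(TREE))
```

Because the root is an OR over two AND branches, patching only one library leaves a complete path open; every minimal cut has to remove one leaf from each branch, which is why the script reports four equally small cuts (patch both, or patch one and reduce exposure of the other). Larger trees are handled the same way, but `minimal_cuts` is brute force over leaf subsets and is meant for trees of coursework size.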

(e) Compare and contrast CVE, CVSS and ATT&CK as a table and review their advantages and limitations (5 marks). Justify how you might use all of them (5 marks) in the aforementioned bank scenario to improve your organisation’s overall security posture.

2. Question 2: Threat Detection

(a) It is often difficult to predict and determine the real-world harms that arise from an attack alerted in IDSs. Outline why this is the case (5 marks). Justify your answer and provide two concrete examples (5 marks).

(b) The following convention for misuse detection is for use in an intrusion detection system. A misuse rule R is formed using the following notation:

alert, activity, source -> target, payload of interest

where an alert is generated if a packet or syscall is detected, originating from a source, which might be a process or a machine, targeting a specific process or machine, and carrying a specific payload. To be valid, a rule must instantiate all of the fields. You must present five rules; each rule must be fully described in terms of what kinds of intrusion it is intended to catch and why the rule will work (2 marks per rule). You may use groups and lists. (Hint: you can use the SNORT documentation for inspiration here, but note that you ought to be original and technically creative.)
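To show how the notation above behaves as an actual detection engine, here is an added Python example (not part of the coursework, and not SNORT): it parses rules written in the `alert, activity, source -> target, payload of interest` form, rejects rules that leave a field uninstantiated, and runs them over constructed packet and syscall records. Two conventions are this example's own reading of "groups and lists": `any` as a wildcard for source or target, and a bracketed `[a, b]` group of names. The payload field is matched as a case-insensitive literal substring. All rules and event records are constructed.

```python
"""Misuse-detection rule engine for the notation
    alert, activity, source -> target, payload of interest
Added example: the 'any' wildcard and the bracketed [a, b] groups are this
example's reading of "groups and lists"; rules and events are constructed."""
import re


def split_fields(text, maxsplit=None):
    """Split on commas that are not inside a [...] group."""
    fields, current, depth, splits = [], "", 0, 0
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0 and (maxsplit is None or splits < maxsplit):
            fields.append(current.strip())
            current, splits = "", splits + 1
        else:
            current += ch
    fields.append(current.strip())
    return fields


def parse_selector(field):
    """None means 'any'; otherwise a set of names (single name or [a, b] group)."""
    if field.lower() == "any":
        return None
    if field.startswith("[") and field.endswith("]"):
        return {x.strip() for x in field[1:-1].split(",") if x.strip()}
    return {field}


def parse_rule(text):
    """Parse one rule; raise ValueError if any field is missing (invalid rule)."""
    left, arrow, right = text.partition("->")
    if not arrow:
        raise ValueError("rule must contain 'source -> target': " + text)
    lhs = split_fields(left)
    rhs = split_fields(right, maxsplit=1)      # payload may itself contain commas
    if len(lhs) != 3 or len(rhs) != 2 or any(f == "" for f in lhs + rhs):
        raise ValueError("every field must be instantiated: " + text)
    action, activity, source = lhs
    target, payload = rhs
    if action != "alert":
        raise ValueError("unsupported action: " + action)
    if activity not in ("packet", "syscall"):
        raise ValueError("activity must be 'packet' or 'syscall': " + activity)
    return {
        "activity": activity,
        "source": parse_selector(source),
        "target": parse_selector(target),
        # payload of interest: case-insensitive literal substring match
        "payload": re.compile(re.escape(payload), re.IGNORECASE),
    }


def is_valid(text):
    """True if the rule instantiates every field and parses cleanly."""
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


def matches(rule, event):
    """event: dict with keys activity, source, target, payload."""
    if event["activity"] != rule["activity"]:
        return False
    for key in ("source", "target"):
        selector = rule[key]
        if selector is not None and event[key] not in selector:
            return False
    return rule["payload"].search(event["payload"]) is not None


def detect(rule_texts, events):
    """Return (rule_index, event) for each hit, in event order."""
    rules = [parse_rule(r) for r in rule_texts]
    return [(i, ev) for ev in events for i, rule in enumerate(rules) if matches(rule, ev)]


# Constructed rules: a classic SQL-injection tautology aimed at the database host,
# a shell spawned by a web worker, and UNION-based injection from two hosts under review.
RULES = [
    "alert, packet, any -> db-server, ' OR 1=1",
    "alert, syscall, [httpd, nginx] -> /bin/sh, execve",
    "alert, packet, [10.0.0.5, 10.0.0.6] -> any, UNION SELECT",
]

# Constructed event records (what the IDS would hand to the rule engine).
EVENTS = [
    {"activity": "packet", "source": "10.0.0.9", "target": "db-server",
     "payload": "SELECT * FROM users WHERE name='' OR 1=1--"},
    {"activity": "syscall", "source": "httpd", "target": "/bin/sh",
     "payload": "execve(\"/bin/sh\", [\"-c\", \"id\"])"},
    {"activity": "packet", "source": "10.0.0.5", "target": "mail-server",
     "payload": "EHLO example"},
    {"activity": "packet", "source": "10.0.0.6", "target": "web01",
     "payload": "id=1 union select username,password from users"},
]

if __name__ == "__main__":
    for idx, ev in detect(RULES, EVENTS):
        print(f"rule {idx} fired on {ev['activity']} {ev['source']} -> {ev['target']}")
```

The validity check is the part worth noticing when you write your five rules: a rule such as `alert, packet, 10.0.0.1 -> , ls` parses syntactically but has an empty target, and the engine refuses it rather than silently matching everything, which is exactly the failure mode an underspecified misuse rule would cause in production.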

(c) In lectures we discussed the CIA triad. One of the aspects of a system that we wish to protect is its availability. Investigate the concept of a Distributed Denial of Service. Briefly explain how DDoS attacks are conducted (3 marks); provide an example vulnerability and weakness an attacker might exploit to recruit more bots (3 marks); and outline potential harms (2 marks). Identify potential false-positive and false-negative threat-detection issues that may appear during a DDoS (2 marks).

(d) Outline how an attacker might plan (5 marks) for, and execute, a DDoS attack from a single Command and Control machine. The DDoS should be executed once enough bots have been recruited. State your assumptions and create an attack tree (5 marks) (note: make sure to include recruitment and execution of the attack).

(e) With the previous sub-question in mind and after conducting research online: Propose a defence strategy for DDoS attacks: how can you make your organisation more robust against DDoS attacks (5 marks)? Propose a strategy to benchmark your defences (5 marks).
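The false-positive and false-negative issues raised in (c), and the benchmarking asked for in (e), can be demonstrated together with a small detector and a labelled trace. The Python below is an added example (not part of the coursework and not a description of any product): a window-based rate detector with a per-source and an aggregate threshold, a constructed 40-second trace containing a legitimate flash crowd and a low-and-slow botnet, and a benchmark that scores the detector's flags against the trace labels. The thresholds are assumptions chosen to make the two failure modes visible, not tuned values.

```python
"""Rate-based DDoS detector plus a benchmark harness (added example).
The traffic trace is constructed; thresholds are assumptions, not tuned values."""
from collections import Counter, defaultdict


def detect(events, window, per_src_limit, total_limit):
    """events: (timestamp, source) pairs. A window is flagged when any single
    source exceeds per_src_limit requests or the aggregate exceeds total_limit.
    Returns the set of flagged window indexes."""
    buckets = defaultdict(Counter)
    for ts, src in events:
        buckets[int(ts // window)][src] += 1
    flagged = set()
    for idx, counts in buckets.items():
        if max(counts.values()) > per_src_limit or sum(counts.values()) > total_limit:
            flagged.add(idx)
    return flagged


def benchmark(flags, labels):
    """labels: {window_index: True if that window is an attack}. Returns precision,
    recall and the offending windows so the failure modes can be inspected."""
    false_positives = sorted(w for w in flags if not labels.get(w, False))
    false_negatives = sorted(w for w, attack in labels.items() if attack and w not in flags)
    true_positives = len(flags) - len(false_positives)
    positives = sum(1 for attack in labels.values() if attack)
    return {
        "precision": true_positives / len(flags) if flags else 0.0,
        "recall": true_positives / positives if positives else 0.0,
        "false_positives": false_positives,
        "false_negatives": false_negatives,
    }


def make_traffic(window=10):
    """Constructed 4-window trace with ground-truth labels:
    window 0: quiet baseline, 20 clients x 2 requests      (legitimate)
    window 1: flash crowd, 400 distinct clients x 1 request (legitimate)
    window 2: low-and-slow botnet, 60 bots x 3 requests     (attack)
    window 3: single-source flood, 150 requests from one host (attack)"""
    events = []
    labels = {0: False, 1: False, 2: True, 3: True}
    events += [(0 * window + 0.10 * k, f"client{k % 20}") for k in range(40)]
    events += [(1 * window + 0.02 * k, f"crowd{k}") for k in range(400)]
    events += [(2 * window + 0.05 * k, f"bot{k % 60}") for k in range(180)]
    events += [(3 * window + 0.06 * k, "flooder") for k in range(150)]
    return events, labels


if __name__ == "__main__":
    events, labels = make_traffic()
    for per_src, total in [(50, 300), (50, 150)]:
        flags = detect(events, 10, per_src, total)
        print(f"per_src>{per_src}, total>{total}: flagged {sorted(flags)}",
              benchmark(flags, labels))
```

With the first threshold pair the detector flags the flash crowd (a false positive: many genuine clients, none individually abusive) and misses the botnet, whose 60 bots each stay well under the per-source limit (a false negative). Lowering the aggregate limit catches the botnet but still blocks the flash crowd, so recall improves at the cost of precision. That trade-off, measured on a labelled trace that represents your own traffic, is what a benchmark of DDoS defences should report; the trace here is synthetic and only illustrates the method.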

JH February 2020
