CS671 Spring 2022 Homework 10

Malware, Kill Chains, TTPs, Vulnerabilities

Dr. Greg M. Bernstein

Due Wednesday, April 20th, 2022 by 11:59PM, 50 points.

General Instructions

The goals of this assignment are to get more familiar with Malware, learn about adversary Tactics, Techniques, and Procedures (TTPs), and start on vulnerabilities.

Create and Use a new Branch hw10

We will create a new git branch called hw10 for use in this assignment. The branch you create must exactly match the one I’ve given you for you to receive any credit for this homework.

Prior to creating this new branch make sure your working directory is “clean”, i.e., consistent with the last commit you did when you turned in homework 8. Follow the procedures in GitHub for Classroom Use to create the new branch, i.e., git checkout -b hw10. Review the section on submission for using push with a new branch.

Use README.md for Answers

You will modify the README.md file in your repo to contain the answers to this homework.

Questions

Question 1. (10 pts) Malware Case Study

Read the following case studies/analysis: ProofPoint Analysis: TA575 Uses ‘Squid Game’ Lures to Distribute Dridex malware and Any.Run: Dridex.

(a) Initial Attack Mechanism?

This malware campaign is using an “evolved” form of the Dridex malware. What is the initial attack vector? Is “impersonation” being used? If so who is being impersonated? Why are people playing with squids?

(b) What is the malicious goal of Dridex?

(c) What mechanisms can Dridex use to steal information?

(d) What are the types of IoCs listed in the articles?

Question 2 (10 pts) CTI

References for this question: CrowdStrike:Threat Intelligence and Introduction to STIX.

(a) CTI and Sharing

What is (Cyber) Threat Intelligence? Why would defenders share it (in your own words?

(b) Tactical, Operational, and Strategic CTI

This question uses the classification scheme of CrowdStrike:Threat Intelligence. The consumption of IoCs into anti-virus and other systems constitutes what class of CTI use? What category of CTI would focus on TTPs? Trends in malware and adversary motives falls into which class of CTI.

(c) STIX

What does STIX stand for? What is STIX used for? Does STIX use a common data format? If so what is it? Can STIX deal with IoCs? If so how? Is STIX only for tactical CTI? Why or why not?

(d) STIX Example

Go to AlienVault: From Zero to Domain Admin and download the STIX2.1 file describing this attack. Click the “Actions” button on the upper right of the page and choose the appropriate download. Within this file how many “objects” with "type": "indicator" are there? What in general do these represent, i.e., from a CTI point of view. Find an indicator type object representing a URL value and show only that object here as syntax highlighted JavaScript code. For example here is a syntax highlighted IP address type indicator object:

{
            "created": "2021-11-02T13:06:29.000Z",
            "description": " / CC=US ASN=AS26277 PREMIANET",
            "id": "indicator--89ffbb25-c595-4721-9580-37adc389a7ec",
            "labels": [],
            "modified": "2021-11-02T13:06:29.000Z",
            "name": "OTX pulse_name=From Zero to Domain Admin",
            "pattern": "[ipv4-addr:value = '64.235.39.32']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "spec_version": "2.1",
            "type": "indicator",
            "valid_from": "2021-11-02T13:06:29.000Z",
            "valid_until": "2021-12-02T00:00:00.000Z"
        }

Question 3. APT and Kill Chain (10 pts)

(a) Ransomware and APT

In cybersecurity ransomware used to be considered a crude “smash and grab” type of criminal operation. Review a bit of Shining a Light on DARKSIDE Ransomware Operations, in particular the section on “Attack Lifecycle” and figure 3 on TTPs. Would you consider the “DARKSIDE” approach to ransomware an APT? Explain your reasoning.

(b) Cyber Kill Chain Weaponization

Explain and give an example of the weaponization step in the cyber kill chain model.

(c) Cyber Kill Chain Command and Control?

When we were studying Botnets we saw that C2 (command and control) servers and protocols were an primary component. Does command and control play any role in APT operations and/or the cyber kill chain? If so what and why?

(d) Courses of Action

In your own words explain with an example the following courses of action (humor is encouraged!):

  1. Discover
  2. Degrade
  3. Deceive

Question 4. (10 pts)

Understanding TTPs via the Mitre ATT&CK model. Review the case study DFIR: From Zero to Domain Admin

(a) Mitre ATT&CK Items

Which of the Mitre ATT&CK model high level tactics were discussed in the analysis? Note that the high level tactics are: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact.

(b) Malware Downloaded

What type of malware is Hancitor? Was any other malware downloaded in initial stages of the attack? If so what was it and how was it downloaded?

(c) Port Scanning

Was any port scanning used in this attack? If so why?

(d) Command and Control

Did Hancitor communicate with anything? If so over what protocol? What information was conveyed? Was there any other C2 communications? If so what programs were involved.

(e) Analysis Quick Questions

  1. Did the report have any YARA rules?
  2. What is Mitre ATT&CK T1018?
  3. What is Mitre ATT&CK T1518?

Question 5. (10 pts)

For parts (a)-(c) you will need to look at the CWE Top 25 list.