Assessment Submission Instructions:
- Upload your Part A and Part C documents (the team investigative report and the peer evaluation form) to the Moodle links “Upload Part A here” and “Upload Part C here”.
- Part B is a presentation and there is no need for an upload.
Scenario
Read the scenario given below carefully:
After completing Unitec’s Diploma in Cybersecurity, you land a role with an IT Systems admin team at a medium-sized health provider in Auckland.
One day, a colleague from HR informs you that they clicked on a suspicious DocuSign hyperlink in an email, and are now suspecting it might have been a phishing attempt. This occurred in April 2023, but they didn’t think anything of it until having been present at a recent Cyber TTX where these exact vectors were being discussed.
They admit to being distracted and not thinking twice about it as they were expecting a similar DocuSign email at that time, and it really didn’t cross their mind until now.
Since this occurred, they’ve noticed a performance lag in their endpoint (Laptop) and are concerned.
Actions:
You take immediate action by isolating the device and handing it over to your managed DFIR team for analysis.
The DFIR team completes a triage and shares three key artifacts for your investigation:
- The network PCAP file.
- The potential malware binary (in hashed format).
- The malicious email.
The company’s CISO wants you to thoroughly investigate these artifacts, looking for any evidence or Indicators of Compromise (IOCs), and report your suspicions in a formal report not exceeding 3000 words.
Once completed, you and your team need to brief the executive on the cybersecurity principles affected by the malware (CIA-AAA), suggest mitigation principles (such as POLP, DID and Zero Trust), and explain the frameworks you would adopt following this investigation.
Part A Task 1
[Total = 50 marks]
Instructions:
Commence an investigation with the three artefacts provided, looking for evidence of malware existence and indicators of compromise.
Task 1 marks are awarded via the report in Task 2. There are 50 marks in total to be awarded.
You will work in a team of 2 students to complete this task. If there is an odd number, the lecturer will approach those student(s) to ensure fairness.
In this task your team will analyse the three artefacts provided in order to locate evidence and/or Indicators of Compromise (IOCs) to prove or disprove the existence of malware on the endpoint.
These artefacts are:
1. The network Packet Capture (PCAP) file.
2. The potential malware specimen (in hashed format only).
3. The suspicious email.
Using best practice and the skills taught to you during this paper, examine these artefacts:
- For the suspicious email, examine the headers and obtain basic forensic information. Take notes and record the details.
- For the PCAP file, examine the content and correlate the information with that found in the email. Take notes and record the details.
- For the suspicious binary hash, use VirusTotal and Any.Run to examine it. Report on the processes and beacons, the IP addresses and domains called out to, registry changes, and what it actually does.
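As an added worked example (not part of the assignment or its artifacts), the following Python script shows the kind of header triage and email-to-PCAP correlation the first two steps call for, run over a constructed lure message and a constructed PCAP summary. Every domain, IP address and record field in it is invented for illustration; a real PCAP would first be reduced to such records with Wireshark or tshark.

```python
import re
from email import policy
from email.parser import Parser
from urllib.parse import urlparse

# Constructed sample imitating a DocuSign-themed lure; it is not the assignment's real artifact.
SAMPLE_EMAIL = """\
Return-Path: <bounce@docusign-review.example>
Received: from mail.docusign-review.example (unknown [203.0.113.45])
\tby mx.health-provider.example (Postfix) with ESMTP id 4F2A1
\tfor <hr@health-provider.example>; Mon, 17 Apr 2023 09:12:33 +1200
Authentication-Results: mx.health-provider.example; spf=fail smtp.mailfrom=docusign-review.example; dkim=none
From: "DocuSign" <dse@docusign.net>
Subject: Please review and sign: Contract_2023.pdf

Review the document here: http://docusign-review.example/view?doc=8812
"""

# Constructed PCAP summary: the fields an analyst would export from Wireshark's DNS and HTTP dissectors.
SAMPLE_PCAP_RECORDS = [
    {"proto": "dns", "query": "docusign-review.example", "answer": "203.0.113.45"},
    {"proto": "http", "dst": "203.0.113.45", "host": "docusign-review.example", "uri": "/view?doc=8812"},
    {"proto": "http", "dst": "198.51.100.7", "host": "cdn.example.org", "uri": "/jquery.js"},
]

def _domain(header_value):
    """Lower-cased domain of the first address found in a header value ("" if none)."""
    m = re.search(r"@([\w.-]+)", str(header_value or ""))
    return m.group(1).lower() if m else ""

def triage_email(raw):
    """Basic header forensics: sender alignment, SPF verdict, relay IPs and embedded link hosts."""
    msg = Parser(policy=policy.default).parsestr(raw)
    received = "\n".join(str(h) for h in msg.get_all("Received", []))
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    from_domain, rp_domain = _domain(msg["From"]), _domain(msg["Return-Path"])
    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "header_mismatch": from_domain != rp_domain,  # envelope sender disagrees with visible From
        "spf_fail": "spf=fail" in str(msg.get("Authentication-Results", "")),
        "received_ips": re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received),
        "link_hosts": sorted({urlparse(u).hostname for u in re.findall(r"https?://\S+", body)}),
    }

def correlate(findings, records):
    """Return the PCAP records whose IP, DNS name or HTTP host matches an IOC taken from the email."""
    iocs = set(findings["received_ips"]) | set(findings["link_hosts"]) | {findings["return_path_domain"]}
    return [r for r in records
            if {r.get("answer"), r.get("dst"), r.get("host"), r.get("query")} & iocs]
```

Each record returned by `correlate` is a wire-level observation that the lure's infrastructure was actually contacted from the endpoint, which is the kind of corroborating IOC the report should cite alongside the header findings.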
Task 2
Instructions:
Again, in your team, you must present your evidential findings from the three artefacts in the form of an investigative document/report. The suggested structure for the document is as follows:
- A title page
- Table of Contents
- Introduction
- Part A (Task 1) analysis of the three artifacts and robust reporting of any indicators located.
- Conclusion
- References
- Appendices (any other relevant document)
- There are 50 marks in total, 10 marks for the report structure and logic and 40 marks for the investigation from Task 1.
- Total word count for this part of the assignment is 3000 words [+/-10%], excluding reference list, table of contents, or any other administrative sections.
Part B: Task 1 – Presentation
[20 marks]
Task 1
Instructions:
Once completed, you and your team need to brief the executive on three aspects:
- The Cybersecurity principles affected by the malware (CIA-AAA)
- Suggest three mitigation principles (e.g. POLP, DID, Zero Trust).
- Explain the frameworks you would adopt, following this investigation.
- Your team will present on these three topics; the presentation itself must not exceed 15 minutes in duration, and all team members must be involved.
Topic 1 – Discuss how the malware impacted the Confidentiality, Availability and/or Integrity of the infosec system. Then consider the Authentication, Authorization and Accounting of the network-facing system.
Topic 2 – Discuss three potential mitigation principles, such as (but not limited to) Principle of Least Privilege, Zero Trust and Defence in Depth.
Topic 3 – Discuss the Security framework you consider should be adopted and explain why.
- You will apply personal and communication skills to present your analysis findings.
- You will not be marked individually; it’s a team effort, so practise and take this seriously!
- Your presentation will be 10 minutes long, allowing 5 minutes for each team member to speak, plus additional question and answer time.
- You can prepare a visual presentation using Microsoft PowerPoint or similar software, however this is not mandatory.
- Your presentation will be recorded for marking and moderation purposes.
- Familiarise yourself with the attached observation checklist (page 9) to ensure you meet the requirements. Your lecturer will complete the attached observation checklist for each team member.
Part C: Peer Evaluation
Use this form to evaluate your peer. Write your name and the name of the person you are evaluating.
Peer Evaluation Form
| Evaluation Criteria | Team member | Comments |
|---|---|---|
| Regularly attends meetings. | | |
| Demonstrates a cooperative and supportive attitude. | | |
| Contributes meaningfully to discussions. | | |
| Completes assigned tasks on time. | | |
| Prepares work in a quality manner. | | |
| Acceptable (Y/N) | | |
HTCS6701 Assessment 2 – Marking Scheme
| Part | Task | Maximum Marks | Your mark | Comment |
|---|---|---|---|---|
| Part A | Task 2 | 50 | | |
| Part B | Task 1 | 20 | | |
| Part C | Peer evaluation | Nil | | |
| Total | | 70 | | |
Marking Rubric – Part A Task 2
| Part A: Task 2 | Excellent | Good | Pass | Need to improve |
|---|---|---|---|---|
| Report formatting [10 marks] | A robust, complete and professional report with the correct headings and format as outlined. [7.5-10 Marks] | As per excellent, but one or two of the requirements are missing and/or relevant formatting aspects are not appropriately considered. | As per excellent, but two or three of the requirements are missing and relevant formatting aspects are not appropriately considered. [3-5 Marks] | Fails to provide an appropriately formatted and professional report. [1-3 Marks] |
| Item 1: PCAP file examination and analysis [10 marks] | Correctly deciphering the PCAP information and detecting at least three (3) IOCs to support the argument. [7.5-10 Marks] | Correctly deciphering the PCAP information and detecting at least two (2) IOCs to support the argument. [5-7.5 Marks] | Correctly deciphering the PCAP information and detecting at least one (1) IOC to support the argument. [3-5 Marks] | Incorrectly deciphering the PCAP information and failing to detect evidence to support the argument. [1-3 Marks] |
| Item 2: Suspicious email examination and analysis [10 marks] | Analysing email header and body information manually and checking the results via MXToolbox. Locating three (3) artifacts. [7.5-10 Marks] | Analysing email header and body information manually and checking the results via MXToolbox. Locating two (2) artifacts. [5-7.5 Marks] | Analysing email header and body information manually and checking the results via MXToolbox. Locating one (1) artifact. [3-5 Marks] | Failing to analyse email header and body information manually and check the results via MXToolbox, and/or locating no artifacts. [1-3 Marks] |
| Item 3: Suspicious binary examination and analysis [20 marks] | Analysing the hashed values in VirusTotal and another sandboxed environment. After full analysis of all hashed values (they are from the same malware), describing in detail where the malware originated from, what variant the malware is, what processes it started, and whether it had persistence. Discovering the C2 server and reporting on the stages that the malware triggered (e.g. the dropper calls out to the C2 server on [IP address] and spawns these processes [processes], which allows for traversal of the system and discovery, etc.): actually describe what the malware is doing on the system. [15-20 Marks] | As per excellent, but slightly deficient in one of the areas listed. [10-15 Marks] | As per excellent, but very deficient in the areas listed. [5-10 Marks] | As per excellent in scope, but with no identification of processes and IOCs relevant to this investigation. [0-5 Marks] |
Marking Rubric – Part B Task 2
| Part B | Excellent | Good | Pass | Need to improve |
|---|---|---|---|---|
| CIA and AAA principles discussed in regard to the malware’s impact [3 marks] | A robust, logical and correct analysis of the malware’s impact across both the CIA triad and AAA networking. [3 Marks] | As per excellent, but the analysis is missing some relevant considerations. [2 Marks] | As per excellent, but two or three of the relevant principles are not understood or explained correctly. [1 Mark] | Fails to provide an appropriate analysis and/or understanding of the security principles. [0 Marks] |
| Mitigations (Defence in Depth; Principle of Least Privilege; Zero Trust model and ‘least privilege’ access controls; Access control lists; Security policy and procedures) [3 marks] | A robust, logical and correct analysis and understanding of three (3) of the mitigations’ impact on reducing harm from malware. [3 Marks] | A robust, logical and correct analysis and understanding of two (2) of the mitigations’ impact on reducing harm from malware. [2 Marks] | A robust, logical and correct analysis and understanding of one (1) of the mitigations’ impact on reducing harm from malware. [1 Mark] | A lack of robust, logical and correct analysis and understanding of any of the mitigations’ impact on reducing harm from malware. [0 Marks] |
| Cyber Security Frameworks (ISO, NIST, etc.) [3 marks] | Good understanding and appreciation of a framework to enhance cyber security and how it could have prevented this attack. [3 Marks] | Some understanding and appreciation of a framework to enhance cyber security and how it could have prevented this attack. [2 Marks] | Sub-par understanding and appreciation of a framework to enhance cyber security and how it could have prevented this attack. [1 Mark] | No understanding and appreciation of a framework to enhance cyber security and how it could have prevented this attack. [0 Marks] |
| Presentation [11 marks]. You will be marked as a team, not individually, so make sure you practise this! | [8-11 Marks] | | | |