Reference no: EM133786584
Advanced Cyber Threat Intelligence Report
Section 1: Incorporating Threat Intelligence into Incident Responses
In this section you will describe the importance of incorporating threat intelligence into the phases of incident response along with specifically where threat intelligence activities should be performed and what specific activities should be performed.
Section 2: AlienVault OTX Exercise Results
Using the lab instructions for the AlienVault OTX exercise, respond to each of the following questions:
1a. What is the name, category, count, and feature count of the malware with the largest circle in the dashboard view?
1b. Pick one of the related pulses for the malware you selected and list the ID of the pulse, the total number of IOCs, and the type and count of each. Also, provide a screenshot of the results.
1c. For the same pulse you selected in part b, show the threat infrastructure screenshot along with the ID of the pulse, and a table with the specific breakdown of counts for each country.
1d. Use the Browse->Indicators tab to provide a count for the IPv4 and IPv6 IOCs. In your response provide the exact count of IPv4 and IPv6 IOCs at the time of your query. Which count is larger between the IPv4 and IPv6? Explain why one has significantly more counts than the other.
1e. Use the Browse->Indicators tab to search the role of Ransomware. What IOC type makes up most of the Ransomware IOCs for this query?
f1. How many pulses has the user Meta Defender contributed? (Hint: /api/v1/pulses/user/{username}; you will need to use your OTX-API-KEY to retrieve this result.)
f2. What is the slug string for the Bitcoin Address indicator type? (Hint: the API will list the indicator types, descriptions, slugs and other information.)
f3. Have there been any malware samples analyzed by AlienVault Labs which have been observed connecting to microsoft.com? If yes, then list one malware detected and the date of the detection.
f4. When does the SSL certificate for webapps.umgc.edu expire? (Hint:
Based on the result, the umgc certificate was issued on 4 May 2021. According to ISRG (2020), an SSL certificate usually expires 12 or 13 months from the issuance date, depending on the issuing Certificate Authority. Since September 2020, all major CAs, including DigiCert and Let's Encrypt, have capped the maximum validity of an SSL certificate at approximately 13 months. However, some certificates expire after 90 days; it all depends on the issuer and the type of certificate in question.
Section 3: Use Threat Intelligence Tools
3.1 Cisco Talos
a. Which continent has the fewest email reports? List the continent's name and provide a screen capture of that continent.
b. Use the zoom feature to zoom into the closest malware report to the area in which you live. Provide a screenshot showing the IP address, domain name, last day volume and email type.
c. From the main talos page, search for mail.umgc.edu. Using the results answer these questions:
1. Who is the network owner for mail.umgc.edu?
2. What is the current web reputation for mail.umgc.edu?
3. When does the domain expire for umgc.edu? (Hint: use the WhoIs tab.)
d. Use the email & spam filter to determine which 3 countries send out the most spam. (Hint: select top 100 countries and the spam option.)
e. Use the Vulnerability reports option to select a recent (within the last 12 months) vulnerability that has a CVSS score of 10. Drill down into the data and provide the name of the vulnerability, the CVE number, and the summary. Study the vulnerability and summarize how you would use this information to attack an organization if they hadn't patched or updated their system.
3.2 Nmap exercise
a. What were the IP addresses for each of the sites you scanned?
• umgc-tomcat9.azurewebsites.net -
• umgc-juiceshop.azurewebsites.net -
• umgc-web-dvwa.azurewebsites.net -
• Your UMGC VLE Windows Desktop -
• Your UMGC VLE Kali Desktop -
b. How many ports were scanned for each site?
• umgc-tomcat9.azurewebsites.net -
• umgc-juiceshop.azurewebsites.net -
• umgc-web-dvwa.azurewebsites.net -
• Your UMGC VLE Windows Desktop -
• Your UMGC VLE Kali Desktop -
c. Which ports were discovered as being open for each site?
• umgc-tomcat9.azurewebsites.net -
• umgc-juiceshop.azurewebsites.net -
• umgc-web-dvwa.azurewebsites.net -
• Your UMGC VLE Windows Desktop -
• Your UMGC VLE Kali Desktop -
d. For the ports that were discovered to be open, what service runs on each port? Note, you only need to list each port once since the service will be the same.
e. What were the names of the operating systems for each site scanned?
• umgc-tomcat9.azurewebsites.net -
• umgc-juiceshop.azurewebsites.net -
• umgc-web-dvwa.azurewebsites.net -
• Your UMGC VLE Windows Desktop -
• Your UMGC VLE Kali Desktop -
f. Share a screenshot of the topology map resulting from the scans. Use the fishhook display.
g. What advantages do you see from a Cybersecurity defensive perspective for running an Nmap scan on your networked assets? Explain why scans should be run on a regular basis.
3.3 Maltego exercise
Note: this is a group project. Be sure to record which members completed each question. Also, be sure to discuss the results with your team before submitting so everyone is on board with the results.
a. Under the machines entity option, perform a Level 1 (L1) Footprint for umgc.edu. For the web.umgc.edu domain, what are the outgoing IP addresses? Look at one of the ending nodes listed as Microsoft-MSN-AS-Block. What do you think this does or represents? How could you use this information to help you better understand the domain you are analyzing?
b. Run the "To DNS Name (interesting...)" transform under DNS from Domain group for umgc.edu and microsoft.com. How many DNS names are returned for umgc.edu? How many for Microsoft.com? Why do they return the same number of results?
c. Run the "To DNS Name - NS" transform under DNS from Domain group for umgc.edu and microsoft.com. What are the name servers listed for umgc.edu? What are the name servers listed for Microsoft.com? Explain what a name server does for an organization.
d. Run the "To DNS Name - MX" transform under DNS from Domain group for umgc.edu and microsoft.com. What are the MX servers for umgc.edu? What are the MX servers for Microsoft.com? Explain the purpose of an MX server.
e. Run the "To Email address from whois" transform under Email address from Domain group for umgc.edu and microsoft.com. Is there any overlap in the results from umgc.edu and Microsoft.com? Describe the differences between the two results.
f. Run the "To Phone numbers" transform under Domain Owner Detail group for umgc.edu and microsoft.com. What is the 800 number listed for Microsoft? What number is listed for umgc.edu? What is the WhoIs registry and why is it important? Find the WhoIs and/or ICANN registry sites and compare the results obtained from Maltego.
g. What happens when you attempt to run the To DNS Name (attempt...) transform from the DNS from Domain group for umgc.edu and microsoft.com? What is an A record and why is it important?
h. What happens if you attempt to conduct a Level 1 (L1) Footprint on umgc-tomcat9.azurewebsites.net or umgc-web-dvwa.azurewebsites.net? Explain the possible reason for the results.
3.4 VirusTotal exercise
a. Use the results from the Cisco Talos web site to cross check a URL and IP address that was shown as malware. List the URL and IP address. Describe your test case and show screen shots of the Talos and the VirusTotal website results. Do the two sources provide the same results? If not, what do you think might have caused the discrepancy?
b. Pick a random file with no sensitive information in it on your Desktop and use a tool to generate its SHA-256 hash. Note, you can use PowerShell on Windows with the command Get-FileHash path/to/filename, or you can upload the file to https://md5file.com/calculator to generate the hash. Enter the resulting file hash into the Search window of the VirusTotal web site. Provide a screenshot of the results. Were the results as expected?
c. Run domain checks for three (3) different vendors of your choice into the VirusTotal web site. Show screenshots of the results. Look carefully at the categories and popularity score in the details section of the report. Compare and contrast the 3 vendors you selected on this information. The report details may be useful to describe some of the data and information displayed in the output.
d. Use the Relations tab on the output from the umgc.edu domain to compare the subdomains listed in VirusTotal to those listed in the community edition of Maltego. How many total domains does umgc.edu have listed in VirusTotal? Note, you can display additional subdomains in VirusTotal by clicking on the ... option at the end of the subdomains section.
3.5 Google Dorks exercise
a. Another useful Google Dork is the map: command. Use it to find maps of Tangier Sound and Camp Arifjan. Show screenshots of the results of your Dorking for each map search. Where is Tangier Sound located? In what country is Camp Arifjan located? Is there a Food Court Zone in Camp Arifjan? If so, how did you determine this?
b. Set a timer on your desktop for 10 minutes using Google Dorks. Show the screenshot of your timer. What happens when the time expires?
c. The default web page for a fresh Apache2 install running on Ubuntu has the following text in the title: "Apache2 Ubuntu Default Page: It works". How would you use this information to produce a list of sites that are running Ubuntu and still serving the default Apache2 web site? Show your Google Dork command and the results of running your command with a screenshot. How is this information useful in an ethical hacking or OSINT gathering situation?
d. Use the Google Dorking command "define:" to compare definitions of "Google Dorking" from 3 different sites. Based on the site results, provide a paraphrased definition for "Google Dorking" using the results from your query.
e. Use Google Dork commands to search umgc.edu for files with the xlsx extension. Are xlsx documents present on the website? Show the command you used to search and the results in a screenshot for your report.
Section 4: Final IOC Exercise
a. A department in your organization has asked permission to have access to several web sites that currently appear to be blocked. The sites include: mars.umgc.edu, linuxhint.com, financereports.co, creativebookmark.com. Use Threat Intelligence tools to make a recommendation for each site. Be sure to justify your decision using data and screenshots from the tools.
b. An employee in your organization has had issues with their computer and is concerned that they may have a virus. Several files were uploaded to a safe sandbox for processing and analysis. The following SHA-256 hashes were submitted. Use appropriate tools to determine if any of the files should be quarantined.
• b4bd56a2aebe3f5e020c5421e01c2d16804c25da673ecb125b074a94581cecfe
• d893a28a885344f46e74f3131d5ae3b3ecd2f5d29571afb124f556db86da40f3
• 5dc84570905973f2719578179596e36b4e29f2343ca360aeff730aacf7e37ed0
• D94BB76D6A8FBA54D6579A6265F6EAE66E905B8667D1B33080D28A2F7D068C0D
• 456A194F501984067435393729294ECC02E75973C011F1E765EEB3FC6C23CBE4
For any hashes that are flagged as malware or malicious, provide more details to include a description of the specific threat, the virus or threat name, and the most recent attack date.
c. Your IT department is short-staffed and needs some assistance generating SHA-256 hashes for several files. This work is to verify the safety of the files in terms of malware, but also to support download processes, so that those using your organization's data can confirm the hashes are identical. Use appropriate SHA-256 tools to generate the hashes for the following attached files:
• 2022-2023catalog.pdf
• courseplanner.pdf
• samplecoverletter.pdf
After you generate the SHA-256 hashes, use a threat intelligence tool to verify there are no issues with malware.
For your report, list the SHA-256 results for each file along with a note stating if any issues were reported from the hash analysis. Provide screenshots verifying your malware analysis for each hash analysis.
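One way to script the hashing and verification step in 4c (and the watch-list check in 4b), as an added Python example that is not part of the assignment: it streams each file through SHA-256, normalizes mixed-case digests like the ones listed above before comparing, and writes a sha256sum-compatible manifest that download recipients can re-check. The file names, file contents and the watch list are constructed sample data, not the assignment's attached PDFs or a real threat feed.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Lowercase hex SHA-256 of the file at `path`, streamed 1 MiB at a time."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def normalize(digest):
    """Hash lists mix upper- and lower-case hex; reject anything that is not 64 hex chars."""
    d = digest.strip().lower()
    if len(d) != 64 or any(c not in "0123456789abcdef" for c in d):
        raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
    return d

def triage(paths, watch_list):
    """Return {filename: (digest, flagged)}; flagged means the digest is on the watch list."""
    bad = {normalize(h) for h in watch_list}
    digests = {os.path.basename(p): sha256_file(p) for p in paths}
    return {name: (d, d in bad) for name, d in digests.items()}

def write_manifest(results, manifest_path):
    """Write 'digest  filename' lines, the format `sha256sum -c` accepts."""
    with open(manifest_path, "w") as m:
        m.writelines(f"{d}  {name}\n" for name, (d, _) in sorted(results.items()))

def verify_manifest(manifest_path, directory):
    """Return the names whose current digest no longer matches the manifest entry."""
    with open(manifest_path) as m:
        entries = [line.rstrip("\n").split("  ", 1) for line in m]
    return [name for digest, name in entries
            if sha256_file(os.path.join(directory, name)) != normalize(digest)]

def demo():
    tmp = tempfile.mkdtemp()  # constructed sample files stand in for the assignment's PDFs
    paths = [os.path.join(tmp, n) for n in ("catalog.pdf", "planner.pdf", "letter.pdf")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"%PDF-1.7 constructed " + os.path.basename(p).encode())
    watch = [sha256_file(paths[1]).upper()]  # constructed watch list, upper-cased on purpose
    results = triage(paths, watch)
    manifest = os.path.join(tmp, "SHA256SUMS")
    write_manifest(results, manifest)
    with open(paths[2], "ab") as f:
        f.write(b" tampered")  # a download altered after the manifest was published
    return results, verify_manifest(manifest, tmp)
```

Running `demo()` flags only planner.pdf against the watch list and reports letter.pdf as the one file whose manifest entry no longer matches.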
d. Finally, in 4-6 paragraphs summarize your experience using threat intelligence tools. From your experience, discuss strengths and weaknesses for each tool used. Discuss your envisioned future use and tools that might be considered. For example, does it make sense to invest in a commercial threat intelligence tool that uses multiple OSINT and other sources, providing real-time alerts and visualization capabilities? If so, which tools might be good choices and why?