Completed a job simulation involving the role of a cybersecurity generalist, specializing in fraud detection and prevention for Commonwealth Bank's Cybersecurity team.
Developed skills in building data visualization dashboards using Splunk to uncover patterns and insights in historical customer data, aiding in fraud detection.
Demonstrated the ability to respond effectively to cybersecurity incidents, including notifying relevant teams, collecting information, containing and stopping attacks, and aiding in recovery efforts.
Enhanced security awareness expertise by designing infographics promoting best practices for secure password management, following Australian Cybersecurity Centre advice.
Acquired practical experience in penetration testing, assessing the security of web applications, identifying vulnerabilities, and providing recommendations for remediation to bolster cybersecurity defenses.
Splunk Basics
Data Analysis
Data Visualisation
Cyber Security
Incident Triage
Detection and Response
Data Protection
Password Security
Compliance Knowledge
Penetration Testing
Creative Thinking
Problem Solving
Background information
In this task, you will be stepping into the role of a cybersecurity consultant here at Datacom. One of our leading tech corporation clients has fallen prey to a sophisticated cyberattack by a notorious Advanced Persistent Threat (APT) group known as APT34. The attack, believed to be sponsored by a foreign government, has left the organisation's network compromised, and valuable customer data and intellectual property have been stolen.
Your mission is to conduct initial research on this APT group, APT34, and assess the extent of the breach's impact on the organisation's information security. But fear not, for you will be provided with all the necessary tools required to understand cybersecurity concepts and principles, including cyberthreats, attack methods, and the importance of confidentiality, integrity and availability of information. In addition, you will also be familiarised with APT34's tactics, techniques and procedures (TTPs) and the common vulnerabilities they exploit to gain access to networks.
The objective of this task is to help our client conduct an initial investigation into APT34 and evaluate the potential impact of the attack on the organization. As a result, you will need to produce a comprehensive report documenting your findings and outlining key recommendations for improving the organisation's cybersecurity posture.
As you delve deeper into the world of cybersecurity, you will come to appreciate the critical role it plays in protecting organisations against cyberthreats. With the ever-increasing reliance on technology and the internet, cybersecurity has become a vital aspect of any organisation's operations. It is no longer a question of whether an organisation will be targeted but rather a question of when. This task provides you with an excellent opportunity to learn and gain practical experience in the cybersecurity field while making a positive impact on our client's security posture.
Background information
Your initial research on the APT group is a crucial step because it helps to identify the potential attackers and their methods, motives and targets. Understanding the TTPs of APT34 helps identify specific vulnerabilities and attack vectors that could be exploited.
This has laid a solid foundation for the next task, which is to conduct a comprehensive risk assessment for the client. The client has a fence around the perimeter of its property and a padlock on its entrance gate to prevent unauthorised access. However, the leadership team is concerned about potential risks and vulnerabilities that could compromise the security of its information and systems. They require a comprehensive risk assessment to identify potential security threats and vulnerabilities in their system or network.
As a cybersecurity consultant, you understand that conducting a risk assessment is an essential component of any effective cybersecurity strategy. This involves identifying, evaluating and prioritising potential security threats and vulnerabilities to determine the level of risk and develop a plan to mitigate those risks. During the risk assessment, you will need to identify the assets that need to be protected, define the risk matrix and identify potential risk scenarios. You will assess the risk ratings for each scenario, both with and without existing measures in place. Finally, you will provide a risk assessment report to the client summarising your findings and recommendations for mitigating risks and improving the institution's security posture.
The goal of the risk assessment is to help the client prioritise and implement appropriate security measures to mitigate and minimise risks. This will ensure the confidentiality, integrity and availability of their information and systems, as well as protect their reputation and financial resources. Ultimately, your work will help the client comply with regulatory and legal requirements and standards and provide peace of mind knowing that their security is being handled by a knowledgeable and experienced cybersecurity expert.
Task 1 - APT breach: Analysing the impact on information security
As a cybersecurity professional, you will be expected to utilise various Open-Source Intelligence (OSINT) tools and techniques to gather information on APT34. You can find some OSINT tools in the resources section; however, feel free to conduct your own individual research.
You will also need to apply the MITRE ATT&CK Framework, a standardised tool used to identify and categorise cyberthreats, to develop a comprehensive defence strategy to protect the client's networks and systems against future attacks. You should answer the following questions in your research:
1. What is their history?
2. Which nation/state are they associated with?
3. Do they target specific industries?
4. What are their motives?
5. What are the TTPs they use to conduct their attacks?
6. What security measures could the client implement to defend against cyberattacks conducted by this APT?
Your ultimate goal is to communicate your findings and recommendations effectively to the client's leadership team, providing actionable insights that can improve the corporation's security posture. Submit your findings in the text submission box below.
Here are some resources to help you:
MITRE ATT&CK Framework: This is a widely used tool to categorise and identify cyberthreats. Students should familiarise themselves with the framework and understand how to apply it to develop a comprehensive defence strategy.
News and Other Resources: Students should stay up-to-date with the latest cybersecurity news and resources to gain a better understanding of the evolving cybersecurity landscape and new threats.
Research on APT34 (Advanced Persistent Threat Group 34)
1. History of APT34:
APT34, also known as "OilRig," "Helix Kitten," and "Oiman," is a cyber espionage group that has been active since at least 2014. It is known for conducting prolonged and targeted cyber espionage campaigns, with its primary focus on Middle Eastern and North African (MENA) regions. APT34 typically targets organizations with high-value data, focusing on sectors critical to economic and political structures. This group is considered highly capable and sophisticated, often using spear-phishing campaigns and leveraging zero-day vulnerabilities.
2. Nation/State Association:
APT34 is widely believed to be affiliated with the Iranian government. The group's activities align with Iran's strategic interests, particularly in cyber espionage aimed at enhancing geopolitical influence and gathering intelligence on adversaries.
3. Targeted Industries:
APT34 has been known to target various sectors, including:
Financial institutions
Government agencies
Energy companies
Telecommunications firms
Critical infrastructure (oil and gas industry)
These industries are critical for both geopolitical strategy and economic stability, which makes them prime targets for espionage.
4. Motives:
APT34's motives are aligned with geopolitical goals:
Intelligence gathering for national security
Economic espionage to gain insight into foreign policies and business practices
Sabotage for political and diplomatic leverage
Strengthening Iran's competitive edge by acquiring intellectual property and sensitive information
5. Tactics, Techniques, and Procedures (TTPs):
APT34 uses a variety of sophisticated TTPs to conduct its attacks, many of which can be mapped to the MITRE ATT&CK framework. Here are some of the group's known TTPs:
Initial Access:
Spear-phishing emails (often using social engineering tactics to target specific individuals).
Watering hole attacks (compromising websites frequented by targets).
Execution:
Use of malicious PowerShell scripts to execute payloads.
Persistence:
Establishing persistence through the use of backdoor Trojans like "POWBAT," "TONEDEAF," and "ThreeDollars."
Compromising legitimate accounts within a network to maintain long-term access.
Privilege Escalation:
Exploiting vulnerabilities (such as CVE-2017-11774, a Microsoft Outlook vulnerability) to elevate privileges within targeted systems.
Credential Access:
Utilizing credential-dumping tools like Mimikatz to extract credentials from compromised systems.
Command and Control (C2):
Communication with C2 servers through HTTP and HTTPS, often disguising malicious traffic as legitimate.
Exfiltration:
Data exfiltration through encrypted channels or direct upload to cloud services, such as Dropbox or Google Drive.
APT34's operations are stealthy, using legitimate services and credentials to avoid detection, making their attacks harder to detect using traditional security measures.
6. Security Measures for Defense:
To defend against APT34 and similar threat actors, organizations should implement the following security measures:
Email Security and User Awareness:
Strengthen email security systems to detect and block spear-phishing attacks.
Conduct regular employee awareness training to identify phishing attempts and report suspicious activities.
Network Segmentation and Zero Trust:
Segment critical assets from other network areas, limiting lateral movement in case of a breach.
Apply a Zero Trust architecture where users and systems are verified constantly before being granted access.
Vulnerability Management:
Patch known vulnerabilities in critical software promptly, particularly those in widely used platforms such as Microsoft Outlook and web applications.
Endpoint Detection and Response (EDR):
Deploy EDR solutions to detect malicious activities, including PowerShell abuse and privilege escalation.
Use behavioral analysis to detect anomalies that may signal APT34's tactics.
Multi-Factor Authentication (MFA):
Enforce MFA on all accounts, especially those with administrative privileges, to prevent credential abuse.
Threat Hunting and Incident Response:
Actively engage in threat hunting to detect signs of persistence and hidden backdoors in the network.
Develop an incident response plan that includes isolation and remediation of infected systems as soon as malicious activity is detected.
Network Traffic Analysis:
Monitor network traffic for irregular patterns that may indicate data exfiltration or C2 communication with external servers.
Use encrypted channels for legitimate communications to avoid being compromised by actors who might monitor traffic.
By incorporating these defenses, the client can significantly reduce the risk of APT34 compromising their systems.
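The PowerShell execution and HTTP/HTTPS C2 tactics listed above, together with the EDR and network-traffic monitoring recommended against them, as an added Python example that is not part of the original research submission: it runs two simple detections over constructed process-creation and proxy log lines. The log format, field names, hosts, addresses and the flag patterns are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample telemetry (not real client data), key=value records; the base64 blob is a placeholder.
PROCESS_EVENTS = [
    "2024-03-01T09:00:01 host=ws01 user=jdoe cmdline=powershell.exe -NoP -w hidden -EncodedCommand QQBCAEMA",
    "2024-03-01T09:05:10 host=ws02 user=asmith cmdline=app.exe --update",
    "2024-03-01T09:07:42 host=ws03 user=ops cmdline=powershell.exe Get-ChildItem C:\\Logs",
]
PROXY_EVENTS = [
    "2024-03-01T09:00:05 host=ws01 dst=203.0.113.10 uri=/api/check bytes=412",
    "2024-03-01T09:10:04 host=ws01 dst=203.0.113.10 uri=/api/check bytes=415",
    "2024-03-01T09:20:06 host=ws01 dst=203.0.113.10 uri=/api/check bytes=410",
    "2024-03-01T09:30:05 host=ws01 dst=203.0.113.10 uri=/api/check bytes=418",
    "2024-03-01T09:03:11 host=ws02 dst=198.51.100.7 uri=/news bytes=9031",
    "2024-03-01T09:41:50 host=ws02 dst=198.51.100.7 uri=/news/2 bytes=12000",
    "2024-03-01T09:44:02 host=ws02 dst=198.51.100.7 uri=/news/3 bytes=8000",
]

# Command-line traits EDR rules commonly key on: encoded commands, hidden windows, download-and-run one-liners.
PS_FLAGS = re.compile(r"-(?:EncodedCommand|enc|e)\b|-w(?:indowstyle)?\s+hidden|DownloadString|\bIEX\b", re.I)

def parse(line):
    """Split 'ts k=v k=v ... cmdline=<rest>' into a dict; cmdline may contain spaces."""
    ts, _, rest = line.partition(" ")
    head, _, cmdline = rest.partition(" cmdline=")
    fields = dict(kv.split("=", 1) for kv in head.split())
    fields["ts"], fields["cmdline"] = datetime.fromisoformat(ts), cmdline
    return fields

def suspicious_powershell(lines):
    """Return (host, user) for PowerShell launches carrying abuse-style flags."""
    return [(ev["host"], ev["user"]) for ev in map(parse, lines)
            if "powershell" in ev["cmdline"].lower() and PS_FLAGS.search(ev["cmdline"])]

def beacon_candidates(lines, min_requests=3, max_jitter=0.1):
    """Flag (host, dst) pairs whose request spacing is near-constant (a C2 check-in trait); value is the mean gap in seconds."""
    times = defaultdict(list)
    for ev in map(parse, lines):
        times[(ev["host"], ev["dst"])].append(ev["ts"])
    flagged = {}
    for key, ts in ((k, sorted(v)) for k, v in times.items() if len(v) >= min_requests):
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if pstdev(gaps) / mean(gaps) <= max_jitter:  # low jitter means regular, beacon-like traffic
            flagged[key] = round(mean(gaps))
    return flagged
```

The ws02 browsing traffic is irregular and is not flagged, while ws01's ten-minute check-ins are; in production both rules would be tuned against the client's own baseline to keep false positives down.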
Task 2 - Cybersecurity risk assessment
In this task, you will be documenting the client's risk position using the padlock analogy as an example. The client wants you to help them define the context, assess their risk matrix and identify potential risk scenarios.
To complete this task, you will need to:
1. Define the context - Identify the assets that need to be protected. This could include sensitive information, customer data, financial information or any other critical assets that are important to the client.
2. Define the risk matrix - Define the likelihood, consequence and risk rating for each potential risk scenario. The likelihood is the probability of the risk scenario occurring, while the consequence is the severity of the potential impact. The risk rating is a measure of the overall risk posed by the scenario, calculated by multiplying the likelihood and consequence.
3. Define three risk scenarios - Identify the specific risks that the client is trying to protect their assets from. For example, a cyberattack, natural disaster or employee negligence.
4. Assess risk rating for each risk scenario - Calculate the inherent risk rating for each scenario, assuming there are no measures in place to reduce the risk (without fence and padlock in place).
5. Assess risk rating for each risk scenario with existing measures - Calculate the current risk rating for each scenario taking existing measures in place to reduce the risk into consideration (with fence and padlock in place).
6. Assess risk levels for each risk scenario with additional measures - Identify any additional measures that could be put in place to further reduce the risk. Calculate the target risk rating for each scenario with these additional measures in place.
7. Create a risk assessment report for the client that summarises the risk assessment findings, the risk mitigation strategy and any recommended measures for implementation.
You will need to use the "Risk Assessment Template" provided in the Resources section below to complete this task.
Resources:
An example of a risk scenario could be…
A cyberattack aimed at stealing sensitive information. The likelihood of such an attack could be rated as high, given the increasing frequency of cyberattacks. The impact of a successful cyberattack could be severe, potentially leading to loss of data, financial harm and damage to the client's reputation. The inherent risk rating for this scenario would therefore be high. However, the client may already have existing measures in place to mitigate the risk of a cyberattack, such as firewalls and antivirus software. These measures would reduce the likelihood and impact of the attack, resulting in a lower current risk rating. Finally, the client could also consider additional measures, such as regular software updates and security awareness training for employees, to further reduce the risk and achieve a lower target risk rating.
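The seven-step procedure and the example scenario above, carried through as an added Python example that is neither the task's Risk Assessment Template nor the client's data: the five-point scales, the rating bands, the three scenarios and every likelihood and consequence value are assumptions made for illustration.

```python
from dataclasses import dataclass

# Five-point ordinal scales, assumed for this example; the task's template leaves the scale to the assessor.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

def risk_rating(likelihood, consequence):
    """Rating = likelihood x consequence; the bands Low (<5), Medium (5-11), High (>=12) are assumed."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    return score, "High" if score >= 12 else "Medium" if score >= 5 else "Low"

@dataclass
class Scenario:
    name: str
    asset: str
    inherent: tuple     # (likelihood, consequence) with no measures in place
    existing: list      # measures already in place (the fence and padlock of the analogy)
    current: tuple      # (likelihood, consequence) once existing measures are considered
    additional: list    # recommended extra measures
    target: tuple       # (likelihood, consequence) expected after additional measures

def assess(s):
    """Inherent, current and target (score, band) for one scenario."""
    return {stage: risk_rating(*getattr(s, stage)) for stage in ("inherent", "current", "target")}

def report(scenarios):
    """Summary lines for the report, highest inherent risk first so the client can prioritise."""
    lines = []
    for s in sorted(scenarios, key=lambda s: risk_rating(*s.inherent)[0], reverse=True):
        r = assess(s)
        lines.append(f"{s.name} [{s.asset}]: inherent {r['inherent'][0]} {r['inherent'][1]}; "
                     f"current {r['current'][0]} {r['current'][1]} with {', '.join(s.existing)}; "
                     f"target {r['target'][0]} {r['target'][1]} after {', '.join(s.additional)}")
    return lines

# Constructed scenarios following the task text; the ratings are an assessor's judgement, not data.
SCENARIOS = [
    Scenario("Cyberattack stealing sensitive information", "customer data",
             ("likely", "severe"), ["firewall", "antivirus"], ("possible", "major"),
             ["regular software updates", "security awareness training"], ("unlikely", "major")),
    Scenario("Natural disaster", "on-premises servers",
             ("unlikely", "major"), ["fence", "padlock"], ("unlikely", "major"),
             ["off-site backups"], ("unlikely", "minor")),
    Scenario("Employee negligence", "financial records",
             ("likely", "moderate"), ["padlock on entrance gate"], ("possible", "moderate"),
             ["least-privilege access", "security awareness training"], ("unlikely", "moderate")),
]
```

The natural-disaster scenario is rated the same with and without the fence and padlock, which is the point of assessing each scenario separately: an existing measure only lowers the current rating for the threats it actually addresses.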