VCU Computer Science Diamond Model Findings Project

APT Assignment
{ Discussion board result to be used}
APT29, also known as Cozy Bear, is an Advanced Persistent Threat that has been linked to the Russian
government. A range of institutions, including governments and healthcare companies, have been the
focus of their targeting efforts. The duration of the campaigns has extended over many years, with the
primary objective being the acquisition of sensitive data and the execution of espionage activities. APT29
utilizes advanced methodologies like spear-phishing, zero-day vulnerabilities (Bahrami 2019) and the
deployment of malware such as Hammertoss and WellMess.
Gaining insight into the techniques and targets of APT organizations has the potential to enhance future
cybersecurity initiatives(Alladi 2020) This information facilitates the development of customized defensive
strategies, enhances incident response capabilities, and identifies possible indications of compromise
particular to the APT group, thus strengthening the overall security posture.
The US Government has dealt with APT attacks by enforcing economic, law, and diplomatic measures.
Also sanctioning individuals and organizations associated with APTs, indicted individuals involved in
cyber espionage, (EICHENSEH 2021) and engaged in diplomatic efforts to address cyber threats,
pursuing international cooperation and norms to deter malicious cyber activities.
Alladi, T., Chamola, V., & Zeadally, S. (2020). Industrial control systems: Cyberattack trends and
countermeasures. Computer Communications, 155, 1-8.
Bahrami, P. N., Dehghantanha, A., Dargahi, T., Parizi, R. M., Choo, K. K. R., & Javadi, H. H. (2019).
Cyber kill chain-based taxonomy of advanced persistent threat actors: Analogy of tactics, techniques, and
procedures. Journal of information processing systems, 15(4), 865-889.
EICHENSEHR, E. B. K. E. (2021). Contemporary Practice of the United States Relating to International
Law. American Journal of International Law, 115(1),
Applying Cyber Threat Intelligence – Part 1
This assignment will require you to submit a word document and a PowerPoint slide. For this assignment,
we will build the profile of the APT group (one summarized above on the first page), identifying likely
related personas, victims, infrastructure, tools, etc. using the Diamond model and then also map the
group’s tools, techniques, and procedures (TTPs) to the Lockheed Martin Cyber Kill Chain stages. You
will use the same APT group for both the word document and the PowerPoint. I want you to express
information about the APT group in both a narrative and briefing format.
This assignment will require you to use several (at least 3) industry reports on the APT group you chose
from multiple vendors. Include citations in each of the deliverables and the specific page number where
the information can be found. I’ve found that annotations such a [1], [2], etc. and then a final works cited
slide that includes the report name and page number have worked well for past students.
Note: Points will be deducted for using sources that are not full APT reports, i.e. news reporting website
( I have attached two samples of what the power point and word doc should look like for Part 1).
Applying Cyber Threat Intelligence – Part 2
This homework assignment builds on Part 1 where you identified core characteristics and TTPs of a
specific APT group. For this assignment, the focus is to develop actionable signatures that would detect
your APT actor on a network.
This assignment is to create signatures aka actionable detection measures for your APT group. I am
expecting that you will develop unique signatures based on the information you provided in not ones
lifted from the Internet; plagiarism of this sort will result in an immediate 0 for the assignment and will
be recommend to the University for an honor code violation.
Assignment Deliverables:
•
A Powerpoint slide or Word document containing YARA-based detection signatures for each
stages of the Kill Chain. These YARA signatures must include all three sections; you are the
author of the signature, so make sure that is reflected in the meta section. Since
reconnaissance is often outside of the control of network defenders, you do not need to
create a yara or network-based (Snort, Bro, etc.) signature for phase 1 of the Kill Chain.
•
In cases where YARA signatures are not applicable, SIEM rules/heuristics would also be
acceptable, so long as it is tailored to your APT group’s TTPs and not a generalized measure.
•
Also, identify any other relevant mitigations that would prevent this attacker from being
able to gain a foothold into the network based on the TTPs you identified in Homework #2
that we would need to be put in place in our network security appliances and across the
enterprise.
•
(only create a single rule, even though the instructions ask for you to create a rule
for each part of the kill chain.)
•
Yara Rule/Signature Example below:
Here is an example of a yara rule that alerts to the installation of a blackenergy implant
botnet. It shows known hashes for detecting versions of the malware and some known
origination IPs used by the adversary. It is also good to read the discussion board this week
as it talks about VirusTotal.
Rule APT_BlackEnergy_Installation {
Meta:
Description = “APT BlackEnergy Installation”
Author = “Zane Afzal”
Reference = “https://attack.mitre.org/software/S0089/,https://github.com/YaraRules/rules/blob/master/malware/APT_Blackenergy.yar”
Date = “04-20-2020”
$hash1 = “87FB0C1E0DE46177390DE3EE18608B21”$hash2 =
“277FF86501B98A4FF8C945AC4D4A7C53”$hash3 =
“C9F16F0BE8C77F0170B9B6CE876ED7FB”$hash4 =
“A602A7B6DEADC3DFB6473A94D7EDC9E4”
Strings:$body_1 = “WARNING! Active Threat Detected!”$body_2 = “Please review and
respond immediately!”$a_1 = “82.102.14.219”$a_2 = “94.23.172.164”$a_3 =
“185.15.247.147”$a_4 = “185.181.8.246”
Condition:All of ($body*) ORAll of ($a*) }