Introduction: Any IT graduate involved in IT security will need to be able to adapt and respond to unfamiliar and changing security threats and to evaluate and use new tools. To be capable in their profession, graduates need to be able to apply skills through design and planning, categorisation, evaluation and analyse of tools, techniques, threats and procedures.
Attack & Security Tools: PHISHING (FROM 10 TO 15 PAGES WITH SCREENSHOTS AND AT LEAST 2000 WORDS)
You will need to research 1 tool attacker’s use, and 1 security tool used to counter attackers in the area chosen. Your assignment involves running both tools, evaluating and analysing their use in means to evade or detect threats/detection. That is, how are you going to use these tools? To show how attackers can bypass detection, or how tools can be used to detect this threat type? Or show how both operate? From this perspective, you should justify your choice (over others), install, run and demonstrate the use of tools, producing some output or results. You should analyse and evaluate the usage and results from both attacker and defender perspectives, and potential impact. Be sure to discuss threats and countermeasures of these risks.
Attacker or Malware Analysis (scenario)
Select one of the following topics:
1. Using scripts and web services, trace (over 50) spam e-mails to their source as best as you can, try to detect them
To evaluate the spam, you are required to implement a spam detection engine (either in R or Python: there are many resources and datasets on GitHub). After investigating the sources of your spam, you should outline the purpose of the spam and impact it may have. Then you should first train and test a detection model, and have it predict the emails you obtained. You should analyse and evaluate the usage and results (confusion matric metrics) from both attacker and defender perspectives, and include language, topics, spam technique (to trick the target or bypass the filter) along with visualisation.
2. Analyse and document some malware which you have caught
You are to use forensic tools to analyse the malware. You can use static or dynamic tools, or a combination of both. Examples (but not limited to) of these a Cuckoo, REMnux, IDA Pro. Your evaluation should be in comparison to older versions of the malware family or against recent examples which are similar, and the challenges surrounding detection and mitigation. Examples of this evaluation could be: the change in behaviour, the means the malware obfuscates its behaviour, or how it interacts within an operating system, and thus the impact and challenges it presents. Along with your evaluation, you also need to document the justification of tools, threat definition and challenges, and analysis methodology.
- Find a malware and use Cuckoo Sandbox online to get the information (screenshots) and write the document
Q: The description says ‘evaluation should be in comparison to older versions of the malware family or against recent examples’. So my understanding is that I need to analyse 2 samples of the same malware family and compare their behaviour. Is this right?
Do both the samples have to be of the same malware family or can I choose 2 samples of different malware families?
A: Yes, you would analyse 2 different samples. Or you provide lots of referenced details to previous versions. You can compare either of the same family, or that which is similar (in its objective, e.g. ransomware) between time periods. It’s a new vs. old concept, what has changed, its evolution, or threat development.
Q: How much in depth analysis is required? Should I show the comparison of the assembly code of the 2 samples (in IDA Pro) or can I show a comparison of a sandbox report (like cuckoo) coupled with some dynamic analysis?
A: It depends on what you are comparing about them. As an examples, you might table the change is resources the malware loads given cuckoo reports. Or behaviour characteristics. If assembly code is relevant to analysis, you can include it.
Q: Are there any easy malware samples you would recommend?
A: Not really, but here is a source to consider http://contagiodump.blogspot.com/
All externally sourced information (i.e. not common knowledge or course material) must be cited. Referencing conventions required for this unit are: Vancouver (as used by IEEE).