The completion of Portfolio Task 3 ("Conduct a research study using a virtualised infrastructure to simulate attacks and identify these through a SIEM platform") is worth 40% towards your portfolio for the UFCFFY-15-M Cyber Security Analytics (CSA) module. Please refer to your Assignment Overview for full details.
For this task, you should use a virtualised infrastructure (e.g., DetectionLab or Splunk Attack Range). You will need to conduct research to develop your study, to illustrate sample offensive attacks against the infrastructure. You could use Atomic Red Team for this, or you may choose an alternative approach such as connecting your own Kali instance to the infrastructure. You should then demonstrate from a 'blue team' perspective how a cyber security analyst could identify these attacks using a SIEM (e.g., Splunk). Your portfolio submission for this task should be a written report (max. 2000 words), using either Jupyter notebook (Markdown) or Microsoft Word, that details your offensive attacks and your defensive investigation, showing clear screenshots of your study. You MUST document fully your use of any online/3rd party resources giving appropriate citation and recognition to existing works.
DetectionLab and Splunk Attack Range are both resource intensive, since each runs multiple virtual machines. If your personal computing facilities do not meet this specification, it is strongly advised that you use the University lab facilities together with an external solid state drive. Most campus machines have at least 32GB RAM, which should be sufficient for running multiple VMs within these environments.
You are expected to conduct independent research in order to inform your work for this task. Using online resources, you will find information about suitable attack vectors and defensive strategies. You are expected to show that you can research these topics, both to understand common attack vectors and to understand how defensive strategies help to identify these attacks and introduce mitigations against their use.
| Criteria | 0-39 | 40-49 | 50-59 | 60-69 | 70-84 | 85-100 |
|---|---|---|---|---|---|---|
| Evidence of deploying a functional testing environment (15%) | No evidence of progress | A limited attempt to address this criterion | A partially working environment has been deployed and reported, supported by screenshots and report detail | A working environment has been deployed and reported, supported by screenshots and report detail | A working environment has been deployed and reported with very good demonstration of understanding | A working environment has been deployed and reported with excellent demonstration of understanding |
| Ability to demonstrate attacks on the test environment (20%) | No evidence of progress | A limited attempt to address this criterion | Some evidence of conducting attacks supported by screenshots but lacking in understanding | Good evidence of conducting attacks supported by screenshots and report detail | Very good evidence of conducting attacks demonstrating clear understanding | Excellent evidence of conducting attacks demonstrating clear understanding and further creativity beyond what is expected |
| Ability to identify attacks via Splunk logging mechanisms (40%) | No evidence of progress | A limited attempt to address this criterion | Some evidence of identifying attacks supported by screenshots but lacking in understanding | Good evidence of identifying attacks supported by screenshots and report detail | Very good evidence of identifying attacks demonstrating clear understanding | Excellent evidence of identifying attacks demonstrating clear understanding and further creativity beyond what is expected |
| Clarity and professional report presentation (25%) | No evidence of progress | A limited attempt to address this criterion | A fair report with grammatical and presentation flaws | Good report with only minor grammatical and presentation flaws | Very good report to a high standard | Excellent report to a professional and publishable standard |
To achieve the higher end of the grade scale, you need to demonstrate creativity in how you approach the problem, both in terms of the attack vectors that you test on your infrastructure and in how these attacks can be identified from a defensive analytical perspective, and you will need to document this clearly within your report.
Your submission for this task should include:
Your final portfolio should be submitted to Blackboard by 14:00 on 12th May 2022. Your Blackboard submission should consist of the following individual files:
Please do not ZIP the files together as a single submission on Blackboard; you can submit multiple files to Blackboard.
For each criterion, please reflect on the marking rubric and indicate what grade you would expect to receive for the work that you are submitting. For your own personal development and learning, it is important to reflect on your work and to attempt to assess it carefully. Do think carefully about both the positive aspects of your work and any limitations you may have faced.
Evidence of deploying a functional testing environment (15%): You estimate that your grade will be __.
Ability to demonstrate attacks on the test environment (20%): You estimate that your grade will be __.
Ability to identify attacks via Splunk logging mechanisms (40%): You estimate that your grade will be __.
Clarity and professional report presentation (25%): You estimate that your grade will be __.
Please provide a minimum of two sentences to comment and reflect on your own self-assessment: __. __.
Questions about this assignment should be directed to your module leader (Phil.Legg@uwe.ac.uk). You can use the Blackboard Q&A feature to ask questions related to this module and this assignment, as well as the on-site teaching sessions.