Week 4 Discussion – “APTs pt.2”

Building on the initial research you did on your APT group last week, for this week’s discussion I want you to familiarize yourself with the Lockheed Martin “Cyber Kill Chain” (https://www.sans.org/security-awareness-training/blog/applying-security-awareness-cyber-kill-chain) and then identify your APT group’s tools, techniques, and procedures (TTPs) for the Exploitation, Installation, and Command and Control phases.

1) What Indicators of Compromise (IOCs) would suggest that this adversary is present on a network?

2) What techniques or tools are they using to evade detection by host-based detection products? What techniques or tools are they using to evade network-based detection?

3) Assuming you work in an affected company’s incident response/network defense team, what steps would you take to remediate and mitigate the threat? Note: posting that you would improve security awareness/education training does NOT remediate against an ongoing operation and, as such, I won’t provide credit if I see this answer posted. Ditto with a posting that says use vendor X’s product (Falcon View, etc.).

4) How would you present the case to your management that the APT group is on the network, and would it matter to the company whether the threat was coming from a suspected state-sponsored actor? If so/not, explain.

My expectation for this post is that you will use multiple APT reports to identify such indicators, so I’ll expect to see references from multiple cyber security vendors’ reporting in your citations. Note that the same group could be called something different by a different cyber security vendor, so I’ll provide you with this Google Group page as a starting point to help you identify other names for your APT actors:
https://docs.google.com/spreadsheets/u/1/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml