
Brunel - Computer Science - CS3609 Cybersecurity (Pass)

Rating: 5.0 (1)
Sold: 10
Pages: 8
Uploaded on: 28-02-2022
Written in: 2020/2021

An assignment or coursework done for Brunel University for the Cybersecurity module CS3609 - pass or fail. (2021)

CS3609 CYBERSECURITY COURSEWORK
Task 1: Network Diagram


The following is a network diagram, referencing the Brunel Tech Start-up Scenario.

BRUNEL TECH START-UP SCENARIO:
(CS3609 Cybersecurity Task 1 – Threshold Coursework for 2020/21, Updated October 2020, Department of Computer Science)
A tech start-up company has just moved into a new office space and is setting up office equipment. Each desk
in the office space will have a PC connected to a local area network. A meeting space in the office will have a
projector, a gaming PC for graphics requirements and voice over IP (VoIP) devices for conference calls. The
company has set up a Windows server in its machine room to host its website and internal document storage,
which includes customer and employee contact details. Brunel Tech is also using Amazon
Web Services (S3 in particular) to back-up all internal documents to the cloud. Brunel Tech’s employees will also
be able to access documents from home computers and mobile devices, typically using a Wi-Fi network –
including the office WiFi network. In addition, a Linux-based controller (on the wall) connects to a Linux server
in the machine room and stores CCTV still images, captured from cameras in the office space, in an SQL
database.

Task 2: Threat reporting and Attack Vector Mapping


An attack scenario can be described from the findings of the Red Team exercise. First, the adversaries would
begin the attack with Reconnaissance tactics, executing the Active Scanning technique, specifically the
sub-technique Vulnerability Scanning (MITRE ATT&CK, T1595.002). This uses an application or software
tool to gather information, including identifying systems, services, and their versions (Andrew, 2020).
In this scenario the scan would be performed from outside the network and would be non-intrusive, and it
would identify that the target, Brunel Tech, is running an outdated version of Apache Tomcat server
(CVE-2019-0232). The attackers would not have been able to continue past this stage if Brunel Tech
had kept its software up to date. With the vulnerability identified, the adversary will now commence
the attack. Mitigation at this stage may be difficult: being a start-up company, Brunel Tech is
unlikely to have cyber security experts and controls in place to monitor for the suspicious network traffic
that would indicate scanning.

Having discovered a vulnerability in the server, the adversaries’ next step is the Initial
Access tactic. The Exploit Public-Facing Application technique (MITRE ATT&CK, T1190) will be used to take
advantage of it and establish access into the network. Brunel Tech could consider investing in vulnerability
scanners themselves in order to patch any weaknesses identified.

The next step is the Execution tactic. The Common Gateway Interface (CGI) is the interface used to
execute programs and applications on the web server. The vulnerability discovered is that
enableCmdLineArguments is enabled, which allows the adversaries to execute scripts and commands on
the server; this is referred to as the Command and Scripting Interpreter technique (MITRE ATT&CK, T1059).
The attacker will use PowerShell to deploy unauthorised scripts and commands
associated with account creation.

The attacker will then move on to a Persistence tactic, using the Create Account technique
(MITRE ATT&CK, T1136.001) to maintain access to Brunel Tech’s systems and network. Mitigations
include multi-factor authentication. For Brunel Tech, two-factor authentication (2FA), which
requests an additional token once a user logs on to a system, would have been effective in avoiding this attack
scenario, for example inserting a physical smart card, which only Brunel Tech employees would have,
to access a machine or browse files.

The adversaries are now in the final phases and can use the Command and Control tactic: scripts can be
used to download and launch Remote Access Software (MITRE ATT&CK, T1219). With the company’s machines
infected and accounts created, the attacker can now access and roam the machines using the remote access
software LogMeIn. Having gained access, the attacker now poses a threat to several of
Brunel Tech’s assets. Brunel Tech’s customer and employee data will be stolen, violating their
privacy, as the attackers commit data theft.

Brunel Tech is likely to have information such as payroll slips with banking details and National Insurance
numbers. Additionally, names, contact information and other sensitive data will be extracted, and the attacker
will then be able to share the data as well as commit identity theft. This will be completed through the
Exfiltration tactic, using the Transfer Data to Cloud Account technique (MITRE ATT&CK, T1537). This consists
of transferring all the accessible data on the infected machine to a cloud account the attackers have access to.

Overall, the threat agent in this scenario is a Black-Hat Hacker, and the potential threats
identified within this attack scenario include, but are not limited to, data theft and data loss affecting the
asset of customer and employee data. The impact on the company can be detrimental, including
fines from the UK government for the lack of security and for being responsible for a breach of the General
Data Protection Regulation.


