Vulnerability and threat assessment tools and resources.

You will be using online resources to prepare a report to your CIO. Do not answer the questions below
like an exam; use them to structure your report. The report can be written in the first person (for example: our
company is relying on XYZ technology and there are several critical vulnerabilities associated with this
product. But the top three vulnerabilities that are CWE-190 …). Give a heading for each answer and write
your report under that heading (for example, Vulnerabilities by Product and Vendor…..).

  1. From the National Vulnerability Database website (https://nvd.nist.gov/), look at the vulnerability trends
    over the years. Find Vulnerabilities by Type over Time in the General-Visualization menu (see
    the screenshot). From the Vulnerability Type Change by Year figure (see the screenshot), pick 3
    vulnerabilities that are on the rise and 3 vulnerabilities that are in decline between 2017 and 2019. Make a
    note of their names. Use the tooltips and the legend to get the names corresponding to the colors. For
    example: CWE-190: Integer Overflow or Wraparound. Briefly write about what you found.
  2. Use the Common Weakness Enumeration website (https://cwe.mitre.org/) for more information on the
    vulnerabilities you found previously. Describe two of the rising vulnerabilities in detail and in your own
    words (do not copy and paste). For example, the description of the vulnerability can be summarized using the
    descriptions on the website (see the screenshot). Describe the consequences for CIA, potential mitigations,
    and defenses. All of these are outlined on the vulnerability page. You need to summarize and translate what
    is on the webpage into a more executive-friendly version.
  3. Go to the common vulnerabilities and exposures website (https://www.cvedetails.com/) and from the
    Top 50 menu on the left, assess vendors and products (see the screenshot below). Use the Vendors and
    Vendor Cvss Scores to write an assessment of the vendors, and use the Products and Product Cvss Scores
    to write an assessment of the products. It is up to you what you write. Make it informative to your CIO.
  4. After enjoying a hot, delicious cup of borscht, our CEO left the local Russian restaurant without paying
    the check. So now, she is worried the group named APT 28 is after our company network. In addition,
    one of your colleagues raised a concern about the new malware called Emotet. Using the MITRE ATT&CK
    Navigator, find out what kind of techniques both of these threats use.
    a) Using the ATT&CK website (https://attack.mitre.org/), provide a short description of APT 28 from the
    Groups link (do not copy and paste).
    b) Using the ATT&CK website (https://attack.mitre.org/), provide a short description of Emotet from the
    Software link (do not copy and paste).
    c) Create an ATT&CK layer that covers the techniques of both APT 28 and Emotet. Do your
    own, and don’t share screenshots. Use the instructions below or look at the class video under the weekly
    content folder (2:38 starting to use the Navigator, 2:43 starting to create a combined layer).
    d) Briefly comment on the techniques both threats have in common (there should be three).
Instructions on using ATT&CK Navigator
https://mitre-attack.github.io/attack-navigator/

Creating a new layer
  4. Click on Create New Layer and choose Enterprise
  5. Use the Multi-select icon to select your criteria (example: APT1)
  6. After selecting the threat, choose a background color and score of your choice (choose a different color and
    score for each threat; for example, APT 1 can be red with score 1 and APT12 can be yellow with
    score 2). Name your layer after coloring and scoring.

Creating layers from other layers
  7. Click on the plus sign to create a new layer and choose the Create Layer from other layers option
  8. Choose Enterprise ATT&CK v8 and write the score expression based on your labels. Note that in the
    screenshot below layer 1 is named a and layer 2 is named b automatically, and the score expression is a+b
    to get the combined layer (layer1 + layer2). If you have more than two layers, you may have more labels than a
    and b. Write the score expression so that it adds the two layers you want to combine.
  9. The new combined layer will have the techniques from both of the threats. Based on the score, the
    techniques will have a different color. For instance, Layer 1 techniques will be red (score 1), Layer 2 will
    be green (score 2), and techniques in both will be blue (score 1+2=3). See the example result below.
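
The a+b score expression from the steps above, worked through in Python as an added example (not part of the original handout or of the Navigator's own code). The layers are simplified dictionaries that borrow the Navigator's techniqueID, score and color field names; the technique IDs and layer names are constructed placeholders, and the ambiguous() helper is an added check that goes beyond the two-layer case to show which score choices stay readable with more layers.

```python
from itertools import combinations

# Colours from the handout's example: score 1 red, score 2 green, score 3 (both) blue.
SCORE_COLORS = {1: "#ff0000", 2: "#00ff00", 3: "#0000ff"}

def make_layer(name, technique_ids, score):
    """Build a simplified layer in which every listed technique gets the same score."""
    return {"name": name,
            "techniques": [{"techniqueID": t, "score": score} for t in sorted(technique_ids)]}

def scores(layer):
    """Map techniqueID -> score for one layer."""
    return {t["techniqueID"]: t["score"] for t in layer["techniques"]}

def combine(layer_a, layer_b, name="a+b"):
    """Apply the score expression a+b per technique; a missing technique counts as 0."""
    a, b = scores(layer_a), scores(layer_b)
    techniques = []
    for tid in sorted(set(a) | set(b)):
        total = a.get(tid, 0) + b.get(tid, 0)
        techniques.append({"techniqueID": tid, "score": total,
                           "color": SCORE_COLORS.get(total, "")})
    return {"name": name, "techniques": techniques}

def in_both(combined, score_a, score_b):
    """Techniques used by both threats carry the sum of the two layer scores."""
    return [t["techniqueID"] for t in combined["techniques"]
            if t["score"] == score_a + score_b]

def ambiguous(layer_scores):
    """True if two different sets of layers can produce the same combined score."""
    seen = set()
    for r in range(1, len(layer_scores) + 1):
        for combo in combinations(layer_scores, r):
            if sum(combo) in seen:
                return True
            seen.add(sum(combo))
    return False

# Constructed placeholder IDs: not real ATT&CK techniques and not either threat's mapping.
LAYER_A = make_layer("threat A", {"T9001", "T9002", "T9003"}, score=1)
LAYER_B = make_layer("threat B", {"T9002", "T9003", "T9004"}, score=2)
COMBINED = combine(LAYER_A, LAYER_B)

if __name__ == "__main__":
    for t in COMBINED["techniques"]:
        print(t["techniqueID"], t["score"], t["color"])
    print("in both layers:", in_both(COMBINED, 1, 2))
```

With three layers scored 1, 2 and 3, a combined score of 3 could mean layer 3 alone or layers 1 and 2 together; scores of 1, 2 and 4 keep every combination distinct.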

Sample Solution