NVCC Yara Detection Signature Rules For APT33 Cyber Security Paper

Description

IT 462 Homework #3: “Applying Cyber Threat Intelligence pt. 2”

I have completed Homework 2 on APT 33.

This homework assignment builds on Homework #2 where you identified core characteristics and TTPs of a specific APT group. For this assignment, the focus is to develop actionable signatures that would detect your APT actor on a network.

This assignment is to create signatures, aka actionable detection measures, for your APT group. I am expecting that you will develop unique signatures based on the information you provided in Homework #2, not ones lifted from the Internet; plagiarism of this sort will result in an immediate 0 for the assignment and will be recommended to the University for an honor code violation.

Assignment Deliverables:

  • A PowerPoint slide or Word document containing YARA-based detection signatures for each stage of the Kill Chain. These YARA signatures must include all three sections; you are the author of the signature, so make sure that is reflected in the meta section. Since reconnaissance is often outside of the control of network defenders, you do not need to create a YARA or network-based (Snort, Bro, etc.) signature for phase 1 of the Kill Chain.
  • In cases where YARA signatures are not applicable, SIEM rules/heuristics would also be acceptable, so long as they are tailored to your APT group’s TTPs and are not generalized measures.
  • Also, identify any other relevant mitigations that would prevent this attacker from being able to gain a foothold into the network based on the TTPs you identified in Homework #2 that we would need to put in place in our network security appliances and across the enterprise.
