CSI3351A3 AssignmentBrief 3

CSI3351

Group Assignment to Establish Security Monitoring and Respond to Cybersecurity Incidents

Contents
Details
Background
Task
Suggested Report Structure
Additional Task Information
Assignment Submission
Marking Key

Details
Title: WannaCry Analysis / Purple Teaming

Value: 40% of the final mark for the unit

Length: max. 20 A4 pages

Background
Ransomware attacks are on the rise. The WannaCry ransomware attack was a worldwide cyberattack in 2017, affecting hundreds of thousands of Windows computers globally within a day. On the infected systems, WannaCry displayed a ransom note (see Figure 1). The ransomware was propagated through the EternalBlue exploit. Eventually, the discovery of a kill switch prevented the further spread of the ransomware.

Figure 1: A WannaCry ransom note. Image from https://upload.wikimedia.org/wikipedia/en/1/18/Wana_Decrypt0r_screenshot.png

Task
You need to analyse the infamous worldwide WannaCry ransomware attack from an incident response perspective, with a focus on the attack from the technical perspective and the security measures that could not prevent it. You also need to explain what security measures could have prevented it, and what can be done in general to prevent similar attacks.

Suggested Report Structure
• Cover Page: unit code and title, assignment title, your name, student number, campus, tutor’s name
• Table of Contents: an accurate reflection of the content within the document, generated automatically.
• In-Depth Analysis
• Attack Summary: describe, explain, and visualise the attack using the MITRE framework and the Lockheed Martin Cyber Kill Chain.
• Attack Explanation: What made the attack possible? Which computing environment factors and vulnerabilities?
• Effective Countermeasures: How could it have been prevented?
• Fighting Ransomware: Which SOC/SIEM tools could be used for
  o preventing
  o detecting
  o mitigating
  ransomware attacks in general and why?
• Similar Attacks: Provide a technical description of similar/derivative attacks, and how they were possible.
• Incident Response
  o Explain how purple teaming (aligned red and blue teams) can help set up an information security infrastructure in the enterprise that can be effective against ransomware.
  o Set up/join a blue team or a red team (applies only to those who attend the class on campus). Describe the actions from the chosen team’s point of view.

Additional Task Information
• Each report will be unique and presented in its own way (for groups, this is per group).
• Scrutinise the marking key, and ask any questions you may have early!
• Focus on the important events of the real-world attack described.
• This task covers the understanding of both the technical complexity of the attack and the real-world factors.

Assignment Submission
The submission must be a Microsoft Word document. You are only submitting one document through Blackboard. You do not need an ECU assignment cover sheet. Do not submit more than one document, because these will not be assessed.

Marking Key