M24854: Forensic Investigator in the Cyber Security field with a tier-one management and technology consultancy: Forensic Investigations, Course Work, MU, Singapore

Forensic Investigations Coursework:

Honeypot Design and Analysis

You have just secured your first job as a Forensic Investigator in the Cyber Security field with a tier-one management and technology consultancy (hypothetical scenario). Your new firm has just onboarded a new corporate client (customer), who is a fast-growing cloud provider; but they lack certain domain-specific expertise.

The firm and your supervisor, knowing how capable and motivated you are, have assigned you the first major task to be completed for the new client.

They have asked you to investigate and write a report (3000 words) to inform them on what adversaries are currently doing to attack networks (not the client’s network). Specifically, this means you are to use your own Honeypot to capture attack attempts, etc.; then relay back what you did and your findings in the report.

This is an independent piece of coursework. It is expected that you take responsibility for all of the design, implementation (i.e., correct and error-free setup), analysis of results and writing of the report.

Your report should include at least both of the following:

1. The design of your Honeypot. Note, the design of it and how you implement it is open-ended (up to you); you may use existing Honeypot technology. Also note a Honeypot is designed to be used to collect intelligence on attacker behaviours. This means you want to collect as wide a dataset as possible (logs, etc.), but you also need to make your Honeypot “stealthy” to ensure that hackers do not leave too
2. The analysis of your results. You need to analyse, reason about, and discuss the results of your Honeypot. Some suggestions of things that might be useful, but not an exhaustive list, are the following:
   • Who are the attackers and where are they located? What attacks are attackers deploying?
   • How did they get in? Any common patterns or methods?
   • What do attackers do once they are inside your Honeypot? What are their objectives?
   • What can we learn that could be used to defend networks and systems?

And, depending on how you design and set up your Honeypot, you may need to use either Python string operations, Python regular expressions or another means of regular expressions to extract summaries from your Honeypot’s logs. You may use another mainstream programming language if you wish, but email to check first (e.g., Java, Ruby, Go-Lang, etc.). If you do, you must document how you implemented your log parsing method (e.g., supply code listings and discussion). Code listings are not part of the 3000 words, instead put code listings in an Appendix section and reference it in the main text and/or use code snippets, screenshots, etc.