Solutions: Threats and Malware Analysis (22CS703T(i))
Q.1 (Compulsory)
(a) Summarize the meaning of Cyber Threat Intelligence (CTI) in your own words. (2 Marks)
Cyber Threat Intelligence (CTI) refers to the collection, analysis, and sharing of information
about potential and existing cyber threats. It helps organizations understand attacker
motives, tactics, and techniques so they can proactively defend against attacks and reduce
risk.
(b) Describe any two stages of the Cyber Kill Chain in brief. (2 Marks)
1. Reconnaissance – The attacker gathers information about the target (e.g., IP ranges,
employee details, vulnerabilities) to plan an attack.
2. Exploitation – The attacker uses a discovered vulnerability (e.g., buffer overflow,
phishing) to execute malicious code and gain unauthorized access.
(c) Explain the role of an Intelligence Analyst in Cyber Threat Intelligence. (2 Marks)
An Intelligence Analyst evaluates raw data, correlates indicators, and identifies attack
patterns. Their role includes validating information, attributing threats to actors, producing
actionable intelligence reports, and supporting decision-making for proactive defense.
(d) Discuss any two common sources used for threat intelligence collection. (2 Marks)
1. OSINT (Open Source Intelligence): Public websites, social media, forums, and news
sources.
2. Internal Logs: Security logs from firewalls, IDS/IPS, and endpoint monitoring tools.
(e) Identify any two examples of OSINT research technology and demonstrate how they
can be used in a basic investigation. (2 Marks)
1. Shodan – Search for exposed devices and services connected to the internet.
2. Maltego – Visual link analysis tool to map relationships between domains, emails,
and IP addresses.
Example: During an investigation, Shodan can identify open ports of a suspicious IP,
while Maltego can connect that IP to related domains or emails.
Q.2 (a) Classify any two types of cyber threats and illustrate their impact with suitable
real-world examples. (5 Marks)
1. Phishing Attacks – Social engineering attacks tricking users into sharing credentials.
Example: 2016 phishing attack on Gmail users, leading to compromised accounts.
2. Ransomware – Malware encrypts files and demands ransom.
Example: WannaCry (2017) affected 200,000+ systems worldwide, disrupting
healthcare and transportation.
(b) Illustrate the Cyber Kill Chain with an example. (5 Marks)
Example: Spear-phishing attack
Reconnaissance: Attacker collects employee email addresses from LinkedIn.
Weaponization: Creates a malicious Excel file with a macro.
Delivery: Sends the file via a phishing email.
Exploitation: User enables macros, malware executes.
Installation: Backdoor installed on system.
Command & Control (C2): Malware communicates with attacker’s server.
Action on Objectives: Data exfiltration of financial records.
OR
Q.3 (a) Elaborate the Cyber Threat Intelligence (CTI) lifecycle with its phases. (5 Marks)
1. Planning & Direction – Define requirements.
2. Collection – Gather raw data (logs, feeds, OSINT).
3. Processing – Clean, normalize, enrich data.
4. Analysis – Correlate and assess threats.
5. Dissemination – Share reports, alerts, and IoCs.
6. Feedback – Evaluate effectiveness and refine.
(b) Differentiate between APTs and IoCs. (5 Marks)
Aspect      | APTs (Advanced Persistent Threats)                  | IoCs (Indicators of Compromise)
Nature      | Long-term, targeted attacks by skilled adversaries  | Observable artifacts left by an attack
Scope       | Strategic (actor, motives, TTPs)                    | Tactical (IP, hash, domain)
Persistence | Adapt over time                                     | Short-lived, change quickly
Usage       | Threat profiling, long-term defense                 | Detection & response automation
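The Processing phase of the CTI lifecycle (Q.3(a)) and the tactical IoC types listed in Q.3(b) can be shown together with a small indicator normalizer. The code below is an added example, not part of the original solution set: it takes a constructed feed (refanged indicators use the reserved .test TLD and the RFC 5737 documentation range 192.0.2.0/24, and the hashes are well-known empty-input digests), refangs the "[.]" and "hxxp" defanging, classifies each value as url, domain, ipv4, md5, sha1 or sha256, lowercases it, drops duplicates, and keeps unparseable entries aside for analyst review instead of silently discarding them.

```python
import re
from collections import OrderedDict
from urllib.parse import urlsplit, urlunsplit

# Constructed sample feed (not real indicators). It mixes defanged and raw
# values, a comment line, a duplicate IP and one malformed hash.
RAW_FEED = """
# constructed feed for illustration only
hxxp://malicious-example[.]test/payload.exe
MALICIOUS-EXAMPLE[.]test
192.0.2[.]10
192.0.2.10
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
D41D8CD98F00B204E9800998ECF8427E
zz41d8cd98f00b204e9800998ecf8427e
"""

HEX32 = re.compile(r"^[0-9a-f]{32}$")   # MD5
HEX40 = re.compile(r"^[0-9a-f]{40}$")   # SHA-1
HEX64 = re.compile(r"^[0-9a-f]{64}$")   # SHA-256
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def refang(value: str) -> str:
    """Undo common defanging so the indicator can be matched against telemetry."""
    v = value.strip()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":")):
        v = v.replace(defanged, real)
    if v.lower().startswith("hxxp"):
        v = "http" + v[4:]
    return v


def classify(value: str):
    """Return (indicator_type, normalized_value) or None if the value is unusable."""
    v = refang(value)
    low = v.lower()
    if low.startswith(("http://", "https://")):
        p = urlsplit(v)
        if not p.netloc:
            return None
        # Scheme and host are case-insensitive; the path is not, so keep it as-is.
        return ("url", urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment)))
    if HEX64.match(low):
        return ("sha256", low)
    if HEX40.match(low):
        return ("sha1", low)
    if HEX32.match(low):
        return ("md5", low)
    if IPV4.match(low) and all(int(octet) <= 255 for octet in low.split(".")):
        return ("ipv4", low)
    if DOMAIN.match(low):
        return ("domain", low)
    return None


def normalize_feed(text: str):
    """Processing step: refang, classify, lowercase and dedupe a raw feed.

    Returns (accepted, rejected): accepted is an ordered list of
    (type, value) tuples with first sighting preserved; rejected holds the
    raw lines that could not be classified, for analyst review.
    """
    accepted = OrderedDict()
    rejected = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        result = classify(line)
        if result is None:
            rejected.append(line)
            continue
        accepted.setdefault(result, line)
    return list(accepted.keys()), rejected


if __name__ == "__main__":
    ok, bad = normalize_feed(RAW_FEED)
    for ioc_type, ioc in ok:
        print(f"{ioc_type:7} {ioc}")
    print("rejected for review:", bad)
```

Rejected lines are kept rather than dropped because a malformed hash in a feed is itself a data-quality signal worth feeding back into the Feedback phase.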
Q.4 (a) Demonstrate how MITRE ATT&CK Framework can be applied for effective threat
detection. (5 Marks)
Map attacker behaviors (techniques like T1059 – Command Execution) to security
telemetry.
Identify coverage gaps in SIEM/EDR.
Develop detection rules and analytics.
Example: Detecting PowerShell misuse with ATT&CK mapping improves hunting.
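The three steps above (map behaviours to telemetry, find coverage gaps, write detection rules) can be exercised end to end on a handful of process-creation events. The code below is an added example, not part of the original solution set; the events, hostnames, rule identifiers and the list of required techniques are all constructed for illustration. Technique IDs used are real ATT&CK identifiers: T1059.001 (PowerShell sub-technique of T1059), T1033 (System Owner/User Discovery) and T1105 (Ingress Tool Transfer). Each rule carries its ATT&CK technique, so alerts are tagged for hunting and any required technique with no rule is reported as a coverage gap.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not from a real host).
EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-ChildItem C:\\Reports"},
    {"host": "ws02", "user": "bob", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUFBQQ=="},   # QUFBQQ== is base64 of "AAAA"
    {"host": "ws03", "user": "carol", "parent": "cmd.exe", "image": "whoami.exe",
     "cmdline": "whoami /all"},
    {"host": "srv01", "user": "svc_backup", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Techniques the (hypothetical) organisation wants detection coverage for.
REQUIRED_TECHNIQUES = {
    "T1059.001": "PowerShell",
    "T1033": "System Owner/User Discovery",
    "T1105": "Ingress Tool Transfer",
}

ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


def office_spawned_encoded_powershell(e):
    """PowerShell with an encoded command, launched by an Office application."""
    return (e["image"].lower() == "powershell.exe"
            and ENCODED_FLAG.search(e["cmdline"]) is not None
            and e["parent"].lower() in OFFICE_PARENTS)


def whoami_execution(e):
    """Interactive user-context discovery via whoami."""
    return e["image"].lower() == "whoami.exe"


# Detection rules, each mapped to the ATT&CK technique it observes.
RULES = [
    {"id": "PS-001", "technique": "T1059.001", "match": office_spawned_encoded_powershell},
    {"id": "DISC-001", "technique": "T1033", "match": whoami_execution},
]


def run_detections(events, rules):
    """Evaluate every rule against every event; return alerts tagged with ATT&CK IDs."""
    alerts = []
    for event in events:
        for rule in rules:
            if rule["match"](event):
                alerts.append({"rule": rule["id"], "technique": rule["technique"],
                               "host": event["host"], "user": event["user"],
                               "cmdline": event["cmdline"]})
    return alerts


def coverage_gaps(required, rules):
    """Required techniques that no rule maps to, sorted for a stable report."""
    covered = {rule["technique"] for rule in rules}
    return sorted(t for t in required if t not in covered)


def alerts_by_technique(alerts):
    """Group alerts by technique, the view a hunter starts from."""
    grouped = defaultdict(list)
    for alert in alerts:
        grouped[alert["technique"]].append(alert["host"])
    return dict(grouped)


if __name__ == "__main__":
    found = run_detections(EVENTS, RULES)
    for a in found:
        print(f"[{a['technique']}] {a['rule']} on {a['host']} ({a['user']}): {a['cmdline']}")
    print("grouped:", alerts_by_technique(found))
    print("coverage gaps:", coverage_gaps(REQUIRED_TECHNIQUES, RULES))
```

Note that the first event (an administrator running an unencoded PowerShell command from Explorer) produces no alert: the rule keys on the combination of encoded command line and Office parent, which is what separates macro-launched PowerShell from routine use and keeps the alert volume manageable.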
(b) Example structure of an Intelligence Report (5 Marks)
Incident: Ransomware in Finance Department
1. Executive Summary – Incident overview.
2. Technical Details – Malware hash, exploited vulnerability, IoCs.
3. Impact Assessment – Systems affected, business disruption.
4. Attribution – Possible actor or campaign.
5. Mitigation – Containment steps and recovery recommendations.
6. Lessons Learned – Strengthen patching and user awareness.
OR
Q.5 (a) Discuss any two challenges faced in threat intelligence budgeting. (5 Marks)
1. Measuring ROI – Difficult to prove value of preventive measures.
2. High Cost of Feeds/Tools – The cost of quality threat feeds and their integration is significant.
(b) Compare MITRE ATT&CK and Cyber Kill Chain. (5 Marks)
Aspect     | MITRE ATT&CK                      | Cyber Kill Chain
Focus      | Tactics & techniques (granular)   | Stages of attack (high-level)
Detail     | Comprehensive database of TTPs    | Simple linear model
Use        | Detection engineering, hunting    | Education, incident response
Limitation | Complex, requires telemetry       | Too linear, less adaptive
Q.6 Examine the role of OSINT and classify any three tools or platforms based on their
functions. (5 Marks)
Role of OSINT – Collects intelligence from publicly available sources to detect
threats, identify vulnerabilities, and support investigations.
Tools/Platforms:
1. Shodan (Infrastructure Discovery): Finds exposed devices.
2. Google Dorking (Search Engine Queries): Uncovers hidden files, misconfigurations.
3. HaveIBeenPwned (Data Breach Monitoring): Checks if credentials are leaked.
OR
Q.7 Differentiate key considerations for CTI implementation. (5 Marks)
Aspect  | Technical                          | Operational                    | Strategic
Focus   | Tools, feeds, data integration     | People, processes, playbooks   | Governance, budget, policy
Example | SIEM, TIP, EDR integration         | Analyst workflows, automation  | Alignment with business risk
Concern | Data quality, privacy, security    | Training, collaboration        | ROI, compliance, long-term inve
Instructions to Candidate –
1) Question No. 1 is compulsory.
2) Solve Que. No. 02 OR Que. No. 03
3) Solve Que. No. 04 OR Que. No. 05
4) Solve Que. No. 06 OR Que. No. 07
5) All Questions carry marks as indicated
6) Use of non-programmable calculator is allowed.
Que. No.  | Description of Question                                                                                                          | Marks | [CO]
Que.1(a)  | Summarize the meaning of Cyber Threat Intelligence (CTI) in your own words.                                                      | 02    | 1
Que.1(b)  | Describe any two stages of the Cyber Kill Chain in brief.                                                                        | 02    | 1
Que.1(c)  | Explain the role of an Intelligence Analyst in Cyber Threat Intelligence.                                                        | 02    | 2
Que.1(d)  | Discuss any two common sources used for threat intelligence collection.                                                          | 02    | 2
Que.1(e)  | Identify any two examples of OSINT research technology and demonstrate how they can be used in a basic investigation.            | 02    | 3
Que.2(a)  | Classify any two types of cyber threats and illustrate their impact with suitable real-world examples.                           | 05    | 1
Que.2(b)  | Illustrate the Cyber Kill Chain with an example.                                                                                 | 05    | 1
OR
Que.3(a)  | Elaborate the Cyber Threat Intelligence (CTI) lifecycle with its phases.                                                         | 05    | 1
Que.3(b)  | Differentiate between APTs (Advanced Persistent Threats) and IoCs (Indicators of Compromise).                                    | 05    | 1
Que.4(a)  | Demonstrate how the MITRE ATT&CK Framework can be applied for effective threat detection.                                        | 05    | 2
Que.4(b)  | Given a recent cyber incident in an organization, illustrate the typical structure of an intelligence report by organizing the collected data into appropriate sections. | 05    | 2
OR
Que.5(a)  | Discuss any two challenges faced in threat intelligence budgeting.                                                               | 05    | 2
Que.5(b)  | Compare MITRE ATT&CK and Cyber Kill Chain.                                                                                       | 05    | 2
Que.6     | Examine the role of OSINT and classify any three tools or platforms based on their functions.                                    | 05    | 3
OR
Que.7     | Differentiate the key considerations for CTI implementation in an organization based on technical, operational, and strategic aspects. | 05    | 3