A Key Skill for Malware Analysis and Threat Hunting

Attack pattern matching (APM) and writing a signature to detect and hunt a threat are extremely valuable, in-demand and desirable skills for malware analysis and threat hunting, as well as for incident response. If someone understands and is able to write an APM signature using a programming language like Python, bash scripting, or C++, these skills will help them become a successful malware analyst and will also help in reverse engineering.

Professional credibility and job retention

Having solid skills is the key element of professional strength: it provides security in your current job and makes you, in the eyes of your employer, the right person for the organization, and organizations always want to retain such people at any cost. Skills like APM are among the most in-demand skills that every company seeks in those involved in malware analysis.

What is Attack Pattern Matching (APM)?

Attack Pattern Matching (APM) is a generic and open signature algorithm that allows you to describe relevant log events in a simple way. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose is to define and design a set of rules that will identify different attack patterns, in the form of rules for both files and network traffic. (MVS GROUP INTERNSHIP DOC)

As far as we know, generating signatures using the attack pattern matching (APM) technique is a new concept. There is a similar tool for signature generation, YARA rules, for threat detection, but the problem with that method is the slower process. Processing 10TB of log files takes hours with YARA rules/signatures. In contrast, APM signatures take much less time to process the same amount of logs.

APM signature example:

Title:
Description: Describe the rule in one or two sentences
Author: Give credit to yourself
References: List everyone you referenced
Log source: List the type of log you think it is
Detection: Identifiers or patterns that are unique
False positives: Conditions that would define a match as a false positive
Level: informational/low/medium/high/critical
(MVS GROUP INTERNSHIP DOC)

Problems while working on the project:

Technical:

a. Lack of available intelligence: Attack Pattern Matching (APM) is a relatively new approach to threat hunting and to protecting your systems and network from external attacks.

Solution: As mentioned above, APM is a new concept for threat hunting; initially we didn't find enough material for our project and couldn't go further. At this point, our professor provided the best guidance and encouragement to proceed in the right way. The other most important factor by which we got motivated, started our journey and were able to design the road map for our project was the workshop conducted by Mr. Ali. It provided us with the knowledge and tools needed to execute our capstone project in a very short period.

b. Lack of programming skills: Attack Pattern Matching (APM) requires programming skills to generate signatures.

Solution: Malware analysis and signature writing require basic knowledge of programming languages. We both have a programming background, but we haven't worked for a long time in an environment where writing/reading programming code is the main job. We both took this problem as a challenge and started brushing up our programming skills by reading and watching videos, and used all available resources to reach the required level of proficiency.

People:

a. Different schedules

Solution: We both are married and have responsibilities towards our dependent family members; after school hours it was very difficult to sit together and work on our project. It was very difficult to achieve a common time frame for the project, but after some difficulty we managed to agree on a mutually acceptable time frame.

b. Not going in the same direction

Solution: While working on the project we discovered that at some point we were going in different directions. In this situation, we were always respectful of each other and openly listened to each other's points of view. The above strategy helped us work in the same direction.

Resources/Technologies:

During the project, we did not use free open source software/tools to parse the log file and generate APM signatures; the software, tools and websites we used are listed as follows:

Log files provided by MVS group
Notepad++
MS Excel
MS Word
Windows 10 host machine
VMware Workstation 15 Pro
Windows 7 VM machine
Windows 10 VM machine
Red Hat Linux VM machine
Bash scripting
VirusTotal (website)
OTX AlienVault (website)
URL decoding and encoding (website)
SANS critical logs review cheat sheet (website)

Design and implementation:

In this section we will provide detailed explanations of the preparation, design and implementation phases of the capstone project.

Step 1: The first step is to build the machines needed to perform the tasks of the capstone project. As mentioned in the resources section, we are using VMware Workstation 15 for virtualization and Windows 10 as the host machine. We built the following three virtual machines using trial versions:
Windows 7 VM machine
Windows 10 VM machine
Red Hat Linux VM machine

Step 2: The second step is to analyze the log file provided by the MVS group using Notepad++, Microsoft Excel and Microsoft Access. The main purpose of log analysis is to find suspicious logs, such as logs containing suspicious IP addresses, URLs, DNS names, file paths, ports, specific strings, etc.

Step 3: The next step is to analyze the suspicious logs and the information attached to them. There are several paid tools available to analyze suspicious logs, but in our case we basically use two websites for our research: VirusTotal and OTX AlienVault. We also used Google extensively during our research to analyze suspicious logs. Furthermore, we have written some bash scripts to filter suspicious logs by providing malicious keywords, including IP addresses, URLs, DNS names, file paths, ports, specific strings, etc. The bash script helps detect malicious logs based on the provided strings and saves time. Interestingly, we could take our work one step further by automating the search for malicious logs via VirusTotal and OTX AlienVault, if we integrated the APIs of the above-mentioned sites into our bash script. Unfortunately, due to lack of funds, we are unable to carry out this activity at this point.

Step 4: This is the most important one for our capstone project where we have to.
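As an added example (not the project's own code and not part of the original report), the APM signature layout described above combined with the keyword-based log filtering of Step 3, written in Python rather than bash; every field value, indicator and log line is constructed for illustration:

```python
import re
from dataclasses import dataclass
# Added example: an APM-style signature using the field layout described above,
# with constructed indicators and constructed log lines (not real traffic).
@dataclass
class ApmSignature:
    title: str
    description: str
    author: str
    references: list
    logsource: str
    detection: dict        # indicator type -> list of regex patterns
    false_positives: list  # substrings that mark a hit as benign
    level: str             # informational/low/medium/high/critical

SIGNATURE = ApmSignature(
    title="Outbound connection to listed host",
    description="Flags proxy log lines that contact a listed IP, URL, path or port.",
    author="example author",
    references=["internal threat-intel note (placeholder)"],
    logsource="web proxy",
    detection={
        "ip": [r"\b203\.0\.113\.42\b"],             # TEST-NET-3 address, constructed
        "url": [r"https?://malicious\.example/\S*"],
        "path": [r"/tmp/\.hidden/"],
        "port": [r":4444\b"],
        "string": [r"powershell -enc"],
    },
    false_positives=["user=scanner-svc"],  # the internal scanner may hit these
    level="high",
)
SAMPLE_LOGS = [
    "2023-01-01T10:00:01 user=alice dst=203.0.113.42:443 GET https://benign.example/",
    "2023-01-01T10:00:02 user=bob dst=198.51.100.7:4444 POST https://malicious.example/c2",
    "2023-01-01T10:00:03 user=scanner-svc dst=203.0.113.42:80 GET http://malicious.example/",
    "2023-01-01T10:00:04 user=carol dst=198.51.100.9:443 GET https://benign.example/",
    "2023-01-01T10:00:05 user=dave cmd=powershell -enc SQBFAFgA file=/tmp/.hidden/a.sh",
]
def match_signature(sig, lines):
    """Return (line, indicator_type) for lines matching a detection pattern and not excluded by a false-positive condition."""
    hits = []
    for line in lines:
        if any(fp in line for fp in sig.false_positives):
            continue  # benign by the signature's own false-positive rule
        for kind, patterns in sig.detection.items():
            if any(re.search(p, line) for p in patterns):
                hits.append((line, kind))
                break  # one indicator per line is enough for triage
    return hits
```

Running `match_signature(SIGNATURE, SAMPLE_LOGS)` flags the alice, bob and dave lines (by IP, URL and file path respectively) and skips the scanner-svc line because of the false-positive condition.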