The assessment will evaluate your ability to understand and apply cyber offense concepts and tools (tradecraft) on a target of your choice. You will execute all steps in the cyber kill chain that can be legally executed against that target, such as passive reconnaissance. You will provide documentation that explains all steps you have taken, the strategies you have followed, and the outcomes.
You will also document and explain all additional steps you would have taken if you were not
bound by legal constraints. One way to investigate and research these steps is by emulating the
computer environment of the target by designing and creating Virtual Machines (VMs),
networking them virtually on a closed system, and executing the steps, much as you have done on
the Cyber Range when doing Assignment 2. Another way is to formally agree with the target which
actions you are allowed to take and which not, somewhat like a penetration tester. Yet another
way is by purely theoretical analysis. That is all up to you, as long as it serves the aim of the
Choosing a target
The documentation must include a description of the target you chose and, possibly after having
done some initial reconnaissance, the goal you want to achieve. It is strongly advised that you
choose a challenging target/goal combination, as only then one or more successful exploits will
optimally display your learning from the course. Explain why you have chosen this target/goal
combination. If in doubt about the suitability of a target/goal combination, speak to your course
In case you need permissions from the target, provide evidence of these permissions in the
documentation. Properly research what you can and cannot do without permission. If, after having
done your research, you are still in doubt, ask advice from the course convener. In any case,
UNSW is NOT encouraging its students to perform illegal cyber offensive activities. The student
bears responsibility for their actions.
The practical project must show how much the author learned about:
LO1. Conduct simple cyber offensive operations,
LO2. Identify opportunities in defeating cyber threat actor tradecraft by understanding the full
spectrum of offensive activities,
LO3. Improve an organisation’s security by understanding and acting on artefacts and
signatures generated by cyber offensive activities,
LO4. Provide advice to policy makers on strategic issues regarding cyber capabilities, doctrine,
Formatting your submission is your choice. It should at least contain a technical report which at
• An executive summary of no more than 300 words
• An introduction
• A description and justification of chosen target and goal
• A description of the chosen strategy / approach
• Results of your activities
• How your work relates to the course material
The report may contain any further analysis of your findings and alternative approaches, and it
may contain a variety of appendices, e.g. a copy of your notes, screenshots, or VMs. There
is no constraint on the length of the report.
• Choose a target-goal combination close to your interests and experience, for instance
related to the topic of your Discussion Essay.
• An executive summary is not the same as an abstract. This assignment asks for an
• The introduction should include a clear scoping of the document. What is discussed and
what is not, and why? Narrowing the scope of your document provides the space to tackle
the chosen topic in more depth. However, narrowing the scope too much may limit you in
displaying how well you master the breadth of the course material (see Aims).
• The introduction should also explain how the remainder of the document is structured.
• The conclusions should not contain any new material. They should just summarize what
you conclude from your analysis.
• Use the APA referencing system for your citations.
Assessment of the essay will be based on the assessment criteria guide as below:
• Quality of the Executive Summary.
o Is the Executive Summary comprehensive, easy to read, and convincing?
o Does the introduction introduce and scope the executed work well, and introduce the
remainder of the document well?
• Suitability and feasibility of the scenario.
o Is the scenario presented realistic and a representation of a legitimate organisation
and threat actor?
o Is the background and context of the target, the goal, and the chosen strategy
presented in sufficient detail to allow the reader to understand why the threat (or
threats) exist(s) and that the chosen approach is feasible?
• Complexity and diversity.
o Does the author make effective use of a variety of tactics, techniques, and tools
understood throughout this course?
o Are the phases/steps applied distinct and well understood?
o Does the author show understanding of the target’s defenses, and can they
realistically circumvent them?
o Does the author show understanding of tradecraft to prevent detection?
• Quality of the conclusions section.
o Does the author provide a comprehensive set of valid conclusions that follow from
the analysis in earlier sections?
• Writing style.
o Is the documentation well structured? Is information presented in a logical manner?
o Does the author write succinctly? Is information presented in a brief and accurate