Documentation:
https://docs.google.com/document/d/1Y_NHKGyYShXZ1yuRPyYU1wWOphII72viFpeAHDsBjtQ/edit?usp=sharing

https://github.com/mal-lang

Tasks:
https://docs.google.com/document/d/1aUpIe4Aoq6XtWmF7xrXJ2netTD8fcfM0aQjbFTaeaLg/edit?usp=sharing

This document:

https://colab.research.google.com/drive/1E2q6gS7nb8K6Pe-5tYqPADLjYyuUOI2_?usp=sharing

# Study Procedure:

## Reading Time (approx. 5 minutes):
Please first take about 5 minutes to carefully and completely read this introduction, as well as the following instructions and the task description. It is important that you understand the tasks before you begin.

## Task Completion Time (at least 30 minutes):
Afterwards, you will be asked to work on a series of tasks using the tool being evaluated. Please plan for a total time of at least 30 minutes for this. Depending on your individual working style, this may also take a little longer. Take the time you need to complete the tasks.

## Important Information for Participation:

* **No External Aids:** For completing the tasks, the use of external AI-based assistance systems (such as ChatGPT, Copilot, or similar tools), as well as actively searching for solutions on the internet or exchanging information with other people, is explicitly **not permitted**. The aim of this study is to evaluate your individual and uninfluenced interaction with the provided tool. The authenticity of your approach is crucial for the validity of the results.
* **Data Protection and Anonymity:** All data collected within this study will be treated with strict confidentiality and analyzed anonymously. No conclusions can be drawn about your person. The results will be used exclusively for scientific purposes within the scope of my thesis.
* **Voluntary Participation:** Participation in this study is, of course, voluntary. You can withdraw your participation at any time and without giving reasons, without any disadvantages for you. Any data already collected will be deleted upon your request in such a case.


# Cybersecurity Incident Report

**Incident ID:** IR-2025-0427
**Generated on:** 2025-05-15
**Reported by:** Security Operations Center (SOC)
**Category:** Infrastructure Threat Modeling

## System Overview

The affected infrastructure consists of interconnected components modeled in the Infrastructure category:

* **Gateways:** External-facing components that regulate entry to internal machines.
* **Machines:** Compute units capable of authentication and connection activities.
* **Operators:** Human users capable of launching social engineering attacks.
* **Credentials:** Authentication secrets shared between operators and machines.

## Threat Scenario Summary

An external Operator executed a successful phishing campaign against internal personnel, resulting in the extraction of Credentials. The stolen credentials were then used to gain unauthorized login access to several Machines. From there, lateral movement was observed via internal linking mechanisms.

## Attack Path Breakdown

### Phishing Launch

The attacker (Operator) initiated `launchPhishing`, resulting in `phishingHit`.

Based on simulation parameters:

* `phishingHit` has a 10% exponential probability per attempt.

### Credential Compromise

The `phishingHit` led to successful extract of Credentials.

### Machine Access

The attacker used the compromised Credentials to trigger `login` on a Machine.

* Each Machine uses `login` to allow entry.

### Lateral Movement

With entry established, the attacker used `link` capability to move between Machines through the internal network (Gateway → Machine).

## Associations Observed

* Gateways connected to multiple Machines via `LinkAccess`.
* Machines and Operators shared Credentials via `AuthData` relationships.
* No anomalies were detected in the Gateway itself, suggesting direct compromise was avoided.

## Risk Assessment

| Asset      | Risk Level | Exploited Technique            | Observed Impact                |
| :--------- | :--------- | :----------------------------- | :----------------------------- |
| Operator   | Medium     | Phishing (Social Engineering)  | Credential theft               |
| Credentials| High       | Unauthorized extraction        | Privilege escalation           |
| Machine    | High       | Login with stolen credentials  | Data access & persistence      |
| Gateway    | Low        | No direct access observed      | Used for lateral movement      |

## Mitigation Recommendations

* Enforce MFA for all Machine login attempts.
* Conduct phishing awareness training for all Operators.
* Rotate credentials and monitor for abnormal `link` behavior.
* Segment internal networks to restrict Gateway-based lateral movement.


In [None]:

MALC_TAR_URL = "https://github.com/mal-lang/malc/releases/download/release%2F0.2.0/malc-0.2.0.linux.amd64.tar.gz"
MALC_TAR_FILE = "malc-0.2.0.linux.amd64.tar.gz"
EXTRACT_DIR = "malc_extracted"


!wget {MALC_TAR_URL}
!mkdir -p {EXTRACT_DIR}
!tar -xvzf {MALC_TAR_FILE} -C {EXTRACT_DIR}
!ls -l {EXTRACT_DIR}
MALC_EXECUTABLE_PATH = f"./{EXTRACT_DIR}/malc-0.2.0.linux.amd64/malc"
!chmod +x {MALC_EXECUTABLE_PATH}


--2025-05-20 08:07:09--  https://github.com/mal-lang/malc/releases/download/release%2F0.2.0/malc-0.2.0.linux.amd64.tar.gz
Resolving github.com (github.com)... 140.82.113.3
Connecting to github.com (github.com)|140.82.113.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/385922173/34fa9e88-3a07-45c6-b3cf-1471ad8c9a9e?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250520%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250520T080709Z&X-Amz-Expires=300&X-Amz-Signature=66e0011a77107e4c35ebbd9de3740f96f1b182f0c64510271270f909b3e52e02&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dmalc-0.2.0.linux.amd64.tar.gz&response-content-type=application%2Foctet-stream [following]
--2025-05-20 08:07:09--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/385922173/34fa9e88-3a07-45c6-b3cf-1471ad8c9a9e?X-Amz-Algo

Results

In [18]:
mal_lang = '''

#id: "org.mal-lang.examplelang"
#version: "1.0.0"

category System {
  asset Operator {
     | launchPhishing
      -> phishingAttempt
    | phishingAttempt [Exponential(0.1)]
      -> credentials.obtain
    # Training
      -> phishingAttempt
  }
  asset Gateway {
    | link
      -> machine.login
    # IDS
      -> link
    # Segmentation
      -> link
  }

  asset Machine {
    | login
      -> gateways.link
    # PasswordExpiration
      -> login
  }

  asset Credentials {
    | obtain
      -> machine.login
    # MFA
      -> obtain
  }
}
associations {
  Gateway [gateways] * <-- GatewayAccess --> * [machine] Machine
  Operator [operator] 1 <-- Credentials --> * [credentials] Credentials
  Machine [machine]  1 <-- Credentials --> * [credentials] Credentials

}

'''

with open("result.mal", "w") as file:
    file.write(mal_lang)

In [17]:
MALC_EXECUTABLE_PATH = "./malc_extracted/malc-0.2.0.linux.amd64/malc"
MAL_SOURCE_FILE = "/content/result.mal"

!{MALC_EXECUTABLE_PATH} {MAL_SOURCE_FILE}

[0m[0m