Deliverables:
Step-12 SLA 3-5 pages
Project 2: Nations Behaving Badly
Start Here
Despite work that cyber management teams perform in regard to systems design, network security protocols, hardware and software maintenance, training, policies, implementation, maintenance, and monitoring, breaches can and do occur. In this project, you will work with a team of other cyber professionals to analyze and respond to anomalous network activities.
The graded submission for Project 2 is a packaged deliverable to the CISO about risk and network intrusion, to be completed as a team. The deliverable to the CISO will include the following five parts:
1. Cybersecurity Risk Assessment including Vulnerability Matrix
2. Incident Response Plan
3. Service-Level Agreement
4. FVEY Indicator Sharing Report
5. Final Forensic Report
The project will take 15 days to complete. After reading the scenario below, proceed to Step 1, where you will establish your team agreement plan.
The US reports data exfiltration has been detected in the IDS (intrusion detection system). All nations will perform forensic analysis and collect corroborating information to identify the bad actor.
Prior to the summit, your nation team was tasked with setting up its own independent secure comms network. Now, at 3 a.m., just hours before the summit begins, you receive a text message from your CISO that reads: "I need to meet with the team immediately about an urgent matter. Please come to the conference room next to my hotel room now so we can discuss it."
You quickly dress and head to the conference room. When you arrive, she breaks the news to your team: The nation hosting the summit has detected data exfiltration in its IDS (intrusion detection system). It is likely that this pattern of network traffic could also result in buffer overflows or other attacks such as denial of service. Each nation's server is at risk.
"The report shows that the pattern of network traffic is anomalous," says the CISO. "And the point of origin is internal. Someone at the summit is involved in this."
Given the nature of the summit, participants understand that all nations have a common goal. "None of the FVEY members would have done this," says a colleague. "It's got to be the Russians or the Chinese. Friends don't read each other's mail."
The CISO says, "No one is above suspicion here. Our FVEY partners have been known to both collect intelligence and seek to embarrass other partners when it suited their strategic needs. It could have been anyone. Until we know for sure, though, we will continue to regard them as allies."
Leaders of the nations at the summit agree they all need to perform forensic analysis on their respective systems to identify the bad actor.
Your CISO continues. "Let's get to the bottom of this. We’re all familiar with data exfiltration attacks; do you think that's part of what we're dealing with here? Or do you think there's more? Use our packet sniffing tools to analyze the network traffic. Additionally, we need to identify attack vectors and attributes. Give me any information you can find on the tools, techniques, and the identity of this bad actor. Also, establish an incident response plan that we can use in case of another cyber event."
"Our systems went down due to this attack. We need to examine the service-level agreement to see what it will take to get the summit back up and running. After our analysis, we need to quickly let our allies know how to protect their networks through an indicator sharing report.
"Remember, no one is above suspicion—not even our allies. Got it?"
Everyone nods in agreement. The CISO says, "Good. Now get to work. I'm going to try to go back to sleep for a few hours."
When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.
Competencies
Your work will be evaluated using the competencies listed below.
· 2.2: Locate and access sufficient information to investigate the issue or problem.
· 4.4: Demonstrate diversity and inclusiveness in a team setting.
· 5.3: Support policy decisions with the application of specific cybersecurity technologies and standards.
· 5.8: Apply procedures, practices, and technologies for protecting web servers, web users, and their surrounding organizations.
· 6.1: Knowledge of methods and procedures to protect information systems and data by ensuring their availability, authentication, confidentiality, and integrity.
· 8.1: Employ ethics when planning and conducting forensic investigations, and when testifying in court.
· 8.2: Incorporate international issues including culture and foreign language to plans for investigations.
Step 1
As a part of your nation (Canada) team, an agreement needs to be established in order to work efficiently on each project. Begin by revisiting your current team agreement document, which includes a suggested schedule for project completion. Update your team agreement with roles and assignments for this project. Your team will use this document as a guide to establish a plan for completing and submitting the group tasks. When you have completed the plan, resubmit it for review in the dropbox below.
Step 2: Identify Attack Vectors
You and your nation state have just suffered an intrusion attack. As a cybersecurity professional, one of the first steps is to identify potential attack vectors. For each known cybersecurity vulnerability and known threat (addressing cybersecurity threats through risk management, international cybersecurity approaches), you and your team members need to identify attack vectors via information systems hardware, information systems software, operating systems (operating system fundamentals, operating system protections), telecommunications (internet governance), and human factors (intrusion motives/hacker psychology). Then, you must determine if any attribution is known for the threat actor most likely involved in exploiting each weakness.
Review the materials on attack vectors if a refresher is needed.
Once you've identified the attack vectors in this step, you will be able to participate in the next step, in which you will discuss your findings with colleagues and compare the findings with their analyses.
Step 3: Discuss Attack Vectors and Known Attribution
In light of your research in the last step, you will now use your group’s discussion board to share your thoughts with other members of your nation team. Review the findings of classmates in your group, noting points of agreement or disagreement, asking critical questions, and making suggestions for improvement or further research. You should research incidents of known attribution of the hackers and actors who employ the attack vectors previously discussed by your group. This step provides a variety of options and perspectives for your group to consider when drafting the Attack Vector and Attribution Analysis in the next step.
This step also provides the foundation for research into known attribution, which will help you to discern the motivation for intrusion as well as the identity of the hackers and actors who employ the attack vectors noted.
Support Your Findings
Support your comments with evidence from your research. Remember, the intent is to help your fellow team members with critical questions, suggestions, and improvement in a respectful and honest manner.
Step 4: Analyze Attack Vectors and Known Attribution
You've discussed attack vectors and attribution with your nation state team members. In this step, your group will prepare an Attack Vector and Attribution Analysis of your group's findings in the previous steps. The analysis should first identify all possible attack vectors via hardware, software, operating systems, telecommunications, and human factors. Next, you should discuss whether attribution is known for the threat actor (hackers and actors) likely involved in exploiting each weakness. Integrate supporting research via in-text citations and a reference list. This analysis will play a key role in the development of a Vulnerability Assessment Matrix and Cybersecurity Risk Assessment in the next few steps.
Step 5: Develop the Vulnerability Assessment Matrix
With the Attack Vector and Attribution Analysis complete, in this step your nation team will assess the impact of identified threats and prioritize the allocation of resources to mitigate or prevent risks. As a group, you will collaborate to develop and submit one Vulnerability Assessment Matrix for your nation. This spreadsheet includes the following:
· characterization of current and emerging vulnerabilities and threats (cybersecurity vulnerability)
· identification of the attack vector(s) employed
· your assessment (high, medium, or low) of the impact the vulnerability could have on your organization
Submit your team's matrix for feedback. This matrix will be included in the final project deliverable, the Cybersecurity Risk Assessment.
In the next step, you and your nation team members will conduct research on best practices and countermeasures for the kind of attack your nation team sustained at the summit.
Step 6: Research Industry Best Practices and Countermeasures
At this point, you and your team members have analyzed attack vectors and used your research to construct a vulnerability assessment matrix. The next step in the process of analyzing the intrusion is to look at common practices and countermeasures that can be used for the type of attack your team incurred at the summit.
In this step, you and your team members will perform research on current best practices for authentication, authorization, and access control methods. You will also research possible countermeasures and cyber offense strategies that may be available. Review the materials on countermeasures and cyber offensives/warfare if needed. This research will help you make recommendations in the cybersecurity risk assessment, which you develop in the next step. Approach your research with transparency to support trust among your team. Review these resources on risk assessment and risk assessment approaches to prepare for the next step. The following links will provide you with resources on industry standards and best practices:
· Security Operations
· Software Development Security
· Security Assessment and Testing
· Security Engineering
Step 7: Develop the Cybersecurity Risk Assessment
In this step, your team will prepare the Cybersecurity Risk Assessment in the form of a PowerPoint presentation. This is one of your three final deliverables, which you will submit for feedback as a group, and then for individual assessment at the end of the project.
The presentation should identify current measures for authentication, authorization, and access control, and clearly explain weaknesses in your organization's security (to include people, technology, and policy) that could result in successful exploitation of vulnerabilities and/or threats. The presentation should conclude with recommendations (e.g., continue to accept risks, accept some risks (identify them), mitigate some risks (identify them), mitigate all risks, etc.). Include the attack vector and attribution analysis, and the vulnerability matrix from the previous steps. Don’t try to shoehorn every point into your presentation. For guidance on creating presentations, refer to the following:
· Creating and Delivering Professional Presentations
· Record a Slide Show with Narration and Slide Timings
· Converting PowerPoint and Uploading to YouTube
Submit your Cybersecurity Risk Assessment PowerPoint for feedback by uploading it to YouTube. At the end of this project, your team will submit the presentation in the form of a YouTube link for grading.
Step 8: Define Incident Response, Part 1
It's time to begin work on the next phase of the final analysis of the intrusion, which will include an incident response plan. Such a plan provides a method for containing the impact from a cybersecurity incident. It includes a plan for file recovery and remediation from an incident. All the actions will start from the security baseline analysis, which has been defined for all the nations' network topologies at the summit, using a network security baseline analyzer.
Your nation team will work together to develop an eight- to 10-page Incident Response Plan to use in the event of a cyber incident. This is one of your three final deliverables, which you will submit for feedback as a group, and then for individual assessment at the end of the project.
Begin your first half of the plan by focusing on the environmental conditions and coordination mechanisms. Include:
1. roles and responsibilities
2. phases of incident response
3. scenario—provide an incident response plan in the case of distributed data exfiltration attacks, specifically the case of loss of communications
4. activities, authorities pertaining to roles and responsibilities
5. triggering conditions for actions
6. triggering conditions for closure
7. reports and products throughout the incident response activity
8. tools, techniques, and technologies
9. communications paths and parties involved
10. coordination paths and parties involved
11. external partners and stakeholders, and their place in the coordination and communication paths
12. security controls and tracking
13. recovery objectives and priorities
Your team will continue working on the incident response plan in the next step. You will consider the processes of an active response.
Step 9: Define Incident Response, Part 2
Your team in this step will continue developing the Incident Response Plan. The second half of your report will focus on events and processes of your active response plan. Include the following:
14. incident response checklist. Refer to the NIST Computer Security Incident Handling Guide for an example.
15. data protection mechanisms
16. integrity controls (system integrity checks) after recovery
17. a plan to investigate the network behavior and a threat bulletin that explains this activity
18. defined triggering mechanisms for continuing alerts and notifications throughout the cyber incident
19. additional aspects of the incident response plan necessary to contain a cyber incident on the international domain
20. diagrams of swim lanes of authorities, activities and process flows, coordination and communication paths. Review the Swim Lane Template to familiarize yourself with the concept of swim lanes and swim lane diagrams.
You will complete your incident response plan in the next step. Your incident response plan is critical in outlining your activities during a cyberattack as well as providing direction for recovery.
Step 10: Execute Incident Response
The intrusion activity apparently is not over yet. The CIOs of the nations are still detecting high-volume traffic on their networks. Almost as soon as there is a surge in activity, network functions and websites immediately become nonoperational. Communications are also affected between the nation teams. The CIOs have provided information on the anomalous activity in the following lab.
Step 11: Analyze Cyber Defense Information
Take Note
This step includes a mandatory lab exercise. The teams should work together on the exercise, relying on each other’s expertise in the subject area of the exercise. The findings will be included in your team’s Security Baseline Report.
The attack continues. Now the CIO reports high-volume activity shutting down web access to the summit and to the attending nations' government websites. In addition, the volume impact has also caused latency in third-party websites whose processes and data sharing are linked to the summit and to the nations' government websites.
Your team now enters Workspace to analyze the .pcap files the CIOs had provided. You will analyze the .pcap files to understand some of the conditions that may have led to this high-volume traffic, an apparent DoS attack.
Step 12: Share the Cyber Defense Information With Nations
Now that you have analyzed the .pcap contents, you and your team of analysts will prepare mitigation (risk analysis and mitigation) for this current attack as well as any future attacks. You will also provide risk countermeasure implementation to a data exfiltration attack. Compile these strategies in a FVEY Indicator Sharing Report to be shared with your FVEY allies. Include Snort rule signatures and prepare rules for firewalls that would have prevented the data exfiltration attack. Review these resources on intrusion detection and prevention (IDS/IPS) systems and IDS/IPS classification to refresh your understanding of communications and network security, intrusion detection, and intrusion prevention.
Your report should include the following:
· other possible sources of vulnerabilities and best practices to protect endpoints.
· indicators for data exfiltration.
· methods for protection in bring your own device (BYOD) mobile security.
· an explanation of the importance of authorization and authentication mechanisms like CAC-PIV card readers. Review these resources on common access card (CAC) and multifactor authentication technologies if you need a refresher.
· best practices for database protection (data loss prevention), which serves as the backbone to information sharing and communications. How can obfuscation and masking be used to ensure database security?
You don't want to just build a wall and block everything. Your team has conducted a risk assessment and developed an approach. In your report, share the tools, methods, and the actual net defenses your nation team has used.
In Project 1, your team identified the nations performing the malicious activities. At this point, it is necessary to protect the network and defend against the attacks. You must devise a plan and pull from the suite of net defense tools available to you. For intrusion detection and prevention, you must program rule sets in firewalls.
Now that your nation team has identified the bad actors, your nation will then build out Snort rules based on the traffic you have analyzed to allow the permitted communications while keeping out malicious traffic and activities.
Once your team has completed the sharing report, post it to the FVEY discussion where other nation teams can view it.
Step 13: Evaluate and Execute the Data Exfiltration Service-Level Agreement (SLA)
You've communicated the attack to the other nation teams, and your team has determined that all the nation teams were under data exfiltration attack and sustained latency or even unavailability of their networks. Now the CIOs have directed that the service-level agreements (SLAs) be reviewed on what the attack means to the cost and services rendered.
Technologically trained professionals increase their marketability and hire-ability when they can demonstrate business acumen as well as technical expertise. And with more integrated environments following services on-demand structures such as cloud computing, it is imperative that cybersecurity professionals be able to assess if their organization is getting what it paid for.
You may have determined a network topology for your nation team, or you may have researched a network topology and are using that as the basis of your analysis, citing the researched information using APA format. In these topologies, you will research the operating system vulnerabilities (operating system fundamentals, operating system protections). You will identify requirements for operating system security to address these vulnerabilities.
You will then formulate a service-level agreement to mitigate the vulnerabilities, particularly for data exfiltration activities. Produce a three- to five-page Service-Level Agreement (SLA) that you believe is best to serve the nation teams’ security protections. If you research sample SLAs, provide citations.
Include:
· an agreement not to engage in testing data exfiltration without notifying the internet service provider (ISP)
· metrics for availability
· bandwidth requirements
· monitoring from the ISP's network
· traffic reports to be received and access to ISP information on net defense and best practices
· testing nation teams’ configurations by ISP
· other components needed to fulfill your nation team's requirements
Perform an evaluation of the SLA that you created, and in a checklist format, report on the performance of the ISP during the data exfiltration attack. Conduct independent research if a checklist example is needed. If you model your checklist after an existing resource, cite and reference it using APA format. Estimate costs of services or any compensation owed to the nation team. Include written justification to the ISP for the downtime due to data exfiltration. This evaluation is included in the three- to five-page requirement.
In the next step, you will take on "packet sniffing" in the lab, as you move to a digital forensics role in the investigation.
Step 14: Conduct Wireshark Packet Capture Analysis
It is time to help the CISO with the network intrusion. Your role here is to assume responsibility for analyzing a network packet capture file that was created during the network attack. You will conduct packet sniffing with Wireshark to gather information about the attacker, determine the resources that may have been compromised during the attack, and determine how the attacker compromised the resources.
The CISO and response team believe there were attempts to scan the network for vulnerabilities and that an attacker may have discovered and exploited a vulnerability on one of the network servers. The attack may involve a brute-force password attack followed by a data breach where the attacker was able to download and read one or more files from a compromised server.
Your objectives are to identify the attacker, identify the compromised server and service, identify the vulnerability that was exploited, and determine what data was breached or stolen.
Your task is to enter Workspace and complete the Wireshark Packet Capture Analysis. Complete the lab report, including all answers to questions in the instructions linked below.
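As an added example (not part of the course materials or the lab), the following shows the detection logic an analyst would apply to a Wireshark/tshark field export for the three behaviours Step 14 names (port scanning, a brute-force password attack, and bulk file transfer from a compromised server), which are also the "indicators for data exfiltration" the Step 12 sharing report asks for. The hosts, thresholds, LAN range and export rows are constructed; the tshark command in the docstring is how such rows would be produced from a real capture.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed summit LAN range (constructed)
AUTH_PORTS = {21, 22, 23, 3389}           # services that see password guessing


@dataclass(frozen=True)
class Conn:
    """One row of the export: frame.time_epoch, ip.src, ip.dst, tcp.dstport, frame.len."""
    ts: float
    src: str
    dst: str
    dport: int
    length: int


def parse_export(text):
    """Parse tab-separated rows such as `tshark -r capture.pcap -T fields -e frame.time_epoch
    -e ip.src -e ip.dst -e tcp.dstport -e frame.len` would print (here a constructed export)."""
    conns = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, length = line.split("\t")
            conns.append(Conn(float(ts), src, dst, int(dport), int(length)))
    return conns


def detect_port_scans(conns, min_ports=10, window=10.0):
    """One source touching many distinct ports on one host inside a short window."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c.src, c.dst)].append(c)
    hits = []
    for (src, dst), lst in by_pair.items():
        lst.sort(key=lambda c: c.ts)
        for i, first in enumerate(lst):
            ports = {c.dport for c in lst[i:] if c.ts - first.ts <= window}
            if len(ports) >= min_ports:
                hits.append((src, dst, len(ports)))
                break
    return hits


def detect_brute_force(conns, min_attempts=8, window=60.0):
    """Repeated connections from one source to one authentication service."""
    by_target = defaultdict(list)
    for c in conns:
        if c.dport in AUTH_PORTS:
            by_target[(c.src, c.dst, c.dport)].append(c.ts)
    hits = []
    for key, times in by_target.items():
        times.sort()
        for i in range(len(times) - min_attempts + 1):
            if times[i + min_attempts - 1] - times[i] <= window:
                hits.append(key + (len(times),))
                break
    return hits


def detect_bulk_transfers(conns, min_bytes=50_000):
    """Large byte volume leaving an internal host toward a single peer: the
    exfiltration indicator. The peer may itself be internal, as in this scenario."""
    volume = defaultdict(int)
    for c in conns:
        if ip_address(c.src) in INTERNAL_NET:
            volume[(c.src, c.dst)] += c.length
    return [(s, d, b) for (s, d), b in volume.items() if b >= min_bytes]


def analyze(text):
    """Run the three detectors over one export and return the indicators found."""
    conns = parse_export(text)
    return {"port_scans": detect_port_scans(conns),
            "brute_force": detect_brute_force(conns),
            "bulk_transfers": detect_bulk_transfers(conns)}


def constructed_export():
    """Constructed export following the Step 14 narrative: an internal host probes
    a server's ports, guesses SSH passwords, then pulls a large file from it."""
    attacker, server, ext = "10.0.5.20", "10.0.5.9", "203.0.113.7"
    phases = [  # (rows, src, dst, dport or None for ports 20.., frame.len, spacing in s)
        (16, attacker, server, None, 74, 0.1),      # 16 ports probed in 1.6 s
        (12, attacker, server, 22, 90, 2.0),        # 12 SSH attempts in 24 s
        (40, server, attacker, 51234, 1500, 0.05),  # 40 x 1500 B = 60 kB out
        (5, server, ext, 443, 600, 1.0),            # benign HTTPS to an outside site
    ]
    rows, t = [], 1000.0
    for n, src, dst, port, size, step in phases:
        for k in range(n):
            rows.append(f"{t:.2f}\t{src}\t{dst}\t{20 + k if port is None else port}\t{size}")
            t += step
    return "\n".join(rows)
```

Running `analyze(constructed_export())` reports the scanning pair with 16 ports, 13 SSH attempts, and 60,000 bytes from the server to the internal attacker; the thresholds are starting points to tune against the summit's own baseline traffic.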
Step 15: Develop Final Forensic Report
There are many digital forensic tools and techniques available to conduct an end-to-end forensic investigation. An end-to-end investigation tracks all elements of an attack, including how the attack began, what intermediate devices were used during the attack, and who was attacked. A typical investigation will involve visual analysis to statically review the contents of any drives, as well as dynamically review logs, artifacts (strategies for handling digital artifacts), and internet activity from the web history associated with the breached network (web browser forensics).
The investigation concludes when the investigator has examined all of the information, correlated all of the events and all of the data from the various sources to get the whole picture, and prepared reports and evidence in a forensically sound manner.
In this scenario, you know that there has been an attempted/successful intrusion on the network, and you have completed the packet capture analysis using Wireshark. Your task is to write a Final Forensic Report that summarizes network forensics and the digital forensic tools and techniques for analyzing network incidents. This report will include your lab report from the previous step and should also cover network attack techniques, network attack vectors, and a comprehensive comparison of at least five tools used for analyzing network intrusions. This report will conclude with a recommendation for network administrators to meet the goals of hardening the infrastructure and protecting private data on the network.
Submit the Final Forensic Report for review and feedback.
Step 16: Deliver to Your CISO
As a synthesis of the previous steps in this project, you will now submit for grading a packaged deliverable to the CISO that contains the following:
1. Cybersecurity Risk Assessment including Vulnerability Matrix
2. Incident Response Plan
3. Service-Level Agreement
4. FVEY Indicator Sharing Report
5. Final Forensic Report
Based on the feedback you have received, you should have revised the deliverables. Although many of these deliverables were initially developed in a team setting, each team member is responsible for submitting his or her own documents for individual assessment.
Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them in your work.
Check Your Evaluation Criteria
Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them. To view the complete grading rubric, click My Tools, select Assignments from the drop-down menu, and then click the project title.
· 2.2: Locate and access sufficient information to investigate the issue or problem.
· 4.4: Demonstrate diversity and inclusiveness in a team setting.
· 5.3: Support policy decisions with the application of specific cybersecurity technologies and standards.
· 5.8: Apply procedures, practices, and technologies for protecting web servers, web users, and their surrounding organizations.
· 6.1: Knowledge of methods and procedures to protect information systems and data by ensuring their availability, authentication, confidentiality, and integrity.
· 8.1: Employ ethics when planning and conducting forensic investigations, and when testifying in court.
· 8.2: Incorporate international issues including culture and foreign language to plans for investigations.
Deliverable:
Step 7: Analyze Key Elements of NIST Standards and Submit the Team Report
You have analyzed the linkage between technologies and the impacts of these relationships. Now, you will analyze the aspect of National Institute of Standards and Technology (NIST) standards for cloud computing as it affects your sector and complete the team sector brief.
Write another brief, one to two pages, that addresses some of the following questions:
· Is cloud computing a good "fit" for your industry?
· How does it benefit a cybersecurity solution?
· Should it apply across all industries?
Combine this information with the brief papers from the prior steps to create a three- to five-page Team Sector Brief. Your brief should also consider how your decisions might support other sectors. Introduce this brief with the one-page overview of your sector.