SlideShare a Scribd company logo

Final Project Incident Response Exercise & ReportYour TaskYou.docx

Download as DOCX, PDF
L
lmelaine

The Red Team was able to penetrate Sifers-Grayson's network and systems through unprotected connections, stealing design documents, source code, and employee passwords. They installed malware on a PROM burner that took control of a test drone, landing it at headquarters. The incident must be analyzed and reported according to contract requirements to comply with standards like NIST SP 800-171 for protecting controlled information.

Education
1 of 10
Final Project: Incident Response Exercise & Report Your Task You have been assigned to work incident clean-up as part of the Sifers-Grayson Blue Team. Your task is to assist in analyzing and documenting the incident described below. The Blue Team has already created a set of enterprise architecture diagrams (see figures 1-4) to help with your analysis of the incident and preparation of the incident report as required by the company’s contracts with the federal government. After completing their penetration tests, the Red Team provided Sifers-Grayson executives with a diagram showing their analysis of the threat environment and potential weaknesses in the company’s security posture for the R&D DevOps Lab (see figure 5). Your Deliverable Complete and submit the Incident Report form found at the end of this file. Consult the “Notes to Students” for additional directions regarding completion of the form. Overview of the Incident Sifers-Grayson hired a cybersecurity consulting firm to help it meet the security requirements of a contract with a federal agency. The consulting firm’s Red Team conducted a penetration test and was able to gain access to the engineering center’s R&D servers by hacking into the enterprise network through an unprotected network connection (see figure 2). The Red Team proceeded to exfiltrate files from those servers and managed to steal 100% of the design documents and source code for the AX10 Drone System. The Red Team also reported that it had stolen passwords for 20% of the employee logins using keylogging software installed on USB keys that were left on the lunch table in the headquarters building employee lounge (see Figure 3). The Red Team also noted that the Sifers-Grayson employees were quite friendly and talkative as they opened the
RFID controlled doors for the “new folks” on the engineering staff (who were actually Red Teamers). The Red Team continued its efforts to penetrate the enterprise and used a stolen login to install malware over the network onto a workstation connected to a PROM burner in the R&D DevOps lab (See Figure 3). This malware made its way onto a PROM that was then installed in an AX10-a test vehicle undergoing flight trials at the Sifers-Grayson test range (See Figures 1 and 4). The malware “phoned home” to the Red Team over a cellular connection to the R&D center. The Red Team took control of the test vehicle and flew it from the test range to a safe landing in the parking lot at Sifers-Grayson headquarters. Background Sifers-Grayson is a family owned business headquartered in Grayson County, Kentucky, USA. The company’s physical address is 1555 Pine Knob Trail, Pine Knob, KY 42721. The president of the company is Ira John Sifers, III. He is the great- grandson of one of the company’s founders and is also the head of the engineering department. The chief operating officer is Michael Coles, Jr. who is Ira John’s great nephew. Mary Beth Sifers is the chief financial officer and also serves as the head of personnel for the company. Recent contracts with the Departments of Defense and Homeland Security have imposed additional security requirements upon the company and its R&D DevOps and SCADA labs operations. The company is now required to comply with NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. The company must also comply with provisions of the Defense Federal Acquisition Regulations (DFARS) including section 252-204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. These requirements are designed to ensure that sensitive technical information, provided by the federal government and stored on
computer systems in the Sifers-Grayson R&D DevOps and SCADA labs, is protected from unauthorized disclosure. This information includes software designs and source code. The contract requirements also mandate that Sifers-Grayson report cyber incidents to the federal government in a timely manner.SCADA Lab The SCADA lab was originally setup in 1974. It has been upgraded and rehabbed several times since then. The most recent hardware and software upgrades were completed three years ago after the lab was hit with a ransomware attack that exploited several Windows XP vulnerabilities. At that time, the engineering and design workstations were upgraded to Windows 8.1 professional. A second successful ransomware attack occurred three months ago. The company paid the ransom in both cases because the lab did not have file backups that it could use to recover the damaged files (in the first case) and did not have system backups that it could use to rebuild the system hard drives (in the second case). The SCADA Lab is locked into using Windows 8.1. The planned transition to Windows 10 is on indefinite hold due to technical problems encountered during previous attempts to modify required software applications to work under the new version of the operating system. This means that an incident response and recovery capability for the lab must support the Windows 8.1 operating system and its utilities.R&D DevOps Lab The R&D DevOps Lab was built in 2010 and is used to develop, integrate, test, support, and maintain software and firmware (software embedded in chips) for the company’s robots, drones, and non-SCADA industrial control systems product lines. The workstations in this lab are running Windows 10 and are configured to receive security updates per Microsoft’s monthly schedule. Enterprise IT Operations The company uses a combination of Windows 10 workstations and laptops as the foundation of its enterprise IT capabilities. The servers in the data center and the engineering R&D center are built upon Windows Server 2012.
Issues Summary: 1. Newly won government contracts now require compliance with DFARS §252.204-7008, 7009, and 7012 · http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.ht m · http://www.acq.osd.mil/se/docs/DFARS-guide.pdf 2. Derivative requirements include: · Implementation of and compliance with NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.8 00-171r1.pdf · Compliance with DFARS 252.239-7009 Representation of Use of Cloud Computing and 7010 Cloud Computing Services (see https://www.acq.osd.mil/dpap/dars/dfars/html/current/252239.ht m#252.239-7009 3. Additional Contractual Requirements for Lab Operations include: · Incident Response per NIST SP-800-61 (Computer Security Incident Handling Guide) · SCADA Security per NIST SP 800-82 (Guide to Industrial Control Systems Security) · Software / Systems Development Lifecycle (SDLC) Security per NIST SP 800-64 (Security Considerations in the System Development Life Cycle) · Configuration Management per NIST SP 800-128 (Guide for Security-Focused Configuration Management of Information Systems) Notes to Students: 1. Your final deliverable should be professionally formatted and should not exceed 10 pages. The goal is to be clear and concise in your reporting of your analysis of this incident. This report should reflect your learning and analysis. For that reason, the
citation rules are relaxed and you may write from your own knowledge as an “expert.” BUT, if you paste exact phrases, sentences, or paragraphs from another document or resource, you must cite that source using an appropriate citation style (e.g. footnotes, end notes, in-text citations). 2. You may include annotated diagrams if necessary to illustrate your analysis and/or make your point(s). You may use the figures in this assignment as the foundation for diagrams in your final report (no citations required). 3. Use the NIST Incident Handling Process (see Table 1) to guide your incident analysis. You do not need to cite a source for this table. 4. You may assume that the company has implemented one or more of the IT products that you recommended in your Case Studies for this course. You may also assume that the company is using the incident response guidance documents that you wrote for your labs and that the associated operating systems utilities are in use (e.g. you can assume that system backups are being made, etc.). 5. DOCUMENT YOUR ASSUMPTIONS about people, processes, and technologies as if they were fact. But, don’t change any of the factual information provided in the incident report from the Red Team. 6. Use the incident report form that appears at the end of this file. Copy it to a new MS Word document. Insert a title page at the beginning of your file and include the title of the report, your name, and the due date. 7. After you perform your incident analysis, fill in the required information in the provided form (see the end of this file). Attach the file to your assignment folder entry, and submit it for grading as your final project. 8. For section 1 of the form, use your own name but provide reasonable but fictitious information for the remaining fields. 9. For section 2 of the form, assign IP addresses in the following ranges to any servers, workstations, or network connections that you need to discuss.
a. R&D Center 10.10.120.0/24 b. Test Range 10.10.128.0/24 c. Corporate Headquarters 10.10.135.0/24 10. For sections 2, 3, and 5, you should use and interpret information provided in this file (Overview, Background, Issues Summary). You may use a judicious amount of creativity, if necessary, to fill in any missing information. 11. For section 4 of the form you may provide a fictitious cost estimate based upon $100 per hour for IT staff to perform “clean-up” activities. Reasonable estimates are probably in the range of 150 to 300 person hours. What’s important is that you document how you arrived at your cost estimate. 12. Discuss the contract requirements and derivative requirements for cybersecurity at Sifers-Grayson in 3 to 5 paragraphs under “Section 6 General Comments.” Words for the Wise … Do not let “perfection” be a barrier to completing this assignment. It’s more importation to be on-time and provide SOME analysis in a professional format than to find and document every single possible vulnerability. CSIA 310: Cybersecurity Processes & Technologies ·
Copyright ©2019 by University of Maryland University College. All Rights Reserved. Figure 1. Overview of Sifers-Grayson Enterprise IT Architecture Figure 2. Combined Network and Systems Views: Sifers-Grayson Headquarters, R&D Center, and Data Center Figure 3. Combined Network and Systems View for Sifers- Grayson R&D DevOps Lab Figure 4. Combined Communications and Systems Views for Sifers-Grayson Test Range Figure 5. Threat Landscape for Sifers-Grayson R&D DevOps Lab NIST Incident Handling Checklist by Phase Detection and Analysis 1. Determine whether an incident has occurred 1.1 Analyze the precursors and indicators 1.2 Look for correlating information 1.3
Perform research (e.g., search engines, knowledge base) 1.4 As soon as the handler believes an incident has occurred, begin documenting the investigation and gathering evidence 2. Prioritize handling the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.) 3. Report the incident to the appropriate internal personnel and external organizations Containment, Eradication, and Recovery 4. Acquire, preserve, secure, and document evidence 5. Contain the incident 6. Eradicate the incident 6.1 Identify and mitigate all vulnerabilities that were exploited 6.2 Remove malware, inappropriate materials, and other components 6.3 If more affected hosts are discovered (e.g., new malware infections), repeat the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then contain (5) and eradicate (6) the incident for them 7. Recover from the incident 7.1 Return affected systems to an operationally ready state 7.2 Confirm that the affected systems are functioning normally 7.3 If necessary, implement additional monitoring to look for future
related activity Post-Incident Activity 8. Create a follow-up report 9. Hold a lessons learned meeting (mandatory for major incidents, optional otherwise) Source: NIST SP 800-61r2 Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide (NIST SP 800-62 rev. 2). http://dx.doi.org/10.6028/NIST.SP.800-61r2 SIFERS-GRAYSON CYBERSECURITY INCIDENT REPORT FORM 1. Contact Information for the Incident Reporter and Handler – Name – Role – Organizational unit (e.g., agency, department, division, team) and affiliation – Email address – Phone number – Location (e.g., mailing address, office room number) 2. Incident Details – Status change date/timestamps (including time zone): when the incident started, when the incident was discovered/detected, when the incident was reported, when the incident was resolved/ended, etc. – Physical location of the incident (e.g., city, state) – Current status of the incident (e.g., ongoing attack) – Source/cause of the incident (if known), including hostnames and IP addresses – Description of the incident (e.g., how it was detected, what occurred) – Description of affected resources (e.g., networks, hosts, applications, data), including systems’ hostnames, IP addresses,
and function – If known, incident category, vectors of attack associated with the incident, and indicators related to the incident (traffic patterns, registry keys, etc.) – Prioritization factors (functional impact, information impact, recoverability, etc.) – Mitigating factors (e.g., stolen laptop containing sensitive data was using full disk encryption) – Response actions performed (e.g., shut off host, disconnected host from network) – Other organizations contacted (e.g., software vendor) 3. Cause of the Incident (e.g., misconfigured application, unpatched host) 4. Cost of the Incident 5. Business Impact of the Incident 6. General Comments

Recommended

Final Project Incident Response Exercise & ReportYour TaskYou hav.docx
Final Project Incident Response Exercise & ReportYour TaskYou hav.docxFinal Project Incident Response Exercise & ReportYour TaskYou hav.docx
Final Project Incident Response Exercise & ReportYour TaskYou hav.docx
AKHIL969626
 
This week your focus should be on figuring out what the Red Team did.docx
This week your focus should be on figuring out what the Red Team did.docxThis week your focus should be on figuring out what the Red Team did.docx
This week your focus should be on figuring out what the Red Team did.docx
juliennehar
 
erm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
erm Paper Managing an IT Infrastructure AuditDue Week 10 and woerm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
erm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
eleanorabarrington
 
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docxTerm Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
manningchassidy
 
Case Project 1-1 Defining and Designing a NetworkThe overview.docx
Case Project 1-1 Defining and Designing a NetworkThe overview.docxCase Project 1-1 Defining and Designing a NetworkThe overview.docx
Case Project 1-1 Defining and Designing a NetworkThe overview.docx
tidwellveronique
 
Project Deliverable 5 Infrastructure and SecurityThis assignm.docx
Project Deliverable 5 Infrastructure and SecurityThis assignm.docxProject Deliverable 5 Infrastructure and SecurityThis assignm.docx
Project Deliverable 5 Infrastructure and SecurityThis assignm.docx
wkyra78
 
Cst 630 Inspiring Innovation--tutorialrank.com
Cst 630 Inspiring Innovation--tutorialrank.comCst 630 Inspiring Innovation--tutorialrank.com
Cst 630 Inspiring Innovation--tutorialrank.com
PrescottLunt385
 
Cst 630 Believe Possibilities / snaptutorial.com
Cst 630 Believe Possibilities / snaptutorial.comCst 630 Believe Possibilities / snaptutorial.com
Cst 630 Believe Possibilities / snaptutorial.com
Davis11a
 

Recommended

Final Project Incident Response Exercise & ReportYour TaskYou hav.docx
Final Project Incident Response Exercise & ReportYour TaskYou hav.docxFinal Project Incident Response Exercise & ReportYour TaskYou hav.docx
Final Project Incident Response Exercise & ReportYour TaskYou hav.docx
AKHIL969626
 
This week your focus should be on figuring out what the Red Team did.docx
This week your focus should be on figuring out what the Red Team did.docxThis week your focus should be on figuring out what the Red Team did.docx
This week your focus should be on figuring out what the Red Team did.docx
juliennehar
 
erm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
erm Paper Managing an IT Infrastructure AuditDue Week 10 and woerm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
erm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
eleanorabarrington
 
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docxTerm Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
manningchassidy
 
Case Project 1-1 Defining and Designing a NetworkThe overview.docx
Case Project 1-1 Defining and Designing a NetworkThe overview.docxCase Project 1-1 Defining and Designing a NetworkThe overview.docx
Case Project 1-1 Defining and Designing a NetworkThe overview.docx
tidwellveronique
 
Project Deliverable 5 Infrastructure and SecurityThis assignm.docx
Project Deliverable 5 Infrastructure and SecurityThis assignm.docxProject Deliverable 5 Infrastructure and SecurityThis assignm.docx
Project Deliverable 5 Infrastructure and SecurityThis assignm.docx
wkyra78
 
Cst 630 Inspiring Innovation--tutorialrank.com
Cst 630 Inspiring Innovation--tutorialrank.comCst 630 Inspiring Innovation--tutorialrank.com
Cst 630 Inspiring Innovation--tutorialrank.com
PrescottLunt385
 
Cst 630 Believe Possibilities / snaptutorial.com
Cst 630 Believe Possibilities / snaptutorial.comCst 630 Believe Possibilities / snaptutorial.com
Cst 630 Believe Possibilities / snaptutorial.com
Davis11a
 
CST 630 RANK Achievement Education--cst630rank.com
CST 630 RANK Achievement Education--cst630rank.comCST 630 RANK Achievement Education--cst630rank.com
CST 630 RANK Achievement Education--cst630rank.com
kopiko147
 
CST 630 RANK Introduction Education--cst630rank.com
CST 630 RANK Introduction Education--cst630rank.comCST 630 RANK Introduction Education--cst630rank.com
CST 630 RANK Introduction Education--cst630rank.com
agathachristie266
 
CST 630 RANK Educational Specialist--cst630rank.com
CST 630 RANK Educational Specialist--cst630rank.comCST 630 RANK Educational Specialist--cst630rank.com
CST 630 RANK Educational Specialist--cst630rank.com
VSNaipaul15
 
CST 630 RANK Inspiring Innovation--cst630rank.com
CST 630 RANK Inspiring Innovation--cst630rank.comCST 630 RANK Inspiring Innovation--cst630rank.com
CST 630 RANK Inspiring Innovation--cst630rank.com
KeatonJennings104
 
CST 630 RANK Become Exceptional--cst630rank.com
CST 630 RANK Become Exceptional--cst630rank.comCST 630 RANK Become Exceptional--cst630rank.com
CST 630 RANK Become Exceptional--cst630rank.com
agathachristie113
 
Cst 630Education Specialist / snaptutorial.com
Cst 630Education Specialist / snaptutorial.comCst 630Education Specialist / snaptutorial.com
Cst 630Education Specialist / snaptutorial.com
McdonaldRyan79
 
Cst 630 Enhance teaching / snaptutorial.com
Cst 630 Enhance teaching / snaptutorial.comCst 630 Enhance teaching / snaptutorial.com
Cst 630 Enhance teaching / snaptutorial.com
Baileyabw
 
Cst 630 Education Organization-snaptutorial.com
Cst 630 Education Organization-snaptutorial.comCst 630 Education Organization-snaptutorial.com
Cst 630 Education Organization-snaptutorial.com
robertlesew6
 
Project Deliverable 5 Network Infrastructure and SecurityDu
Project Deliverable 5 Network Infrastructure and SecurityDuProject Deliverable 5 Network Infrastructure and SecurityDu
Project Deliverable 5 Network Infrastructure and SecurityDu
davieec5f
 
Project Deliverable 5 Network Infrastructure and SecurityDue We.docx
Project Deliverable 5 Network Infrastructure and SecurityDue We.docxProject Deliverable 5 Network Infrastructure and SecurityDue We.docx
Project Deliverable 5 Network Infrastructure and SecurityDue We.docx
denneymargareta
 
CST 630 Exceptional Education - snaptutorial.com
CST 630 Exceptional Education - snaptutorial.comCST 630 Exceptional Education - snaptutorial.com
CST 630 Exceptional Education - snaptutorial.com
DavisMurphyA97
 
CST 630 Effective Communication - snaptutorial.com
CST 630 Effective Communication - snaptutorial.comCST 630 Effective Communication - snaptutorial.com
CST 630 Effective Communication - snaptutorial.com
donaldzs8
 
CST 630 RANK Remember Education--cst630rank.com
CST 630 RANK Remember Education--cst630rank.comCST 630 RANK Remember Education--cst630rank.com
CST 630 RANK Remember Education--cst630rank.com
chrysanthemu49
 
Tony_Reid_Resume
Tony_Reid_ResumeTony_Reid_Resume
Tony_Reid_Resume
Tony Reid
 
Jan 18, 2013 at 217pmNo unread replies.No replies.Post yo.docx
Jan 18, 2013 at 217pmNo unread replies.No replies.Post yo.docxJan 18, 2013 at 217pmNo unread replies.No replies.Post yo.docx
Jan 18, 2013 at 217pmNo unread replies.No replies.Post yo.docx
lmelaine
 
Jan 10, 20141.Definition of law A set of rules and proced.docx
Jan 10, 20141.Definition of law A set of rules and proced.docxJan 10, 20141.Definition of law A set of rules and proced.docx
Jan 10, 20141.Definition of law A set of rules and proced.docx
lmelaine
 
James RiverJewelryProjectQuesti.docx
James RiverJewelryProjectQuesti.docxJames RiverJewelryProjectQuesti.docx
James RiverJewelryProjectQuesti.docx
lmelaine
 
Jacob claims the employer violated his rights. In your opinion, what.docx
Jacob claims the employer violated his rights. In your opinion, what.docxJacob claims the employer violated his rights. In your opinion, what.docx
Jacob claims the employer violated his rights. In your opinion, what.docx
lmelaine
 
Ive been promised A+ papers in the past but so far I have not seen .docx
Ive been promised A+ papers in the past but so far I have not seen .docxIve been promised A+ papers in the past but so far I have not seen .docx
Ive been promised A+ papers in the past but so far I have not seen .docx
lmelaine
 
It’s easy to dismiss the works from the Dada movement as silly. Cons.docx
It’s easy to dismiss the works from the Dada movement as silly. Cons.docxIt’s easy to dismiss the works from the Dada movement as silly. Cons.docx
It’s easy to dismiss the works from the Dada movement as silly. Cons.docx
lmelaine
 
Its meaning is still debated. It could be a symbol of the city of Fl.docx
Its meaning is still debated. It could be a symbol of the city of Fl.docxIts meaning is still debated. It could be a symbol of the city of Fl.docx
Its meaning is still debated. It could be a symbol of the city of Fl.docx
lmelaine
 
Jaffe and Jordan want to use financial planning models to prepar.docx
Jaffe and Jordan want to use financial planning models to prepar.docxJaffe and Jordan want to use financial planning models to prepar.docx
Jaffe and Jordan want to use financial planning models to prepar.docx
lmelaine
 

More Related Content

Similar to Final Project Incident Response Exercise & ReportYour TaskYou.docx

Project Deliverable 5 Network Infrastructure and SecurityDu
Project Deliverable 5 Network Infrastructure and SecurityDuProject Deliverable 5 Network Infrastructure and SecurityDu
Project Deliverable 5 Network Infrastructure and SecurityDu
davieec5f
 
Project Deliverable 5 Network Infrastructure and SecurityDue We.docx
Project Deliverable 5 Network Infrastructure and SecurityDue We.docxProject Deliverable 5 Network Infrastructure and SecurityDue We.docx
Project Deliverable 5 Network Infrastructure and SecurityDue We.docx
denneymargareta
 
Tony_Reid_Resume
Tony_Reid_ResumeTony_Reid_Resume
Tony_Reid_Resume
Tony Reid
 

Similar to Final Project Incident Response Exercise & ReportYour TaskYou.docx (14)

CST 630 RANK Achievement Education--cst630rank.com
CST 630 RANK Achievement Education--cst630rank.comCST 630 RANK Achievement Education--cst630rank.com
CST 630 RANK Achievement Education--cst630rank.com
 
CST 630 RANK Introduction Education--cst630rank.com
CST 630 RANK Introduction Education--cst630rank.comCST 630 RANK Introduction Education--cst630rank.com
CST 630 RANK Introduction Education--cst630rank.com
 
CST 630 RANK Educational Specialist--cst630rank.com
CST 630 RANK Educational Specialist--cst630rank.comCST 630 RANK Educational Specialist--cst630rank.com
CST 630 RANK Educational Specialist--cst630rank.com
 
CST 630 RANK Inspiring Innovation--cst630rank.com
CST 630 RANK Inspiring Innovation--cst630rank.comCST 630 RANK Inspiring Innovation--cst630rank.com
CST 630 RANK Inspiring Innovation--cst630rank.com
 
CST 630 RANK Become Exceptional--cst630rank.com
CST 630 RANK Become Exceptional--cst630rank.comCST 630 RANK Become Exceptional--cst630rank.com
CST 630 RANK Become Exceptional--cst630rank.com
 
Cst 630Education Specialist / snaptutorial.com
Cst 630Education Specialist / snaptutorial.comCst 630Education Specialist / snaptutorial.com
Cst 630Education Specialist / snaptutorial.com
 
Cst 630 Enhance teaching / snaptutorial.com
Cst 630 Enhance teaching / snaptutorial.comCst 630 Enhance teaching / snaptutorial.com
Cst 630 Enhance teaching / snaptutorial.com
 
Cst 630 Education Organization-snaptutorial.com
Cst 630 Education Organization-snaptutorial.comCst 630 Education Organization-snaptutorial.com
Cst 630 Education Organization-snaptutorial.com
 
Project Deliverable 5 Network Infrastructure and SecurityDu
Project Deliverable 5 Network Infrastructure and SecurityDuProject Deliverable 5 Network Infrastructure and SecurityDu
Project Deliverable 5 Network Infrastructure and SecurityDu
 
Project Deliverable 5 Network Infrastructure and SecurityDue We.docx
Project Deliverable 5 Network Infrastructure and SecurityDue We.docxProject Deliverable 5 Network Infrastructure and SecurityDue We.docx
Project Deliverable 5 Network Infrastructure and SecurityDue We.docx
 
CST 630 Exceptional Education - snaptutorial.com
CST 630 Exceptional Education - snaptutorial.comCST 630 Exceptional Education - snaptutorial.com
CST 630 Exceptional Education - snaptutorial.com
 
CST 630 Effective Communication - snaptutorial.com
CST 630 Effective Communication - snaptutorial.comCST 630 Effective Communication - snaptutorial.com
CST 630 Effective Communication - snaptutorial.com
 
CST 630 RANK Remember Education--cst630rank.com
CST 630 RANK Remember Education--cst630rank.comCST 630 RANK Remember Education--cst630rank.com
CST 630 RANK Remember Education--cst630rank.com
 
Tony_Reid_Resume
Tony_Reid_ResumeTony_Reid_Resume
Tony_Reid_Resume
 

More from lmelaine

James RiverJewelryProjectQuesti.docx
James RiverJewelryProjectQuesti.docxJames RiverJewelryProjectQuesti.docx
James RiverJewelryProjectQuesti.docx
lmelaine
 
Jacob claims the employer violated his rights. In your opinion, what.docx
Jacob claims the employer violated his rights. In your opinion, what.docxJacob claims the employer violated his rights. In your opinion, what.docx
Jacob claims the employer violated his rights. In your opinion, what.docx
lmelaine
 
Ive been promised A+ papers in the past but so far I have not seen .docx
Ive been promised A+ papers in the past but so far I have not seen .docxIve been promised A+ papers in the past but so far I have not seen .docx
Ive been promised A+ papers in the past but so far I have not seen .docx
lmelaine
 
It’s easy to dismiss the works from the Dada movement as silly. Cons.docx
It’s easy to dismiss the works from the Dada movement as silly. Cons.docxIt’s easy to dismiss the works from the Dada movement as silly. Cons.docx
It’s easy to dismiss the works from the Dada movement as silly. Cons.docx
lmelaine
 
Jaffe and Jordan want to use financial planning models to prepar.docx
Jaffe and Jordan want to use financial planning models to prepar.docxJaffe and Jordan want to use financial planning models to prepar.docx
Jaffe and Jordan want to use financial planning models to prepar.docx
lmelaine
 
Ive got this assinment due and was wondering if anyone has done any.docx
Ive got this assinment due and was wondering if anyone has done any.docxIve got this assinment due and was wondering if anyone has done any.docx
Ive got this assinment due and was wondering if anyone has done any.docx
lmelaine
 
It is now time to select sources and take some notes. You will nee.docx
It is now time to select sources and take some notes. You will nee.docxIt is now time to select sources and take some notes. You will nee.docx
It is now time to select sources and take some notes. You will nee.docx
lmelaine
 
itively impact job satisfactionWeek 3 - Learning Team Paper - Due .docx
itively impact job satisfactionWeek 3 - Learning Team Paper - Due .docxitively impact job satisfactionWeek 3 - Learning Team Paper - Due .docx
itively impact job satisfactionWeek 3 - Learning Team Paper - Due .docx
lmelaine
 
It is not an online course so i cannot share any login details. No d.docx
It is not an online course so i cannot share any login details. No d.docxIt is not an online course so i cannot share any login details. No d.docx
It is not an online course so i cannot share any login details. No d.docx
lmelaine
 
IT Strategic Plan, Part 1Using the case provided, analyze the busi.docx
IT Strategic Plan, Part 1Using the case provided, analyze the busi.docxIT Strategic Plan, Part 1Using the case provided, analyze the busi.docx
IT Strategic Plan, Part 1Using the case provided, analyze the busi.docx
lmelaine
 
IT Strategic Plan, Part 2Using the case provided, build on Part .docx
IT Strategic Plan, Part 2Using the case provided, build on Part .docxIT Strategic Plan, Part 2Using the case provided, build on Part .docx
IT Strategic Plan, Part 2Using the case provided, build on Part .docx
lmelaine
 

More from lmelaine (20)

Jan 18, 2013 at 217pmNo unread replies.No replies.Post yo.docx
Jan 18, 2013 at 217pmNo unread replies.No replies.Post yo.docxJan 18, 2013 at 217pmNo unread replies.No replies.Post yo.docx
Jan 18, 2013 at 217pmNo unread replies.No replies.Post yo.docx
 
Jan 10, 20141.Definition of law A set of rules and proced.docx
Jan 10, 20141.Definition of law A set of rules and proced.docxJan 10, 20141.Definition of law A set of rules and proced.docx
Jan 10, 20141.Definition of law A set of rules and proced.docx
 
James RiverJewelryProjectQuesti.docx
James RiverJewelryProjectQuesti.docxJames RiverJewelryProjectQuesti.docx
James RiverJewelryProjectQuesti.docx
 
Jacob claims the employer violated his rights. In your opinion, what.docx
Jacob claims the employer violated his rights. In your opinion, what.docxJacob claims the employer violated his rights. In your opinion, what.docx
Jacob claims the employer violated his rights. In your opinion, what.docx
 
Ive been promised A+ papers in the past but so far I have not seen .docx
Ive been promised A+ papers in the past but so far I have not seen .docxIve been promised A+ papers in the past but so far I have not seen .docx
Ive been promised A+ papers in the past but so far I have not seen .docx
 
It’s easy to dismiss the works from the Dada movement as silly. Cons.docx
It’s easy to dismiss the works from the Dada movement as silly. Cons.docxIt’s easy to dismiss the works from the Dada movement as silly. Cons.docx
It’s easy to dismiss the works from the Dada movement as silly. Cons.docx
 
Its meaning is still debated. It could be a symbol of the city of Fl.docx
Its meaning is still debated. It could be a symbol of the city of Fl.docxIts meaning is still debated. It could be a symbol of the city of Fl.docx
Its meaning is still debated. It could be a symbol of the city of Fl.docx
 
Jaffe and Jordan want to use financial planning models to prepar.docx
Jaffe and Jordan want to use financial planning models to prepar.docxJaffe and Jordan want to use financial planning models to prepar.docx
Jaffe and Jordan want to use financial planning models to prepar.docx
 
Ive got this assinment due and was wondering if anyone has done any.docx
Ive got this assinment due and was wondering if anyone has done any.docxIve got this assinment due and was wondering if anyone has done any.docx
Ive got this assinment due and was wondering if anyone has done any.docx
 
It is thought that a metabolic waste product produced by a certain g.docx
It is thought that a metabolic waste product produced by a certain g.docxIt is thought that a metabolic waste product produced by a certain g.docx
It is thought that a metabolic waste product produced by a certain g.docx
 
it is not the eassay it is about anwering the question with 2,3 pa.docx
it is not the eassay it is about anwering the question with 2,3 pa.docxit is not the eassay it is about anwering the question with 2,3 pa.docx
it is not the eassay it is about anwering the question with 2,3 pa.docx
 
It is now time to select sources and take some notes. You will nee.docx
It is now time to select sources and take some notes. You will nee.docxIt is now time to select sources and take some notes. You will nee.docx
It is now time to select sources and take some notes. You will nee.docx
 
Its a linear equations question...Neilsen Media Research surveys .docx
Its a linear equations question...Neilsen Media Research surveys .docxIts a linear equations question...Neilsen Media Research surveys .docx
Its a linear equations question...Neilsen Media Research surveys .docx
 
itively impact job satisfactionWeek 3 - Learning Team Paper - Due .docx
itively impact job satisfactionWeek 3 - Learning Team Paper - Due .docxitively impact job satisfactionWeek 3 - Learning Team Paper - Due .docx
itively impact job satisfactionWeek 3 - Learning Team Paper - Due .docx
 
IT205 Management of Information SystemsHello, I am looking for he.docx
IT205 Management of Information SystemsHello, I am looking for he.docxIT205 Management of Information SystemsHello, I am looking for he.docx
IT205 Management of Information SystemsHello, I am looking for he.docx
 
It is not an online course so i cannot share any login details. No d.docx
It is not an online course so i cannot share any login details. No d.docxIt is not an online course so i cannot share any login details. No d.docx
It is not an online course so i cannot share any login details. No d.docx
 
IT Strategic Plan, Part 1Using the case provided, analyze the busi.docx
IT Strategic Plan, Part 1Using the case provided, analyze the busi.docxIT Strategic Plan, Part 1Using the case provided, analyze the busi.docx
IT Strategic Plan, Part 1Using the case provided, analyze the busi.docx
 
It should be in API format.Research paper should be on Ethernet .docx
It should be in API format.Research paper should be on Ethernet .docxIt should be in API format.Research paper should be on Ethernet .docx
It should be in API format.Research paper should be on Ethernet .docx
 
IT Strategic Plan, Part 2Using the case provided, build on Part .docx
IT Strategic Plan, Part 2Using the case provided, build on Part .docxIT Strategic Plan, Part 2Using the case provided, build on Part .docx
IT Strategic Plan, Part 2Using the case provided, build on Part .docx
 
It seems most everything we buy these days has the label made in Ch.docx
It seems most everything we buy these days has the label made in Ch.docxIt seems most everything we buy these days has the label made in Ch.docx
It seems most everything we buy these days has the label made in Ch.docx
 

Recently uploaded

Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
EADTU
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 

Recently uploaded (20)

NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
 
OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
OSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsOSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & Systems
 
Play hard learn harder: The Serious Business of Play
Play hard learn harder: The Serious Business of PlayPlay hard learn harder: The Serious Business of Play
Play hard learn harder: The Serious Business of Play
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Simple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdfSimple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdf
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
What is 3 Way Matching Process in Odoo 17.pptx
What is 3 Way Matching Process in Odoo 17.pptxWhat is 3 Way Matching Process in Odoo 17.pptx
What is 3 Way Matching Process in Odoo 17.pptx
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 
Introduction to TechSoup’s Digital Marketing Services and Use Cases
Introduction to TechSoup’s Digital Marketing Services and Use CasesIntroduction to TechSoup’s Digital Marketing Services and Use Cases
Introduction to TechSoup’s Digital Marketing Services and Use Cases
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Economic Importance Of Fungi In Food Additives
Economic Importance Of Fungi In Food AdditivesEconomic Importance Of Fungi In Food Additives
Economic Importance Of Fungi In Food Additives
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
dusjagr & nano talk on open tools for agriculture research and learning
dusjagr & nano talk on open tools for agriculture research and learningdusjagr & nano talk on open tools for agriculture research and learning
dusjagr & nano talk on open tools for agriculture research and learning
 
Tatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf artsTatlong Kwento ni Lola basyang-1.pdf arts
Tatlong Kwento ni Lola basyang-1.pdf arts
 

Final Project Incident Response Exercise & ReportYour TaskYou.docx

  • 1. Final Project: Incident Response Exercise & Report Your Task You have been assigned to work incident clean-up as part of the Sifers-Grayson Blue Team. Your task is to assist in analyzing and documenting the incident described below. The Blue Team has already created a set of enterprise architecture diagrams (see figures 1-4) to help with your analysis of the incident and preparation of the incident report as required by the company’s contracts with the federal government. After completing their penetration tests, the Red Team provided Sifers-Grayson executives with a diagram showing their analysis of the threat environment and potential weaknesses in the company’s security posture for the R&D DevOps Lab (see figure 5). Your Deliverable Complete and submit the Incident Report form found at the end of this file. Consult the “Notes to Students” for additional directions regarding completion of the form. Overview of the Incident Sifers-Grayson hired a cybersecurity consulting firm to help it meet the security requirements of a contract with a federal agency. The consulting firm’s Red Team conducted a penetration test and was able to gain access to the engineering center’s R&D servers by hacking into the enterprise network through an unprotected network connection (see figure 2). The Red Team proceeded to exfiltrate files from those servers and managed to steal 100% of the design documents and source code for the AX10 Drone System. The Red Team also reported that it had stolen passwords for 20% of the employee logins using keylogging software installed on USB keys that were left on the lunch table in the headquarters building employee lounge (see Figure 3). The Red Team also noted that the Sifers-Grayson employees were quite friendly and talkative as they opened the
  • 2. RFID controlled doors for the “new folks” on the engineering staff (who were actually Red Teamers). The Red Team continued its efforts to penetrate the enterprise and used a stolen login to install malware over the network onto a workstation connected to a PROM burner in the R&D DevOps lab (See Figure 3). This malware made its way onto a PROM that was then installed in an AX10-a test vehicle undergoing flight trials at the Sifers-Grayson test range (See Figures 1 and 4). The malware “phoned home” to the Red Team over a cellular connection to the R&D center. The Red Team took control of the test vehicle and flew it from the test range to a safe landing in the parking lot at Sifers-Grayson headquarters. Background Sifers-Grayson is a family owned business headquartered in Grayson County, Kentucky, USA. The company’s physical address is 1555 Pine Knob Trail, Pine Knob, KY 42721. The president of the company is Ira John Sifers, III. He is the great- grandson of one of the company’s founders and is also the head of the engineering department. The chief operating officer is Michael Coles, Jr. who is Ira John’s great nephew. Mary Beth Sifers is the chief financial officer and also serves as the head of personnel for the company. Recent contracts with the Departments of Defense and Homeland Security have imposed additional security requirements upon the company and its R&D DevOps and SCADA labs operations. The company is now required to comply with NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. The company must also comply with provisions of the Defense Federal Acquisition Regulations (DFARS) including section 252-204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. These requirements are designed to ensure that sensitive technical information, provided by the federal government and stored on
  • 3. computer systems in the Sifers-Grayson R&D DevOps and SCADA labs, is protected from unauthorized disclosure. This information includes software designs and source code. The contract requirements also mandate that Sifers-Grayson report cyber incidents to the federal government in a timely manner.SCADA Lab The SCADA lab was originally setup in 1974. It has been upgraded and rehabbed several times since then. The most recent hardware and software upgrades were completed three years ago after the lab was hit with a ransomware attack that exploited several Windows XP vulnerabilities. At that time, the engineering and design workstations were upgraded to Windows 8.1 professional. A second successful ransomware attack occurred three months ago. The company paid the ransom in both cases because the lab did not have file backups that it could use to recover the damaged files (in the first case) and did not have system backups that it could use to rebuild the system hard drives (in the second case). The SCADA Lab is locked into using Windows 8.1. The planned transition to Windows 10 is on indefinite hold due to technical problems encountered during previous attempts to modify required software applications to work under the new version of the operating system. This means that an incident response and recovery capability for the lab must support the Windows 8.1 operating system and its utilities.R&D DevOps Lab The R&D DevOps Lab was built in 2010 and is used to develop, integrate, test, support, and maintain software and firmware (software embedded in chips) for the company’s robots, drones, and non-SCADA industrial control systems product lines. The workstations in this lab are running Windows 10 and are configured to receive security updates per Microsoft’s monthly schedule. Enterprise IT Operations The company uses a combination of Windows 10 workstations and laptops as the foundation of its enterprise IT capabilities. The servers in the data center and the engineering R&D center are built upon Windows Server 2012.
  • 4. Issues Summary: 1. Newly won government contracts now require compliance with DFARS §252.204-7008, 7009, and 7012 · http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.ht m · http://www.acq.osd.mil/se/docs/DFARS-guide.pdf 2. Derivative requirements include: · Implementation of and compliance with NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.8 00-171r1.pdf · Compliance with DFARS 252.239-7009 Representation of Use of Cloud Computing and 7010 Cloud Computing Services (see https://www.acq.osd.mil/dpap/dars/dfars/html/current/252239.ht m#252.239-7009 3. Additional Contractual Requirements for Lab Operations include: · Incident Response per NIST SP-800-61 (Computer Security Incident Handling Guide) · SCADA Security per NIST SP 800-82 (Guide to Industrial Control Systems Security) · Software / Systems Development Lifecycle (SDLC) Security per NIST SP 800-64 (Security Considerations in the System Development Life Cycle) · Configuration Management per NIST SP 800-128 (Guide for Security-Focused Configuration Management of Information Systems) Notes to Students: 1. Your final deliverable should be professionally formatted and should not exceed 10 pages. The goal is to be clear and concise in your reporting of your analysis of this incident. This report should reflect your learning and analysis. For that reason, the
  • 5. citation rules are relaxed and you may write from your own knowledge as an “expert.” BUT, if you paste exact phrases, sentences, or paragraphs from another document or resource, you must cite that source using an appropriate citation style (e.g. footnotes, end notes, in-text citations). 2. You may include annotated diagrams if necessary to illustrate your analysis and/or make your point(s). You may use the figures in this assignment as the foundation for diagrams in your final report (no citations required). 3. Use the NIST Incident Handling Process (see Table 1) to guide your incident analysis. You do not need to cite a source for this table. 4. You may assume that the company has implemented one or more of the IT products that you recommended in your Case Studies for this course. You may also assume that the company is using the incident response guidance documents that you wrote for your labs and that the associated operating systems utilities are in use (e.g. you can assume that system backups are being made, etc.). 5. DOCUMENT YOUR ASSUMPTIONS about people, processes, and technologies as if they were fact. But, don’t change any of the factual information provided in the incident report from the Red Team. 6. Use the incident report form that appears at the end of this file. Copy it to a new MS Word document. Insert a title page at the beginning of your file and include the title of the report, your name, and the due date. 7. After you perform your incident analysis, fill in the required information in the provided form (see the end of this file). Attach the file to your assignment folder entry, and submit it for grading as your final project. 8. For section 1 of the form, use your own name but provide reasonable but fictitious information for the remaining fields. 9. For section 2 of the form, assign IP addresses in the following ranges to any servers, workstations, or network connections that you need to discuss.
  • 6. a. R&D Center 10.10.120.0/24 b. Test Range 10.10.128.0/24 c. Corporate Headquarters 10.10.135.0/24 10. For sections 2, 3, and 5, you should use and interpret information provided in this file (Overview, Background, Issues Summary). You may use a judicious amount of creativity, if necessary, to fill in any missing information. 11. For section 4 of the form you may provide a fictitious cost estimate based upon $100 per hour for IT staff to perform “clean-up” activities. Reasonable estimates are probably in the range of 150 to 300 person hours. What’s important is that you document how you arrived at your cost estimate. 12. Discuss the contract requirements and derivative requirements for cybersecurity at Sifers-Grayson in 3 to 5 paragraphs under “Section 6 General Comments.” Words for the Wise … Do not let “perfection” be a barrier to completing this assignment. It’s more importation to be on-time and provide SOME analysis in a professional format than to find and document every single possible vulnerability. CSIA 310: Cybersecurity Processes & Technologies ·
  • 7. Copyright ©2019 by University of Maryland University College. All Rights Reserved. Figure 1. Overview of Sifers-Grayson Enterprise IT Architecture Figure 2. Combined Network and Systems Views: Sifers-Grayson Headquarters, R&D Center, and Data Center Figure 3. Combined Network and Systems View for Sifers- Grayson R&D DevOps Lab Figure 4. Combined Communications and Systems Views for Sifers-Grayson Test Range Figure 5. Threat Landscape for Sifers-Grayson R&D DevOps Lab NIST Incident Handling Checklist by Phase Detection and Analysis 1. Determine whether an incident has occurred 1.1 Analyze the precursors and indicators 1.2 Look for correlating information 1.3
  • 8. Perform research (e.g., search engines, knowledge base) 1.4 As soon as the handler believes an incident has occurred, begin documenting the investigation and gathering evidence 2. Prioritize handling the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.) 3. Report the incident to the appropriate internal personnel and external organizations Containment, Eradication, and Recovery 4. Acquire, preserve, secure, and document evidence 5. Contain the incident 6. Eradicate the incident 6.1 Identify and mitigate all vulnerabilities that were exploited 6.2 Remove malware, inappropriate materials, and other components 6.3 If more affected hosts are discovered (e.g., new malware infections), repeat the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then contain (5) and eradicate (6) the incident for them 7. Recover from the incident 7.1 Return affected systems to an operationally ready state 7.2 Confirm that the affected systems are functioning normally 7.3 If necessary, implement additional monitoring to look for future
  • 9. related activity Post-Incident Activity 8. Create a follow-up report 9. Hold a lessons learned meeting (mandatory for major incidents, optional otherwise) Source: NIST SP 800-61r2 Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide (NIST SP 800-62 rev. 2). http://dx.doi.org/10.6028/NIST.SP.800-61r2 SIFERS-GRAYSON CYBERSECURITY INCIDENT REPORT FORM 1. Contact Information for the Incident Reporter and Handler – Name – Role – Organizational unit (e.g., agency, department, division, team) and affiliation – Email address – Phone number – Location (e.g., mailing address, office room number) 2. Incident Details – Status change date/timestamps (including time zone): when the incident started, when the incident was discovered/detected, when the incident was reported, when the incident was resolved/ended, etc. – Physical location of the incident (e.g., city, state) – Current status of the incident (e.g., ongoing attack) – Source/cause of the incident (if known), including hostnames and IP addresses – Description of the incident (e.g., how it was detected, what occurred) – Description of affected resources (e.g., networks, hosts, applications, data), including systems’ hostnames, IP addresses,
  • 10. and function – If known, incident category, vectors of attack associated with the incident, and indicators related to the incident (traffic patterns, registry keys, etc.) – Prioritization factors (functional impact, information impact, recoverability, etc.) – Mitigating factors (e.g., stolen laptop containing sensitive data was using full disk encryption) – Response actions performed (e.g., shut off host, disconnected host from network) – Other organizations contacted (e.g., software vendor) 3. Cause of the Incident (e.g., misconfigured application, unpatched host) 4. Cost of the Incident 5. Business Impact of the Incident 6. General Comments