Final Project – Incident Response Exercise
SAMPLE
1. Contact Information for the Incident Reporter and Handler
– Mruga Patel
– Cyber Incident Response Team Lead
– Organizational Information - Sifers-Grayson Corporation
(Blue Team), Information Technology Department
– [email protected]
– 410-923-9221
– Location - 100 Fairway Ave, Suite 101, Catonsville, MD 21228
2. Incident Details
– The attack occurred during off-hours at 22:00 EST. The incident was discovered when the system became unusable due to high-volume traffic from an unauthorized IP address. The incident ended at approximately 22:45 EST.
– Catonsville, MD
– Attack has ended
– The attack originated from the IP address 11.125.22.198, which has no host name. The cause of the incident has yet to be determined.
– The attack was discovered when the system became unusable due to high latency. It was detected using logging information from a server, viewed through the Task Manager.
– The system itself remains unaffected; only data was stolen from our company. The data was extracted from the Employee server (IP address 192.168.1.0, hostname SifersHouston.com).
– N/A
– The system resumed normal function after the attack.
– The stolen data came from the server containing employee information.
– The network was shut down once the attack was discovered. The system logged all necessary information for forensic evidence.
– N/A
3. The cause of the incident was an unsecured network connection, which was used to steal company information.
4. The cost of the incident has yet to be determined. The stolen PII has no calculated price. However, the estimated effort is about 200 person hours, and it would cost around $100 per hour for IT staff to perform “clean-up” activities. As of now, the cost is therefore around $20,000.00.
5. The impact of the incident is significant. The necessary measures to combat this problem have yet to be determined.
6. General Comments - Our network poses a lot of security risks. Going forward, we need to implement security measures to prevent further incidents from taking place.
Background
The Sifers-Grayson company hired an outside organization to penetrate our network and report on the vulnerabilities found within it. After weeks of penetration testing and attempts to exploit our systems, the red team (testing team) was successful. Because the company holds a government contract, the Department of Defense (DoD) imposes additional security requirements on the R&D and SCADA lab operations, both of which hold classified and secret information and happen to be where the red team was able to gain access.
The company is now required to follow the NIST publication on Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Failure to comply can result in fines and even contract termination. The Defense Federal Acquisition Regulations (DFARS) also set out requirements for safeguarding covered information and for cyber security incident reporting.
Fortunately, identifying these risks before hackers do is a plus. Using the guidance in these documents can help provide security and prevent future exploitation attempts. This analysis will identify tools and resources to safeguard information in the future.
Analysis
In the current topology, the internet connection for the R&D servers comes from a Wireless Access Point that is itself reached over a wired connection. That wired connection, the Campus Area Network, links to the R&D site. The other internet connection in this topology is an underground wired connection that passes through a firewall and back through the Campus Area Network to the wireless router.
The red team, which was hired as the penetration testing team, was able to gain access to the engineering center's R&D server by hacking unprotected network connections. These connections could be compromised by attacking the wireless router or by rerouting network cables to a rogue routing device. Unsecured connections not only make it easy for anyone to pick up and monitor traffic, but are also a golden ticket for hackers seeking government information. Monitoring tools can be freely downloaded from the internet and used; examples include Wireshark and Nessus. Such tools can monitor unencrypted networks and capture usernames, passwords, banking information, and so on.
Within this agency, the highest possible security standards should be required, and the recommendation going forward is to use WPA2 encryption with TKIP or AES protection. This is the IEEE 802.11 standard for wireless data encryption (Mitchell, 2017). WPA2 encryption scrambles the data passed over a Wi-Fi connection, which makes it much harder for anyone, even with the right tools, to capture or decrypt the data.
WPA2 also uses the Extensible Authentication Protocol (EAP). EAP works by establishing a secure tunnel between a client and a WAP. After the connection is established, authentication can begin, usually with a username and password, or just a password. The servers that authenticate users should use Kerberos, which is built into Microsoft software to handle authentication requests.
Installing Microsoft Active Directory is a highly recommended solution for this topology. Looking at our network topology, we have resources spread across different areas where devices vary and security can easily be penetrated. Using Active Directory on the systems within our network, we gain better control of our resources through a spectrum of different controls and tools. One tool that can be used to prevent unauthorized access is Domain Services. It stores information about domain members, users, and devices, verifies users' credentials, and records the rights associated with each account.
The second tool that could have been used to prevent unauthorized access is Certificate Services. This utility gives us the ability to create, validate, and revoke public key certificates (Wikipedia, n.d.). These certificates can be used to validate devices and user access information. Additional benefits include encrypting files, emails, and network traffic when used through a VPN. VPNs can be utilized out in the field when doing experiments for the company. Through the WAP in the field, a hacker could gain access using the KRACK attack even when WPA2 is in use. A VPN would tunnel the traffic between the two routers, even across an internet connection, so the data would be unusable if picked up by an outside party.
Active Directory Rights Management Services (AD RMS) can also be used to prevent unauthorized users from gaining access to documents, emails, and web pages. It uses encryption and selective denial of functionality to limit access to these objects. Decryption is also handled by AD RMS, for the users defined on specific objects, through the certificates each user is granted. The other great utility of Active Directory is the ability to give access only to users defined on our network. The red team gained access through an unsecured network connection, but then was able to reach our servers through that penetrated connection. With Active Directory, only users defined in Users and Computers can access information from their domain. Rights and privileges are assigned using the principle of least privilege: users are only given the rights associated with their role within the organization. Any user not defined within the Users and Computers feature will have zero access to our network.
The second concern was the red team's ability to capture passwords using keylogging software installed on a USB drive found in the lounge area. Upon finding this USB drive, an employee plugged it into their computer, enabling the software to log passwords. There are many ways to combat this problem and prevent this error from occurring again.
The first and easiest way is to hold employee awareness training. This training should cover the different ways hackers are able to gain access to networks and what employees should watch for to prevent incidents. Common issues that should be covered are downloading files from the internet, plugging in unauthorized devices, common phishing attacks, and physical security issues such as piggybacking. The second way to prevent devices from being plugged in is simply to disable all USB drives on all networked devices. This practice would guarantee the physical security of preventing unauthorized devices from gaining access to our network and is common practice within a DoD environment. Limiting access to the network as much as possible while users can still do their daily work should be the goal of every security administrator. If USB drives are needed by certain users, access may be granted through a request from the department manager to the IT department.
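Disabling removable USB storage on a workstation, as an added example that is not part of the original report: it switches the Windows USB mass-storage driver (USBSTOR) off or on through its registry Start value and writes an audit event, so an exception granted on a manager's request can be traced later. The event-source name is an assumption, and the script must run in an elevated session.

```powershell
# Added example (not from the original report): block or re-enable USB mass
# storage on a Windows 8.1 / Windows 10 workstation and audit the current state.
# Start=4 disables the USBSTOR driver, so newly inserted flash drives are not
# mounted; Start=3 (load on demand) is the Windows default.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    # Returns 'Disabled', 'Enabled', or 'Unknown (<value>)' from the Start value.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    switch ($start) {
        4       { 'Disabled' }
        3       { 'Enabled' }
        default { "Unknown ($start)" }
    }
}

function Set-UsbStorageState {
    param(
        [Parameter(Mandatory)] [ValidateSet('Enabled', 'Disabled')] [string] $State,
        [string] $Reason = 'Blue Team policy: block unauthorized removable media'
    )
    $value = if ($State -eq 'Disabled') { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord

    # Leave an audit trail in the Application log so that exceptions granted per
    # department request are traceable. The source name is an assumption.
    $source = 'SG-BlueTeam'
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        New-EventLog -LogName Application -Source $source
    }
    Write-EventLog -LogName Application -Source $source -EventId 1000 `
        -EntryType Information `
        -Message "USB mass storage set to $State on $env:COMPUTERNAME by $env:USERNAME. Reason: $Reason"

    Get-UsbStorageState
}

# Default posture for every workstation: removable storage disabled.
Set-UsbStorageState -State Disabled

# An approved exception for one user's machine, recorded with its justification:
# Set-UsbStorageState -State Enabled -Reason 'Request SG-0042 approved by R&D manager'
```

A drive that is already mounted stays accessible until it is unplugged, and the setting only affects the mass-storage class; other device classes are controlled through the Group Policy device-installation restrictions instead.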
Containment, Eradication, and Recovery
Upon the discovery of the stolen login credentials, malware was found to have been installed in the DevOps department. This malware was installed over the unsecured network connection onto a workstation in that department. Fighting malware and hacking attempts has become complex, and they are hard to detect. Therefore, technologies have been put in place to contain, detect, and eliminate these threats.
One common solution that could have prevented this problem is the implementation of an IPS and an IDS. An Intrusion Prevention System is software or hardware designed to identify malware and other hacking attempts against our network and either cut off the connection being used to spread the malware or block the offending IP addresses. This could have been useful in identifying outside parties gaining access through the unsecured network connection and blocking them from reaching our network. This would be done by blocking the user based on failed login attempts or on unauthorized MAC addresses.
An Intrusion Detection System is hardware or software used to detect malware, login activity, and other attempts to harm the network, and to log that information. The information can be logged to a centralized location and used for auditing and forensic evidence. Unlike the IPS, the IDS only logs information. It can be customized to alert the administrator when malware or attempts to hack into the system have been identified. In this scenario, an IDS would have been able to trace the malware installed on the system from the unsecured connection all the way to the device it was installed on. These two technologies can prevent these types of attacks in the future and should be implemented as soon as possible.
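The failed-logon rule the report describes for an IPS, as an added detection example that is not taken from the original report: it groups failed logons by source address and flags any source that exceeds a threshold inside a sliding window, first over a constructed sample and, through the second function, over real Security-log event 4625 records. The threshold, the window length and the sample addresses are assumptions.

```powershell
# Added example (not from the original report): flag sources that exceed a
# failed-logon threshold within a sliding time window.
function Find-BruteForceSources {
    param(
        # Objects with Time (DateTime), IpAddress (string) and User (string) members.
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold     = 5,   # assumption: 5 failures ...
        [int] $WindowMinutes = 2    # ... within 2 minutes from one source
    )
    $hits = @()
    foreach ($group in ($Events | Group-Object -Property IpAddress)) {
        $times = @($group.Group | Sort-Object -Property Time | ForEach-Object { $_.Time })
        # Slide the window forward from each failure; stop at the first breach.
        for ($i = 0; $i -lt $times.Count; $i++) {
            $windowEnd = $times[$i].AddMinutes($WindowMinutes)
            $inWindow  = @($times | Where-Object { $_ -ge $times[$i] -and $_ -le $windowEnd }).Count
            if ($inWindow -ge $Threshold) {
                $hits += [pscustomobject]@{
                    IpAddress   = $group.Name
                    Failures    = $inWindow
                    WindowStart = $times[$i]
                    Users       = (@($group.Group | ForEach-Object { $_.User }) | Sort-Object -Unique) -join ', '
                }
                break
            }
        }
    }
    return $hits
}

function Get-FailedLogonEvents {
    # Reads real event 4625 (logon failure) records from the Security log and
    # maps them onto the shape Find-BruteForceSources expects. Needs an elevated session.
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            [xml]$x = $_.ToXml()
            $data = @{}
            foreach ($item in $x.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                IpAddress = $data['IpAddress']
                User      = $data['TargetUserName']
            }
        }
}

# Constructed sample: the report's unauthorized address hammering one account
# around 22:00, plus a single typo from a workstation in the R&D range.
$base   = [datetime]'2017-11-26T22:00:00'
$sample = @(0..5 | ForEach-Object {
    [pscustomobject]@{ Time = $base.AddSeconds(10 * $_); IpAddress = '11.125.22.198'; User = 'jsmith' }
}) + @(
    [pscustomobject]@{ Time = $base.AddMinutes(5); IpAddress = '10.10.120.15'; User = 'mpatel' }
)

# Only 11.125.22.198 is reported (6 failures inside 50 seconds).
Find-BruteForceSources -Events $sample | Format-Table -AutoSize

# Against live data on a domain controller or the employee server:
# Find-BruteForceSources -Events (Get-FailedLogonEvents -Hours 24)
```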
The last issue our company had was data lost in a hack that occurred months ago, after which we paid the attackers' ransom to get our data back. This is not a recommended practice, and we need a solution so that our files are backed up and can be restored properly. To back up our files we need to add this role to one of our servers. Fortunately, Microsoft Active Directory has features that allow backing up files, restoring data, and high availability. The Windows Server Backup utility allows us to back up and recover our operating system, applications, and all data within our network (TechNet, n.d.). Backing up our data can cover all volumes, files, folders, and the state of our system. This would have prevented the loss of all our data, through snapshots of our system taken during recovery stages. Backups should run every night and every weekend during non-working hours to preserve bandwidth for server functionality. Compared with backing up data every month, this implementation would preserve far more work between monthly backups for recovery purposes. Backups can be saved to the server or to external resources such as off-site locations. This can be done remotely, or by saving backups weekly to an external drive stored at an off-site location. The backup feature also supports Cluster Shared Volumes (CSV), which share data between servers and provide high availability of our data. If a server were to go down for any reason, another server would be able to take over for the failed server and provide access to the saved data.
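Scheduling the nightly Windows Server Backup job the report recommends, as an added example that is not part of the original report: it installs the feature on a Windows Server 2012 host, builds a policy covering the critical volumes, a data volume, system state and bare-metal recovery, and commits a 22:00 daily schedule to a dedicated backup disk. The drive letters D: (data) and E: (backup target) are assumptions, and the script must run elevated on the server being protected.

```powershell
# Added example (not from the original report): register a nightly Windows
# Server Backup policy on a Windows Server 2012 host.
Import-Module ServerManager
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup -IncludeManagementTools
}
Import-Module WindowsServerBackup

$policy = New-WBPolicy

# Everything needed to rebuild the server: OS and other critical volumes,
# system state (includes Active Directory on a domain controller) and BMR data.
Add-WBVolume -Policy $policy -Volume (Get-WBVolume -CriticalVolumes)
Add-WBSystemState -Policy $policy
Add-WBBareMetalRecovery -Policy $policy

# The employee data volume (drive letter is an assumption).
Add-WBVolume -Policy $policy -Volume (Get-WBVolume -VolumePath 'D:')

# Target: a dedicated backup disk that holds no source data, so daily versions
# are retained. A remote share (New-WBBackupTarget -NetworkPath ... -Credential ...)
# also works but keeps only the most recent backup, so use it for the off-site
# copy rather than as the only target.
$target = New-WBBackupTarget -VolumePath 'E:'
Add-WBBackupTarget -Policy $policy -Target $target

# Once a day at 22:00, outside working hours, as the report recommends.
Set-WBSchedule -Policy $policy -Schedule ([datetime]'22:00')

# Full VSS backup so application logs (e.g. Exchange, SQL) are truncated properly.
Set-WBVssBackupOptions -Policy $policy -VssFullBackup

# Commit; this replaces any policy already scheduled on the server.
Set-WBPolicy -Policy $policy -Force

# Confirm what was registered.
Get-WBPolicy | Select-Object Schedule, VolumesToBackup, BackupTargets

# Weekly copy to a rotated external drive for off-site storage (letter assumed):
# $offsite = New-WBBackupTarget -VolumePath 'F:'
# Start-WBBackup -Policy $policy -Target $offsite
```

Restores are then driven from the same catalog with Get-WBBackupSet and Start-WBFileRecovery or Start-WBSystemStateRecovery, so a ransomware event is answered by rebuilding from last night's set rather than by paying.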
References
Active Directory. (2017, November 26). Retrieved November 26, 2017, from https://en.wikipedia.org/wiki/Active_Directory
Mitchell, B. (n.d.). How Can You Secure a Wi-Fi Network with WPA2? Retrieved November 26, 2017, from https://www.lifewire.com/what-is-wpa2-818352
What is Microsoft Active Directory Rights Management Services (AD Rights Management Services)? - Definition from WhatIs.com. (n.d.). Retrieved November 26, 2017, from http://searchwindowsserver.techtarget.com/definition/Microsoft-Active-Directory-Rights-Management-Services-AD-Rights-Management-Services
Windows Server Backup Feature Overview. (n.d.). Retrieved November 26, 2017, from https://technet.microsoft.com/en-us/library/jj614621(v=ws.11).aspx
Notes to Students:
1. Your final deliverable should be professionally formatted and
should not exceed 10 pages. The goal is to be clear and concise
in your reporting of your analysis of this incident. This report
should reflect your learning and analysis. For that reason, the
citation rules are relaxed and you may write from your own
knowledge as an “expert.” BUT, if you paste exact phrases,
sentences, or paragraphs from another document or resource,
you must cite that source using an appropriate citation style
(e.g. footnotes, end notes, in-text citations).
2. You may include annotated diagrams if necessary to illustrate
your analysis and/or make your point(s). You may use the
figures in this assignment as the foundation for diagrams in
your final report (no citations required).
3. Use the NIST Incident Handling Process (see Table 1) to
guide your incident analysis. You do not need to cite a source
for this table.
4. You may assume that the company has implemented one or
more of the IT products that you recommended in your Case
Studies for this course. You may also assume that the company
is using the incident response guidance documents that you
wrote for your labs and that the associated operating systems
utilities are in use (e.g. you can assume that system backups are
being made, etc.).
5. DOCUMENT YOUR ASSUMPTIONS about people,
processes, and technologies as if they were fact. But, don’t
change any of the factual information provided in the incident
report from the Red Team.
6. Use the incident report form that appears at the end of this
file. Copy it to a new MS Word document. Insert a title page at
the beginning of your file and include the title of the report,
your name, and the due date.
7. After you perform your incident analysis, fill in the required
information in the provided form (see the end of this file).
Attach the file to your assignment folder entry, and submit it for
grading as your final project.
8. For section 1 of the form, use your own name but provide
reasonable but fictitious information for the remaining fields.
9. For section 2 of the form, assign IP addresses in the
following ranges to any servers, workstations, or network
connections that you need to discuss.
a. R&D Center 10.10.120.0/24
b. Test Range 10.10.128.0/24
c. Corporate Headquarters 10.10.135.0/24
10. For sections 2, 3, and 5, you should use and interpret
information provided in this file (Overview, Background, Issues
Summary). You may use a judicious amount of creativity, if
necessary, to fill in any missing information.
11. For section 4 of the form you may provide a fictitious cost
estimate based upon $100 per hour for IT staff to perform
“clean-up” activities. Reasonable estimates are probably in the
range of 150 to 300 person hours. What’s important is that you
document how you arrived at your cost estimate.
12. Discuss the contract requirements and derivative
requirements for cybersecurity at Sifers-Grayson in 3 to 5
paragraphs under “Section 6 General Comments.”
NIST Incident Handling Checklist by Phase
Detection and Analysis
1. Determine whether an incident has occurred
1.1 Analyze the precursors and indicators
1.2 Look for correlating information
1.3 Perform research (e.g., search engines, knowledge base)
1.4 As soon as the handler believes an incident has occurred, begin documenting the investigation and gathering evidence
2. Prioritize handling the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.)
3. Report the incident to the appropriate internal personnel and external organizations
Containment, Eradication, and Recovery
4. Acquire, preserve, secure, and document evidence
5. Contain the incident
6. Eradicate the incident
6.1 Identify and mitigate all vulnerabilities that were exploited
6.2 Remove malware, inappropriate materials, and other components
6.3 If more affected hosts are discovered (e.g., new malware infections), repeat the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then contain (5) and eradicate (6) the incident for them
7. Recover from the incident
7.1 Return affected systems to an operationally ready state
7.2 Confirm that the affected systems are functioning normally
7.3 If necessary, implement additional monitoring to look for future related activity
Post-Incident Activity
8. Create a follow-up report
9. Hold a lessons learned meeting (mandatory for major incidents, optional otherwise)
Source: NIST SP 800-61r2
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide (NIST SP 800-61 rev. 2). http://dx.doi.org/10.6028/NIST.SP.800-61r2
SIFERS-GRAYSON CYBERSECURITY INCIDENT REPORT FORM
1. Contact Information for the Incident Reporter and Handler
– Name
– Role
– Organizational unit (e.g., agency, department, division, team) and affiliation
– Email address
– Phone number
– Location (e.g., mailing address, office room number)
2. Incident Details
– Status change date/timestamps (including time zone): when the incident started, when the incident was discovered/detected, when the incident was reported, when the incident was resolved/ended, etc.
– Physical location of the incident (e.g., city, state)
– Current status of the incident (e.g., ongoing attack)
– Source/cause of the incident (if known), including hostnames and IP addresses
– Description of the incident (e.g., how it was detected, what occurred)
– Description of affected resources (e.g., networks, hosts, applications, data), including systems’ hostnames, IP addresses, and function
– If known, incident category, vectors of attack associated with the incident, and indicators related to the incident (traffic patterns, registry keys, etc.)
– Prioritization factors (functional impact, information impact, recoverability, etc.)
– Mitigating factors (e.g., stolen laptop containing sensitive data was using full disk encryption)
– Response actions performed (e.g., shut off host, disconnected host from network)
– Other organizations contacted (e.g., software vendor)
3. Cause of the Incident (e.g., misconfigured application, unpatched host)
4. Cost of the Incident
5. Business Impact of the Incident
6. General Comments
Final Project: Incident Response Exercise & Report
Your Task
You have been assigned to work incident clean-up as part of the
Sifers-Grayson Blue Team. Your task is to assist in analyzing
and documenting the incident described below. The Blue Team
has already created a set of enterprise architecture diagrams
(see figures 1-4) to help with your analysis of the incident and
preparation of the incident report as required by the company’s
contracts with the federal government. After completing their
penetration tests, the Red Team provided Sifers-Grayson
executives with a diagram showing their analysis of the threat
environment and potential weaknesses in the company’s
security posture for the R&D DevOps Lab (see figure 5).
Your Deliverable
Complete and submit the Incident Report form found at the end
of this file. Consult the “Notes to Students” for additional
directions regarding completion of the form.
Overview of the Incident
Sifers-Grayson hired a cybersecurity consulting firm to help it
meet the security requirements of a contract with a federal
agency. The consulting firm’s Red Team conducted a
penetration test and was able to gain access to the engineering
center’s R&D servers by hacking into the enterprise network
through an unprotected network connection (see figure 2). The
Red Team proceeded to exfiltrate files from those servers and
managed to steal 100% of the design documents and source code
for the AX10 Drone System. The Red Team also reported that it
had stolen passwords for 20% of the employee logins using
keylogging software installed on USB keys that were left on the
lunch table in the headquarters building employee lounge (see
Figure 3). The Red Team also noted that the Sifers-Grayson
employees were quite friendly and talkative as they opened the
RFID controlled doors for the “new folks” on the engineering
staff (who were actually Red Teamers).
The Red Team continued its efforts to penetrate the enterprise
and used a stolen login to install malware over the network onto
a workstation connected to a PROM burner in the R&D DevOps
lab (See Figure 3). This malware made its way onto a PROM
that was then installed in an AX10-a test vehicle undergoing
flight trials at the Sifers-Grayson test range (See Figures 1 and
4). The malware “phoned home” to the Red Team over a cellular
connection to the R&D center. The Red Team took control of
the test vehicle and flew it from the test range to a safe landing
in the parking lot at Sifers-Grayson headquarters.
Background
Sifers-Grayson is a family owned business headquartered in
Grayson County, Kentucky, USA. The company’s physical
address is 1555 Pine Knob Trail, Pine Knob, KY 42721. The
president of the company is Ira John Sifers, III. He is the great-
grandson of one of the company’s founders and is also the head
of the engineering department. The chief operating officer is
Michael Coles, Jr. who is Ira John’s great nephew. Mary Beth
Sifers is the chief financial officer and also serves as the head
of personnel for the company.
Recent contracts with the Departments of Defense and
Homeland Security have imposed additional security
requirements upon the company and its R&D DevOps and
SCADA labs operations. The company is now required to
comply with NIST Special Publication 800-171 Protecting
Controlled Unclassified Information in Nonfederal Information
Systems and Organizations. The company must also comply
with provisions of the Defense Federal Acquisition Regulations
(DFARS) including section 252-204-7012 Safeguarding Covered
Defense Information and Cyber Incident Reporting. These
requirements are designed to ensure that sensitive technical
information, provided by the federal government and stored on
computer systems in the Sifers-Grayson R&D DevOps and
SCADA labs, is protected from unauthorized disclosure. This
information includes software designs and source code. The
contract requirements also mandate that Sifers-Grayson report
cyber incidents to the federal government in a timely
manner.
SCADA Lab
The SCADA lab was originally setup in 1974. It has been
upgraded and rehabbed several times since then. The most
recent hardware and software upgrades were completed three
years ago after the lab was hit with a ransomware attack that
exploited several Windows XP vulnerabilities. At that time, the
engineering and design workstations were upgraded to Windows
8.1 professional. A second successful ransomware attack
occurred three months ago. The company paid the ransom in
both cases because the lab did not have file backups that it
could use to recover the damaged files (in the first case) and did
not have system backups that it could use to rebuild the system
hard drives (in the second case).
The SCADA Lab is locked into using Windows 8.1. The planned
transition to Windows 10 is on indefinite hold due to technical
problems encountered during previous attempts to modify
required software applications to work under the new version of
the operating system. This means that an incident response and
recovery capability for the lab must support the Windows 8.1
operating system and its utilities.
R&D DevOps Lab
The R&D DevOps Lab was built in 2010 and is used to develop,
integrate, test, support, and maintain software and firmware
(software embedded in chips) for the company’s robots, drones,
and non-SCADA industrial control systems product lines. The
workstations in this lab are running Windows 10 and are
configured to receive security updates per Microsoft’s monthly
schedule.
Enterprise IT Operations
The company uses a combination of Windows 10 workstations
and laptops as the foundation of its enterprise IT capabilities.
The servers in the data center and the engineering R&D center
are built upon Windows Server 2012.
Issues Summary:
1. Newly won government contracts now require compliance with DFARS §252.204-7008, 7009, and 7012
· http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm
· http://www.acq.osd.mil/se/docs/DFARS-guide.pdf
2. Derivative requirements include:
· Implementation of and compliance with NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf
· Compliance with DFARS 252.239-7009 Representation of Use of Cloud Computing and 7010 Cloud Computing Services (see https://www.acq.osd.mil/dpap/dars/dfars/html/current/252239.htm#252.239-7009)
3. Additional Contractual Requirements for Lab Operations include:
· Incident Response per NIST SP 800-61 (Computer Security Incident Handling Guide)
· SCADA Security per NIST SP 800-82 (Guide to Industrial Control Systems Security)
· Software / Systems Development Lifecycle (SDLC) Security per NIST SP 800-64 (Security Considerations in the System Development Life Cycle)
· Configuration Management per NIST SP 800-128 (Guide for Security-Focused Configuration Management of Information Systems)
Words for the Wise …
Do not let “perfection” be a barrier to completing this
assignment. It’s more important to be on-time and provide
SOME analysis in a professional format than to find and
document every single possible vulnerability.
Figure 1. Overview of Sifers-Grayson Enterprise IT
Architecture
Figure 2. Combined Network and Systems Views:
Sifers-Grayson Headquarters, R&D Center, and Data Center
Figure 3. Combined Network and Systems View for Sifers-
Grayson R&D DevOps Lab
Figure 4. Combined Communications and Systems Views for
Sifers-Grayson Test Range
Figure 5. Threat Landscape for Sifers-Grayson R&D DevOps
Lab
Rubric Name: Final Project - Incident Report
Criteria (with points), each followed by the description of the Excellent level:
Section 1: Contact Information (10 points)
Provided an acceptable title page for the file. Provided a complete section 1 of the Incident Report Form that included realistic but fictionalized data for all of the following fields:
· Name
· Role
· Organizational Unit and affiliation
· Email address
· Phone Number
· Location
Section 2: Incident Details (25 points)
Provided an excellent report of the incident details as required by the NIST template. Responses for all items were clear, concise, and reflected the analysis of the Blue Team with additional contributions by this student.
Section 3: Cause of the Incident (25 points)
Provided an excellent report of the incident causes using information reported by the Red Team (from the assignment) and additional analysis performed by the Blue Team and this student. Appropriately used information from the Sifers-Grayson Overview and Enterprise Architecture diagrams. Reporting of the analysis was clear, concise, and reflected the analysis of the Blue Team with additional contributions by this student.
Sections 4 & 5: Cost and Impact (10 points)
Provided an excellent analysis of the potential costs and impacts of the incident as reported by the Red Team. Analysis was clear and concise. Included information from the Blue Team and supplemented it with additional analysis by this student.
Section 6: General Comments (10 points)
Provided an excellent discussion of the contract requirements and derivative requirements for cybersecurity at Sifers-Grayson (clear, concise, accurate). Included information from the Blue Team and supplemented it with additional analysis by this student. Included additional information as necessary to provide explanations and improve overall clarity for the incident response report.
Professionalism: Execution (20 points)
Work is professional in appearance and organization (appropriate and consistent use of fonts, headings, color). No word usage, grammar, spelling, or punctuation errors. All quotations (copied text) are properly marked and cited using a professional format. (APA format recommended but not required.)
RESOURCES
Computer security incident handling guide (NIST SP 800-61 rev. 2): https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Final Project – Incident Response Exercise SAMPLE.docx

  • 1. Final Project – Incident Response Exercise SAMPLE 1. Contact Information for the Incident Reporter and Handler – Mruga Patel – Cyber Incident Response Team Lead – Organizational Information - Sifers-Grayson Corporation (Blue Team), Information Technology Department – [email protected]
  • 2. – 410-923-9221 – Location - 100 Fairway Ave, Suite 101, Catonsville, MD 21228 2. Incident Details – The attack occurred during off-hours at 22:00 EST. Incident was discovered when the system became unusable due to high volume traffic from an unauthorized IP Address. The incident ended at approximately 22:45 EST. – Catonsville, MD – Attack has ended – The attack occurred from an IP address of 11.125.22.198 with no host name. The cause of the incident has yet to be determined. – The attack was discovered when the system became unusable due to high levels of latency. It was detected using logging information from a server from the Task Manager. – The system remains unaffected. Only data was stolen from our company. The server which was extracted from the Employee server. IP address- 192.168.1.0, hotname SifersHouston.com. – N/A – The system resumed to normal function after attacked occurred. – Data stolen was from the server containing employee information. – Network was turned off once attack was discovered. The system logged all necessary information for forensic evidence. – N/A 3. Cause of Incident was from an unsecured network which was uses to steal company information. 4. The cost of the incident has yet to be determined. PII stolen has no calculated price. However, estimated person hours are about 200. It would cost around $100 per hour for IT staff to perform “clean-up” activities. As of now it would cost around $20,000.00.
6. General Comments - Our network poses a lot of security risks. Going forward, we need to implement certain security measures to prevent further incidents from taking place.

Background

The Sifers-Grayson company has hired an outside organization to penetrate our network and report on vulnerabilities found within the network. After weeks of penetration testing and attempts to exploit our systems, the red team (testing team) was successful. Because the company holds a government contract, the Department of Defense (DoD) imposes additional security requirements on the R&D and SCADA lab operations. Both labs hold classified and secret information, and both are where the red team was able to gain access. The company is now required to use the NIST publication on protecting controlled unclassified information in nonfederal information systems and organizations. Failure to comply can result in fines and even contract termination. The Defense Federal Acquisition Regulations (DFARS) also outline requirements for safeguarding information and for cyber security incident reporting. Fortunately, identifying these risks before hackers do is a plus. Using the information within these doctrines can help provide security and prevent future exploitation attempts. The analysis below will provide tools and resources to safeguard information in the future.

Analysis

In the current topology, the internet connection for the R&D servers comes from a Wireless Access Point that is itself connected through a wired connection. That wired connection, the Campus Area Network, connects to the R&D site. The other path for internet access within this topology is an underground wired connection that passes through a firewall and back through the Campus Area Network to the wireless router. The red team, hired as the penetration testing team, was able to gain access to the engineering center's R&D server by hacking unprotected network connections. These connections could have been compromised by attacking the wireless router or by rerouting network cables to a rogue routing device. Unsecured connections not only make it easy for anyone to capture and monitor traffic, they are also a golden ticket for hackers looking at government information. Monitoring tools can be freely downloaded from the internet; examples include Wireshark and Nessus. Such tools can monitor unencrypted networks by capturing usernames, passwords, banking information, etc.

Within this agency, the highest possible security standards should be required, and the recommendation going forward is to use WPA2 encryption with TKIP or AES protection. This technology is the IEEE 802.11 standard for data encryption (Mitchell, 2017). WPA2 encryption scrambles the data passed over a Wi-Fi connection, which makes it much harder for anyone with the right tools to pick up or decrypt the data. WPA2 also utilizes the Extensible Authentication Protocol (EAP). EAP works by establishing secure tunnels between a client and a WAP. After a connection is established, authentication can begin, usually with a username and password, or just a password. The servers authenticating the users should be implemented with Kerberos. Kerberos is embedded within Microsoft software to handle authentication requests.

Installing Microsoft Active Directory is a highly recommended solution within this topology. Looking at our network topology, we have resources in different areas where devices vary and security can easily be penetrated. Using Active Directory on the systems within our network, we can gain better control of our resources, across a spectrum of different controls. Active Directory provides many tools. One tool which can be used to prevent unauthorized access is Domain Services.
Domain Services stores information about members of the domain (users and devices), verifies users' credentials, and records the rights associated with each account. The second tool which could have been used to prevent unauthorized access is Certificate Services. This utility gives us the ability to create, validate, and revoke public key certificates (Wikipedia, n.d.). These certificates can be used for validating data from devices or user access information. Some of the bonuses it provides are encrypting files, emails, and network traffic when used through a VPN. VPNs can be utilized out in the field when doing experiments for the company. Through the WAP in the field, a hacker could gain access with KRACK software even when using WPA2. Using a VPN would tunnel the traffic between the two routers, even across an internet connection, so the data would be unusable if picked up by an outside party.

Active Directory Rights Management Services (AD RMS) can also be used to prevent unauthorized users from obtaining access to documents, emails, and web pages. It uses encryption and selective denial of functionality to limit access to these objects. Decryption is also handled by AD RMS for the users defined on specific objects, based on the certificates the user has been granted. The other great utility of Active Directory is the ability to give access only to users defined on our network. The red team gained access through an unsecured network connection, but then were able to reach our servers through the connection they had penetrated. With Active Directory, only users defined within Users and Computers can access information from their domain. Rights and privileges are assigned using the principle of least privilege. Through this principle, users are only assigned the rights associated with their role within the organization. Any users not defined within the Users and Computers feature will have zero access to our network.
The second concern was the red team's ability to obtain passwords using logging software installed on a USB drive left in the lounge area. Upon finding this USB drive, an employee plugged the device into their computer, enabling the software to log passwords. There are many ways to combat this problem and prevent this error from occurring again. The first and easiest way is to hold employee awareness training. This training should cover the different ways hackers are able to gain access to networks and what employees should be aware of to prevent incidents from occurring. Common issues which should be covered are downloading files from the internet, plugging in unauthorized devices, common phishing attacks, and physical security issues such as piggybacking. The second way to prevent devices from being plugged in is simply to disable all USB drives on all networked devices. This practice would guarantee the physical security of preventing unauthorized devices from gaining access to our network, and it is a common practice within a DoD environment. Limiting network access as much as possible while users are still able to do their daily work should be the goal of every security administrator. If USB drives are needed by certain users, access may be granted through a request from the department manager to the IT department.

Containment, Eradication, and Recovery

Upon the discovery of the stolen login credentials, malware was found to have been installed in the DevOps department. This malware was installed over the unsecured network connection onto a workstation in that department. Fighting malware and hacking attempts has become complex, and they are hard to detect. Therefore, technologies have been put in place to contain, detect, and eliminate these threats. One common solution which could have prevented this problem is the implementation of an IPS and an IDS. An Intrusion Prevention System is software or hardware designed to identify malware and other hacking attempts against our network and either cut off the connection being used to spread the malware or block the IP addresses.
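One way to implement the USB lockdown recommended above on the Windows 10 workstations, as an added example that is not part of the original report: it disables the USB mass-storage driver, applies the Group Policy registry values for removable disks, and can lift the block on a host once the department manager's request has been approved. The log path and the approval reference format are assumptions.

```powershell
# Added example (not from the original report): enforce or lift the USB
# mass-storage lockdown on a Windows 10 workstation. Changing the registry
# needs an elevated prompt; the reporting function works without elevation.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
# Group Policy "Removable Disks: Deny read/write/execute access" is stored under
# this class GUID (Removable Disks) once the policy is applied:
$RemovableDisksKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
# Local change record for the audit trail (path is an assumption).
$ChangeLog = "$env:ProgramData\SifersGrayson\usb-policy.log"

function Get-UsbStorageState {
    # Reports the current posture so every workstation can be checked during clean-up.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    $deny  = Get-ItemProperty -Path $RemovableDisksKey -ErrorAction SilentlyContinue
    $driver = switch ($start) { 3 { 'Enabled (demand start)' } 4 { 'Disabled' } default { "Unknown ($start)" } }
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        UsbStorDriver = $driver
        DenyRead      = [bool]$deny.Deny_Read
        DenyWrite     = [bool]$deny.Deny_Write
        DenyExecute   = [bool]$deny.Deny_Execute
    }
}

function Set-UsbStoragePolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Block', 'Allow')][string]$Mode,
        # Reference to the approved manager -> IT request (assumed ticket format).
        [string]$ApprovalReference = 'none'
    )
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set USB storage to $Mode")) { return }

    # Start = 4 stops the USBSTOR driver from loading for attached disks;
    # 3 (demand start) is the Windows default.
    $startValue = if ($Mode -eq 'Block') { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $startValue -Type DWord

    if ($Mode -eq 'Block') {
        New-Item -Path $RemovableDisksKey -Force | Out-Null
        foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
            Set-ItemProperty -Path $RemovableDisksKey -Name $name -Value 1 -Type DWord
        }
    } else {
        Remove-Item -Path $RemovableDisksKey -Recurse -ErrorAction SilentlyContinue
    }

    # Caveat: this covers USB mass-storage devices only. A USB key that enumerates
    # as a keyboard or network adapter is not affected; Device Installation
    # Restrictions policy is the control for those device classes.
    New-Item -ItemType Directory -Path (Split-Path $ChangeLog) -Force | Out-Null
    $record = '{0}  {1}  mode={2}  approval={3}  by={4}' -f (Get-Date -Format s), $env:COMPUTERNAME, $Mode, $ApprovalReference, $env:USERNAME
    Add-Content -Path $ChangeLog -Value $record
}

# Default posture for every workstation (remove -WhatIf to apply):
Set-UsbStoragePolicy -Mode Block -WhatIf
# Exception granted through the manager -> IT request process:
# Set-UsbStoragePolicy -Mode Allow -ApprovalReference 'IT-REQ-0042'
Get-UsbStorageState
```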
An IPS could have been useful in identifying outside parties gaining access through the unsecured network connection and in blocking those persons from gaining access to our network. This would be done by blocking the user based on failed login attempts or on unauthorized MAC addresses. An Intrusion Detection System is hardware or software used to detect malware, login activity, and other attempts to harm the network, and to log the information. The information can be logged to a centralized location and used for auditing and forensic evidence. Unlike the IPS, the IDS only logs information. It can be customized to alert the administrator when malware or attempts to hack into the system have been identified. In this scenario, an IDS would have been able to detect the malware installed on the system from the unsecured connection all the way to the device it was installed on. These two technologies can prevent these types of attacks in the future and should be implemented as soon as possible.

The last issue our company had was data lost to a hack which occurred months ago, after which we paid the attackers the ransom to get our data back. This is not a recommended practice, and we need a solution to have our files backed up and restored properly. To back up our files we need to add this role to one of our servers. Luckily, Microsoft Active Directory has features which allow backing up of files, restoring of data, and high availability. The Windows Server Backup utility allows us to back up and recover our operating system, applications, and all data within our network (TechNet, n.d.). Backing up our data can cover all the volumes, files, folders, and the state of our system. This would have prevented the loss of all our data, using snapshots of our system during recovery. Backups should run every night and every weekend during non-working hours to save bandwidth for server functionality. Instead of backing up data every month, this implementation would preserve more work between monthly backups for recovery purposes.
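The IPS behaviour described above, blocking a source after repeated failed logins, as an added host-level example that is not part of the original report: it scans Windows Security event 4625 records for a source address that exceeds a failure threshold inside a time window and adds an inbound Windows Firewall block rule for it. The sample records are constructed, using the address ranges the assignment assigns to the R&D Center and Headquarters; the threshold and window are assumptions.

```powershell
# Added example (not from the original report): flag and block sources of
# repeated failed logons (Security event 4625) on a Windows host.

function Get-BruteForceSources {
    # Returns one record per source address that produced $Threshold or more
    # failures inside any $WindowMinutes-long sliding window.
    param(
        [Parameter(Mandatory)][object[]]$Events,   # objects with TimeCreated, IpAddress, TargetUserName
        [int]$Threshold = 10,                      # assumption: 10 failures ...
        [int]$WindowMinutes = 15                   # ... within 15 minutes
    )
    $window = [timespan]::FromMinutes($WindowMinutes)
    foreach ($group in ($Events | Group-Object IpAddress)) {
        $times = @($group.Group | Sort-Object TimeCreated | ForEach-Object { [datetime]$_.TimeCreated })
        $start = 0
        for ($i = 0; $i -lt $times.Count; $i++) {
            while ($times[$i] - $times[$start] -gt $window) { $start++ }   # slide the window
            if ($i - $start + 1 -ge $Threshold) {
                [pscustomobject]@{
                    IpAddress = $group.Name
                    Failures  = $i - $start + 1
                    Users     = ($group.Group.TargetUserName | Sort-Object -Unique) -join ','
                    FirstSeen = $times[$start]
                    LastSeen  = $times[$i]
                }
                break
            }
        }
    }
}

function Block-SourceAddress {
    # Adds an inbound block rule; the tag lets the rule be found and removed
    # when the incident is closed. Needs an elevated prompt.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$IpAddress, [string]$Tag = 'IR')
    $name = "$Tag-Block-$IpAddress"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return }
    if ($PSCmdlet.ShouldProcess($IpAddress, 'Add inbound Windows Firewall block rule')) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -RemoteAddress $IpAddress -Action Block -Profile Any | Out-Null
    }
}

# Live collection on the server being protected (commented out so the sample
# below runs offline):
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-15) } |
#     ForEach-Object {
#         $x = [xml]$_.ToXml()
#         [pscustomobject]@{
#             TimeCreated    = $_.TimeCreated
#             IpAddress      = ($x.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
#             TargetUserName = ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
#         }
#     }

# Constructed sample: 12 failures in four minutes from one Headquarters address
# (10.10.135.0/24), plus two stray failures from an R&D workstation (10.10.120.0/24)
# that stay under the threshold and must not be blocked.
$base = Get-Date '2017-11-26 22:00:00'
$sample = @(
    foreach ($n in 1..12) {
        [pscustomobject]@{ TimeCreated = $base.AddSeconds(20 * $n); IpAddress = '10.10.135.77'; TargetUserName = @('jsmith', 'mbsifers', 'admin')[$n % 3] }
    }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(3); IpAddress = '10.10.120.15'; TargetUserName = 'engineer1' }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(9); IpAddress = '10.10.120.15'; TargetUserName = 'engineer1' }
)

$offenders = @(Get-BruteForceSources -Events $sample -Threshold 10 -WindowMinutes 15)
$offenders | Format-Table -AutoSize          # expected: only 10.10.135.77, Failures = 12
# Remove -WhatIf after reviewing the list; the IDS-style log record is the object above.
$offenders | ForEach-Object { Block-SourceAddress -IpAddress $_.IpAddress -Tag 'IR-2017-11-26' -WhatIf }
```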
Backups can be saved to the server or to external resources such as off-site locations. This can be done remotely, or by saving backups weekly to an external drive that is stored at an off-site location. The backup feature also supports cluster shared volumes (CSV). These share data between servers, providing high availability of our data. If a server were to go down for any reason, another server would be able to take over for the failed server and provide access to the saved data.

References

Active Directory. (2017, November 26). Retrieved November 26, 2017, from https://en.wikipedia.org/wiki/Active_Directory

Mitchell, B. (n.d.). How Can You Secure a Wi-Fi Network with WPA2? Retrieved November 26, 2017, from https://www.lifewire.com/what-is-wpa2-818352

What is Microsoft Active Directory Rights Management Services (AD Rights Management Services)? - Definition from WhatIs.com. (n.d.). Retrieved November 26, 2017, from http://searchwindowsserver.techtarget.com/definition/Microsoft-Active-Directory-Rights-Management-Services-AD-Rights-Management-Services

Windows Server Backup Feature Overview. (n.d.). Retrieved November 26, 2017, from https://technet.microsoft.com/en-us/library/jj614621(v=ws.11).aspx
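The nightly Windows Server Backup schedule recommended in the report above, as an added example that is not part of the original report: it builds a backup policy with the WindowsServerBackup PowerShell module on a Windows Server 2012 host (critical volumes, system state and bare-metal recovery), targets a dedicated backup volume, schedules the job after hours, and checks whether the last successful backup is stale. The target drive letter and the staleness limit are assumptions.

```powershell
# Added example (not from the original report): schedule the nightly
# Windows Server Backup job and verify that it keeps running. Requires the
# Windows Server Backup feature and an elevated prompt.
Import-Module WindowsServerBackup

function New-NightlyBackupPolicy {
    param(
        # Dedicated backup volume (assumed drive letter). For the weekly off-site
        # copy, build a second policy with
        #   New-WBBackupTarget -NetworkPath '\\backup-host\share' -Credential (Get-Credential)
        # and run it with Start-WBBackup -Policy.
        [string]$TargetVolume = 'E:',
        [datetime[]]$RunAt = @('22:00')      # after working hours, per the report
    )
    $policy = New-WBPolicy

    # Critical volumes are everything needed to boot and run the OS. System state
    # plus bare-metal recovery is what lets a ransomed host be rebuilt from scratch
    # instead of paying; the lab lacked both.
    Get-WBVolume -CriticalVolumes | ForEach-Object { Add-WBVolume -Policy $policy -Volume $_ }
    Add-WBSystemState -Policy $policy
    Add-WBBareMetalRecovery -Policy $policy

    Add-WBBackupTarget -Policy $policy -Target (New-WBBackupTarget -VolumePath $TargetVolume)
    Set-WBSchedule -Policy $policy -Schedule $RunAt | Out-Null
    # Full VSS backup: the snapshot is recorded as a backup, so application logs
    # (e.g. Exchange/SQL) are truncated as if their own backup had run.
    Set-WBVssBackupOptions -Policy $policy -VssFullBackup

    Set-WBPolicy -Policy $policy -Force   # registers the scheduled job
    return $policy
}

function Test-BackupFreshness {
    # A backup that silently stopped running is as bad as none; alert on age.
    param([int]$MaxAgeHours = 26)         # one nightly run plus slack (assumption)
    $summary = Get-WBSummary
    $age = (Get-Date) - $summary.LastSuccessfulBackupTime
    [pscustomobject]@{
        LastSuccess = $summary.LastSuccessfulBackupTime
        NextRun     = $summary.NextBackupTime
        LastResult  = $summary.LastBackupResultHR   # 0 = success
        Stale       = ($age.TotalHours -gt $MaxAgeHours)
    }
}

New-NightlyBackupPolicy -TargetVolume 'E:' | Out-Null
Test-BackupFreshness
```

Run Test-BackupFreshness from a scheduled task each morning and raise an alert when Stale is true or LastResult is non-zero, so a failed backup is noticed before it is needed.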
Notes to Students:

1. Your final deliverable should be professionally formatted and should not exceed 10 pages. The goal is to be clear and concise in your reporting of your analysis of this incident. This report should reflect your learning and analysis. For that reason, the citation rules are relaxed and you may write from your own knowledge as an “expert.” BUT, if you paste exact phrases, sentences, or paragraphs from another document or resource, you must cite that source using an appropriate citation style (e.g. footnotes, end notes, in-text citations).

2. You may include annotated diagrams if necessary to illustrate your analysis and/or make your point(s). You may use the figures in this assignment as the foundation for diagrams in your final report (no citations required).

3. Use the NIST Incident Handling Process (see Table 1) to guide your incident analysis. You do not need to cite a source for this table.

4. You may assume that the company has implemented one or more of the IT products that you recommended in your Case Studies for this course. You may also assume that the company is using the incident response guidance documents that you wrote for your labs and that the associated operating systems utilities are in use (e.g. you can assume that system backups are being made, etc.).

5. DOCUMENT YOUR ASSUMPTIONS about people, processes, and technologies as if they were fact. But, don’t change any of the factual information provided in the incident report from the Red Team.

6. Use the incident report form that appears at the end of this file. Copy it to a new MS Word document. Insert a title page at the beginning of your file and include the title of the report, your name, and the due date.

7. After you perform your incident analysis, fill in the required information in the provided form (see the end of this file). Attach the file to your assignment folder entry, and submit it for grading as your final project.

8. For section 1 of the form, use your own name but provide reasonable but fictitious information for the remaining fields.

9. For section 2 of the form, assign IP addresses in the following ranges to any servers, workstations, or network connections that you need to discuss.
a. R&D Center 10.10.120.0/24
b. Test Range 10.10.128.0/24
c. Corporate Headquarters 10.10.135.0/24

10. For sections 2, 3, and 5, you should use and interpret information provided in this file (Overview, Background, Issues Summary). You may use a judicious amount of creativity, if necessary, to fill in any missing information.

11. For section 4 of the form you may provide a fictitious cost estimate based upon $100 per hour for IT staff to perform “clean-up” activities. Reasonable estimates are probably in the range of 150 to 300 person hours. What’s important is that you document how you arrived at your cost estimate.

12. Discuss the contract requirements and derivative requirements for cybersecurity at Sifers-Grayson in 3 to 5 paragraphs under “Section 6 General Comments.”

NIST Incident Handling Checklist by Phase

Detection and Analysis
1. Determine whether an incident has occurred
1.1 Analyze the precursors and indicators
1.2 Look for correlating information
1.3 Perform research (e.g., search engines, knowledge base)
1.4 As soon as the handler believes an incident has occurred, begin documenting the investigation and gathering evidence
2. Prioritize handling the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.)
3. Report the incident to the appropriate internal personnel and external organizations

Containment, Eradication, and Recovery
4. Acquire, preserve, secure, and document evidence
5. Contain the incident
6. Eradicate the incident
6.1 Identify and mitigate all vulnerabilities that were exploited
6.2 Remove malware, inappropriate materials, and other components
6.3 If more affected hosts are discovered (e.g., new malware infections), repeat the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then contain (5) and eradicate (6) the incident for them
7. Recover from the incident
7.1 Return affected systems to an operationally ready state
7.2 Confirm that the affected systems are functioning normally
7.3 If necessary, implement additional monitoring to look for future related activity

Post-Incident Activity
8. Create a follow-up report
9. Hold a lessons learned meeting (mandatory for major incidents, optional otherwise)

Source: NIST SP 800-61r2. Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide (NIST SP 800-61 rev. 2). http://dx.doi.org/10.6028/NIST.SP.800-61r2

SIFERS-GRAYSON CYBERSECURITY INCIDENT REPORT FORM

1. Contact Information for the Incident Reporter and Handler
– Name
– Role
– Organizational unit (e.g., agency, department, division, team) and affiliation
– Email address
– Phone number
– Location (e.g., mailing address, office room number)

2. Incident Details
– Status change date/timestamps (including time zone): when the incident started, when the incident was discovered/detected, when the incident was reported, when the incident was resolved/ended, etc.
– Physical location of the incident (e.g., city, state)
– Current status of the incident (e.g., ongoing attack)
– Source/cause of the incident (if known), including hostnames and IP addresses
– Description of the incident (e.g., how it was detected, what occurred)
– Description of affected resources (e.g., networks, hosts, applications, data), including systems’ hostnames, IP addresses, and function
– If known, incident category, vectors of attack associated with the incident, and indicators related to the incident (traffic patterns, registry keys, etc.)
– Prioritization factors (functional impact, information impact, recoverability, etc.)
– Mitigating factors (e.g., stolen laptop containing sensitive data was using full disk encryption)
– Response actions performed (e.g., shut off host, disconnected host from network)
– Other organizations contacted (e.g., software vendor)

3. Cause of the Incident (e.g., misconfigured application, unpatched host)

4. Cost of the Incident

5. Business Impact of the Incident

6. General Comments

Final Project: Incident Response Exercise & Report

Your Task

You have been assigned to work incident clean-up as part of the Sifers-Grayson Blue Team. Your task is to assist in analyzing and documenting the incident described below. The Blue Team has already created a set of enterprise architecture diagrams (see figures 1-4) to help with your analysis of the incident and preparation of the incident report as required by the company’s contracts with the federal government. After completing their penetration tests, the Red Team provided Sifers-Grayson executives with a diagram showing their analysis of the threat environment and potential weaknesses in the company’s security posture for the R&D DevOps Lab (see figure 5).
Your Deliverable

Complete and submit the Incident Report form found at the end of this file. Consult the “Notes to Students” for additional directions regarding completion of the form.

Overview of the Incident

Sifers-Grayson hired a cybersecurity consulting firm to help it meet the security requirements of a contract with a federal agency. The consulting firm’s Red Team conducted a penetration test and was able to gain access to the engineering center’s R&D servers by hacking into the enterprise network through an unprotected network connection (see figure 2). The Red Team proceeded to exfiltrate files from those servers and managed to steal 100% of the design documents and source code for the AX10 Drone System. The Red Team also reported that it had stolen passwords for 20% of the employee logins using keylogging software installed on USB keys that were left on the lunch table in the headquarters building employee lounge (see Figure 3). The Red Team also noted that the Sifers-Grayson employees were quite friendly and talkative as they opened the RFID controlled doors for the “new folks” on the engineering staff (who were actually Red Teamers). The Red Team continued its efforts to penetrate the enterprise and used a stolen login to install malware over the network onto a workstation connected to a PROM burner in the R&D DevOps lab (See Figure 3). This malware made its way onto a PROM that was then installed in an AX10-a test vehicle undergoing flight trials at the Sifers-Grayson test range (See Figures 1 and 4). The malware “phoned home” to the Red Team over a cellular connection to the R&D center. The Red Team took control of the test vehicle and flew it from the test range to a safe landing in the parking lot at Sifers-Grayson headquarters.

Background

Sifers-Grayson is a family owned business headquartered in Grayson County, Kentucky, USA. The company’s physical address is 1555 Pine Knob Trail, Pine Knob, KY 42721. The president of the company is Ira John Sifers, III. He is the great-grandson of one of the company’s founders and is also the head of the engineering department. The chief operating officer is Michael Coles, Jr. who is Ira John’s great nephew. Mary Beth Sifers is the chief financial officer and also serves as the head of personnel for the company.

Recent contracts with the Departments of Defense and Homeland Security have imposed additional security requirements upon the company and its R&D DevOps and SCADA labs operations. The company is now required to comply with NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. The company must also comply with provisions of the Defense Federal Acquisition Regulations (DFARS) including section 252-204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. These requirements are designed to ensure that sensitive technical information, provided by the federal government and stored on computer systems in the Sifers-Grayson R&D DevOps and SCADA labs, is protected from unauthorized disclosure. This information includes software designs and source code. The contract requirements also mandate that Sifers-Grayson report cyber incidents to the federal government in a timely manner.

SCADA Lab

The SCADA lab was originally set up in 1974. It has been upgraded and rehabbed several times since then. The most recent hardware and software upgrades were completed three years ago after the lab was hit with a ransomware attack that exploited several Windows XP vulnerabilities. At that time, the engineering and design workstations were upgraded to Windows 8.1 professional. A second successful ransomware attack occurred three months ago.
The company paid the ransom in both cases because the lab did not have file backups that it could use to recover the damaged files (in the first case) and did not have system backups that it could use to rebuild the system hard drives (in the second case). The SCADA Lab is locked into using Windows 8.1. The planned transition to Windows 10 is on indefinite hold due to technical problems encountered during previous attempts to modify required software applications to work under the new version of the operating system. This means that an incident response and recovery capability for the lab must support the Windows 8.1 operating system and its utilities.

R&D DevOps Lab

The R&D DevOps Lab was built in 2010 and is used to develop, integrate, test, support, and maintain software and firmware (software embedded in chips) for the company’s robots, drones, and non-SCADA industrial control systems product lines. The workstations in this lab are running Windows 10 and are configured to receive security updates per Microsoft’s monthly schedule.

Enterprise IT Operations

The company uses a combination of Windows 10 workstations and laptops as the foundation of its enterprise IT capabilities. The servers in the data center and the engineering R&D center are built upon Windows Server 2012.

Issues Summary:

1. Newly won government contracts now require compliance with DFARS §252.204-7008, 7009, and 7012
· http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm
· http://www.acq.osd.mil/se/docs/DFARS-guide.pdf

2. Derivative requirements include:
· Implementation of and compliance with NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf
· Compliance with DFARS 252.239-7009 Representation of Use of Cloud Computing and 7010 Cloud Computing Services (see https://www.acq.osd.mil/dpap/dars/dfars/html/current/252239.htm#252.239-7009)

3. Additional Contractual Requirements for Lab Operations include:
· Incident Response per NIST SP-800-61 (Computer Security Incident Handling Guide)
· SCADA Security per NIST SP 800-82 (Guide to Industrial Control Systems Security)
· Software / Systems Development Lifecycle (SDLC) Security per NIST SP 800-64 (Security Considerations in the System Development Life Cycle)
· Configuration Management per NIST SP 800-128 (Guide for Security-Focused Configuration Management of Information Systems)
Words for the Wise …

Do not let “perfection” be a barrier to completing this assignment. It’s more important to be on-time and provide SOME analysis in a professional format than to find and document every single possible vulnerability.

Figure 1. Overview of Sifers-Grayson Enterprise IT Architecture
Figure 2. Combined Network and Systems Views: Sifers-Grayson Headquarters, R&D Center, and Data Center
Figure 3. Combined Network and Systems View for Sifers-Grayson R&D DevOps Lab
Figure 4. Combined Communications and Systems Views for Sifers-Grayson Test Range
Figure 5. Threat Landscape for Sifers-Grayson R&D DevOps Lab
Rubric Name: Final Project - Incident Report

Criteria (with points) and the description of an Excellent response:

Section 1: Contact Information (10 points)
Provided an acceptable title page for the file. Provided a complete section 1 of the Incident Report Form that included realistic but fictionalized data for all of the following fields:
· Name
· Role
· Organizational Unit and affiliation
· Email address
· Phone Number
· Location

Section 2: Incident Details (25 points)
Provided an excellent report of the incident details as required by the NIST template. Responses for all items were clear, concise, and reflected the analysis of the Blue Team with additional contributions by this student.

Section 3: Cause of the Incident (25 points)
Provided an excellent report of the incident causes using information reported by the Red Team (from the assignment) and additional analysis performed by the Blue Team and this student. Appropriately used information from the Sifers-Grayson Overview and Enterprise Architecture diagrams. Reporting of the analysis was clear, concise, and reflected the analysis of the Blue Team with additional contributions by this student.

Sections 4 & 5: Cost and Impact (10 points)
Provided an excellent analysis of the potential costs and impacts of the incident as reported by the Red Team. Analysis was clear and concise. Included information from the Blue Team and supplemented it with additional analysis by this student.

Section 6: General Comments (10 points)
Provided an excellent discussion of the contract requirements and derivative requirements for cybersecurity at Sifers-Grayson (clear, concise, accurate). Included information from the Blue Team and supplemented it with additional analysis by this student. Included additional information as necessary to provide explanations and improve overall clarity for the incident response report.

Professionalism: Execution (20 points)
Work is professional in appearance and organization (appropriate and consistent use of fonts, headings, color). No word usage, grammar, spelling, or punctuation errors. All quotations (copied text) are properly marked and cited using a professional format. (APA format recommended but not required.)

RESOURCES

Computer security incident handling guide (NIST SP 800-61 rev. 2) - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf