This document summarizes key aspects of cybersecurity incident response based on a chapter from the textbook "Protecting National Infrastructure". It discusses the importance of both front-loaded prevention and back-loaded recovery in incident response processes. It also covers the roles of incident response teams, forensic analysis, disaster recovery planning, and national response program coordination. Maintaining situational awareness is highlighted as important for understanding an organization's security posture and risk levels over time.

1. Running Head: Personal Reflection 1
Personal Reflection 1
Personal Reflection
By
Anil Kumar Bandi
Professor Dr. Giovanni Silvestri
University of Cumberlands
Emerging Threats & Countermeas (ITS-834-07)
Abstract
This practical connect assignment is based on my learnings and
take-aways from this course. This paper addresses the various
aspects of my learnings and how I can apply the learnings in my
workplace. Further, major learnings and some important
concepts that I have learnt have been discussed. Importance of
security issues of IT systems have been discussed as well.

2. Information Technology has started to affect all aspects of
human life in various manners. The impact of this is that IT has
become an integral part of the lives of everyone in their
professional as well as personal space. As a professional
working with the development of IT, my job as a software
engineer requires me to have a detailed knowledge of all the
changes that are being introduced in the area of information
technology and the new tools that have been developed for
assisting the professionals in the technical area.
I took up this course for the sake of increasing and expanding
my knowledge in the different areas of implementing IT
services at a workplace. Through the course, I learned about the
different types of security measures that are important for a
company. I learned about some of the basic types of attacks that
can happen on the companies like the one I work for. I also
understood about the ways in which the hackers and cyber
attackers have changed their ways of stealing data and
information and the measures that an IT professional can take in
order to protect the information of their company from such
attacks (Stallings, 2016).
One of the most important concepts that I leaned from this
course is about the details of developing a security unit IT
system. As the nature of the cyber-attacks has become much
diverse than it was a few years back, installing firewalls on the
IT unit cannot guarantee a complete protection from these kinds
of attacks. Apart from this, there are many new kinds of attacks
that have started to be practiced because it is difficult to detect
them for a system administrator like the DDoS attacks. Through
this course, I learned about some of these types of attacks and

3. the ways in which the effect of such attacks can be mitigated
while ensuring that the threats are reduced for the future as well
(Graham et al., 2016).
Another important aspect of IT that I learned about in the
course that I found very interesting was that of the protection of
National Infrastructure. through the course, I learned that there
are much complicated and sophisticated systems that the various
national departments of the country are using. Considering that
these systems affect the life of the common people due to the
abundance of information stored in them, the security of these
systems be a major challenge. However, in order to overcome
these challenges, experts are continuously working on
techniques like separation, correlation, diversity, commonality
and depth (Bullock et al., 2017).
By learning all these concepts, I believe that I have become a
better informed professional and I can use the information that I
have gained from this course into my personal work space.
Through these methods, I am already contribution to a much
safer security system that s being developed by the IT unit of
my company. I have also learned about the importance of
information and staying updated during the course which I will
continue to do on my own level after it is over (Mingst et al.,
2018).
References
Bullock, J. A., Haddow, G. D., & Coppola, D. P.
(2017). Homeland security: the essentials. Butterworth-
Heinemann.
Graham, J., Olson, R., & Howard, R. (2016). Cyber security
essentials. Auerbach Publications.
Mingst, K. A., McKibben, H. E., & Arreguin-Toft, I. M.
(2018). Essentials of international relations. WW Norton &
Company.
Stallings, W. (2016). Network security essentials: applications
and standards. Pearson.

4. 1
Copyright © 2012, Elsevier Inc.
All Rights Reserved
Chapter 11
Response
Cyber Attacks
Protecting National Infrastructure, 1st ed.
2
• Incident response process is the most familiar
component of any cyber security program
• A cyber security program will contain at least the
following
– Incident trigger
– Expert gathering
– Incident analysis
– Response activities
Copyright © 2012, Elsevier Inc.

5. All rights Reserved
C
h
a
p
te
r 1
1
–
R
e
s
p
o
n
s
e
Introduction
3
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te

6. r 1
1
–
R
e
s
p
o
n
s
e
Fig. 11.1 – General incident response
process schema
4
• There are two fundamental types of triggers
– Tangible, visible effects of an attack
– Early warning and indications information
• Thus, two approaches to incident response processes
– Front-loaded prevention
– Back-loaded recovery
• The two approaches should be combined for
comprehensive response picture
• Protecting national assets is worth suffering a high
number of false positives

7. Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
1
–
R
e
s
p
o
n
s
e
Pre- Versus Post-Attack Response
5
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h

8. a
p
te
r 1
1
–
R
e
s
p
o
n
s
e
Fig. 11.2 – Comparison of front-loaded
and back-loaded response processes
6
• Front-loaded prevention critical to national
infrastructure protection
• Taxonomy of early warning process triggers
– Vulnerability information
– Changes in profiled behavioral metrics
– Match on attack metric pattern
– Component anomalies

9. – External attack information
• Front-loaded prevention have a high sensitivity to
triggers
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
1
–
R
e
s
p
o
n
s
e
Indications and Warning
7
Copyright © 2012, Elsevier Inc.

10. All rights Reserved
C
h
a
p
te
r 1
1
–
R
e
s
p
o
n
s
e
Fig. 11.3 – Comparison of trigger
intensity threshold for response
8
• Optimal incident response team includes two
components
– A core set of individuals
– A set of subject matter experts
• In complex settings, with multiple incidents,
important for team to not work at cross-purposes

11. Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
1
–
R
e
s
p
o
n
s
e
Incident Response Teams
9
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h

12. a
p
te
r 1
1
–
R
e
s
p
o
n
s
e
Fig. 11.4 – Management of
simultaneous response cases
10
• Response teams in a national setting must plan for
multiple concurrent attacks aimed at a company or
agency
• Considerations for proper planning include
– Avoidance of a single point of contact individual
– Case management automation
– Organizational support for expert involvement
– 24/7 operational support

13. Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
1
–
R
e
s
p
o
n
s
e
Incident Response Teams
11
• Questions addressed in the forensic analysis process
include
– Root cause
– Exploits

14. – State
– Consequences
– Action
• Great care must be taken to protect and preserve
evidence
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
1
–
R
e
s
p
o
n
s
e
Forensic Analysis

15. 12
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
1
–
R
e
s
p
o
n
s
e
Fig. 11.5 – Generic high-level forensic
process schema
13
• Internal expert most likely the best to lead a
company investigation
• Forensic analysts need the following

16. – Culture of relative freedom
– Access to interesting technology
– Ability to interact externally
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
1
–
R
e
s
p
o
n
s
e
Forensic Analysis
14
• Should law enforcement be involved and called upon

17. for support?
• Carefully review local, regional, and national laws
regarding when law enforcement must be contacted
• Figure 11.6 outlines a decision process
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
1
–
R
e
s
p
o
n
s
e
Law Enforcement Issues
15

18. Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
1
–
R
e
s
p
o
n
s
e
Fig. 11.6 – Decision process for law
enforcement involvement in forensics
16
• Three Components of a Disaster Recovery Program
– Preparation
– Planning
– Practice

19. Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
1
–
R
e
s
p
o
n
s
e
Disaster Recovery
17
Fig. 11.7 – Disaster recovery exercise
configurations
Copyright © 2012, Elsevier Inc.
All rights Reserved

20. C
h
a
p
te
r 1
1
–
R
e
s
p
o
n
s
e
18
• National programs can provide centralized
coordination
– Intrasector coordination should be encouraged
• Currently, coordination is not the main focus of most
national emergency response team programs
Copyright © 2012, Elsevier Inc.
All rights Reserved
C

21. h
a
p
te
r 1
1
–
R
e
s
p
o
n
s
e
National Response Program
19
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
1

22. –
R
e
s
p
o
n
s
e
Fig. 11.8 – National response program
coordination interfaces
1
Copyright © 2012, Elsevier Inc.
All Rights Reserved
Chapter 10
Awareness
Cyber Attacks
Protecting National Infrastructure, 1st ed.
2
• Situational awareness is the real-time understanding
within an organization of its security risk posture

23. • Awareness of security posture requires consideration
of the following
– Known vulnerabilities
– Security infrastructure
– Network and computing architecture
– Business environment
– Global threats
– Hardware and software profiles
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
0
–
A
w
a
re
n

24. e
s
s
Introduction
3
Fig. 10.1 – Optimal period of system
usage for cyber security
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
0
–
A
w
a
re
n
e
s

25. s
4
• Factoring in all elements of situational awareness
should create an overview of current security risk
• Descriptors such as high, medium, and low are too
vague to be helpful
• Security risk levels should be linked with actionable
items
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
0
–
A
w
a
re
n

26. e
s
s
Introduction
5
Fig. 10.2 – Rough dashboard estimate
of cyber security posture
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
0
–
A
w
a
re
n
e
s

27. s
6
Fig. 10.3 – Security posture changes
based on activity and response
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
0
–
A
w
a
re
n
e
s
s

28. 7
Detecting Infrastructure Attacks
• No security task is more difficult and complex than
the detection of an ongoing attack
• Many tools for detecting attack, yet none
comprehensive or foolproof
• Determination of risk level is a fluid process
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
0
–
A
w
a
re
n
e
s
s

29. 8
Fig. 10.4 – Attack confidence changes
based on events
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
0
–
A
w
a
re
n
e
s
s
9

30. Managing Vulnerability Information
• Situational awareness for national infrastructure
protection requires a degree of attention to daily
trivia around vulnerability information
• Practical heuristics for managing vulnerability
information
– Structured collection
– Worst case assumptions
– Nondefinitive conclusions
– Connection to all sources
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
0
–
A
w
a
re

31. n
e
s
s
10
Fig. 10.5 – Vulnerability management
structure
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
0
–
A
w
a
re
n
e
s

32. s
11
Managing Vulnerability Information
• Three basic rules for managers
– Always assume adversary knows as much or more about
your infrastructure
– Assume the adversary is always keeping vulnerability-
related secrets from you
– Never assume you know everything relevant to the
security of your infrastructure
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
0
–
A
w

33. a
re
n
e
s
s
12
Cyber Security Intelligence Reports
• Daily cyber security intelligence reports are standard
in government agencies
• They would be useful in enterprise settings
• A cyber security intelligence report would include
– Current security posture
– Top and new security risks
– Automated metrics
– Human interpretation
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p

34. te
r 1
0
–
A
w
a
re
n
e
s
s
13
Cyber Security Intelligence Reports
• Tasks for creating a cyber security intelligence report
– Intelligence gathering
– Interpretation and publication
– Dissemination and archiving
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h

35. a
p
te
r 1
0
–
A
w
a
re
n
e
s
s
14
Fig. 10.6 – Cyber security intelligence
report creation and dissemination
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te

36. r 1
0
–
A
w
a
re
n
e
s
s
15
Risk Management Process
• Security risks must be tracked and prioritized
• Generally agreed upon approach to measuring risk
associated with specific components begins with two
estimations
– Liklihood
– Consequences
• Actual numeric value of risk less important than
overall relative risk
• A useful construct compares security risk against cost
of recommended action

37. Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
0
–
A
w
a
re
n
e
s
s
16
Fig. 10.7 – Risk versus cost decision
path structure
Copyright © 2012, Elsevier Inc.
All rights Reserved

38. C
h
a
p
te
r 1
0
–
A
w
a
re
n
e
s
s
17
Risk Management Process
• Increasing risks likely incur increased costs
• Summary of management considerations
– Maintaining a prioritized list of security risks
– Justifying all decisions
Copyright © 2012, Elsevier Inc.

39. All rights Reserved
C
h
a
p
te
r 1
0
–
A
w
a
re
n
e
s
s
18
Security Operations Centers
• The security operations center (SOC) is the most
visible realization of real-time security situational
awareness
• Most SOC designs begin with centralized model – a
facility tied closely to operation

40. • A global dispersal of SOC resources is an around-the-
clock real-time analysis of security threats
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
0
–
A
w
a
re
n
e
s
s
19
Fig. 10.8 – Security operations center
(SOC) high-level design
Copyright © 2012, Elsevier Inc.

41. All rights Reserved
C
h
a
p
te
r 1
0
–
A
w
a
re
n
e
s
s
20
• A national-level view of security posture will require
consideration of the following
– Commercial versus government information
– Information classification
– Agency politics

42. – SOC responsibility
Copyright © 2012, Elsevier Inc.
All rights Reserved
C
h
a
p
te
r 1
0
–
A
w
a
re
n
e
s
s
National Awareness Program
Your final research paper assignment is to write a research
paper that explains how defense-in-depth (chapter 6) and
awareness (chapter 10) are complimentary techniques to detect
emerging threats and strengthen countermeasures.
To complete this assignment, upload a Microsoft Word
document (.doc or .docx) that contains your complete paper.

43. Remember that your list of sources must be in APA format, and
you MUST cite your reference in the body of the paper using
APA in-text citation format. A source is any paper or article
that you will reference in your paper. If you need more
information on APA format (for references list AND in-text
citations), visit this reference:
https://owl.english.purdue.edu/owl/resource/560/01/
This assignment must be YOUR OWN WORK! This is an
individual assignment. Plagiarism detected in your work will
result in a grade of zero for the entire paper. (Originality report
should be at least 35% or less.)
Here are a few details about the overall research paper Please
look at the attached rubric for details on how the paper will be
graded.
You must reference two (2) peer-reviewed articles or papers
that support your thesis statement. One of these papers may be
from your annotated bibliography assignment. The final paper
must be at least 500 words in length. (DO NOT exceed 500
words by a material amount. Excessive words or too many
references will NOT impress me.)
So in summary, here are the research paper requirements:
· 2 peer reviewed resources (articles or papers) (1 may be from
your annotated bibliography assignment)
· Paper MUST address: How defense-in-depth (chapter 6) and
awareness (chapter 10) are complimentary techniques to detect
emerging threats and strengthen countermeasures
· Cited sources must directly support your paper (i.e. not
incidental references)
· At least 500 words in length (but NOT longer than 1000
words)
· Originality report should be at least 35% or less.
Admin Notes:
APA Paper Formatting guidelines
1.Title page
2.Abstract
3.Body

44. 4.Text citation and references
Additionally
-As usual, the text is typed on standard white paper that has
familiar parameters of 8.5" x 11".
-The APA style requires using an easy to read font and
recommends using a 12pt Times New Roman font.
-Double spacing is required on both the title page and
throughout the paper.
-Margins should be 1" concerning all sides of the page.
-Paragraph indentation should be set to one half inch from the
left side of the page.
-The unique aspect is in creating a special page header that
consists of the page number and the running head as typed on
the title page in all capitals.