
Step 1: Establish Team Agreement Plan | Cybersecurity Risk Assessment including Vulnerability Matrix

Despite all of the work that a cyber management team may do with respect to systems design, network security protocols, hardware and software maintenance, training, policies, implementation, maintenance, and monitoring, breaches can and do occur. In this project, you will work with a team of other cyber professionals to analyze and respond to anomalous network activities.

The graded deliverable for Project 2 is a packaged report to the CISO on the risk and network intrusion, to be completed as a team. The deliverable to the CISO will include the following five parts:

  • Cybersecurity Risk Assessment including Vulnerability Matrix
  • Incident Response Plan
  • Service-Level Agreement
  • FVEY Indicator Sharing Report
  • Final Forensic Report

After reading the scenario below, proceed to Step 1, where you will establish your team agreement plan.

Map of world with key cities marked in the United States, Europe, and Africa. Lines are drawn between cities to show cyber attacks.

The US reports exfiltration has been detected in the IDS (intrusion detection system). All nations will perform forensic analysis and collect corroborating information to identify who was the bad actor.

Prior to the summit, your nation team was tasked with setting up its own independent secure comms network. Now, at 3 a.m., just hours before the summit begins, you receive a text message from your CISO that reads: "I need to meet with the team immediately about an urgent matter. Please come to the conference room next to my hotel room now so we can discuss it."

You quickly dress and head to the conference room. When you arrive, she breaks the news to your team: The nation hosting the summit has detected exfiltration in its IDS (intrusion detection system). It is likely that this pattern of network traffic could result in buffer overflows or other vulnerabilities such as denial of service. Each nation's server is at risk.

"The report shows that the pattern of network traffic is anomalous," says the CISO. "And the point of origin is internal. Someone at the summit is involved in this."

Given the nature of the summit, participants understand that all nations are allied and have a common goal. "None of the FVEY members would have done this," says a colleague. "It's got to be the Russians or the Chinese. Friends don't read each other's mail."

The CISO says, "No one is above suspicion here. Our FVEY partners have been known to both collect intelligence and seek to embarrass other partners when it suited their strategic needs. It could have been anyone. Until we know for sure, though, we will continue to regard them as allies."


Leaders of the nations at the summit agree they all need to perform forensic analysis on their respective systems to identify the bad actor.

Your CISO continues. "Let's get to the bottom of this. We're all familiar with DDoS attacks; do you think that's what we're dealing with here? Or do you think there's more? Use our packet sniffing tools to analyze the network traffic. Additionally, we need to identify attack vectors and attributes. Give me any information you can find on the tools, techniques, and the identity of this bad actor. Also, establish an incident response plan that we can use in case of another cyber event."

"Our systems went down due to this DDoS. We need to examine the service-level agreement to see what it will take to get the summit back up and running. After our analysis, we need to quickly let our allies know how to protect their networks through an indicator sharing report.

"Remember, no one is above suspicion—not even our allies. Got it?"

Everyone nods in agreement. The CISO says, "Good. Now get to work. I'm going to try to go back to sleep for a few hours."

When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.

2.2: Locate and access sufficient information to investigate the issue or problem.

4.4: Demonstrate diversity and inclusiveness in a team setting.

5.3: Support policy decisions with the application of specific cybersecurity technologies and standards.

8.1: Employ ethics when planning and conducting forensic investigations, and when testifying in court.

8.2: Incorporate international issues including culture and foreign language to plans for investigations.

5.8: Apply procedures, practices, and technologies for protecting web servers, web users, and their surrounding organizations.

6.1: Knowledge of methods and procedures to protect information systems and data by ensuring their availability, authentication, confidentiality, and integrity.

Step 1: Establish Team Agreement Plan

Step 2: Identify Attack Vectors

You and your nation state have just suffered an intrusion attack. As a cybersecurity professional, one of the first steps is to identify potential attack vectors. For each known cybersecurity vulnerability and known threat (see addressing cybersecurity threats through risk management and international cybersecurity approaches), you and your team members need to identify attack vectors via information systems hardware, information systems software, operating systems (operating systems fundamentals, operating system protections), telecommunications (Internet Governance), and human factors (intrusion motives/hacker psychology). Then, you must determine whether any attribution is known for the threat actor most likely involved in exploiting each weakness.

Review the materials on attack vectors if a refresher is needed. Once you've identified the attack vectors in this step, you will be able to participate in the next step, in which you will discuss your findings with colleagues and compare the findings with their analyses.

Step 3: Discuss Attack Vectors and Known Attribution

In light of your research in the last step, you will now use your group’s discussion board to share your thoughts with other members of your nation team. Review the findings of classmates in your group, noting points of agreement or disagreement, asking critical questions, and making suggestions for improvement or further research.

You should research incidents of known attribution of the hackers and actors who employ the attack vectors previously discussed by your group. This step provides a variety of options and perspectives for your group to consider when drafting the Attack Vector and Attribution Analysis in the next step.

This step also provides the foundation for research into known attribution, which will help you to discern the motivation for intrusion and the identity of the hackers and actors who employ the attack vectors noted.

Step 4: Analyze Attack Vectors and Known Attribution

You've discussed attack vector and attribution with your nation state team members. In this step, your group will prepare an Attack Vector and Attribution Analysis of your group's findings in the previous steps. The analysis should first identify all possible attack vectors via hardware, software, operating systems, telecommunications, and human factors. Next, you should discuss whether attribution is known for the threat actor (hackers and actors) likely involved in exploiting each weakness. Integrate supporting research via in-text citations and a reference list. This analysis will play a key role in the development of a Vulnerability Assessment Matrix and Cybersecurity Risk Assessment in the next few steps. The designated team member should submit the analysis to the dropbox below.

Step 5: Develop the Vulnerability Assessment Matrix

With the Attack Vector and Attribution Analysis complete, in this step your nation team will assess the impact of identified threats and prioritize the allocation of resources to mitigate or prevent risks. As a group, you will collaborate to develop and submit one Vulnerability Assessment Matrix for your nation. This spreadsheet includes the following:

  • characterization of current and emerging vulnerabilities and threats (cybersecurity vulnerability)
  • identification of the attack vector(s) employed against each
  • your assessment (high, medium, or low) of the impact the vulnerability could have on your organization

Submit your team's matrix for feedback. It should be submitted by the team's designated member. This matrix will be included in the final project deliverable, the Cybersecurity Risk Assessment.

In the next step, you and your nation team members will conduct research on best practices and countermeasures for the kind of attack your nation team sustained at the summit.

Step 6: Research Industry Best Practices and Countermeasures

At this point, you and your team members have analyzed attack vectors and used your research to construct a vulnerability assessment matrix. The next step in the process of analyzing the intrusion is to look at common practices and countermeasures that can be used for the type of attack your team incurred at the summit.

In this step, you and your team members will perform research on best practices for authentication, authorization, and access control methods. You will also research possible countermeasures and cyber offense strategies that may be available. Review the materials on countermeasures and cyber offensives/warfare if needed. This research will help you make recommendations in the cybersecurity risk assessment, which you develop in the next step. Review these resources on risk assessment and risk assessment approaches to prepare for the next step. The following links will provide you with resources on industry standards and best practices:

  • Security Operations
  • Software Development Security
  • Security Assessment and Testing
  • Security Engineering

Step 7: Develop the Cybersecurity Risk Assessment

In this step, your team will prepare the Cybersecurity Risk Assessment in the form of a PowerPoint presentation. This is one of your three final deliverables, which you will submit for feedback as a group, then for individual assessment at the end of the project.

The presentation should identify current measures for authentication, authorization, and access control, and clearly explain weaknesses in your organization's security (to include people, technology, and policy) that could result in successful exploitation of vulnerabilities and/or threats. The presentation should conclude with recommendations (e.g., continue to accept risks, accept some risks (identify them), mitigate some risks (identify them), mitigate all risks, etc.). Include the attack vector and attribution analysis, and the vulnerability matrix from the previous steps.

For guidance on creating presentations, refer to the following:

  • Creating and Delivering Professional Presentations
  • Narrated PowerPoint Presentation
  • Converting PowerPoint and Uploading to YouTube

Submit your Cybersecurity Risk Assessment PowerPoint for feedback by uploading it to YouTube. At the end of this project, your team will submit the presentation in the form of a YouTube link for grading.

Step 8: Define Incident Response, Part 1

It's time to begin work on the next phase of the final analysis of the intrusion, which will include an incident response plan. Such a plan provides a method for containing the impact from a cybersecurity incident. It includes a plan for file recovery and remediation from an incident. All the actions will start from the security baseline analysis, which has been defined for all the nations' network topologies at the summit, using a network security baseline analyzer.

Your nation team will work together to develop an eight- to 10-page Incident Response Plan to use in the event of a cyber incident. This is one of your three final deliverables, which you will submit for feedback as a group, and then for individual assessment at the end of the project.

Begin your first half of the plan by focusing on the environmental conditions and coordination mechanisms. Include:

  • roles and responsibilities
  • phases of incident response
  • scenario: provide an incident response plan in the case of distributed denial-of-service (DDoS) attacks, specifically the case of loss of communications
  • activities, authorities pertaining to roles and responsibilities
  • triggering conditions for actions
  • triggering conditions for closure
  • reports and products throughout the incident response activity
  • tools, techniques, and technologies
  • communications paths and parties involved
  • coordination paths and parties involved
  • external partners and stakeholders, and their place in the coordination and communication paths
  • security controls and tracking
  • recovery objectives and priorities


Your team will continue working on the incident response plan in the next step. You will consider the processes of an active response.

Step 9: Define Incident Response, Part 2

Your team in this step will continue developing the Incident Response Plan. The second half of your report will focus on events and processes of your active response plan. Include the following:

  • incident response checklist. Refer to the NIST Computer Security Incident Handling Guide for an example.
  • data protection mechanisms
  • integrity controls (system integrity checks) after recovery
  • a plan to investigate the network behavior and a threat bulletin that explains this activity
  • defined triggering mechanisms for continuing alerts and notifications throughout the cyber incident
  • additional aspects of the incident response plan necessary to contain a cyber incident on the international domain
  • diagrams of swim lanes of authorities, activities and process flows, coordination and communication paths. Review the Swim Lane Template to familiarize yourself with the concept of swim lanes and swim lane diagrams.

You will complete your incident response plan in the next step. Your incident response plan is critical in outlining your activities during a cyberattack as well as providing direction for recovery.

Step 10: Execute Incident Response

The intrusion activity apparently is not over yet. The CIOs of the nations are still detecting high-volume traffic on their networks. As soon as a surge in activity occurs, network functions and websites become nonoperational. Communications are also affected between the nation teams.

The CIOs have provided information on the anomalous activity. Enter Workspace to obtain the lab materials describing the network traffic activity.

After obtaining and reviewing the lab materials, collaborate with your nation team to decide the next course of action as determined by the eight- to 10-page Incident Response Plan you've been developing. Include an analysis of the lab materials, describing your findings. Provide this information with your Incident Response Plan, which is one of three final deliverables in this project.

Once your team has completed the response plan, a designated team member should submit it for review and feedback. The Incident Response Plan is one of your three final deliverables, which you will submit for feedback as a group, then for individual assessment at the end of the project.

Step 11: Analyze Cyber Defense Information

Step 12: Share the Cyber Defense Information with Nations

Step 13: Evaluate and Execute the DDoS Service-Level Agreement (SLA)

Step 14: Conduct Wireshark Packet Capture Analysis

Step 15: Develop Final Forensic Report

Step 16: Deliver to Your CISO
