Project 2: Nations Behaving Badly
Despite work that cyber management teams perform in regard to systems design, network security protocols, hardware and software maintenance, training, policies, implementation, maintenance, and monitoring, breaches can and do occur. In this project, you will work with a team of other cyber professionals to analyze and respond to anomalous network activities.
The graded submission for Project 2 is a packaged deliverable to the CISO about risk and network intrusion, to be completed as a team. The deliverable to the CISO will include the following five parts:
Cybersecurity Risk Assessment including Vulnerability Matrix
Incident Response Plan
FVEY Indicator Sharing Report
Final Forensic Report
The project will take 15 days to complete. After reading the scenario below, proceed to Step 1, where you will establish your team agreement plan.
The US reports data exfiltration has been detected in the IDS (intrusion detection system). All nations will perform forensic analysis and collect corroborating information to identify the bad actor.
Prior to the summit, your nation team was tasked with setting up its own independent secure comms network. Now, at 3 a.m., just hours before the summit begins, you receive a text message from your CISO that reads: “I need to meet with the team immediately about an urgent matter. Please come to the conference room next to my hotel room now so we can discuss it.”
You quickly dress and head to the conference room. When you arrive, she breaks the news to your team: The nation hosting the summit has detected data exfiltration in its IDS (intrusion detection system). It is likely that this pattern of network traffic could also result in buffer overflows or other attacks such as denial of service. Each nation’s server is at risk.
“The report shows that the pattern of network traffic is anomalous,” says the CISO. “And the point of origin is internal. Someone at the summit is involved in this.”
Given the nature of the summit, participants understand that all nations have a common goal. “None of the FVEY members would have done this,” says a colleague. “It’s got to be the Russians or the Chinese. Friends don’t read each other’s mail.”
The CISO says, “No one is above suspicion here. Our FVEY partners have been known to both collect intelligence and seek to embarrass other partners when it suited their strategic needs. It could have been anyone. Until we know for sure, though, we will continue to regard them as allies.”
Leaders of the nations at the summit agree they all need to perform forensic analysis on their respective systems to identify the bad actor.
Your CISO continues. “Let’s get to the bottom of this. We’re all familiar with data exfiltration attacks; do you think that’s part of what we’re dealing with here? Or do you think there’s more? Use our packet sniffing tools to analyze the network traffic. Additionally, we need to identify attack vectors and attributes. Give me any information you can find on the tools, techniques, and the identity of this bad actor. Also, establish an incident response plan that we can use in case of another cyber event.”
“Our systems went down due to this attack. We need to examine the service-level agreement to see what it will take to get the summit back up and running. After our analysis, we need to quickly let our allies know how to protect their networks through an indicator sharing report.
“Remember, no one is above suspicion—not even our allies. Got it?”
Everyone nods in agreement. The CISO says, “Good. Now get to work. I’m going to try to go back to sleep for a few hours.”
When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.
Step 1: Establish Team Agreement Plan
As a part of your nation team, an agreement needs to be established in order to work efficiently on each project. Begin by revisiting your current team agreement document, which includes a suggested schedule for project completion. Update your team agreement with roles and assignments for this project. Your team will use this document as a guide to establish a plan for completing and submitting the group tasks. When you have completed the plan, resubmit it for review in the dropbox below.
In the next step, you will identify attack vectors.
Step 2: Identify Attack Vectors
You and your nation state have just suffered an intrusion attack. As a cybersecurity professional, one of your first steps is to identify potential attack vectors. For each known cybersecurity vulnerability and known threat (addressing cybersecurity threats through risk management, international cybersecurity approaches), you and your team members need to identify attack vectors via information systems hardware, information systems software, operating systems (operating system fundamentals, operating system protections), telecommunications (internet governance), and human factors (intrusion motives/hacker psychology). Then, you must determine whether any attribution is known for the threat actor most likely involved in exploiting each weakness.
Review the materials on attack vectors if a refresher is needed. Once you’ve identified the attack vectors in this step, you will be able to participate in the next step, in which you will discuss your findings with colleagues and compare the findings with their analyses.
Step 3: Discuss Attack Vectors and Known Attribution
In light of your research in the last step, you will now use your group’s discussion board to share your thoughts with other members of your nation team. Review the findings of classmates in your group, noting points of agreement or disagreement, asking critical questions, and making suggestions for improvement or further research.
You should research incidents of known attribution of the hackers and actors who employ the attack vectors previously discussed by your group. This step provides a variety of options and perspectives for your group to consider when drafting the Attack Vector and Attribution Analysis in the next step.
This step also provides the foundation for research into known attribution, which will help you to discern the motivation for intrusion as well as the identity of the hackers and actors who employ the attack vectors noted.
Step 4: Analyze Attack Vectors and Known Attribution
You’ve discussed attack vectors and attribution with your nation state team members. In this step, your group will prepare an Attack Vector and Attribution Analysis of your group’s findings in the previous steps. The analysis should first identify all possible attack vectors via hardware, software, operating systems, telecommunications, and human factors. Next, you should discuss whether attribution is known for the threat actor (hackers and actors) likely involved in exploiting each weakness. Integrate supporting research via in-text citations and a reference list. This analysis will play a key role in the development of a Vulnerability Assessment Matrix and Cybersecurity Risk Assessment in the next few steps.
Step 5: Develop the Vulnerability Assessment Matrix
With the Attack Vector and Attribution Analysis complete, in this step your nation team will assess the impact of identified threats and prioritize the allocation of resources to mitigate or prevent risks. As a group, you will collaborate to develop and submit one Vulnerability Assessment Matrix for your nation. This spreadsheet includes the following:
characterization of current and emerging vulnerabilities and threats (cybersecurity vulnerability)
identification of the attack vector(s) employed
your assessment (high, medium, or low) of the impact the vulnerability could have on your organization
Submit your team’s matrix for feedback. This matrix will be included in the final project deliverable, the Cybersecurity Risk Assessment.
In the next step, you and your nation team members will conduct research on best practices and countermeasures for the kind of attack your nation team sustained at the summit.
Step 6: Research Industry Best Practices and Countermeasures
At this point, you and your team members have analyzed attack vectors and used your research to construct a vulnerability assessment matrix. The next step in the process of analyzing the intrusion is to look at common practices and countermeasures that can be used for the type of attack your team incurred at the summit.
In this step, you and your team members will perform research on current best practices for authentication, authorization, and access control methods. You will also research possible countermeasures and cyber offense strategies that may be available. Review the materials on countermeasures and cyber offensives/warfare if needed. This research will help you make recommendations in the cybersecurity risk assessment, which you develop in the next step. Approach your research with transparency to support trust among your team. Review these resources on risk assessment and risk assessment approaches to prepare for the next step. The following links will provide you with resources on industry standards and best practices:
Software Development Security
Security Assessment and Testing
Step 7: Develop the Cybersecurity Risk Assessment
In this step, your team will prepare the Cybersecurity Risk Assessment in the form of a PowerPoint presentation. This is one of your three final deliverables, which you will submit for feedback as a group, and then for individual assessment at the end of the project.
The presentation should identify current measures for authentication, authorization, and access control, and clearly explain weaknesses in your organization’s security (to include people, technology, and policy) that could result in successful exploitation of vulnerabilities and/or threats. The presentation should conclude with recommendations (e.g., continue to accept risks, accept some risks (identify them), mitigate some risks (identify them), mitigate all risks, etc.). Include the attack vector and attribution analysis, and the vulnerability matrix from the previous steps. Don’t try to shoehorn every point into your presentation. For guidance on creating presentations, refer to the following:
Creating and Delivering Professional Presentations
Record a Slide Show with Narration and Slide Timings
Converting PowerPoint and Uploading to YouTube
Submit your Cybersecurity Risk Assessment PowerPoint for feedback by uploading it to YouTube. At the end of this project, your team will submit the presentation in the form of a YouTube link for grading.
Step 8: Define Incident Response, Part 1
It’s time to begin work on the next phase of the final analysis of the intrusion, which will include an incident response plan. Such a plan provides a method for containing the impact from a cybersecurity incident. It includes a plan for file recovery and remediation from an incident. All the actions will start from the security baseline analysis, which has been defined for all the nations’ network topologies at the summit, using a network security baseline analyzer.
Your nation team will work together to develop an eight- to 10-page Incident Response Plan to use in the event of a cyber incident. This is one of your three final deliverables, which you will submit for feedback as a group, and then for individual assessment at the end of the project.
Begin your first half of the plan by focusing on the environmental conditions and coordination mechanisms. Include:
1. roles and responsibilities
2. phases of incident response
3. scenario—provide an incident response plan in the case of distributed data exfiltration attacks, specifically the case of loss of communications
4. activities, authorities pertaining to roles and responsibilities
5. triggering conditions for actions
6. triggering conditions for closure
7. reports and products throughout the incident response activity
8. tools, techniques, and technologies
9. communications paths and parties involved
10. coordination paths and parties involved
11. external partners and stakeholders, and their place in the coordination and communication paths
12. security controls and tracking
13. recovery objectives and priorities
Your team will continue working on the incident response plan in the next step. You will consider the processes of an active response.
Step 9: Define Incident Response, Part 2
Your team in this step will continue developing the Incident Response Plan. The second half of your report will focus on events and processes of your active response plan. Include the following:
14. incident response checklist. Refer to the NIST Computer Security Incident Handling Guide for an example.
15. data protection mechanisms
16. integrity controls (system integrity checks) after recovery
17. a plan to investigate the network behavior and a threat bulletin that explains this activity
18. defined triggering mechanisms for continuing alerts and notifications throughout the cyber incident
19. additional aspects of the incident response plan necessary to contain a cyber incident on the international domain
20. diagrams of swim lanes of authorities, activities and process flows, coordination and communication paths. Review the Swim Lane Template to familiarize yourself with the concept of swim lanes and swim lane diagrams.
You will complete your incident response plan in the next step. Your incident response plan is critical in outlining your activities during a cyberattack as well as providing direction for recovery.
Step 10: Execute Incident Response
The intrusion activity apparently is not over yet. The CIOs of the nations are still detecting high-volume traffic on their networks. As soon as there is a surge in activity, network functions and websites become nonoperational. Communications between the nation teams are also affected.
The CIOs have provided information on the anomalous activity. Enter Workspace to obtain the lab materials describing the network traffic activity.
After obtaining and reviewing the lab materials, collaborate with your nation team to decide the next course of action as determined by the eight- to 10-page Incident Response Plan you’ve been developing. Include an analysis of the lab materials, describing your findings. Provide this information with the Incident Response Plan.
The Incident Response Plan is one of your three final deliverables, which you will submit for feedback as a group, then for individual assessment at the end of the project.
Step 11: Analyze Cyber Defense Information
This step includes a mandatory lab exercise. The teams should work together on the exercise, relying on each other’s expertise in the subject area of the exercise. The findings will be included in your team’s Security Baseline Report.
The attack continues. Now the CIO reports high-volume activity shutting down web access to the summit and to the attending nations’ government websites. In addition, the volume impact has also caused latency in third-party websites whose processes and data sharing are linked to the summit and to the nations’ government websites.
Your team now enters Workspace to analyze the .pcap files the CIOs have provided. You will analyze the .pcap files to understand some of the conditions that may have led to this high-volume traffic, an apparent DoS attack.
Compile screenshots and your analyses of the DoS events affecting the summit, the nations’ government web pages, and third-party websites as well, where relevant. Maintain your Wireshark packet analysis for any future investigations.
Step 12: Share the Cyber Defense Information With Nations
Now that you have analyzed the .pcap contents, you and your team of analysts will prepare mitigation (risk analysis and mitigation) for this current attack as well as any future attacks. You will also describe how to implement risk countermeasures against a data exfiltration attack. Compile these strategies in a FVEY Indicator Sharing Report to be shared with your FVEY allies. Include Snort rule signatures and prepare firewall rules that would have prevented the data exfiltration attack. Review these resources on intrusion detection and prevention (IDS/IPS) systems and IDS/IPS classification to refresh your understanding of communications and network security, intrusion detection, and intrusion prevention.
Your report should include the following:
other possible sources of vulnerabilities and best practices to protect endpoints.
indicators for data exfiltration.
methods for protection in bring your own device (BYOD) mobile security.
an explanation of the importance of authorization and authentication mechanisms like CAC-PIV card readers. Review these resources on common access card (CAC) and multifactor authentication technologies if you need a refresher.
best practices for database protection (data loss prevention), which serves as the backbone to information sharing and communications. How can obfuscation and masking be used to ensure database security?
You don’t want to just build a wall and block everything. Your team has conducted a risk assessment and developed an approach. In your report, share the tools, methods, and the actual net defenses your nation team has used.
In Project 1, your team identified the nations performing the malicious activities. At this point, it is necessary to protect the network and defend against the attacks. You must devise a plan and pull from the suite of net defense tools available to you. For intrusion detection and prevention, you must program rule sets in firewalls.
Now that your nation team has identified the bad actors, your nation will then build out Snort rules based on the traffic you have analyzed to allow the permitted communications while keeping out malicious traffic and activities.
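The two analysis tasks above, the high-volume (DoS) traffic review in Step 11 and the data-exfiltration indicators and Snort rules in Step 12, can be prototyped on connection summaries before the full packet analysis is written up. The following is an added example, not part of the course materials or the lab; the CIO-provided .pcap files are not available here, so the traffic is constructed inline in a Zeek-conn-log-like shape. The field names, the internal address ranges, the thresholds (connections per window, bytes out, out/in ratio) and the Snort `sid` are all assumptions a team would replace with values from its own topology and analysis.

```python
"""Flag DoS-style floods and data-exfiltration indicators in connection records.

Added example: the summit .pcap files are not available, so the records below are
CONSTRUCTED summaries (ts, src, dst, dport, orig_bytes, resp_bytes), shaped like a
Zeek conn.log. Address ranges, thresholds and the Snort sid are assumptions.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Tuple

# Assumed address plan for the summit network (not from the course materials).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


class Conn(NamedTuple):
    """One connection summary (field names assumed, modelled on Zeek conn.log)."""
    ts: float        # connection start, seconds
    src: str         # originator IP
    dst: str         # responder IP
    dport: int       # responder port
    orig_bytes: int  # bytes sent by the originator (outbound from src)
    resp_bytes: int  # bytes sent back by the responder


def build_sample() -> List[Conn]:
    """CONSTRUCTED traffic: normal browsing, one flood, one bulk upload."""
    conns: List[Conn] = []
    # Ordinary summit users talking to the web server: few connections, replies dominate.
    for i in range(20):
        conns.append(Conn(ts=i * 3.0, src=f"10.1.1.{10 + i}", dst="10.1.1.100",
                          dport=443, orig_bytes=1_500, resp_bytes=40_000))
    # Flood: one external host opens 300 tiny connections within ten seconds.
    for i in range(300):
        conns.append(Conn(ts=50.0 + i / 30.0, src="198.51.100.7", dst="10.1.1.100",
                          dport=80, orig_bytes=60, resp_bytes=0))
    # Exfiltration indicator: an internal host sends 5 MB per connection, 40 times,
    # and receives almost nothing back (upload-heavy asymmetry).
    for i in range(40):
        conns.append(Conn(ts=100.0 + i * 20.0, src="10.1.1.23", dst="203.0.113.9",
                          dport=443, orig_bytes=5_000_000, resp_bytes=800))
    return conns


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_floods(conns: List[Conn], window: float = 10.0,
                min_conns: int = 100) -> Dict[Tuple[str, str, int], int]:
    """Count connections per (src, dst, dport) in fixed time buckets and report the
    peak bucket for any triple at or above min_conns. Threshold is an assumption."""
    buckets: Counter = Counter()
    for c in conns:
        buckets[(c.src, c.dst, c.dport, int(c.ts // window))] += 1
    peaks: Dict[Tuple[str, str, int], int] = {}
    for (src, dst, dport, _), n in buckets.items():
        key = (src, dst, dport)
        peaks[key] = max(peaks.get(key, 0), n)
    return {k: n for k, n in peaks.items() if n >= min_conns}


def find_exfil(conns: List[Conn], min_out_bytes: int = 50_000_000,
               min_ratio: float = 10.0) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Sum bytes per internal->external pair and flag pairs where the inside host
    sends a lot and receives little. Both thresholds are assumptions."""
    totals: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])
    for c in conns:
        if is_internal(c.src) and not is_internal(c.dst):
            totals[(c.src, c.dst)][0] += c.orig_bytes
            totals[(c.src, c.dst)][1] += c.resp_bytes
    return {pair: (out, back) for pair, (out, back) in totals.items()
            if out >= min_out_bytes and out / max(back, 1) >= min_ratio}


def snort_rule_for_exfil(dst_ip: str, dport: int, sid: int) -> str:
    """Build a Snort 2-style alert for outbound sessions to a flagged destination.
    $HOME_NET is Snort's standard variable; the sid value is a placeholder."""
    return (f'alert tcp $HOME_NET any -> {dst_ip} {dport} '
            f'(msg:"Outbound transfer to flagged exfil host"; '
            f'flow:to_server,established; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    sample = build_sample()
    for (src, dst, dport), n in find_floods(sample).items():
        print(f"flood: {src} -> {dst}:{dport}, {n} connections in one 10 s window")
    for (src, dst), (out, back) in find_exfil(sample).items():
        print(f"exfil indicator: {src} -> {dst}, {out:,} B out vs {back:,} B back")
        print(snort_rule_for_exfil(dst, 443, 1000001))
```

Run as-is it reports the flood source and the upload-heavy internal host, then prints a Snort alert for the flagged destination. In the lab, the same two functions would be fed rows exported from Wireshark or Zeek instead of the constructed sample; the byte-asymmetry check is one exfiltration indicator among several (destination reputation, unusual ports and off-hours timing are others the report should cover), and a rule keyed on a single destination address is a stopgap that the firewall rules and more general Snort signatures in the sharing report should supersede.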
Once your team has completed the sharing report, post it to the FVEY discussion where other nation teams can view it.
Step 13: Evaluate and Execute the Data Exfiltration Service-Level Agreement (SLA)
You’ve communicated the attack to the other nation teams, and your team has determined that all the nation teams were under data exfiltration attack and sustained latency or even unavailability of their networks. Now the CIOs have directed that the service-level agreements (SLAs) be reviewed to determine what the attack means for the cost of services and the services rendered. Technologically trained professionals increase their marketability and hireability when they can demonstrate business acumen as well as technical expertise. And with more integrated environments following on-demand service structures such as cloud computing, it is imperative that cybersecurity professionals be able to assess whether their organization is getting what it paid for.
You may have determined a network topology for your nation team, or you may have researched a network topology and are using that to base your analysis, citing the researched information using APA format. In these topologies, you will research the operating system vulnerabilities (operating system fundamentals, operating system protections). You will identify requirements for operating system security to address these vulnerabilities.
You will then formulate a service-level agreement to mitigate the vulnerabilities, particularly for data exfiltration activities.
Produce a three- to five-page Service-Level Agreement (SLA) that you believe is best to serve the nation teams’ security protections. If you research sample SLAs, provide citations. The SLA should include:
an agreement not to engage in testing data exfiltration without notifying the internet service provider (ISP)
metrics for availability
monitoring from the ISP’s network
traffic reports to be received and access to ISP information on net defense and best practices
testing nation teams’ configurations by ISP
other components needed to fulfill your nation team’s requirements
Perform an evaluation of the SLA that you created, and in a checklist format, report on the performance of the ISP during the data exfiltration attack. Conduct independent research if a checklist example is needed. If you model your checklist after an existing resource, cite and reference it using APA format. Estimate costs of services or any compensation owed to the nation team. Include written justification to the ISP for the downtime due to data exfiltration. This evaluation is included in the three- to five-page requirement.
In the next step, you will take on “packet sniffing” in the lab, as you move to a digital forensics role in the investigation.