
Step 11: Develop the Intelligence Debriefing

Your nation's technical staff expects you to report on all summit events once you return to your nation's capital. The CISO has requested that each analyst work independently to create an Intelligence Debriefing for technical staff. This debriefing is a comprehensive report and is comprised of your BCP, SITREP 1, SITREP 2, and SITREP 3.

Each team member should develop his or her own briefing and submit independently. You may, however, use your team's discussion area to share your findings with your peers.

Refer to the CISO Deliverable Overview for a full list of requirements for the debriefing.

When you have completed your Intelligence Debriefing, submit it for feedback. The next step will be one of reflection, in which you will create a presentation on what you and your team members have learned from the ransomware attack and the mitigation and recovery activities that followed. 

2. Intelligence Debriefing

Using the Business Continuity Plan and Situation Reports you created throughout the project, you will create an Intelligence Debriefing and a Lessons Learned Video Presentation to share with your CISO.

This report draws on information from all events that occurred during the summit. It should detail all technical information that was derived, any linkage to the impacted systems identified in the BCP, possible methods of intrusion, and whether the events can be linked to one another. Write eight to ten pages describing the events throughout the summit and all indicators shared by fellow nations. Determine what the malware types were, how they can be discovered in the future, and how they can be mitigated, whether by detection systems or by having end users take awareness training.

The following items are required in the report for technical staff.

· current system standings

· modifications that can be made to stop this style of threat until a patch is created

· reputation and brand damage

· lost productivity due to downtime or system performance

· system availability problems

· determining root causes

· technical support to restore systems

· compliance and regulatory failure costs


Project 3, Step 9: SITREP #3

Team United Kingdom: Michael Arizieh, Julian Chandler, Justin Basagic, Ayman Gismalla Mohammed,

Oluwasegun “Saji” Ijiyemi

University of Maryland Global Campus

CMP 670 9047 Capstone in Cybersecurity (2231)

Prof. Thaddeus Janicki

Mar 9, 2023

Table of contents

Introduction
Security Incident Report – SITREP #3
Summary

Introduction

Ransomware is malware that prevents users from using their machines or recovering their information. After the attacker gains unauthorized access and introduces the malware into the victim's system, it is typically used to encrypt or destroy crucial data. Paying the ransom does not guarantee that the files will be unlocked or that access will be restored. For these reasons, the most important files and data should always be kept in a current offline backup.

Security Incident Report – SITREP #3

In this report, Team United Kingdom discusses the early findings and lays out the steps the organization plans to take in light of the indicators described. Institutions in the Five Eyes (FVEY) Alliance can access US-CERT databases for further detail on the incident data shared here. The team also describes indicators, such as file system alterations, the timing of the occurrence, services, IP addresses and other activity, that affected parties can use to search their own networks for the ransomware.

Security Incident Report / SITREP #2017-Month-Report#

Incident Detector's Information

Date/Time of Report: 3/10/2023 0100 UTC
First Name: Team
Last Name: UK
OPDIV: United Kingdom
Title/Position: Cyber Analyst
Work Email Address: [email protected]
Contact Phone Numbers:
  Work: 425-434-7986
  Government Mobile:
  Government Pager:
  Other:

Reported Incident Information

Initial Report Filed With (Name, Organization): Global Economic Summit CISO
Start Date/Time: 3/9/2023 1200 UTC
Incident Location: Global Economic Summit, United Kingdom
Incident Point of Contact (if different than above): N/A
Priority: Level 1
Possible Violation of ISO/IEC 27002:2013: Yes. Control A.12.2.1 (Controls against Malware): improper security awareness and system controls, and failure to implement a security policy.
Privacy Information – ISO 27000 (Country Privacy Act Law):
  Was the incident a violation of ISO 27000? No
  Did the target suffer an adverse effect? / As a result, was the OPDIV the direct or proximate cause of the adverse effect? No
  Was the violation intentional or willful? Willful
  Was the personally identifiable information used maliciously? No
Incident Type: Reveton ransomware attack; the system was locked down (denial of service) until the ransom was paid
US-CERT Category: Category 2 (Denial of Service) for the lockout of the affected system; Category 3 (Malicious Code) for the Reveton ransomware
CERT Submission Number, where it exists: Identify and document the CERT that the represented nation would report to, where it exists; otherwise the relevant organization. For the United Kingdom: ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

Description:
– The identity of the attacker or group responsible for the attack remains unknown.
– USB devices with multiple partitions that were not issued by the organization were found in the server rack.
– A list of URLs visited from the compromised account in question has been provided.
– A single machine was used by multiple people in an open setting, with a password list attached.
Additional Support Action Requested:
Method Detected: Wireshark, IPS, log review, summit computers
Number of Hosts Affected: Numerous
OPDIV / Department Impact: N/A
Information Sharing: Incident data can be shared with US-CERT and entities within the Five Eyes (FVEY) Alliance.
System: Human Resources server and other possible nodes
Status: Ongoing

Attacking Computer(s) Information

IP Address / Range: 192.168.10.112
Host Name: NIXRCC01
Operating System: CentOS
Ports Targeted: 49810
System Purpose:
Attacking Platform:

Victim's Computer(s) Information

IP Address / Range: 192.168.10.211
Host Name: Internal.nationstate.cyb670
Operating System: Windows 10
Ports Targeted: 80
System Purpose: HR computer
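The attacking and victim hosts recorded above are the concrete indicators a responder would sweep internal telemetry for. The following is an added example and is not part of the team's SITREP: a small Python IOC sweep over connection logs that uses only the two IP addresses, the two ports and the 3/9/2023 1200 UTC incident start from this report. The key=value firewall log format and the sample log lines are constructed for the example. A line becomes a hit only when one of the IOC addresses appears; the port and the time window add to the score of a hit but cannot create one on their own, since port 80 traffic and "anything after noon" would be hopelessly noisy. Both addresses are RFC 1918 private addresses, so this sweep belongs on internal sensors (the firewall or IPS that detected the activity), not on perimeter logs.

```python
"""IOC sweep over connection logs using the indicators recorded in SITREP #3.

The indicators (IPs, ports, incident start) come from the SITREP; the log
format and the sample lines below are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Indicators from the SITREP: attacking host, victim host, ports, incident start.
IOC_IPS = {"192.168.10.112", "192.168.10.211"}
IOC_PORTS = {49810, 80}
INCIDENT_START = datetime(2023, 3, 9, 12, 0, tzinfo=timezone.utc)

# Assumed log format (constructed for the example, not from the SITREP):
#   <ISO-8601 UTC timestamp> <sensor> conn src=<ip> dst=<ip> dport=<port> proto=<tcp|udp> action=<allow|deny>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<sensor>\S+)\s+conn\s+(?P<kv>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log: one clean line, two lines involving both IOC hosts,
# one older line from the attacking host, and one unparseable line.
SAMPLE_LOG = """\
2023-03-09T11:58:02Z fw01 conn src=192.168.10.50 dst=10.0.0.5 dport=443 proto=tcp action=allow
2023-03-09T12:03:41Z fw01 conn src=192.168.10.112 dst=192.168.10.211 dport=80 proto=tcp action=allow
2023-03-09T12:05:09Z fw01 conn src=192.168.10.211 dst=192.168.10.112 dport=49810 proto=tcp action=allow
2023-03-08T09:14:00Z fw01 conn src=192.168.10.112 dst=10.0.0.9 dport=22 proto=tcp action=allow
fw01 restarted, log truncated
"""


@dataclass
class Event:
    ts: datetime
    sensor: str
    src: str
    dst: str
    dport: int
    raw: str


@dataclass
class Hit:
    event: Event
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_line(line: str) -> Optional[Event]:
    """Parse one connection log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kv = dict(KV_RE.findall(m.group("kv")))
    try:
        return Event(
            ts=datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            sensor=m.group("sensor"),
            src=kv["src"],
            dst=kv["dst"],
            dport=int(kv["dport"]),
            raw=line.strip(),
        )
    except (KeyError, ValueError):
        return None


def evaluate(ev: Event) -> Optional[Hit]:
    """An IOC address makes a hit; the IOC port and the incident window only raise its score."""
    reasons = []
    if ev.src in IOC_IPS:
        reasons.append("src_ip_ioc")
    if ev.dst in IOC_IPS:
        reasons.append("dst_ip_ioc")
    if not reasons:
        return None  # port or time alone would be far too noisy to act on
    if ev.dport in IOC_PORTS:
        reasons.append("ioc_port")
    if ev.ts >= INCIDENT_START:
        reasons.append("in_incident_window")
    return Hit(ev, reasons)


def sweep(lines: Iterable[str]) -> List[Hit]:
    """Return hits ordered by descending score, then by time; unparseable lines are skipped."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        hit = evaluate(ev)
        if hit is not None:
            hits.append(hit)
    return sorted(hits, key=lambda h: (-h.score, h.event.ts))


if __name__ == "__main__":
    for h in sweep(SAMPLE_LOG.splitlines()):
        print(f"score={h.score} {h.event.raw}\n  reasons: {', '.join(h.reasons)}")
```

The older hit from 192.168.10.112 on 3/8 scores low but is deliberately kept: when a host inside the network is the suspected source, its activity before the known start time is exactly what narrows down how long the insider had been preparing.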

Action Plan

Action Description: Per the CISO's directions, continue to monitor for possible data exfiltration; an SLA is in place and approved for network monitoring.
Requestor: Summit CISO
Assignee: Team United Kingdom
Time Frame: Immediately
Status: Urgent

Conclusion / Summary

Entities Notified: All FVEY Summit Members
Resolution: Identify the insider threat (multiple actors); assist officials with the investigation by providing expert analysis related to this event (see the questions answered below).

Summary Questions:

· What actually happened? What do you know as fact?

An employee's laptop was left unattended in a public area, with the passwords taped to the computer and visible only when it was opened.

· What was said in the letter of resignation? Can this document be trusted as representing the true intentions of Ms. Grascholtz? Why or why not?

No. Even though the letter was password protected, there is no way to prove that Ms. Grascholtz typed it. The letter itself reads as dubious: there is no consistent pattern or flow to it.

It jumps abruptly from worries about a terrible illness to complaints to management about being extorted and about her family being threatened with "germ warfare packages." The information in the letter is neither specific nor accurate according to online searches, and the list of URLs visited matches the actions taken during the ransomware attack in an order that seems too convenient.

· Several staff have commented that the USB devices found in Ms. Grascholtz's work area are of the same type and brand as the USB found inside the server cabinet. Is this significant? Why or why not?

On its own, the match does not establish the USB device's true source. It does, however, cast suspicion on everyone with access to the server cabinet, and the use of the same make of device the organization itself uses points to knowledge an insider would have.

· What is the significance of the list of passwords found taped to the laptop?

A visible list of passwords indicates that several people could use the device and access the network with those credentials. As stated in the report, the account was created in accordance with the rules but without elevated rights. With no supporting evidence provided for its creation, this strengthens the idea that someone with admin rights created the account.

· What is the significance of a multipartition USB storage device?

It can indicate what the device was intended for. Multiple partitions are not unusual in themselves, but given the nature and seriousness of the situation, the partitioning here was designed to conceal information: a partition that is not mounted is not visible when the device is casually browsed.

· What conclusions can be drawn from your analysis of the browsing history?

The browsing history was a feeble attempt to leave a digital trail intended to mislead, and it failed.

· Is there sufficient evidence to show a link between the Reveton malware and Ms. Grascholtz?

While there is a fair amount of circumstantial evidence to suggest that Ms. Grascholtz was involved, there is no way to determine definitively that she had a hand in the attack(s).

· Is there evidence supporting the supposition that an insider other than Ms. Grascholtz may have been responsible for the Reveton malware's entry onto the organization's networks?

Yes, but determining that individual would require other methods of investigation and reporting.

· What other conclusions can be drawn from the information you have at hand?

It is reasonable to conclude that this attack was a planned, multi-faceted, and multi-actor inside job.

· What are the next steps that the CISO and staff should take to further this investigation into the Reveton malware?

I advise utilizing CCTV footage to compare network activity timestamps with employee movements within the facility. There is only one device under consideration (at this moment), and it was used to determine who was around, particularly those who had no need to be there.
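The timeline comparison suggested above can be prepared with a script before anyone sits down with the CCTV footage. The following is an added example and is not from the team's report: it pairs door-access entry and exit swipes into presence intervals per badge, then, for each network event, lists which badges were in the server room within a ±10 minute window and the footage window a reviewer should pull. The badge IDs, the door-access records and the exact event times are constructed for the example; only the two hosts and the 3/9/2023 1200 UTC incident start come from the SITREP. An entry swipe with no matching exit is treated as still inside (open-ended) rather than dropped, so someone who left through a propped door or by tailgating is not silently excluded.

```python
"""Correlate network event timestamps with server-room door-access records.

Hosts and incident start are from SITREP #3; badge IDs, access records and the
exact event times are constructed for this example.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed network events (times are invented; hosts are the SITREP's attacker and victim).
NETWORK_EVENTS = [
    ("2023-03-09T12:03:41Z", "192.168.10.112 -> 192.168.10.211:80"),
    ("2023-03-09T12:05:09Z", "192.168.10.211 -> 192.168.10.112:49810"),
]

# Constructed door-access log for the server room (hypothetical badge IDs and times).
# Fields: timestamp, badge, zone, action ("entry" or "exit").
ACCESS_RECORDS = [
    ("2023-03-09T11:40:12Z", "badge-0412", "server-room", "entry"),
    ("2023-03-09T11:55:00Z", "badge-0412", "server-room", "exit"),
    ("2023-03-09T11:58:05Z", "badge-0077", "server-room", "entry"),
    ("2023-03-09T12:10:44Z", "badge-0077", "server-room", "exit"),
    ("2023-03-09T12:12:00Z", "badge-0199", "server-room", "entry"),  # no exit swipe: still inside
]

# badge, zone, entered, left (None = no exit recorded, treated as still present)
Interval = Tuple[str, str, datetime, Optional[datetime]]


def presence_intervals(records) -> List[Interval]:
    """Pair each badge's entry and exit swipes per zone into presence intervals.

    An entry with no later exit becomes an open-ended interval instead of being lost.
    """
    open_entries: Dict[Tuple[str, str], datetime] = {}
    intervals: List[Interval] = []
    for ts, badge, zone, action in sorted(records, key=lambda r: r[0]):
        t = parse_ts(ts)
        key = (badge, zone)
        if action == "entry":
            open_entries[key] = t
        elif action == "exit" and key in open_entries:
            intervals.append((badge, zone, open_entries.pop(key), t))
    for (badge, zone), t in open_entries.items():
        intervals.append((badge, zone, t, None))
    return sorted(intervals, key=lambda i: i[2])


def correlate(events, intervals, zone="server-room", window=timedelta(minutes=10)) -> List[dict]:
    """For each network event, list badges present in `zone` at any point within
    +/- `window` of the event, plus the footage window to review."""
    results = []
    for ts, desc in events:
        t = parse_ts(ts)
        lo, hi = t - window, t + window
        present = sorted({
            badge for badge, z, entered, left in intervals
            if z == zone and entered <= hi and (left is None or left >= lo)
        })
        results.append({
            "event_time": t, "event": desc,
            "review_from": lo, "review_to": hi,
            "badges_present": present,
        })
    return results


if __name__ == "__main__":
    for r in correlate(NETWORK_EVENTS, presence_intervals(ACCESS_RECORDS)):
        print(f"{r['event_time']:%H:%M:%S}Z {r['event']}")
        print(f"  review CCTV {r['review_from']:%H:%M:%S}-{r['review_to']:%H:%M:%S}Z, "
              f"badges present: {r['badges_present']}")
```

The badge list is a starting point for the footage review, not a conclusion: badge logs show whose credential opened the door, and the CCTV is what confirms who actually walked through it.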


Project 3, Step 9: SITREP #2

Team United Kingdom: Michael Arizieh, Julian Chandler, Justin Basagic, Ayman Gismalla Mohammed,

Oluwasegun “Saji” Ijiyemi

University of Maryland Global Campus

CMP 670 9047 Capstone in Cybersecurity (2231)

Prof. Thaddeus Janicki

Mar 9, 2023

Table of contents