Please look at the attachment
Project 1
Student Name:
Date:
Project 1: Requires the Following THREE Deliverables
Grade
1. Security Assessment Report (including relevant findings from Lab)
2. Non-Technical Presentation Slides
3. Lab Experience Report with Screenshots
GENERAL OBJECTIVES
Project 1 – Evaluation Criteria
1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
5.4: Identify potential threats to operating systems and the security features necessary to guard against them.
Areas to Improve
1. Security Assessment Report
Discuss all topics below. Consider using the topic headers (in green) as subheaders to organize your report.
Purpose and Scope
Section Objective
To be able to succinctly summarize (e.g. to your organization) the reason for performing this security assessment
Based on your scenario (i.e. hypothetical or real), briefly explain why there is a need for a security assessment in your organization (purpose) and explain which components will be assessed (scope).
OS Overview
Section Objective
To be able to explain main concepts of an operating system
Checklist
In your SAR, provide the leadership of your organization a brief explanation of operating systems (OS) fundamentals and information systems architectures. Include the following:
1. Explain the user’s role in an OS.
2. Explain the differences between kernel applications of the OS and the applications installed by an organization or user.
3. Describe the embedded OS.
4. Describe how operating systems fit in the overall information systems architecture, of which cloud computing is an emerging, distributed computing network architecture.
OS Vulnerabilities
Section Objective
To be able to discuss/describe OS vulnerabilities
Checklist
Provide the leadership of your organization with an overview of OS vulnerabilities to include the following:
1. Explain Windows vulnerabilities and Linux vulnerabilities.
2. Explain the Mac OS vulnerabilities, and vulnerabilities of mobile devices.
3. Explain the motives and methods for intrusion into MS and Linux operating systems.
4. Explain the types of security management technologies such as intrusion detection and intrusion prevention systems.
5. Describe how and why different corporate and government systems are targets.
6. Describe different types of intrusions such as SQL, PL/SQL, XML, and other injections.
Preparing for the Vulnerability Scan
Section Objective
To be able to explain the objectives of a vulnerability scan
Checklist
Provide the leadership of your organization with the following:
1. Include a description of the methodology you proposed to assess the vulnerabilities of the operating systems.
2. Provide an explanation and reasoning of how the methodology you propose will determine the existence of those vulnerabilities in the organization’s OS.
3. Include a description of the applicable tools to be used, limitations, and analysis.
4. Provide an explanation and reasoning of how the applicable tools you propose will determine the existence of those vulnerabilities in the organization’s OS.
5. In your report, also discuss:
the strength of passwords
any Internet Information Services’ administrative vulnerabilities
SQL Server administrative vulnerabilities
security updates and management of patches as they relate to OS vulnerabilities
Vulnerability Assessment Tools for OS and Applications (Lab)
Section Objective
To be able to interpret and integrate the lab results in this SAR
Checklist
Use the vulnerability scanning tool to complete/determine the following for the Windows OS:
1. Determine if Windows administrative vulnerabilities are present.
2. Determine if weak passwords are being used on Windows accounts.
3. Report which security updates are required on each individual system.
4. The tool provides dynamic assessment of missing security updates. Scan one or more computers by domain, IP address range, or other grouping.
5. Once complete, provide a detailed report and recommendations on how to make your system a more secure working environment. In this case, a tool such as OpenVAS will create and store individual XML security reports for each computer scanned and will display the reports in the graphical user interface in HTML.
For the Linux OS:
1. Determine if Linux vulnerabilities are present.
2. Determine if weak passwords are being used on Linux systems.
3. Determine which security updates are required for the Linux systems.
4. You noticed that the tool you used for the Linux OS (i.e., OpenVAS) provides dynamic assessment of missing security updates. Scan one or more computers by domain, IP address range, or other grouping.
5. Once complete, provide a detailed report and recommendations on how to make your system a more secure working environment.
Findings and Recommendations *
Section Objective
To be able to clearly state your findings and propose mitigation
Checklist
1. Include a section where the findings (i.e. your lab findings) and your recommendations are enumerated. This is an important section of your report, since your feedback/report will help the leadership of your organization allocate the necessary resources to ensure the risks you identified will be mitigated. Each finding should have a corresponding recommendation. E.g. Finding 1. It was found that …. Recommendation 1. It is recommended that …. Finding 2…. Recommendation 2……
2. Include a brief risk assessment associated with the security recommendations to propose ways to address the risk either by accepting it, transferring it, mitigating it, or eliminating it. Explain your answer.
Security Assessment Report Overall Feedback
Strengths
Opportunities
2. Presentation Slides (narration not required)
Section Objective
To be able to, at a high-level, present/summarize the SAR to a leadership audience
Checklist
Design a presentation directed to the leadership of your organization (technical and non-technical audience) that includes:
1. Title Slide
2. Use of Readable Fonts and Color
3. Summarized SAR
4. Summary of Findings and Recommendations at High Level
Presentation Slides Overall Feedback
Strengths
Opportunities
3. Lab Experience Report
Section Objective
To demonstrate to your professor that you performed and understood the lab for this project
Checklist
Your lab report should include:
1. Summary of lab experience
2. Vulnerabilities identified and explained for both Windows and Linux systems
3. Provide screenshots of key results for both systems
4. Ensure a summary of your results is included in your SAR
5. Capture the timestamp when lab was performed
6. Ensure the screenprints are readable
7. Answer lab questions (when applicable) and integrate results in your SAR and Presentation
Lab Experience Report Feedback
Strengths
Opportunities
* Findings and recommendations are the most important information of this type of report. Your audience needs to clearly understand the security issues you found and the mitigation steps (that you recommend) that need to be taken in order to secure (ultimately) the organization’s information.
Project 2
Student Name:
Date:
Project 2: Requires the Following THREE Deliverables
Grade
1. Security Assessment Report (including relevant findings from Lab)
2. Risk Assessment Report (compile findings from Project 1 & Project 2)
3. Lab Experience Report with Screenshots
GENERAL OBJECTIVES
Project 2 – Evaluation Criteria
1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
1.2: Develop coherent paragraphs or points so that each is internally unified and so that each functions as part of the whole document or presentation.
1.3: Provide sufficient, correctly cited support that substantiates the writer’s ideas.
1.4: Tailor communications to the audience.
1.5: Use sentence structure appropriate to the task, message and audience.
1.6: Follow conventions of Standard Written English.
5.2: Knowledge of architectural methodologies used in the design and development of information systems, including the physical structure of a system’s internal operations and interactions with other systems and knowledge of standards that either are compliant with or derived from established standards or guidelines.
5.6: Explore and address cybersecurity concerns, promote awareness, best practice, and emerging technology.
7.3: Knowledge of methods and tools used for risk management and mitigation of risk.
8.1: Demonstrate the abilities to detect, identify, and resolve host and network intrusion incidents.
8.2: Possess knowledge and skills to categorize, characterize, and prioritize an incident as well as to handle relevant digital evidence appropriately.
Areas to Improve
1. Security Assessment Report
Discuss all topics below. Consider using the topic headers as subheaders to organize your report.
Purpose and Scope
OBJECTIVE
To be able to succinctly summarize (e.g. to your organization) the reason for performing this security assessment
Based on your scenario (i.e. hypothetical or real), briefly explain why there is a need for this security assessment in your organization (purpose) and explain which components will be assessed (scope).
Enterprise Network Diagram
OBJECTIVE
To be able to explain a basic network and its main components
Propose a local area network (LAN) and a wide area network (WAN) for the organization, define the systems environment, and incorporate this information in a network diagram. Discuss the security benefits of your chosen network design.
Threats & Threat Identification
OBJECTIVE
To be able to discuss security threats in the context of networks and access control
1. Identify the potential threat actors who attack vulnerabilities in networks and information systems, and the types of remediation and mitigation techniques available in your industry and for your organization.
Firewalls and Encryption
1. Identify the purpose and function of firewalls for organization network systems, and how they address the threats and vulnerabilities you have identified.
2. Determine the role of firewalls, encryption, and auditing.
3. Identify the purpose and function of encryption, as it relates to files and databases and other information assets on the organization’s networks.
Databases
1. Discuss RDBMS features that could assist in protecting information and monitoring the confidentiality, integrity, and availability of the information in the information systems.
2. Discuss the value of using access control, database transaction and firewall log files.
Passwords
1. Provide an analysis of the strength of passwords used by the employees in your organization.
2. Are weak passwords a security issue for your organization?
OPM Case Study
OBJECTIVE
To be able to explain the OPM breach and discuss lessons learned
1. Define threat intelligence and explain what kind of threat intelligence is known about the OPM breach.
2. Differentiate between the external threats to the system and the insider threats.
3. Identify where these threats can occur in the previously created diagrams.
4. Review the OIG report on the OPM breach (i.e. a historical fact). Use it to justify the need for a security assessment in order to avoid, in your organization, similar situations. Relate the OPM threat intelligence to your organization. How likely is it that a similar attack will occur at your organization?
Findings and Recommendations *
OBJECTIVE
To be able to clearly state your findings and propose mitigation
1. Include a section where the findings (i.e. your lab findings) and your recommendations are enumerated. This is an important section of your report, since your feedback/report will help the leadership of your organization allocate the necessary resources to ensure the risks you identified will be mitigated. Each finding should have a corresponding recommendation. E.g. Finding 1. It was found that …. Recommendation 1. It is recommended that …. Finding 2…. Recommendation 2……
Security Assessment Report Overall Feedback
Strengths
Opportunities
2. Risk Assessment Report
Risk and Remediation
OBJECTIVE
To be able to explain risk and risk mitigation
1. What is risk and what is remediation?
2. Summarize all the vulnerabilities found in Project 1 and Project 2. List them (e.g. table format) and include: description of each, likelihood of each event occurring, impact to your organization (e.g. H, M, L), remediation, and cost/benefit analysis of remediation for your organization.
3. Make sure your RAR includes a compilation of all vulnerabilities/threats identified in the labs for Project 1 and Project 2 (i.e. all OS-related and network-related vulnerabilities).
4. Devise a high-level plan of action with interim milestones (POAM).
Risk Assessment Report Feedback
Strengths
Opportunities
3. Lab Experience Report
Lab
OBJECTIVE
To demonstrate to your professor that you performed and understood the tools for this project
Your report should include:
1. Respond to lab questions associated with each Wireshark file provided
2. Respond to Nmap questions associated with both target machines
3. Answer questions related to OS Fingerprinting
4. Include experience associated with multiple host and network scanning
5. Provide screenshots of key results associated with items listed above
6. Ensure a summary of your results is included in your SAR. Add these findings to the RAR analysis.
Lab Experience Report Feedback
Strengths
Opportunities
* Findings and recommendations are the most important information of this type of report. Your audience needs to clearly understand the security issues you found and the mitigation steps (that you recommend) that need to be taken in order to secure (ultimately) the organization’s information.
Project 3
Student Name:
Date:
Project 3: Requires the Following FOUR Deliverables
Grade
1. Team Forming and Completion of Charter
2. Security Assessment Report
3. After Action Report
4. Presentation Slides (With Narration or In Class Presentation)
Project Objectives
Project 3 – Evaluation Criteria
1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
4.1: Lead and/or participate in a diverse group to accomplish projects and assignments.
4.3: Contribute to team projects, assignments, or organizational goals as an engaged member of a team.
8.4: Possess knowledge of proper and effective communication in case of an incident or crisis.
Areas to improve
1. Team Forming and Completion of Charter
Upload the completed Charter to the Team Locker in the Classroom and email it to your professor.
2. Security Assessment Report
Listen closely to the scenario presented for Project 3.
Financial Sector
Role: A representative from the financial services sector, who has discovered the network breach and the cyber attacks. These attacks include distributed denial-of-service attacks, DDOS, web defacements, sensitive data exfiltration, and other attack vectors typical of this nation-state actor.
Provide a description of the impact the threat would have on the financial services sector. These impact statements can include the loss of control of the systems, the loss of data integrity or confidentiality, exfiltration of data, or something else. Also provide impact assessments as a result of this security incident to the financial services sector.
Provide submissions from the Information Sharing Analysis Councils related to the financial sector.
Law Enforcement
Role: A representative from law enforcement, who has provided additional evidence of network attacks found using network defense tools.
Provide a description of the impact the threat would have on the law enforcement sector. These impact statements can include the loss of control of systems, the loss of data integrity or confidentiality, exfiltration of data, or something else. Also provide impact assessments as a result of this security incident to the law enforcement sector.
The Intelligence Community
Role: A representative from the intelligence agency, who has identified the nation-state actor from numerous public and government-provided threat intelligence reports. This representative will provide threat intelligence on the tools, techniques, and procedures of this nation-state actor.
Provide intelligence on the nation-state actor, their cyber tools, techniques, and procedures. Leverage available threat reporting such as from FireEye, Mandiant, and other companies and government entities that provide intelligence reports. Also include the social engineering methods used by the nation-state actor and their reasons for attacking US critical infrastructure.
Homeland Security
Role: A representative from the Department of Homeland Security, who will provide the risk, response, and recovery actions taken as a result of this cyber threat.
Use the US-CERT and other similar resources to discuss the vulnerabilities and exploits that might have been used by the attackers.
Explore the resources for risk mitigation and provide the risk, response, and risk mitigation steps that should be taken if an entity suffers the same type of attack.
Provide a risk-threat matrix and provide a current state snapshot of the risk profile of the financial services sector.
Security Assessment Report Feedback
Strengths
Opportunities
3. After Action Report
The purpose of the AAR is to share the systems life cycle methodology, rationale, and critical thinking used to resolve this cyber incident.
Identify the purpose and function of firewalls for organization network systems, and how they address the threats and vulnerabilities you have identified.
Also discuss the value of using access control, database transaction and firewall log files.
Identify the purpose and function of encryption, as it relates to files and databases and other information assets on the organization’s networks.
After Action Report Feedback
Strengths
Opportunities
4. Presentation (Complete Set of Team Slides and Voice Narration)
Title Slide
Use of Readable Fonts and Color
Summarize SAR and AAR for non-technical audience
Summarize Findings and Recommendations at High Level
Slide Narration or In Class Presentation (5-6 minutes or a portion of report)
Presentation Slides Feedback
Strengths
Opportunities
Project 4
Student Name:
Date:
This form provides the same classroom instructions in a checklist form to help students and professors quickly evaluate a submission
Project 4: Requires the Following TWO Deliverables
Grade
1. Paper
2. Lab Experience Report with Screenshots
Project Objectives
Project 4 – Evaluation Criteria
1.5: Use sentence structure appropriate to the task, message and audience.
1.6: Follow conventions of Standard Written English.
1.7: Create neat and professional looking documents appropriate for the project or presentation.
2.1: Identify and clearly explain the issue, question, or problem under critical consideration.
2.2: Locate and access sufficient information to investigate the issue or problem.
2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
2.4: Consider and analyze information in context to the issue or problem.
3.2: Employ mathematical or statistical operations and data analysis techniques to arrive at a correct or optimal solution.
5.1: Knowledge of procedures, tools, and applications used to keep data or information secure, including public key infrastructure, point-to-point encryption, and smart cards.
Areas to improve
1. Paper
IT Systems Architecture
1. Provide an introductory statement
2. In tabular format, provide a Network Security and Vulnerability Threat Table following guidance in Project 4 -> STEP 1
3. Include and define the following components of security in the architecture of your organization, and explain if threats to these components are likely, or unlikely:
LAN security
Identity management
physical security
personal security
availability
privacy
4. List the security defenses you employ in your organization to mitigate these types of attacks.
Plan of Protection
Learn more about the transmission of files that do not seem suspicious but that actually have embedded malicious payload, undetectable to human hearing or vision. This type of threat can enter your organization’s networks and databases undetected through the use of steganography or data hiding. You should include this type of threat vector to an organization in your report to leadership.
Provide the leadership of your organization with your plan for protecting identity, access, authorization and nonrepudiation of information transmission, storage, and usage.
Data Hiding Technologies
Describe to your organization the various cryptographic means of protecting its assets. Provide an overview of each of the following.
Encryption Technologies
1. Shift / Caesar cipher
2. Polyalphabetic cipher
3. One time pad cipher/Vernam cipher/perfect cipher
4. Block ciphers
5. triple DES
6. RSA
7. Advanced Encryption Standard (AES)
8. Symmetric encryption
9. Text block coding
Data Hiding Technologies
1. Information hiding and steganography
2. Digital watermarking
3. Masks and filtering
Network Security Vulnerability
Discuss the following:
1. Security architecture of the organization
2. the cryptographic means of protecting the assets of the organization
3. the types of known attacks against those types of protections
4. means to ward off the attacks
Access Control Based on Smart Card
Describe how identity management would be a part of your overall security program and create your CAC deployment plan
Email Security Strategies
1. Provide an overview of the types of public-private key pairing, and show how this provides authentication and nonrepudiation. You will also add hashing and describe how this added security benefit ensures the integrity of messaging.
2. Briefly describe: PGP, GPG, PKI, digital signatures, mobile device encryption
3. Make a recommendation for a deployment plan
Paper Feedback
Strengths
Opportunities
2. Lab Experience Report
1. Summarize the Lab Experience and Findings
2. Respond to the questions:
Stego: Compare the file properties of each of the pictures and notice the differences. Explain.
Encryption/Decryption: Discuss tools and include findings
3. Provide screenshots of key results for:
Steganography: OpenStego, QuickStego, OurSecret
Encryption/Decryption: Bitlocker, AxCrypt, GPG
Lab Experience Report Feedback
Strengths
Opportunities
Project 5
Student Name:
Date:
This form provides the same classroom instructions in a checklist form to help students and professors quickly evaluate a submission
GENERAL OBJECTIVES
Project 5 – Evaluation Criteria
5.3: Uses defensive measures and information collected from a variety of sources to identify, analyze, and report events that occur or might occur within the network in order to protect information, information systems, and networks from threats.
8.6: Provides professional preparation for computer digital forensics, investigation of crime, and preservation of digital evidence in criminal and civil investigations and information security incident response.
8.7: Provide theoretical basis and practical assistance for all aspects of digital investigation and the use of computer evidence in forensics and law enforcement.
Project 5: Requires the Following TWO Pieces
Grades
1. Research Paper
2. Lab Experience Report with Screenshots
Areas to Improve
1. Research Paper
Abstract
Section Objective
To learn to write a research paper abstract
Introduction
Section Objective
To introduce a research topic
Digital Forensics Methodology
Section Objective
To describe/explain the digital forensic methodology
1. Preparation
2. Extraction
3. Identification
4. Analysis
Tools and Techniques
Section Objective
Beyond the methodology, discuss/explain main concepts of digital forensics
1. Discuss the importance of using forensic tools to collect and analyze evidence (e.g., FTK Imager and EnCase)
2. Explain hashing in the context of digital forensics
3. How do you ensure that the evidence collected has not been tampered with (i.e., after collection)? Why and how is this important to prove in a court of law?
Conclusion
Section Objective
Summarize paper and provide concluding remarks
Paper Feedback
Strengths
Opportunities
2. Lab Experience Report
Summarize the Lab Experience and Findings
Provide screenshots of key results. Include a screenshot of the Image Summary. Use your own name as the ‘Examiner’.
Lab Experience Report Feedback
Strengths
Opportunities
Running Head: Security Assessment Report (SAR)
threat analysis and exploitation
Jeremy McGary
Charlotte Olaniyi
Marcelina Swan
Tyler Twaddell
SECURITY ASSESSMENT REPORT (SAR)
Company name: CST 610 Team 1
Industry Sector: Financial Institution
Period of Assessment: 1 February – 14 March 2023
Project 3
CST 610: Cyberspace and Cybersecurity Foundations
MARCH 14, 2023
University of Maryland Global Campus (UMGC)
Professor Dr. Steven Richman
Table of Contents
1.0 BACKGROUND 4
1.1 Purpose 4
2.0 FINANCIAL SECTOR – JEREMY MCGARY 5
2.1 The Financial Services Threat 5
2.2 Financial Services Critical Infrastructure (CI) 5
2.3 Scope Covered In Security Assessment Report 5
3.0 FINANCIAL SECTOR ASSESSING SUSPICIOUS ACTIVITY IN THE CRITICAL INFRASTRUCTURE – ALL TEAM 1 MEMBERS 5
4.0 LAW ENFORCEMENT – MARCELINA SWAN 6
5.0 THE INTELLIGENCE COMMUNITY – CHARLOTTE OLANIYI 6
5.1 Threat Actor Definition and Rationale 6
5.2 Tools, Techniques and Procedures 6
6.0 THE INTELLIGENCE COMMUNITY CYBERTHREAT LIFECYCLE – ALL TEAM 1 MEMBERS 6
7.0 EXPLOITATION METHODS (HOMELAND SECURITY) – TYLER TWADDELL 6
7.1 Example Threats and Exploits 6
7.2 Example Vulnerabilities 6
7.3 Countermeasures 6
8.0 HOMELAND SECURITY RISK AND IMPACT – ALL TEAM 1 MEMBERS 7
9.0 RECOMMENDATIONS – ALL TEAM 1 MEMBERS 7
10.0 SUMMARY OF REFERENCES – ALL TEAM 1 MEMBERS 8
Table of Figures and Tables
1.0 BACKGROUND
According to our Project 3 assignment, the U.S. financial network has been subjected to Distributed Denial of Service (DDoS) attacks, web defacements, sensitive data exfiltration and other attack vectors typical of nation-state actor(s). The Team 1 collaborative efforts have found:
· The financial services sector discovered the network breach and the cyber-attacks.
· The law enforcement sector provided additional evidence of network attacks found using network defense tools.
· The intelligence agency identified the nation state actor from numerous public and government provided threat intelligence reports.
· The Department of Homeland Security provided the risk, response, and recovery actions taken as a result of this cyber threat.
Purpose
Our goal, according to our Project 3 assignment, is to provide education and security awareness to the financial services sector about the threats, vulnerabilities, risks, and the risk mitigation and remediation procedures to be implemented to maintain a robust security posture, and to take the lessons learned from this cyber incident and share that knowledge with the rest of the cyber threat analysis community using:
· Data and resources brought by each Team 1 representative.
· Test results from any prior lab testing done which is relevant to the financial institution. For example, leveraging network security skills by using past port scans, network scanning tools, and analyzing Wireshark files to assess any suspicious network activity and network vulnerabilities.
2.0 FINANCIAL SECTOR – JEREMY MCGARY
[Select and describe a specific, real, recent attack/network breach, “The Threat,” on a target financial institution or part of the financial services Critical Infrastructure (CI). The attack(s) could include distributed denial-of-service (DDOS) attacks, web defacements, sensitive data exfiltration, and/or other attack vectors typical of a nation-state actor per the given scenario in “Start.” This is your starting point and reason driving the Security Assessment Report (SAR) and is the specific focus of the After Action Report (AAR).]
The Financial Services Threat
· Describe the specific threat and impact on the specific financial institution or part of the financial services CI.
· Then describe the impact that the threat would generally have on the financial services sector.
· Provide relevant submissions from the Information Sharing Analysis Council related to the financial sector.
Financial Services Critical Infrastructure (CI)
· General Description of Financial Services Critical Infrastructure (CI) (include diagrams). Where or how does the target financial institution or part of the financial services CI fit into this?
· The importance and impact of Industrial Control Systems on the financial services CI.
· Other CIs which may be affected by attacks on the financial services CI (include diagrams)
Scope Covered In Security Assessment Report
· Include Why?
3.0 FINANCIAL SECTOR ASSESSING SUSPICIOUS ACTIVITY IN THE CRITICAL INFRASTRUCTURE – ALL TEAM 1 MEMBERS
· What are critical information systems in the U.S. CI? Which are predominant in the financial sector?
· What cyberthreats and vulnerabilities are facing the U.S. critical infrastructure? Which are particularly significant in the financial sector?
· What port scanning, network scanning and traffic analysis tools and data are available to assess any suspicious network activity and network vulnerabilities? How would they be used? (Use your lab experiences and lab data from your 600 and 610 courses to identify the tools and methods here and actual data throughout the report.)
4.0 LAW ENFORCEMENT – MARCELINA SWAN
· Describe the impact that the specific threat and other threats could have on the law enforcement sector.
· How did this specific attack affect the law enforcement sector?
· How might these be mitigated or prevented?
5.0 THE INTELLIGENCE COMMUNITY – CHARLOTTE OLANIYI
[Provide an overview of the life cycle of a cyberthreat. Explain the different threat vectors that cyber actors use and provide a possible list of nation-state actors that have targeted the U.S. financial services industry before.]
Threat Actor Definition and Rationale
· What is a threat actor?
· What are the reasons why threat actors would attack the U.S. and its financial services CI? Provide real current examples which support these reasons.
· Provide a possible list of nation-state actors that have targeted the U.S. financial services industry before. What has each done that supports the reasons given?
· What nation-state or other threat actors were involved in the incident?
· What were their reasons for attacking the U.S. and its financial services institution or CI in the incident?
Tools, Techniques and Procedures
Procedures (What is used by threats to attack? Real current examples would be excellent to include.) [Provide intelligence on the nation-state actor and the actor’s cyber tools, techniques, and procedures, using available threat reporting such as from FireEye, Mandiant, and other companies and government entities that provide intelligence reports.]
· Explain the different threat vectors that cyber actors use. What was used in your specific event?
· Explain cyber tools, techniques, and procedures used by nation state actors on the critical infrastructure. What was used in your specific event?
· List example social engineering attacks used by threats against U.S. (Real current examples would be excellent to include.) What was used in your specific event?
6.0 THE INTELLIGENCE COMMUNITY CYBERTHREAT LIFECYCLE – ALL TEAM 1 MEMBERS
· Provide an overview of the life cycle of a cyberthreat.
· Identify the stage of the cyberthreat life cycle where you would observe different threat behaviors. (The SAR includes ways to defend and protect against the threat. The AAR looks at and evaluates what was done for your specific incident.)
· Propose an analytical method in which you can detect the threat, identify the threat, and perform threat response and recovery. (The AAR looks at and evaluates what was done for your specific incident.)
· What specific threat behaviors were observed in each part of the life cycle in your incident?
· What was in place or missing to defend and protect against the threat in each part?
· What methods were used to detect the threat, identify the threat, and perform threat response and recovery in each part? How successful were they? What was deficient?
7.0 EXPLOITATION METHODS (HOMELAND SECURITY) – TYLER TWADDELL
[Use the US-CERT and similar resources to discuss the vulnerabilities and exploits that might have been used by the attackers in your incident.] Provide a definition and an overview of exploitation.
Example Threats and Exploits
· List and summarize real current threats and exploits to web applications. What may have been used in your specific event?
· Discuss how you would apply these findings to the financial sector. (Your AAR should report whether and how well any were applied to your specific event.)
Example Vulnerabilities
· List and summarize vulnerabilities of web financial services applications. Which may have been present in your specific event?
· Discuss how you would apply these findings. (Your AAR should report whether and how well any were applied to your specific event.)
Countermeasures
(Identify remediation approaches for the threats and vulnerabilities. Remember that there are multiple methods of addressing any one threat or vulnerability. You can point these out now. By the time you get to your recommendations you should select which method and justify why.)
· What responses and risk mitigation steps should be taken if an entity suffers the same types of attacks as in your incident? Which were taken in your specific event? (The AAR would have and assess the responses and risk mitigation steps taken in your event.)
· What security tools might be used in each of these measures? What was used in your specific event? (The AAR would have and assess the tools used in your event.)
8.0 HOMELAND SECURITY RISK AND IMPACT – ALL TEAM 1 MEMBERS
(Identify risks created by threats exploiting vulnerabilities. Real current examples, including in your incident, would be excellent to include.)
· Provide the risks and impacts to an entity suffering the same types of attacks as in your incident.
· Provide a risk-threat matrix and a current state snapshot of the risk profile of the financial services sector. Include current threats, current vulnerabilities, current risks and potential impact. (Your AAR would have a risk-threat matrix and the security posture snapshot for the incident in which the financial institution or part of the financial services CI was attacked.)
9.0 RECOMMENDATIONS – ALL TEAM 1 MEMBERS
[What are your recommendations to the White House Cyber National security staff regarding the Financial Services Sector current situation and potential mitigation and prevention measures and tools which address the threats and vulnerabilities? Use of a table with discussion of key aspects is effective. You’ll reserve specific recommendations to the Financial Services Sector, for your specific event, for inclusion in the AAR.]
10.0 SUMMARY OF REFERENCES – ALL TEAM 1 MEMBERS
Threat Analysis and Exploitation
By Jeremy McGary, Charlotte Olaniyi, Marcelina Swan, Tyler Twaddell
Team 1 Project 3 Presentation
CST 610 Cyberspace and Cybersecurity Foundations
University of Maryland Global Campus
Professor Dr. Steven Richman
March 14, 2023
Threat Analysis and Exploitation
Jeremy McGary
Charlotte Olaniyi
Marcelina Swan
Tyler Twaddell
After Action Report (AAR)
Company name: CST 610 Team 1
Industry Sector: Financial Institution
Period of Assessment: 1 February – 14 March 2023
Project 3
CST 610: Cyberspace and Cybersecurity Foundations
MARCH 14, 2023
University of Maryland Global Campus (UMGC) Professor Dr. Steven Richman
Table of Contents
1.0 BACKGROUND
1.1 Purpose
2.0 FINANCIAL SECTOR – JEREMY MCGARY
2.1 The Financial Services Threat
2.2 Financial Services Critical Infrastructure (CI)
2.3 Scope Covered In The After Action Report
3.0 ASSESSING SUSPICIOUS ACTIVITY IN THE SPECIFIC EVENTS – ALL TEAM 1 MEMBERS
4.0 LAW ENFORCEMENT – MARCELINA SWAN
5.0 THE INTELLIGENCE COMMUNITY – CHARLOTTE OLANIYI
5.1 Threat Actor Definition and Rationale
5.2 Tools, Techniques and Procedures Used By The Threat Actors
5.3 Threat Actors Lessons Learned
5.4 The Intelligence Community Recommendations
6.0 THE INTELLIGENCE COMMUNITY CYBERTHREAT LIFECYCLE – ALL TEAM 1 MEMBERS
7.0 EXPLOITATION METHODS (HOMELAND SECURITY) – TYLER TWADDELL
7.1 Threats and Exploits In The Incident
7.2 Vulnerabilities In The Incident
7.3 Countermeasures Taken In The Incident
7.4 Exploitation Methods Lessons Learned
7.5 Homeland Security Recommendations
8.0 HOMELAND SECURITY RISK AND IMPACT – ALL TEAM 1 MEMBERS
9.0 SUMMARY OF RECOMMENDATIONS – ALL TEAM 1 MEMBERS
10.0 SUMMARY OF REFERENCES – ALL TEAM 1 MEMBERS
1.0 BACKGROUND
According to our Project 3 assignment, the U.S. financial network was subjected to Distributed Denial of Service (DDoS) attacks, web defacements, sensitive data exfiltration and other attack vectors typical of nation-state actor(s). The Team 1 collaborative efforts have found:
· The financial services sector discovered the network breach and the cyber-attacks.
· The law enforcement sector provided additional evidence of network attacks found using network defense tools.
· The intelligence agency identified the nation state actor from numerous public and government provided threat intelligence reports.
· The Department of Homeland Security provided the risk, response, and recovery actions taken as a result of this cyber threat.
Purpose
Our goal, according to our Project 3 assignment, is to provide education and security awareness to the financial services sector about the threats, vulnerabilities, risks, and the risk mitigation and remediation procedures to be implemented to maintain a robust security posture, and to take the lessons learned from this cyber incident and share that knowledge with the rest of the cyber threat analysis community, using:
· Data and resources brought by each Team 1 representative.
· Test results from any prior lab testing done which is relevant to the financial institution. For example, leveraging network security skills by using past port scans, network scanning tools, and analyzing Wireshark files to assess any suspicious network activity and network vulnerabilities.
2.0 FINANCIAL SECTOR – JEREMY MCGARY
The Financial Services Threat
[Select and describe a specific, real, recent attack/network breach, “The Threat,” on a target financial institution or part of the financial services Critical Infrastructure (CI). The attack(s) could include distributed denial-of-service (DDOS) attacks, web defacements, sensitive data exfiltration, and/or other attack vectors typical of a nation-state actor per the given scenario in “Start.” This is your starting point and reason driving the Security Assessment Report (SAR) and is the specific focus of the After Action Report (AAR).]
· Describe the specific threat and impact on the specific financial institution or part of the financial services CI.
· Then describe the impact that the threat would generally have on the financial services sector.
· Provide relevant submissions from the Information Sharing Analysis Council related to the financial sector.
Financial Services Critical Infrastructure (CI)
· General Description of Financial Services Critical Infrastructure (CI) (include diagrams). Where or how does the target financial institution or part of the financial services CI fit into this?
· The importance and impact of Industrial Control Systems on the financial services CI.
· Other CIs which may be affected by attacks on the financial services CI (include diagrams)
Scope Covered In The After Action Report
· Include Why?
3.0 ASSESSING SUSPICIOUS ACTIVITY IN THE SPECIFIC EVENTS – ALL TEAM 1 MEMBERS
· What were the critical information systems in the specific financial institution or part of the financial services Critical Infrastructure (CI) in your incident/event(s)?
· What cyberthreats and vulnerabilities were involved?
· What port scanning, network scanning and traffic analysis tools and data were used to assess the suspicious network activity and network vulnerabilities? How were they used? (Use your lab experiences and lab data from your 600 and 610 courses to identify the tools and methods here and actual data throughout the report.)
4.0 LAW ENFORCEMENT – MARCELINA SWAN
· Describe the impact, if any, that the specific event(s) had on the law enforcement sector.
· How might this be mitigated or prevented?
5.0 THE INTELLIGENCE COMMUNITY – CHARLOTTE OLANIYI
[Identify the nation-state actors involved in the specific event(s) and explain the different threat vectors they used.]
Threat Actor Definition and Rationale
· What nation-state or other threat actors were involved in the incident?
· What were their reasons for attacking the U.S. and its financial services institution or CI in the incident?
Tools, Techniques and Procedures Used By The Threat Actors
· What threat vectors did the cyber actors use in your specific event(s)?
· What cyber tools, techniques, and procedures did the nation state actors use in your specific event?
· What social engineering attacks may have been used in your specific event(s)?
Threat Actors Lessons Learned
· What was learned from successful attacks by the threat actors in your specific event(s)?
· What was learned from attacks by the threat actors that were successfully stopped in your specific event(s)?
The Intelligence Community Recommendations
[Remember that there may be multiple methods of addressing any one threat actor, or of addressing that actor in different parts of the lifecycle. You should point these out, select which method you recommend and justify why.]
6.0 THE INTELLIGENCE COMMUNITY CYBERTHREAT LIFECYCLE – ALL TEAM 1 MEMBERS
· Provide an overview of the life cycle of the specific cyberthreats in your incident.
· What specific threat behaviors were observed in each part?
· What was in place or missing to defend and protect against the threat in each part?
· What methods were used to detect the threat, identify the threat, and perform threat response and recovery in each part? How successful were they? What was deficient?
7.0 EXPLOITATION METHODS (HOMELAND SECURITY) – TYLER TWADDELL
[Use the US-CERT and similar resources to discuss the vulnerabilities and exploits that might have been used by the attackers in your incident.]
Threats and Exploits In The Incident
· What threats and exploits to web applications were used in your specific event(s)?
· How successful were the potential exploits in your specific event?
Vulnerabilities In The Incident
· What web financial services application vulnerabilities were present in your specific event?
· How well were other potential web financial services application vulnerabilities addressed to secure the financial institution or financial services CI in your specific event?
Countermeasures Taken In The Incident
· What responses and risk mitigation steps were taken in your specific event? Include your assessment of those responses and risk mitigation steps. What was missing and what should be changed for the future?
· What security tools were used in your specific event? What was missing and what should be changed for the future?
Exploitation Methods Lessons Learned
· What was learned from successful exploitation of the financial institution or part of the financial services CI in your specific event(s)?
Homeland Security Recommendations
[Remember that there may be multiple methods of addressing any one exploit. You should point these out, select which method(s) you recommend and justify why.]
8.0 HOMELAND SECURITY RISK AND IMPACT – ALL TEAM 1 MEMBERS
(Identify risks created by threats exploiting vulnerabilities in your incident.)
· Provide the risks and impacts to the financial institution or financial services CI in your specific event.
· Provide a risk-threat matrix and the security posture snapshot for the incident in which the financial institution or part of the financial services CI was attacked.
9.0 SUMMARY OF RECOMMENDATIONS – ALL TEAM 1 MEMBERS
[What are your specific recommendations to the Financial Sector regarding the specific event(s), mitigation and prevention measures, and tools which should be used to address the future threats and vulnerabilities as in the incident? Base these on risk and impact, as well as the resources and time required to implement. Use of a table with discussion of key aspects can be effective.]
10.0 SUMMARY OF REFERENCES – ALL TEAM 1 MEMBERS
Project 3 – After Action Report (AAR)
CST 610: Cyberspace and Cybersecurity Foundations
[Your Name]
[date]
Professor Steven H Richman – Section 9044
University of Maryland University College
AFTER ACTION REPORT (AAR)
Financial Sector
[Period of Assessment]
[Report Date]
[Note: The purpose of an After Action Report (AAR) is to analyze the management or response (i.e., security controls) to an incident, training exercise or event by identifying strengths to be retained and possibly enhanced, as well as identifying potential areas of response that may have been lacking. Parts of the AAR will normally contain material found in the Security Assessment Report (SAR). Both cover the incident. The SAR is directed to the White House Cyber National security staff and is a broader assessment of security in the financial sector and the critical infrastructure, the need for which may have been brought on by a specific incident. The AAR is directed to the Financial Services sector with a focus on what worked well and needs improvement, if another such specific incident were to occur. Feel free to use your SAR and AAR material interchangeably, as is or modified.]
1. BACKGROUND
1.1 The Financial Services Threat – Jeremy McGary
[Select and describe a specific, real, recent attack/network breach, “The Threat,” on a target financial institution or part of the financial services Critical Infrastructure (CI). The attack(s) could include distributed denial-of-service (DDOS) attacks, web defacements, sensitive data exfiltration, and/or other attack vectors typical of a nation-state actor per the given scenario in “Start.” This is your starting point and reason driving the Security Assessment Report (SAR) and is the specific focus of the After Action Report (AAR).]
1. Describe the specific threat and impact on the specific financial institution or part of the financial services CI.
2. Then describe the impact that the threat would generally have on the financial services sector.
3. Provide relevant submissions from the Information Sharing Analysis Council related to the financial sector.
1.2 Financial Services Critical Infrastructure (Step 3)
1. General Description of Financial Services Critical Infrastructure (CI) (include diagrams). Where or how does the target financial institution or part of the financial services CI fit into this?
2. The importance and impact of Industrial Control Systems on the financial services CI.
3. Other CIs which may be affected by attacks on the financial services CI (include diagrams).
1.3 Scope Covered in the After Action Report (include why)
2. ASSESSING SUSPICIOUS ACTIVITY IN THE SPECIFIC EVENT(S) (Step 2) – All Team Members
1. What were the critical information systems in the specific financial institution or part of the financial services Critical Infrastructure (CI) in your incident/event(s)?
2. What cyberthreats and vulnerabilities were involved?
3. What port scanning, network scanning and traffic analysis tools and data were used to assess the suspicious network activity and network vulnerabilities? How were they used? (Use your lab experiences and lab data from your 600 and 610 courses to identify the tools and methods here and actual data throughout the report.)
3. LAW ENFORCEMENT (Step 4) – Marcy Swan
1. Describe the impact, if any, that the specific event(s) had on the law enforcement sector.
2. How might this be mitigated or prevented?
4. THE INTELLIGENCE COMMUNITY (Step 5) – Charlotte Olaniyi
[Identify the nation-state actors involved in the specific event(s) and explain the different threat vectors they used.]
4.1 Threat Actor Identification and Rationale
1. What nation-state or other threat actors were involved in the incident?
2. What were their reasons for attacking the U.S. and its financial services institution or CI in the incident?
4.2 Cyberthreat Lifecycle – All Team Members
1. Provide an overview of the life cycle of the specific cyberthreats in your incident.
2. What specific threat behaviors were observed in each part?
3. What was in place or missing to defend and protect against the threat in each part?
4. What methods were used to detect the threat, identify the threat, and perform threat response and recovery in each part? How successful were they? What was deficient?
4.3 Tools, Techniques and Procedures Used by the Threat Actors
1. What threat vectors did the cyber actors use in your specific event(s)?
2. What cyber tools, techniques, and procedures did the nation state actors use in your specific event?
3. What social engineering attacks may have been used in your specific event(s)?
4.4 Threat Actors Lessons Learned
1. What was learned from successful attacks by the threat actors in your specific event(s)?
2. What was learned from attacks by the threat actors that were successfully stopped in your specific event(s)?
4.5 Recommendations
[Remember that there may be multiple methods of addressing any one threat actor, or of addressing that actor in different parts of the lifecycle. You should point these out, select which method you recommend and justify why.]
5. EXPLOITATION METHODS (HOMELAND SECURITY) (Step 6) – Tyler Twaddell
[Use the US-CERT and similar resources to discuss the vulnerabilities and exploits that might have been used by the attackers in your incident.]
5.1 Threats and Exploits in the Incident
1. What threats and exploits to web applications were used in your specific event(s)?
2. How successful were the potential exploits in your specific event?
5.2 Vulnerabilities in the Incident
1. What web financial services application vulnerabilities were present in your specific event?
2. How well were other potential web financial services application vulnerabilities addressed to secure the financial institution or financial services CI in your specific event?
5.3 Risks and Impact – All Team Members
(Identify risks created by threats exploiting vulnerabilities in your incident.)
1. Provide the risks and impacts to the financial institution or financial services CI in your specific event.
2. Provide a risk-threat matrix and the security posture snapshot for the incident in which the financial institution or part of the financial services CI was attacked.
5.4 Countermeasures Taken in the Incident
1. What responses and risk mitigation steps were taken in your specific event? Include your assessment of those responses and risk mitigation steps. What was missing and what should be changed for the future?
2. What security tools were used in your specific event? What was missing and what should be changed for the future?
5.5 Exploitation Methods Lessons Learned
1. What was learned from successful exploitation of the financial institution or part of the financial services CI in your specific event(s)?
5.6 Recommendations
[Remember that there may be multiple methods of addressing any one exploit. You should point these out, select which method(s) you recommend and justify why.]
6. SUMMARY OF RECOMMENDATIONS – All Team Members
[What are your specific recommendations to the Financial Sector regarding the specific event(s), mitigation and prevention measures, and tools which should be used to address the future threats and vulnerabilities as in the incident? Base these on risk and impact, as well as the resources and time required to implement. Use of a table with discussion of key aspects can be effective.]
7.
SUMMARY OF REFERENCES – All Team Members
[Provide your summary list of references using proper APA format. (Remember: You must also use in-line citations with proper APA format throughout the report.)]
Project 3 – Security Assessment Report (SAR)
CST 610: Cyberspace and Cybersecurity Foundations
[Your Name]
[date]
Professor Steven H Richman – Section 9044
University of Maryland University College
SECURITY ASSESSMENT REPORT
Financial Sector
[Period of Assessment]
[Report Date]
[Note: The purpose of an After Action Report (AAR) is to analyze the management or response (i.e., security controls) to an incident, training exercise or event by identifying strengths to be retained and possibly enhanced, as well as identifying potential areas of response that may have been lacking. Parts of the AAR will normally contain material found in the Security Assessment Report (SAR). Both cover the incident. The SAR is directed to the White House Cyber National security staff and is a broader assessment of security in the financial sector and the critical infrastructure, the need for which may have been brought on by a specific incident. The AAR is directed to the Financial Services sector with a focus on what worked well and needs improvement, if another such specific incident were to occur. Feel free to use your SAR and AAR material interchangeably, as is or modified.]
1. BACKGROUND
1.1 The Financial Services Threat – Jeremy McGary
[Select and describe a specific, real, recent attack/network breach, “The Threat,” on a target financial institution or part of the financial services Critical Infrastructure (CI). The attack(s) could include distributed denial-of-service (DDOS) attacks, web defacements, sensitive data exfiltration, and/or other attack vectors typical of a nation-state actor per the given scenario in “Start.” This is your starting point and reason driving the Security Assessment Report (SAR) and is the specific focus of the After Action Report (AAR).]
1. Describe the specific threat and impact on the specific financial institution or part of the financial services CI.
2. Then describe the impact that the threat would generally have on the financial services sector.
3. Provide relevant submissions from the Information Sharing Analysis Council related to the financial sector.
1.2 Financial Services Critical Infrastructure (Step 3)
1. General Description of Financial Services Critical Infrastructure (CI) (include diagrams). Where or how does the target financial institution or part of the financial services CI fit into this?
2. The importance and impact of Industrial Control Systems on the financial services CI.
3. Other CIs which may be affected by attacks on the financial services CI (include diagrams).
1.3 Scope Covered in Security Assessment Report (include why)
2. ASSESSING SUSPICIOUS ACTIVITY IN THE CRITICAL INFRASTRUCTURE (Step 2) – All Team Members
1. What are critical information systems in the U.S. CI? Which are predominant in the financial sector?
2. What cyberthreats and vulnerabilities are facing the U.S. critical infrastructure? Which are particularly significant in the financial sector?
3. What port scanning, network scanning and traffic analysis tools and data are available to assess any suspicious network activity and network vulnerabilities? How would they be used? (Use your lab experiences and lab data from your 600 and 610 courses to identify the tools and methods here and actual data throughout the report.)
3. LAW ENFORCEMENT (Step 4) – Marcy Swan
1. Describe the impact that the specific threat and other threats could have on the law enforcement sector.
2. How did this specific attack affect the law enforcement sector?
3. How might these be mitigated or prevented?
4. THE INTELLIGENCE COMMUNITY (Step 5) – Charlotte Olaniyi
[Provide an overview of the life cycle of a cyberthreat. Explain the different threat vectors that cyber actors use and provide a possible list of nation-state actors that have targeted the U.S. financial services industry before.]
4.1 Threat Actor Definition and Rationale
1. What is a threat actor?
2. What are the reasons why threat actors would attack the U.S. and its financial services CI? Provide real current examples which support these reasons.
3. Provide a possible list of nation-state actors that have targeted the U.S. financial services industry before. What has each done that supports the reasons given?
4. What nation-state or other threat actors were involved in the incident?
5. What were their reasons for attacking the U.S. and its financial services institution or CI in the incident?
4.2 Cyberthreat Lifecycle – All Team Members
1. Provide an overview of the life cycle of a cyberthreat.
2. Identify the stage of the cyberthreat life cycle where you would observe different threat behaviors. (The SAR includes ways to defend and protect against the threat. The AAR looks at and evaluates what was done for your specific incident.)
3. Propose an analytical method in which you can detect the threat, identify the threat, and perform threat response and recovery. (The AAR looks at and evaluates what was done for your specific incident.)
4. What specific threat behaviors were observed in each part of the life cycle in your incident?
5. What was in place or missing to defend and protect against the threat in each part?
6. What methods were used to detect the threat, identify the threat, and perform threat response and recovery in each part? How successful were they? What was deficient?
4.3 Tools, Techniques and Procedures (What is used by threats to attack? Real current examples would be excellent to include.)
[Provide intelligence on the nation-state actor and the actor’s cyber tools, techniques, and procedures, using available threat reporting such as from FireEye, Mandiant, and other companies and government entities that provide intelligence reports.]
1. Explain the different threat vectors that cyber actors use. What was used in your specific event?
2. Explain cyber tools, techniques, and procedures used by nation state actors on the critical infrastructure. What was used in your specific event?
3. List example social engineering attacks used by threats against U.S. (Real current examples would be excellent to include.) What was used in your specific event?
6. EXPLOITATION METHODS (HOMELAND SECURITY) (Step 6) – Tyler Twaddell
[Use the US-CERT and similar resources to discuss the vulnerabilities and exploits that might have been used by the attackers in your incident.]
1. Provide a definition and an overview of exploitation.
6.1 Example Threats and Exploits
1. List and summarize real current threats and exploits to web applications. What may have been used in your specific event?
2. Discuss how you would apply these findings to the financial sector. (Your AAR should report whether and how well any were applied to your specific event.)
6.2 Example Vulnerabilities
1. List and summarize vulnerabilities of web financial services applications. Which may have been present in your specific event?
2. Discuss how you would apply these findings. (Your AAR should report whether and how well any were applied to your specific event.)
6.3 Risks and Impact – All Team Members
(Identify risks created by threats exploiting vulnerabilities. Real current examples, including in your incident, would be excellent to include.)
1. Provide the risks and impacts to an entity suffering the same types of attacks as in your incident.
2. Provide a risk-threat matrix and a current state snapshot of the risk profile of the financial services sector. Include current threats, current vulnerabilities, current risks and potential impact. (Your AAR would have a risk-threat matrix and the security posture snapshot for the incident in which the financial institution or part of the financial services CI was attacked.)
6.4 Countermeasures
(Identify remediation approaches for the threats and vulnerabilities. Remember that there are multiple methods of addressing any one threat or vulnerability. You can point these out now. By the time you get to your recommendations you should select which method and justify why.)
1. What responses and risk mitigation steps should be taken if an entity suffers the same types of attacks as in your incident? Which were taken in your specific event? (The AAR would have and assess the responses and risk mitigation steps taken in your event.)
2. What security tools might be used in each of these measures? What was used in your specific event? (The AAR would have and assess the tools used in your event.)
7. RECOMMENDATIONS – All Team Members
[What are your recommendations to the White House Cyber National security staff regarding the Financial Services Sector current situation and potential mitigation and prevention measures and tools which address the threats and vulnerabilities? Use of a table with discussion of key aspects is effective. You’ll reserve specific recommendations to the Financial Services Sector, for your specific event, for inclusion in the AAR.]
8. SUMMARY OF REFERENCES – All Team Members
[Provide your summary list of references using proper APA format. (Remember: You must also use in-line citations with proper APA format throughout the report.)]