Cyber Security Cyberwarfare & Kill Chain Task 2

Anonymous
Asked: Feb 5th, 2019

Question Description

Thank you for finishing Task 1 ahead of time.
Here's Task 2

INTRODUCTION


Using the scenarios provided in each task, you will compose each of the three components of a cyberwarfare defense report. Your report should be formatted in Arial 12-point font and double spaced. The defense report in its entirety should be written for the Department of Defense (DoD) Chief Information Officer (CIO). The defense report has been broken into three tasks; each task should be submitted independently for scoring. For this task, you will write the mission assurance portion of the defense report.

SCENARIO


You are a cybersecurity analyst on a security team at Red Cell 637 Defense, a DoD contractor specializing in cyber operations and defensive strategies.

High-ranking federal government officials informed your team that recent intelligence shows an advanced persistent threat (APT) is looking at exploiting supply chain vulnerabilities against the computers that operate the Western Interconnection power grid. You are to assume that this APT originates from either a well-funded nation state or terrorist group. The APT has been able to probe and map the network over the course of several months. The officials have given your team access to classified intelligence indicating that the currently unidentified group may be planning to install malicious malware within the grid’s computer network that will disrupt power to eleven states.

Your team has been asked to work closely with the DoD, Department of Homeland Security (DHS), and other federal stakeholders to strengthen the security and safety of the power grid and its related computer information systems.

The federal agencies responsible for critical infrastructure protection want to ensure that the Western Interconnection power grid computer network has the strongest possible defense while ensuring continued operation. They formally request that your team analyze common vulnerabilities in SCADA networks such as the western power connection grid, and then apply the Cyber Kill Chain to determine how this adversary could have exploited the vulnerabilities to attack the network. In addition, you will utilize the NSA’s information assurance–based “Defense in Depth” strategy as it relates to the power grid’s computer networks to make recommendations for implementing stronger information assurance measures and actions. You will compose a report with graphics, detailing your recommendations for securing the network against future cyberattacks.


REQUIREMENTS


Your submission must be your original work. No more than a combined total of 30% of the submission and no more than a 10% match to any one individual source can be directly quoted or closely paraphrased from sources, even if cited correctly. An originality report is provided when you submit your task that can be used as a guide.

You must use the rubric to direct the creation of your submission because it provides detailed criteria that will be used to evaluate your work. Each requirement below may be evaluated by more than one rubric aspect. The rubric aspect titles may contain hyperlinks to relevant portions of the course.

A. ICS Vulnerabilities and Cyber Kill Chain

1. Summarize plausible active gathering, passive gathering, and active reconnaissance techniques that the adversary could have executed to gain intelligence on the target in the scenario.

2. Explain how the adversary could use the exploited intelligence to create a malicious payload, including plausible delivery methods of the payload to the target.

3. Describe the series of events that could occur during the exploitation and installation of a malicious payload, including where the payload could be delivered on the network to accomplish the adversary’s goals as described in the scenario.

4. Create a visual representation of channels through which an adversary could use tools to exploit a compromised network and create an “at will” entry point for sending and receiving information. Be sure to clearly indicate each component represented in your visual.

5. Describe how the adversary is likely collecting and exfiltrating information from the Western Interconnection power grid, including how that information could be used to successfully execute an attack.

B. “Defense in Depth” Recommendations

1. Recommend policies or procedures for information assurance specific to the facilities and personnel security that control and monitor access to facilities and critical infrastructures for the Western Interconnection power grid. Be sure to explain how each policy and procedure will raise information assurance levels.

2. Recommend policies or procedures for technology acquisition that the Western Interconnection power grid should use to detect and protect against cyberattacks. Be sure to explain how these policies or procedures will raise information assurance levels.

3. Recommend policies or procedures for sustaining the security posture of the Western Interconnection power grid on a day-to-day basis. Be sure to explain how these policies or procedures will raise information assurance levels.

C. Acknowledge sources, using APA-formatted in-text citations and references, for content that is quoted, paraphrased, or summarized.

RUBRIC


ARTICULATION OF RESPONSE (CLARITY, ORGANIZATION, MECHANICS):

NOT EVIDENT

Responses are unstructured or disjointed. Vocabulary and tone are unprofessional or distract from the topic. Responses contain pervasive errors in mechanics, usage, or grammar.

APPROACHING COMPETENCY

Responses are poorly organized or difficult to follow. Terminology is misused or ineffective. Responses contain errors in mechanics, usage, or grammar that cause confusion.

COMPETENT

Responses are organized and focus on the main ideas presented in the assessment. Word choice is pertinent and clearly conveys the intended meaning to the audience. Responses reflect attention to detail. Mechanics, usage, and grammar promote understanding and readability.

A. EVOLUTION OF CYBERWARFARE:

NOT EVIDENT

An evaluation is not provided, or the evaluation is not related to cyber-related capabilities.

APPROACHING COMPETENCY

The evaluation of the evolution of cyber-related capabilities and technologies in warfare since 1998 includes inaccurate information or is not supported with academic or scholarly research.

COMPETENT

The evaluation of the evolution of cyber-related capabilities and technologies in warfare since 1998 is accurate and uses academic or scholarly research to support evaluation findings.

B. CHARACTERISTICS OF AN APT:

NOT EVIDENT

An explanation is not provided, or the explanation does not address the characteristics of an APT.

APPROACHING COMPETENCY

The explanation addresses the characteristics of an APT but the information provided is inaccurate or does not include specific examples of the tradecraft commonly used to accomplish intended goals.

COMPETENT

The explanation accurately addresses the characteristics of an APT, including specific examples of the tradecraft commonly used to accomplish intended goals.

C. EFFECT OF THE INTERNET ON ATTACKS:

NOT EVIDENT

An explanation is not provided.

APPROACHING COMPETENCY

The explanation addresses how the characteristics of a current APT are different than threats or attacks attempted before the prevalence of the internet but the explanation contains inaccuracies, or the characteristics chosen do not reflect the period of time before the prevalence of the internet.

COMPETENT

The explanation accurately addresses how the characteristics of a current APT are different than threats or attacks attempted before the prevalence of the internet.

D. ATTACK ORIGINATION AND PERPETRATOR:

NOT EVIDENT

A description is not provided.

APPROACHING COMPETENCY

The description addresses where on the network the attack likely originated but the information provided is not correct, or examples that support claims are not provided or are not common vulnerabilities or exposures.

COMPETENT

The description accurately addresses where in the network the attack likely originated and provides examples of common vulnerabilities and exposures that support the claims.

E. PROFILE OF ATTACKER:

NOT EVIDENT

A created profile is not provided.

APPROACHING COMPETENCY

The created profile of the attacker is not plausible for the scenario or does not include research-based descriptions of the attacker’s probable resources and capabilities, as well as physical and logical access, or the information contains inaccuracies.

COMPETENT

The created profile of the attacker is plausible for the scenario and includes research-based descriptions of the attacker’s probable resources and capabilities, as well as physical and logical access.

F. APA SOURCES:

NOT EVIDENT

The submission does not provide in-text citations and references according to APA style.

APPROACHING COMPETENCY

The submission includes in-text citations and references but does not demonstrate a consistent application of APA style.

COMPETENT

The submission includes in-text citations and references and demonstrates a consistent application of APA style.


Unformatted Attachment Preview

CHAPTER 9
Defense-in-Depth Strategies

Like traditional warfare, cyberwarfare is fought both offensively and defensively. Defending against cyberattacks is a complex task because of the broad range of attackers, the number of potential targets, and the huge variety of ways in which attacks are conducted. When you factor in that people also create vulnerabilities that can be leveraged to attack computers and networks, cyberdefense can seem nearly impossible.

The adversaries that network and systems defenders face vary. Nation-states, corporations, insurrectionists, and hacktivists each have goals in cyberwarfare. They may choose different targets and different methods. They also bring different levels of capability. They might attack using targeted malware or massive brute-force network attacks. Or they might attack via subtler methods that leverage human factors in addition to technological means over weeks or months. If they succeed, they may quietly gather data; continue their attacks to gain greater access; or immediately use their access to damage systems, networks, or infrastructure.

In traditional information security operations, security professionals warn their employers that there is no way to be perfectly secure. If a system is usable and useful, it has the potential to be attacked—no matter how well defended the networks, systems, and other cyberassets are. Worse, organizations have a finite amount of resources to spend on cyberdefense, and cyberdefense can often only defend effectively against threats that are known and understood. With technology’s complexity and rate of progress, staying abreast of an organization’s defensive needs is a challenge. When you consider the potential to have far more attackers than defenders, and for those aggressors to have far greater resources than your own organization possesses, defense can feel like a losing battle.
Despite these challenges, you can use methods to effectively defend assets, to reduce the chances of compromise, to detect those attacks that do occur, and to provide a competent response. Computer network defense (CND) strategies attempt to first identify likely opponents, then to enumerate the threats and risks that an organization will face from those attackers. Once an organization has a good understanding of what it may face, it can design strategies to counter them using policies, procedures, technology, training, and a variety of other defensive options.

Since the creation of cyberwarfare as a concept, one of the key concepts for many CND strategies has been defense in depth. Defense in depth is the idea that defenses should have more than a single layer of protection between an attacker and the protected systems, data, or networks. Defense in depth in cyberwar is much like defense in depth in conventional military operations. It employs layers that use different methods to stop attackers so that a single attack or technology cannot succeed simply by penetrating a single system or layer of protection. In addition, it offers real advantages to those who are defending, as they can use simpler, easier-to-understand, and sometimes less-expensive defenses in each layer.

Network defense in depth often starts with a strong design that involves network security devices. These include firewalls, intrusion detection and prevention systems, antivirus, authentication, logging, response, and restoration capabilities. Network defense in depth can also include the policies, procedures, training, and knowledge of the staff who use and support computer networks and systems.

This chapter looks at how modern computer networks and systems implement defense in depth by using a variety of strategies and technologies. It explores U.S. Department of Defense and National Security Agency strategies and concepts, as well as civilian know-how regarding the way in which people, technology, and operations influence defense strategies. You’ll also learn where defense in depth can fail and why some experts have begun to claim that defense in depth is no longer the strong cyberwarfare defense strategy it once was.

Chapter 9 Topics

This chapter covers the following topics and concepts:
• What defense in depth is
• What the defense-in-depth strategies and concepts are
• Where and why defense in depth fails
• What the design elements of a modern defense-in-depth strategy are

Chapter 9 Goals

When you complete this chapter, you will be able to:
• Describe defense in depth and why it is important
• Explain common elements of defense-in-depth strategies
• Describe how and why defense in depth can fail
• Explain the concept of dynamic defense
• Describe common elements in a modern defense-in-depth design

Defense in Depth

From ancient Roman fortifications to medieval castles, the concept of providing defense in depth by layering protective capabilities has been in use for thousands of years. The earliest motte and bailey fortifications used by the Norman invaders in England in the eleventh century are recognizable as the predecessors of the mighty medieval castles you are probably familiar with. This design layered ditches, mounds of earth, and wooden palisades around a central multistory, defensible house (keep). The Normans ruled the recently conquered countryside from these very early castles. They relied on the multiple layers to keep them safe even if attackers successfully crossed the ditch and burned the palisade down.

Over the next 200 years, those early fortifications evolved as technology and strategies for attacking castles changed. Castles became increasingly more complex as attackers became more organized and the technologies used to attack them became more effective.
Stone replaced wood to avoid fire, and layers of defenses became deeper and stronger to combat larger, more organized armies. By the thirteenth century, concentric castles like those shown in Figure 9-1 had layers of stone walls, strong towers, and heavily fortified gatehouses with drawbridges, strong doors, strong internal gates that could divide invading groups, and a myriad of ways to attack enemies trapped inside. These concentric castles are a common sight when describing defense in depth because they so clearly show the layered defenses available to a medieval lord, and thus are a useful metaphor for how to layer modern defenses.

FIGURE 9-1 Concentric castles provided defense in depth using stone walls, moats, gates, and terrain features like hilltops and raised earthen mounds. Note the layered walls, strongpoints near entrances, and narrow pathway to the castle.

The weapons and strategies used in warfare have never stood still for long, and changes were already beginning to occur even as these mighty stone castles were being built. By the middle of the fifteenth century in Europe, cannons and gunpowder had begun to change the balance of power in warfare. Traditional castles, keeps, and city walls with their tall stone construction were particularly vulnerable to this new form of warfare. For example, a cannon-equipped army could reduce the mighty fortifications to rubble from a distance. Designers realized this, and they developed an updated castle design that specifically addressed the new world of cannon and siege warfare. They recognized that traditional defenses were no longer relevant, and that a new type of layered defense was necessary. Their fortification style, known as star forts (see Figure 9-2), changed how fortifications were designed and remained in use until the nineteenth century.
The constant change in both the weapons and technologies attackers use, and the ways in which defenders attempt to counter them, is the same challenge faced by information system defenders today. In fact, the experts assigned to defend modern computer networks and individual computers have often adopted similar strategies for the same reasons that fortress builders and defenders have throughout history: Enemies can often breach one layer of the defense. Layered defenses make it less likely that a single attack can completely compromise a network or system. They also allow for weaknesses and mistakes on the parts of both defenders and those who provide defenders’ software, hardware, and devices.

Modern defense-in-depth strategies still use layers, but the layers are no longer stone walls and ditches. Figure 9-3 shows the U.S. Computer Emergency Readiness Team’s recommended practice for defense in depth against vulnerabilities like a buffer overflow attack. Here, the strong outer layer relies on humans who are trained and know policies that will help prevent behaviors that allow attacks to succeed. Successive layers implement a combination of technologies, as well as human knowledge, to prevent and detect attacks.

FIGURE 9-2 Star forts like the Italian fort in Nicosia, Cyprus, marked a major change in defensive strategies due to technological change. Note the multiple layers of low angled walls to defeat cannon fire, the dry moat and ditches to prevent foot-soldier assaults, and the angled projections that allowed defenders to fire sideways at attackers.
FIGURE 9-3 The US-CERT’s defense-in-depth strategy for protecting individual systems (hosts) against a sample attack layers expert staff, firewalls, detection and monitoring, antivirus, and patching to prevent attacks. (Courtesy of Homeland Security. Diagram labels: Security Risk; Buffer Overflow Within Deployed Software; Security Policies and Procedures; Training and Staff Expertise; Network Layer; Effective Firewall Techniques; Secure Programming Techniques; Operational Layer; IDS; SIEM; Vulnerability Awareness; Host Layer; Updated Antivirus; Patched OS; Firmware Updates.)

FIGURE 9-4 The C-I-A triad shows the interaction between confidentiality, integrity, and availability when handling data and services.

The C-I-A Triad

The NSA uses a common information security conceptual model known as the C-I-A triad as part of its design. The C-I-A triad consists of confidentiality, integrity, and availability, as shown in Figure 9-4. It is often a key part of defense-in-depth designs, as well as throughout information security and cyberwarfare theory and practice. The components of the C-I-A triad are:
• Confidentiality ensures that information is not accessible or disclosed to unauthorized systems or individuals.
• Integrity ensures that information has not been modified by unauthorized users or systems, and remains accurate and consistent.
• Availability ensures the system, data, network, or service is available and can be used or accessed.

The NSA and other information security practitioners also commonly add authentication or authenticity, which is the ability to validate that the system or user is who he or she claims to be, and nonrepudiation, which means that the sender cannot claim not to have sent the data or messages received. Some sources refer to this as the A-I-C triad to distinguish it from the U.S. Central Intelligence Agency (CIA).
A buffer overflow attack attempts to overfill a memory location in a program. This causes the program or server to fail, or, in some cases, allows attackers to cause the system to run their program instead of the program it should be running.

Defense-in-Depth Strategies

Many groups and organizations have published defense-in-depth strategies. All have emphasized elements that are specific to their organizational goals, the technologies that they rely on, and the attackers and attack techniques they expect to face. The following sections examine publicly available defense-in-depth strategies from the U.S. National Security Agency (NSA), the NSA’s Information Assurance Division, and the Department of Defense. You’ll also examine how elements of the U.S. government’s defensive strategies and priorities mirror those of the SANS Critical Controls, a popular list of network security design considerations that the business world often uses in network security implementations.

The NSA People, Technology, and Operations Defense Strategy

The National Security Agency’s Information Assurance–based defense-in-depth strategy is based on the idea that people, technology, and operational security must be provided to ensure end-to-end defense. The NSA points to availability, confidentiality, integrity, authentication, and nonrepudiation services as key parts of the ability to protect against, detect, react to, and recover from attacks.

As with most high-level conceptual security designs, the NSA’s Information Assurance strategy model is typically explained with a simple diagram. (See Figure 9-5.) Note the emphasis on robust and integrated measures and actions. The NSA realizes the importance of a strong defensive design, with multiple supporting layers that cover both the individuals who use technology; the technology itself; and how the daily operations that support, monitor, and maintain them work.
Although the diagram looks simple, the underlying implementation can be quite complex, as you’ll see in looking at how these elements interact.

FIGURE 9-5 The NSA’s Information Assurance and defense-in-depth conceptual model combines people, technology, and operations into a defense-in-depth strategy in support of information assurance. (Source: National Security Agency. Diagram labels: Information Assurance; Defense-in-Depth Strategy; People; Technology; Operations; Robust and Integrated Set of Information Assurance Measures and Actions.)

People

The NSA’s people-based strategy relies on hiring talented staff, training and rewarding them, and penalizing unauthorized and unacceptable behavior. To do this, the NSA built a framework that includes policies and procedures, training and awareness, system administration, physical security, personnel security, and facilities countermeasures. Combining these elements provides depth by ensuring that (1) the staff knows the right thing to do based on policies and procedures, (2) they know how to do it because of their training, and (3) they are in an environment that helps to enforce those requirements with effective system administration and physical security. These elements also help ensure security through personnel security. To do this, they use background checks and other review of their staff, and then ensure that staff work facilities can provide appropriate levels of security, oversight, and separation.

Technology

The technology portion of the NSA’s recommendations focuses on how technology is designed, acquired, configured, managed, and maintained.
Technology focus areas emphasize the need to defend in multiple places at once, including:
• Defending the network and infrastructure
• Defending the enclave boundary
• Defending the computing environment
• Supporting infrastructure like key management, public key infrastructure (PKI), detection, and response

The NSA’s defense-in-depth strategy uses layered defenses that work together to ensure that the failure of one layer of protection will not expose the data, service, or system to attack. The NSA emphasizes the need for each layer of defense to create unique barriers to access, so that a single attack cannot bypass multiple layers simultaneously. It also focuses on the need to detect and respond when a breach of a defense layer occurs.

Key management and public key infrastructure are parts of an encryption strategy. Keys are the part of a cipher that is used with the algorithm to specify how the cipher’s encoding will transform the original unencrypted data. Public key infrastructure is the set of systems and software that make public key encryption work. PKI includes a certificate authority that issues and verifies certificates, registration authorities that verify whether the entity requesting a certificate is valid, directories of certificates, and the certificate-management system itself.

Operations

The operations leg of the three-part Information Assurance defense-in-depth strategy focuses on:
• Security policy
• Certification and accreditation
• Security management
• Key management
• Readiness assessments
• Attack sensing
• Warning
• Response
• Recovery and reconstitution

The Information Assurance Directorate (IAD) of the National Security Agency provides standards and a technical framework at https://www.iad.gov/iad/index.cfm. The Common Criteria Protection Profiles provide both configuration and testing certification information for systems, software, and other products tested to meet the Common Criteria.
The Common Criteria make up an international standard for computer security certification and testing. You can find them at http://www.commoncriteriaportal.org/pps/.

In essence, this is where the daily activities of the defense-in-depth strategy occur. Elements of this strategy include testing and validating configurations, systems, and software; ensuring that patching and updates occur; performing regular assessments; monitoring; and restoring normal functionality after a successful attack.

When taken together, the People, Technology, and Operations design philosophy reflects common practices for most mature information security operations. It should come as no surprise that the threats the NSA faces mirror those that are found elsewhere, even though the NSA may face them in the form of cyberwarfare activities.

The National Security Agency Information Assurance Directorate

In addition to the Information Assurance plan discussed previously, the National Security Agency’s Information Assurance Directorate (IAD) provides a brief, highly focused “Confidence in Cyberspace” guide intended to provide guidance on how to fight attacks throughout their life cycle. To do so, the IAD identifies four major goal areas:
• Device integrity helps to ensure that attackers have not modified or changed systems and devices. This includes ensuring that even difficult-to-detect attacks like those used by advanced persistent threats are not allowed to take over a device.
• Damage containment helps when a compromise or intrusion does occur. It has a goal of limiting the damage done from the loss or modification of data, retaining functionality, and ensuring that successful attacks don’t lead to further compromises or damage.
• Defense of accounts ensures that credentials are not exposed or misused.
• Secure and available transport allows data to be sent and ensures that it isn’t modified or accessed during transit.

These are obviously broad goal areas, and you can approach each of them in many ways. Given the scope of government activities and systems, nearly infinite combinations of threats and corresponding defenses exist. Thus, the IAD has defined a set of top strategies to fit these goals. They are:

3. Limit workstation-to-workstation communications by ensuring that workstations generally cannot monitor or send traffic to one another. This prevents attacks in which attackers compromise one workstation, and then use that workstation to compromise other workstations until they get the credentials or access they need to move up through the network.

4. Use antivirus (AV) file reputation services that use centralized antivirus company data to determine whether files and Web sites are malicious.

Th ...
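The workstation-to-workstation strategy listed above (item 3) can be checked against network flow records. The following is an added example, not part of the textbook excerpt or the assignment: a Python audit that lists allowed workstation-to-workstation connections and flags any workstation that reaches several peers. The workstation subnet, the record format, the sample flows and the fan-out threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the address range that holds user workstations in this example.
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed flow records, one per line: "src dst dst_port action".
SAMPLE_FLOWS = """\
10.20.1.15 10.10.0.5 445 ALLOW
10.20.1.15 10.20.1.22 445 ALLOW
10.20.1.15 10.20.1.23 445 ALLOW
10.20.1.15 10.20.2.40 3389 ALLOW
10.20.3.7 10.20.3.9 135 DENY
10.20.2.40 10.10.0.8 443 ALLOW
10.20.9.9 not-an-ip 445 ALLOW
bad line
"""


def is_workstation(addr):
    """True when addr falls inside one of the workstation subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in WORKSTATION_NETS)


def parse_flows(text):
    """Parse flow lines into (src, dst, port, action); skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, action = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue
        flows.append((src, dst, port, action.upper()))
    return flows


def audit(flows, fan_out_threshold=3):
    """Report allowed workstation-to-workstation flows and high fan-out sources.

    policy_gaps: flows the network permitted between two workstations, which
                 the strategy says should generally be blocked.
    fan_out_sources: workstations that reached at least fan_out_threshold
                 distinct workstation peers, worth reviewing first.
    """
    peers = defaultdict(set)
    policy_gaps = []
    for src, dst, port, action in flows:
        if src == dst or not (is_workstation(src) and is_workstation(dst)):
            continue
        if action == "ALLOW":
            policy_gaps.append((src, dst, port))
            peers[src].add(dst)
    fan_out = sorted(s for s, p in peers.items() if len(p) >= fan_out_threshold)
    return {"policy_gaps": policy_gaps, "fan_out_sources": fan_out}


if __name__ == "__main__":
    report = audit(parse_flows(SAMPLE_FLOWS))
    for src, dst, port in report["policy_gaps"]:
        print(f"allowed workstation-to-workstation flow: {src} -> {dst}:{port}")
    for src in report["fan_out_sources"]:
        print(f"review host with high workstation fan-out: {src}")
```

Denied flows are left out of `policy_gaps` because they show the control working; only permitted workstation-to-workstation traffic indicates a gap in segmentation.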