Bowling Green State Lockdown Security Incident Report and Intelligence Briefing Paper
In Project 3, your team is focused on preventing future incursions into the network and developing a business continuity plan to be deployed in case a breach occurs. There are 14 steps to be completed by the team, with the project culminating in the production of a video and forensics report that summarizes the lessons learned from the recent network breach. This project should take 14 days to complete. After reading the scenario below, proceed to Step 1 where you will establish your team agreement plan.
Before the summit, each nation set up its own secure comms network. As summit events began, your team responded to anomalous network activity that was detected on your agency's server. Now, to make matters worse, the next day you awaken to the news that summit attendees are unable to get access to the confidential summit data needed for the conference. All of the computer screens show a pop-up message that says:

"Your Computer has been involved in Computer Fraud Activity!!! and has been locked down by the FBI and the Justice Department. Unless you pay the sum of $500 (FIVE HUNDRED DOLLARS)—in Bitcoin you will be arrested immediately! You have 48 hours to pay up via email - fines@fbi.gov."

Your CISO has called an emergency meeting with your team. She begins to speak to the group.

"We've just been hit with the Reveton ransom attack, which pretends to be a warning from a country's law enforcement agency. It locks you out of your PC and threatens criminal proceedings within 48 hours based upon very serious offenses. The message informs you that you can avoid prosecution by paying a fine to the attackers via Bitcoin. Based on the time of the incident, we believe that a single threat actor or group is responsible. This person or group is still unidentified."

The CISO continues to brief you on the attack, confirming that no further information is known about the file, permissions, or tools used. Currently, systems show no signs of infection or additional malicious indicators.

The attendees at the summit are divided on what should be done. Some of them want to pay the money—it's a small sum to be holding up the proceedings. However, cyber insiders know that once you pay a ransom, you set a precedent for further attacks since you appear vulnerable.

In addition, you want to know how the attackers were able to infiltrate the system and plant the malware. What current protections are in place for systems at the summit?
What methods and procedures is your team employing in response to the current attack? What is the plan if protections fall short? These are the questions pouring in from leadership, down to your CISO—and now, to you.

Your CISO continues: "I need your team to provide a series of reports that will track this incident from start to recovery. Risk management briefings. Forensic reports. Situational reports. I need it all. They'll all come in handy when it's time to debrief our nation's leaders."

Competencies

Your work will be evaluated using the competencies listed below.

1.8: Create clear oral messages.
2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
6.4: Systems Life Cycle: Explain systems life cycle management concepts used to plan, develop, implement, operate, and maintain information systems.
5.3: Demonstrate the appropriate use of multiple digital forensic tools and techniques for imaging.
6.1: Knowledge of methods and procedures to protect information systems and data by ensuring their availability, authentication, confidentiality, and integrity.
7.1: Develop, implement, and maintain business continuity planning.

These are the parts of this project that I'm responsible for:

1. You've begun your response to the ransomware attack. Intelligence gathered from this investigation can be shared with the other nation teams so they can search through their systems to see if they have the same activity. As a team, you will now create documentation that can be used by others for threat information for investigations.

Using this situational report template, create your first situational report (SITREP #1) of the initial findings, and the steps that are going to occur with the identified indicators that were presented. This report will be given to the rest of the nation teams.
Describe the ransomware malicious activities such as file system alterations, services, IP addresses, and any other indicator that can be used by affected communities to search within their own networks.

The SITREP will be used for information sharing across nations/partner business operations. The SITREP should contain, but is not limited to, the following information:

- when the problem was first detected and by whom
- scope of the incident
- indicators of compromise (IP address, file hash, protocols, registry edits)
- how it was contained and eradicated

The findings will be used to supply a situation report to internal staff along with external agencies/nations that could be experiencing the same type of attack. This information will speed the process of the incident response team by narrowing the search for specific indicators, whether they are targeting individuals, vulnerabilities, or resources such as web servers, databases, or even phone lines. These reports also keep management apprised of what is occurring so leaders can continue to address questions.

When you have finished gathering the initial information and have compiled the document, your designated team member should submit SITREP #1 for review and feedback. SITREP #1 will be used in the intelligence briefing that you will develop in a later step.

In the meantime, a number of operations need to take place so you and your team members can understand the reasons behind the ransomware attack. Those operations will include several steps, including the creation of a business continuity plan (BCP), in which you will address supply chain risks and the software development life cycle. In a later step, you will conduct digital forensics exercises in the lab.

For now, we will begin the first parts of the BCP.
In the next step, you will examine software life cycle processes en route to creating a software development matrix—a key portion of the BCP and a component of the final forensic investigation report.

2. Meanwhile, as you and your team have been working on the various parts of the overall analysis of the systems as a result of the attack, the CISO has been notified by credible sources that malware has been located inside the network. The CISO has also received new intelligence regarding the ransomware attacker's demands. The attacker has raised the ransom from $500 to $5,000 in Bitcoin per nation state. Conference participants are split on whether to pay the ransom. You know that this decision requires an understanding of virtual currency and the financial implications of virtual currency. While leadership is contemplating options, the CISO needs to act quickly to facilitate operations recovery.

The CISO needs a report on findings and further indicators that can be shared with allies. The indicators can be found for each team in this malware indicator file. Based on the findings, the CISO would like your team to generate documentation regarding the defense mechanisms needed to stop this style of attack. This documentation will be your second situation report, or SITREP #2.

In one to two pages, SITREP #2 should describe threat information and any other information that fellow nations could use to speed their investigations. It will be used for information sharing across nations/partner business operations and will help incident response teams and operations centers narrow their search based on findings.
The report should include:

- when the problem was detected and by whom
- scope of the incident
- indicators of compromise (IP address, file hash, protocols, registry edits)
- how it was contained and eradicated
- user screen captures (e.g., error messages or dialog boxes)

Take the findings from all files, hashes, IP addresses, URLs, and any other indicators presented and investigate them using the following files provided to you:

- this curated list of malware analysis tools
- malware identification example
- situation report template

These findings will be used to determine what other evidence can be derived from the evidence provided in the form of indicators and possible files.

This data sharing checklist for submitting and sharing information is available for all to use as nations become confident sharing information with fellow countries at the summit. Review it to ensure that your nation is exercising best practices in information sharing. Providing too much information could pose a threat to the nation's cybersecurity posture. Your team's level of detail could be the difference between a benign incident and a catastrophic breach/mission-critical resource failure.

When you and the other team members have finished compiling the second situational report, the designated team member should submit SITREP #2 for review and feedback. Your SITREP #2 will be used in the intelligence briefing that you develop in a later step.

In the meantime, the team is going to work on digital forensics to help identify the sources of the attack. You'll work on a lab exercise in the next step.

3. Your nation's technical staff expects you to report on all summit events once you return to your nation's capital. The CISO has requested that each analyst work independently to create an Intelligence Debriefing for technical staff.
This debriefing is a comprehensive report and is comprised of your BCP, SITREP 1, and SITREP 2. Each team member should develop his or her own briefing and submit it independently. You may, however, use your team's discussion area to share your findings with your peers.

Refer to the CISO Deliverable Overview for a full list of requirements for the debriefing.

When you have completed your Intelligence Debriefing, submit it for feedback. The next step will be one of reflection, in which you will create a presentation on what you and your team members have learned from the ransomware attack and the mitigation and recovery activities that followed.