Threat Analysis and Exploitation


Project 3 - Security Assessment Report (SAR)

CST 610: Cyberspace and Cybersecurity Foundations

[Your Name]

[date]

Professor Steven H Richman – Section 9044

University of Maryland University College

SECURITY ASSESSMENT REPORT

Financial Sector

[Period of Assessment]

[Report Date]

[Note: The purpose of an After Action Report (AAR) is to analyze the management of or response (i.e., security controls) to an incident, training exercise or event by identifying strengths to be retained and possibly enhanced, as well as identifying areas of the response that may have been lacking. Parts of the AAR will normally contain material found in the Security Assessment Report (SAR). Both cover the incident. The SAR is directed to the White House Cyber National security staff and is a broader assessment of security in the financial sector and the critical infrastructure, the need for which may have been brought on by a specific incident. The AAR is directed to the Financial Services sector with a focus on what worked well and what needs improvement, should another such specific incident occur. Feel free to use your SAR and AAR material interchangeably, as is or modified.]

1. BACKGROUND

1.1 The Financial Services Threat – Jeremy McGary

[Select and describe a specific, real, recent attack/network breach, “The Threat,” on a target financial institution or part of the financial services Critical Infrastructure (CI). The attack(s) could include distributed denial-of-service (DDOS) attacks, web defacements, sensitive data exfiltration, and/or other attack vectors typical of a nation-state actor per the given scenario in “Start.” This is your starting point and reason driving the Security Assessment Report (SAR) and is the specific focus of the After Action Report (AAR).]

1. Describe the specific threat and impact on the specific financial institution or part of the financial services CI.

2. Then describe the impact that the threat would generally have on the financial services sector.

3. Provide relevant submissions from the Information Sharing Analysis Council related to the financial sector.

1.2 Financial Services Critical Infrastructure (Step 3)

1. General Description of Financial Services Critical Infrastructure (CI) (include diagrams). Where or how does the target financial institution or part of the financial services CI fit into this?

2. The importance and impact of Industrial Control Systems on the financial services CI.

3. Other CIs which may be affected by attacks on the financial services CI (include diagrams).

1.3 Scope Covered in Security Assessment Report (include why)

2. ASSESSING SUSPICIOUS ACTIVITY IN THE CRITICAL INFRASTRUCTURE (Step 2) – All Team Members

1. What are critical information systems in the U.S. CI? Which are predominant in the financial sector?

2. What cyberthreats and vulnerabilities are facing the U.S. critical infrastructure? Which are particularly significant in the financial sector?

3. What port scanning, network scanning and traffic analysis tools and data are available to assess suspicious network activity and network vulnerabilities? How would they be used? (Use your lab experiences and lab data from your 600 and 610 courses to identify the tools and methods here and actual data throughout the report.)

3. LAW ENFORCEMENT (Step 4) – Marcy Swan

1. Describe the impact that the specific threat and other threats could have on the law enforcement sector.

2. How did this specific attack affect the law enforcement sector?

3. How might these be mitigated or prevented?

4. THE INTELLIGENCE COMMUNITY (Step 5) – Charlotte Olaniyi

[Provide an overview of the life cycle of a cyberthreat. Explain the different threat vectors that cyber actors use and provide a possible list of nation-state actors that have targeted the U.S. financial services industry before.]

4.1 Threat Actor Definition and Rationale

1. What is a threat actor?

2. What are the reasons why threat actors would attack the U.S. and its financial services CI? Provide real current examples which support these reasons.

3. Provide a possible list of nation-state actors that have targeted the U.S. financial services industry before. What has each done that supports the reasons given?

4. What nation-state or other threat actors were involved in the incident?

5. What were their reasons for attacking the U.S. and its financial services institution or CI in the incident?

4.2 Cyberthreat Lifecycle – All Team Members

1. Provide an overview of the life cycle of a cyberthreat.

2. Identify the stage of the cyberthreat life cycle where you would observe different threat behaviors. (The SAR includes ways to defend and protect against the threat. The AAR looks at and evaluates what was done for your specific incident.)

3. Propose an analytical method in which you can detect the threat, identify the threat, and perform threat response and recovery. (The AAR looks at and evaluates what was done for your specific incident.)

4. What specific threat behaviors were observed in each part of the life cycle in your incident?

5. What was in place or missing to defend and protect against the threat in each part?

6. What methods were used to detect the threat, identify the threat, and perform threat response and recovery in each part? How successful were they? What was deficient?

4.3 Tools, Techniques and Procedures (What is used by threats to attack? Real current examples would be excellent to include.)

[Provide intelligence on the nation-state actor and the actor's cyber tools, techniques, and procedures, using available threat reporting such as from FireEye, Mandiant, and other companies and government entities that provide intelligence reports.]

1. Explain the different threat vectors that cyber actors use. What was used in your specific event?

2. Explain cyber tools, techniques, and procedures used by nation-state actors against the critical infrastructure. What was used in your specific event?

3. List example social engineering attacks used by threats against the U.S. (Real current examples would be excellent to include.) What was used in your specific event?

6. EXPLOITATION METHODS (HOMELAND SECURITY) (Step 6) – Tyler Twaddell

[Use the US-CERT and similar resources to discuss the vulnerabilities and exploits that might have been used by the attackers in your incident.]

1. Provide a definition and an overview of exploitation.

6.1 Example Threats and Exploits

1. List and summarize real current threats and exploits to web applications. What may have been used in your specific event?

2. Discuss how you would apply these findings to the financial sector. (Your AAR should report whether and how well any were applied to your specific event.)

6.2 Example Vulnerabilities

1. List and summarize vulnerabilities of web financial services applications. Which may have been present in your specific event?

2. Discuss how you would apply these findings. (Your AAR should report whether and how well any were applied to your specific event.)

6.3 Risks and Impact – All Team Members

(Identify risks created by threats exploiting vulnerabilities. Real current examples, including in your incident, would be excellent to include.)

1. Provide the risks and impacts to an entity suffering the same types of attacks as in your incident.

2. Provide a risk-threat matrix and a current state snapshot of the risk profile of the financial services sector. Include current threats, current vulnerabilities, current risks and potential impact. (Your AAR would have a risk-threat matrix and the security posture snapshot for the incident in which the financial institution or part of the financial services CI was attacked.)

6.4 Countermeasures

(Identify remediation approaches for the threats and vulnerabilities. Remember that there are multiple methods of addressing any one threat or vulnerability. You can point these out now. By the time you get to your recommendations you should select which method and justify why.)

1. What responses and risk mitigation steps should be taken if an entity suffers the same types of attacks as in your incident? Which were taken in your specific event? (The AAR would have and assess the responses and risk mitigation steps taken in your event.)

2. What security tools might be used in each of these measures? What was used in your specific event? (The AAR would have and assess the tools used in your event.)

7. RECOMMENDATIONS – All Team Members

[What are your recommendations to the White House Cyber National security staff regarding the Financial Services Sector's current situation and the potential mitigation and prevention measures and tools that address the threats and vulnerabilities? A table with discussion of key aspects is an effective format. You'll reserve specific recommendations to the Financial Services Sector, for your specific event, for inclusion in the AAR.]

8. SUMMARY OF REFERENCES – All Team Members

[Provide your summary list of references using proper APA format. (Remember: You must also use in-line citations with proper APA format throughout the report.)]
