Threat Analysis and Exploitation
Project 3 – After Action Report (AAR)
CST 610: Cyberspace and Cybersecurity Foundations
[Your Name]
[date]
Professor Steven H Richman – Section 9044
University of Maryland University College
AFTER ACTION REPORT (AAR)
Financial Sector
[Period of Assessment]
[Report Date]
[Note: The purpose of an After Action Report (AAR) is to analyze the management or response (i.e., security controls) to an incident, training exercise or event by identifying strengths to be retained and possibly enhanced, as well as identifying potential areas of response that may have been lacking. Parts of the AAR will normally contain material found in the Security Assessment Report (SAR). Both cover the incident. The SAR is directed to the White House Cyber National security staff and is a broader assessment of security in the financial sector and the critical infrastructure, the need for which may have been brought on by a specific incident. The AAR is directed to the Financial Services sector with a focus on what worked well and what needs improvement, should another such specific incident occur. Feel free to use your SAR and AAR material interchangeably, as is or modified.]
1. BACKGROUND
1.1 The Financial Services Threat – Jeremy McGary
[Select and describe a specific, real, recent attack/network breach, “The Threat,” on a target financial institution or part of the financial services Critical Infrastructure (CI). The attack(s) could include distributed denial-of-service (DDOS) attacks, web defacements, sensitive data exfiltration, and/or other attack vectors typical of a nation-state actor per the given scenario in “Start.” This is your starting point and reason driving the Security Assessment Report (SAR) and is the specific focus of the After Action Report (AAR).]
1. Describe the specific threat and impact on the specific financial institution or part of the financial services CI.
2. Then describe the impact that the threat would generally have on the financial services sector.
3. Provide relevant submissions from the Information Sharing Analysis Council related to the financial sector.
1.2 Financial Services Critical Infrastructure (Step 3)
1. General Description of Financial Services Critical Infrastructure (CI) (include diagrams). Where or how does the target financial institution or part of the financial services CI fit into this?
2. The importance and impact of Industrial Control Systems on the financial services CI.
3. Other CIs which may be affected by attacks on the financial services CI (include diagrams).
1.3 Scope Covered in the After Action Report (include why)
2. ASSESSING SUSPICIOUS ACTIVITY IN THE SPECIFIC EVENT(S) (Step 2) – All Team Members
1. What were the critical information systems in the specific financial institution or part of the financial services Critical Infrastructure (CI) in your incident/event(s)?
2. What cyberthreats and vulnerabilities were involved?
3. What port scanning, network scanning and traffic analysis tools and data were used to assess the suspicious network activity and network vulnerabilities? How were they used? (Use your lab experiences and lab data from your 600 and 610 courses to identify the tools and methods here and actual data throughout the report.)
3. LAW ENFORCEMENT (Step 4) – Marcy Swan
1. Describe the impact, if any, that the specific event(s) had on the law enforcement sector.
2. How might this be mitigated or prevented?
4. THE INTELLIGENCE COMMUNITY (Step 5) – Charlotte Olaniyi
[Identify the nation-state actors involved in the specific event(s) and explain the different threat vectors they used.]
4.1 Threat Actor Identification and Rationale
1. What nation-state or other threat actors were involved in the incident?
2. What were their reasons for attacking the U.S. and its financial services institution or CI in the incident?
4.2 Cyberthreat Lifecycle – All Team Members
1. Provide an overview of the life cycle of the specific cyberthreats in your incident.
2. What specific threat behaviors were observed in each part?
3. What was in place or missing to defend and protect against the threat in each part?
4. What methods were used to detect the threat, identify the threat, and perform threat response and recovery in each part? How successful were they? What was deficient?
4.3 Tools, Techniques and Procedures Used by the Threat Actors
1. What threat vectors did the cyber actors use in your specific event(s)?
2. What cyber tools, techniques, and procedures did the nation state actors use in your specific event?
3. What social engineering attacks may have been used in your specific event(s)?
4.4 Threat Actors Lessons Learned
1. What was learned from successful attacks by the threat actors in your specific event(s)?
2. What was learned from attacks by the threat actors that were successfully stopped in your specific event(s)?
4.5 Recommendations
[Remember that there may be multiple methods of addressing any one threat actor or in different parts of the lifecycle. You should point these out, select which method you recommend, and justify why.]
5. EXPLOITATION METHODS (HOMELAND SECURITY) (Step 6) – Tyler Twaddell
[Use the US-CERT and similar resources to discuss the vulnerabilities and exploits that might have been used by the attackers in your incident.]
5.1 Threats and Exploits in the Incident
1. What threats and exploits to web applications were used in your specific event(s)?
2. How successful were the potential exploits in your specific event?
5.2 Vulnerabilities in the Incident
1. What web financial services application vulnerabilities were present in your specific event?
2. How well were other potential web financial services application vulnerabilities addressed to secure the financial institution or financial services CI in your specific event?
5.3 Risks and Impact - All Team Members
(Identify risks created by threats exploiting vulnerabilities in your incident.)
1. Provide the risks and impacts to the financial institution or financial services CI in your specific event.
2. Provide a risk-threat matrix and the security posture snapshot for the incident in which the financial institution or part of the financial services CI was attacked.
5.4 Countermeasures Taken in the Incident
1. What responses and risk mitigation steps were taken in your specific event? Include your assessment of those responses and risk mitigation steps. What was missing and what should be changed for the future?
2. What security tools were used in your specific event? What was missing and what should be changed for the future?
5.5 Exploitation Methods Lessons Learned
1. What was learned from successful exploitation of the financial institution or part of the financial services CI in your specific event(s)?
5.6 Recommendations
[Remember that there may be multiple methods of addressing any one exploit. You should point these out, select which method(s) you recommend and justify why.]
6. Summary of Recommendations – All Team Members
[What are your specific recommendations to the Financial Sector regarding the specific event(s), mitigation and prevention measures, and tools which should be used to address the future threats and vulnerabilities as in the incident? Base these on risk and impact, as well as the resources and time required to implement. Use of a table with discussion of key aspects can be effective.]
7. SUMMARY OF REFERENCES – All Team Members
[Provide your summary list of references using proper APA format. (Remember: You must also use in-line citations with proper APA format throughout the report.)]