Threat Analysis and Exploitation


Running Head: Security Assessment Report (SAR)


Threat Analysis and Exploitation

Jeremy McGary

Charlotte Olaniyi

Marcelina Swan

Tyler Twaddell

SECURITY ASSESSMENT REPORT (SAR)

Company name: CST 610 Team 1

Industry Sector: Financial Institution

Period of Assessment: 1 February – 14 March 2023

Project 3

CST 610: Cyberspace and Cybersecurity Foundations

MARCH 14, 2023

University of Maryland Global Campus (UMGC)

Professor Dr. Steven Richman

Table of Contents

1.0 BACKGROUND 4

1.1 Purpose 4

2.0 FINANCIAL SECTOR – JEREMY MCGARY 5

2.1 The Financial Services Threat 5

2.2 Financial Services Critical Infrastructure (CI) 5

2.3 Scope Covered In Security Assessment Report 5

3.0 FINANCIAL SECTOR ASSESSING SUSPICIOUS ACTIVITY IN THE CRITICAL INFRASTRUCTURE – ALL TEAM 1 MEMBERS 5

4.0 LAW ENFORCEMENT – MARCELINA SWAN 6

5.0 THE INTELLIGENCE COMMUNITY – CHARLOTTE OLANIYI 6

5.1 Threat Actor Definition and Rationale 6

5.2 Tools, Techniques and Procedures 6

6.0 THE INTELLIGENCE COMMUNITY CYBERTHREAT LIFECYCLE – ALL TEAM 1 MEMBERS 6

7.0 EXPLOITATION METHODS (HOMELAND SECURITY) – TYLER TWADDELL 6

7.1 Example Threats and Exploits 6

7.2 Example Vulnerabilities 6

7.3 Countermeasures 6

8.0 HOMELAND SECURITY RISK AND IMPACT – ALL TEAM 1 MEMBERS 7

9.0 RECOMMENDATIONS – ALL TEAM 1 MEMBERS 7

10.0 SUMMARY OF REFERENCES – ALL TEAM 1 MEMBERS 8

1.0 BACKGROUND

According to our Project 3 assignment, the U.S. financial network was subjected to Distributed Denial of Service (DDoS) attacks, web defacements, sensitive data exfiltration and other attack vectors typical of nation-state actor(s). The Team 1 collaborative efforts have found:

· The financial services sector discovered the network breach and the cyber-attacks.

· The law enforcement sector provided additional evidence of network attacks found using network defense tools.

· The intelligence agency identified the nation state actor from numerous public and government provided threat intelligence reports.

· The Department of Homeland Security provided the risk, response, and recovery actions taken as a result of this cyber threat.

Purpose

Our goal, according to our Project 3 assignment, is to provide education and security awareness to the financial services sector about the threats, vulnerabilities, risks, and the risk mitigation and remediation procedures that should be implemented to maintain a robust security posture. We also take the lessons learned from this cyber incident and share that knowledge with the rest of the cyber threat analysis community using:

· Data and resources brought by each Team 1 representative.

· Test results from any prior lab testing that is relevant to the financial institution. For example, leveraging network security skills by using past port scans, network scanning tools, and analysis of Wireshark capture files to assess any suspicious network activity and network vulnerabilities.

2.0 FINANCIAL SECTOR – JEREMY MCGARY

[Select and describe a specific, real, recent attack/network breach, “The Threat,” on a target financial institution or part of the financial services Critical Infrastructure (CI). The attack(s) could include distributed denial-of-service (DDOS) attacks, web defacements, sensitive data exfiltration, and/or other attack vectors typical of a nation-state actor per the given scenario in “Start.” This is your starting point and reason driving the Security Assessment Report (SAR) and is the specific focus of the After Action Report (AAR).]

The Financial Services Threat

· Describe the specific threat and impact on the specific financial institution or part of the financial services CI.

· Then describe the impact that the threat would generally have on the financial services sector.

· Provide relevant submissions from the Information Sharing Analysis Council related to the financial sector.

Financial Services Critical Infrastructure (CI)

· General Description of Financial Services Critical Infrastructure (CI) (include diagrams). Where or how does the target financial institution or part of the financial services CI fit into this?

· The importance and impact of Industrial Control Systems on the financial services CI.

· Other CIs which may be affected by attacks on the financial services CI (include diagrams)

Scope Covered In Security Assessment Report

· Explain why this scope was chosen.

3.0 FINANCIAL SECTOR ASSESSING SUSPICIOUS ACTIVITY IN THE CRITICAL INFRASTRUCTURE – ALL TEAM 1 MEMBERS

· What are critical information systems in the U.S. CI? Which are predominant in the financial sector?

· What cyberthreats and vulnerabilities are facing the U.S. critical infrastructure? Which are particularly significant in the financial sector?

· What port scanning, network scanning and traffic analysis tools and data are available to assess any suspicious network activity and network vulnerabilities? How would they be used? (Use your lab experiences and lab data from your 600 and 610 courses to identify the tools and methods here, and actual data throughout the report.)

4.0 LAW ENFORCEMENT – MARCELINA SWAN

· Describe the impact that the specific threat and other threats could have on the law enforcement sector.

· How did this specific attack affect the law enforcement sector?

· How might these be mitigated or prevented?

5.0 THE INTELLIGENCE COMMUNITY – CHARLOTTE OLANIYI

[Provide an overview of the life cycle of a cyberthreat. Explain the different threat vectors that cyber actors use and provide a possible list of nation-state actors that have targeted the U.S. financial services industry before.]

Threat Actor Definition and Rationale

· What is a threat actor?

· What are the reasons why threat actors would attack the U.S. and its financial services CI? Provide real current examples which support these reasons.

· Provide a possible list of nation-state actors that have targeted the U.S. financial services industry before. What has each done that supports the reasons given?

· What nation-state or other threat actors were involved in the incident?

· What were their reasons for attacking the U.S. and its financial services institution or CI in the incident?

Tools, Techniques and Procedures

(What is used by threats to attack? Real current examples would be excellent to include.) [Provide intelligence on the nation-state actor and the actor's cyber tools, techniques, and procedures, using available threat reporting such as from FireEye, Mandiant, and other companies and government entities that provide intelligence reports.]

· Explain the different threat vectors that cyber actors use. What was used in your specific event?

· Explain cyber tools, techniques, and procedures used by nation state actors on the critical infrastructure. What was used in your specific event?

· List example social engineering attacks used by threats against the U.S. (Real current examples would be excellent to include.) What was used in your specific event?

6.0 THE INTELLIGENCE COMMUNITY CYBERTHREAT LIFECYCLE – ALL TEAM 1 MEMBERS

· Provide an overview of the life cycle of a cyberthreat.

· Identify the stage of the cyberthreat life cycle where you would observe different threat behaviors. (The SAR includes ways to defend and protect against the threat. The AAR looks at and evaluates what was done for your specific incident.)

· Propose an analytical method in which you can detect the threat, identify the threat, and perform threat response and recovery. (The AAR looks at and evaluates what was done for your specific incident.)

· What specific threat behaviors were observed in each part of the life cycle in your incident?

· What was in place or missing to defend and protect against the threat in each part?

· What methods were used to detect the threat, identify the threat, and perform threat response and recovery in each part? How successful were they? What was deficient?

7.0 EXPLOITATION METHODS (HOMELAND SECURITY) – TYLER TWADDELL

[Use the US-CERT and similar resources to discuss the vulnerabilities and exploits that might have been used by the attackers in your incident.] Provide a definition and an overview of exploitation.

Example Threats and Exploits

· List and summarize real current threats and exploits to web applications. What may have been used in your specific event?

· Discuss how you would apply these findings to the financial sector. (Your AAR should report whether and how well any were applied to your specific event.)

Example Vulnerabilities

· List and summarize vulnerabilities of web financial services applications. Which may have been present in your specific event?

· Discuss how you would apply these findings. (Your AAR should report whether and how well any were applied to your specific event.)

Countermeasures

(Identify remediation approaches for the threats and vulnerabilities. Remember that there are multiple methods of addressing any one threat or vulnerability. You can point these out now. By the time you get to your recommendations you should select which method and justify why.)

· What responses and risk mitigation steps should be taken if an entity suffers the same types of attacks as in your incident? Which were taken in your specific event? (The AAR would have and assess the responses and risk mitigation steps taken in your event.)

· What security tools might be used in each of these measures? What was used in your specific event? (The AAR would have and assess the tools used in your event.)

8.0 HOMELAND SECURITY RISK AND IMPACT – ALL TEAM 1 MEMBERS

(Identify risks created by threats exploiting vulnerabilities. Real current examples, including in your incident, would be excellent to include.)

· Provide the risks and impacts to an entity suffering the same types of attacks as in your incident.

· Provide a risk-threat matrix and a current state snapshot of the risk profile of the financial services sector. Include current threats, current vulnerabilities, current risks and potential impact. (Your AAR would have a risk-threat matrix and the security posture snapshot for the incident in which the financial institution or part of the financial services CI was attacked.)

9.0 RECOMMENDATIONS – ALL TEAM 1 MEMBERS

[What are your recommendations to the White House Cyber National security staff regarding the Financial Services Sector current situation and potential mitigation and prevention measures and tools which address the threats and vulnerabilities? Use of a table with discussion of key aspects is effective. You’ll reserve specific recommendations to the Financial Services Sector, for your specific event, for inclusion in the AAR.]

10.0 SUMMARY OF REFERENCES – ALL TEAM 1 MEMBERS

· University of Maryland Global Campus (UMGC) (n.d.). Distributed Computing: In Depth. Retrieved from https://leocontent.umgc.edu/content/scor/uncurated/cst/2215-cst610/learning-resource-list/distributed-computing--in-depth.html

· University of Maryland Global Campus (UMGC) (n.d.). Operating System Fundamentals. Retrieved from https://leocontent.umgc.edu/content/scor/uncurated/cst/2215-cst610/learning-topic-list/operating-system-fundamentals.html