CSIA 310: Cybersecurity Processes & Technologies
Lab Activity #2: Investigate Incident Detection and Analysis Tools
Purpose: Assess and Document Incident Detection & Analysis Tools for Windows 8.1 Workstations.
1. Assess and document the uses of the Windows 8.1 Windows Defender utility as part of the incident response process.
2. Assess and document the uses of the Microsoft Baseline Security Analyzer (MBSA) tool to detect and analyze software and configuration vulnerabilities in Windows 8.1 systems during the incident response process.
Overview:
There are many different types of tools which perform automated detection and analysis of known threats (Cichonski, Millar, Grance, & Scarfone, 2012). For this activity, we will focus upon assessing and documenting two such tools which can be used in the detection and analysis phase of the Incident Response Process (as defined in NIST SP 800-61r2).
First, we will examine the host-based anti-virus (malware detection) and host-based intrusion detection and prevention capabilities that are built into Windows 8.1 in the Windows Defender utility. This tool can be used to detect threats to confidentiality of information, threats to system integrity, and threats to system availability. Windows Defender also provides containment, eradication, and recovery capabilities that can automatically return Windows 8.1 workstations to known-good states (restoring system integrity) by removing or quarantining files that have been infected by malware. Windows Defender is usually configured to start during the workstation boot process and runs in the background to provide real-time threat detection and response.
Microsoft Baseline Security Analyzer (MBSA) is a scanning tool that can be used to analyze system configuration parameters and detect when the parameter settings are outside allowable ranges or if combinations of settings will result in vulnerabilities that can be exploited by attackers. This tool examines the system registry and other configuration files and compares the settings for key parameters to a system security configuration baseline established by the operating system vendor, Microsoft. MBSA is run on-demand and can also be run on a scheduled basis using the operating system’s task scheduler.
Reference
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide (NIST SP 800-62 rev. 2). http://dx.doi.org/10.6028/NIST.SP.800-61r2
Situation Report:
Recent contracts with the Departments of Defense and Homeland Security have imposed additional security requirements upon the company and its SCADA lab operations. The company is now required to comply with NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. The company must also comply with provisions of the Defense Federal Acquisition Regulations (DFARS) including section 252-204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. These requirements are designed to ensure that sensitive technical information, provided by the federal government and stored on computer systems in the Sifers-Grayson SCADA lab, is protected from unauthorized disclosure. This information includes software designs and source code for Industrial Control Systems for which Sifers-Grayson is providing software support and maintenance. The contract requirements also mandate that Sifers-Grayson report cyber incidents to the federal government in a timely manner.
The engineering and design workstations in the Sifers-Grayson SCADA Lab were upgraded from Windows XP to Windows 8.1 professional three years ago after the lab was hit with a ransomware attack that exploited several Windows XP vulnerabilities. A second successful ransomware attack occurred three months ago. The company paid the ransom in both cases because the lab did not have file backups that it could use to recover the damaged files (in the first case) and did not have system backups that it could use to rebuild the system hard drives (in the second case).
The SCADA Lab is locked into using Windows 8.1. The planned transition to Windows 10 is on indefinite hold due to technical problems encountered during previous attempts to modify required software applications to work under the new version of the operating system. This means that an incident response and recovery capability for the lab must support the Windows 8.1 operating system and its utilities.
Your Task
Prepare draft incident response guidance to be included in the Sifers-Grayson Incident Responder’s Handbook. Your draft guidance will explain the use of Windows Defender and Microsoft Baseline Security Analyzer and then describe how each could be used as part of an incident response process.
You will create two separate procedures. The first will explain how to configure and use Windows Defender to detect and analyze malware and detect, block, and analyze intrusion attempts. The second will explain how to configure and use Microsoft Baseline Security Analyzer (MBSA) to scan for vulnerabilities arising from misconfigurations of system parameters.
Instructions
Part (a): Using Windows Defender to Detect and Analyze Threats
1. Investigate the use of Windows Defender to detect and analyze potential viruses, spyware, and other forms of malware. Your investigation should include researching best practices for configuring and using the scanning, detection, and analysis capabilities for this host-based anti-malware software. At a minimum, your research should address the following
a. Update requirements for anti-virus definition files
b. Configuration requirements to enable real-time scanning
c. Procedures for conducting full system scans
d. Fast or quick scan for high vulnerability areas of the system
e. Removable media scanning
f. Reviewing scan results including reviewing any quarantined files or detected malware
2. Identify how the tool could be used during the incident response and recovery process (it may be useful in more than one phase). Typical uses include:
a. Detecting malware at the point of entry to the system (e.g. in an email message or web page)
b. Detecting intrusion attempts in real-time
c. Analyzing files and file systems to detect and identify malware
d. Quarantining files suspected of carrying threat payloads
e. Deleting Infected Files
f. Scanning removable media
Part (b): Using Microsoft Baseline Security Analyzer (MBSA) to Detect and Analyze System Vulnerabilities
1. Investigate the use of MBSA to detect vulnerabilities in a Windows 8/8.1 system. As you do this, identify appropriate sources of information (e.g. Windows Help, Microsoft Technet, etc.) for instructions for configuring MBSA to scan a Windows 8/8.1 system. Using those sources, research how MBSA performs the following tasks:
a. Scan single or multiple computer systems
b. Check for Windows administrative vulnerabilities
c. Check for weak passwords
d. Check for Internet Information Services (IIS) administrative vulnerabilities
e. Check for SQL administrative vulnerabilities
f. Check for security updates (missing updates)
g. Copy, save and print scan reports
2. Identify how the tool could be used during the incident response and recovery process (it may be useful in more than one phase). Typical uses include:
a. Identify and report on recommended remediation steps for vulnerabilities
b. Identify and report on specific vulnerabilities by CVE numbers
c. Detect and analyze weak passwords
d. Detect and analyze misconfigured system parameters
e. Analyze impacts of multiple (cascading) vulnerabilities
3. Write a guidance document that identifies the tool, explains the capabilities it provides, and then lists and briefly describes the recommended uses identified under item #2. Add a list of resources that can be consulted for additional information. Next, summarize the procedures required to perform the tasks listed under item #1 (do not provide step-by-step instructions). Close your guidance document with a Notes / Warnings / Restrictions section that answers the question “Is there anything else the incident responder needs to be aware of when using this tool?”
Finalize Your Deliverable
1. Using the grading rubric as a guide, refine your incident response guidance. Your final products should be suitable for inclusion in the organization’s Incident Responder’s Handbook.
2. As appropriate, cite your sources using footnotes or another appropriate citation style.
3. Use the resources section to provide information about recommended readings and any sources that you cite. Use a standard bibliographic format (you may wish to use APA since this is required in other CSIA courses). Information about sources and recommended readings, including in-text citations, should be formatted consistently and professionally.
4. Your submission file for this assignment should start with a title page which lists the following information:
· Lab Title and Number
· Date
· Your Name
5. The CSIA 310 Template for Lab Deliverable.docx file is set up to provide the required title page and two incident response guidance templates. Use the first template for your “Windows Defender” guidance. Use the second procedure template for your “MBSA” guidance.
Rubric Name: Lab Activity Rubric
|
|
|
|
|
|
|
|
|
|
|
First Incident Response Guidance Document (40%)
|
Excellent
|
Outstanding
|
Acceptable
|
Needs Improvement
|
Needs Significant Improvement
|
Missing or Unacceptable
|
|
Title, Tool Identification, Description of the Tool
|
10 points
Provided an acceptable title and accurate tool identification (name). Provided an excellent description which clearly, concisely, and accurately described the tool’s features and capabilities.
|
8.5 points
Provided an acceptable title and accurate tool identification (name). Provided an outstanding description which clearly and accurately described the tool’s features and capabilities.
|
7 points
Provided an acceptable title and accurate tool identification (name). Provided an acceptable description which described the tool’s features and capabilities.
|
6 points
Provided an acceptable title and accurate tool identification (name). Provided a description but this paragraph did not adequately address tool’s features and capabilities.
|
4 points
Provided a title and brief description. Description lacked details or was incorrect / inadequate. OR, this section was not well supported by authoritative sources.
|
0 points
Sections were missing OR no work submitted.
|
|
Recommended Uses of the Tool During Incident Response Phases of the Tool During Incident Response Phases
|
15 points
Provided an excellent description of how this tool can be used to support the Incident Response Process for the phases listed in the lab assignment. Listed and briefly explained 5 or more appropriate uses.
|
13 points
Provided an outstanding description of how this tool can be used to support the Incident Response Process for the phases listed in the lab assignment. Listed and briefly explained 4 or more appropriate uses.
|
11 points
Provided an acceptable description of how this tool can be used to support the Incident Response. Listed and briefly explained at least one appropriate use for each phase listed in the assignment.
|
8 points
Provided a brief description of how this tool can be used to support the Incident Response. Mentioned uses of the tool in at least one of the phases listed in the assignment.
|
4 points
Description of tool use for incident response lacked details or was incorrect / inadequate. OR, this section was not well supported by authoritative sources.
|
0 points
This section was missing or not relevant to the assignment.
|
|
Notes, Warnings, & Restrictions
|
10 points
Provided an excellent "notes, warnings, and restrictions" section with clear, concise, and accurate information to aid the reader in understanding what should or should not be done when using this procedure.
|
8.5 points
Provided an outstanding "notes, warnings, and restrictions" section with clear and accurate information to aid the reader in understanding what should or should not be done when using this procedure.
|
7 points
Provided an adequate "notes, warnings, and restrictions" section which included information about what should or should not be done when using this procedure.
|
6 points
Provided a "notes, warnings, and restrictions" section which provided some information about the harm that could occur when using this procedure.
|
4 points
Section present but content was severely lacking in detail, inappropriate, or grossly inaccurate. OR, this section was not well supported by authoritative sources.
|
0 points
Section was missing or blank.
|
|
Resources
|
5 points
Provided an excellent resources section which described and listed three or more relevant resource documents; section also included complete publication information (reference list entry) for all cited sources.
|
4 points
Provided an outstanding resources section which described and listed two or more relevant resource documents; section also included complete publication information (reference list entry) for all cited sources.
|
3 points
Provided a resources section which listed publication information (reference list entry) for two or more relevant resource documents.
|
2 points
Provided a resources section which mentioned two or more source documents or Internet resources containing relevant information.
|
1 point
Provided a resources section which mentioned at least one relevant source document or Internet resource.
|
0 points
Section was missing or blank.
|
|
Second Incident Response Guidance Document (40%)
|
Excellent
|
Outstanding
|
Acceptable
|
Needs Improvement
|
Needs Significant Improvement
|
Missing or Unacceptable
|
|
Title, Tool Identification, Description of the Tool
|
10 points
Provided an acceptable title and accurate tool identification (name). Provided an excellent description which clearly, concisely, and accurately described the tool’s features and capabilities.
|
8.5 points
Provided an acceptable title and accurate tool identification (name). Provided an outstanding description which clearly and accurately described the tool’s features and capabilities.
|
7 points
Provided an acceptable title and accurate tool identification (name). Provided an acceptable description which described the tool’s features and capabilities.
|
6 points
Provided an acceptable title and accurate tool identification (name). Provided a description but this paragraph did not adequately address tool’s features and capabilities.
|
4 points
Provided a title and brief description. Description lacked details or was incorrect / inadequate. OR, this section was not well supported by authoritative sources.
|
0 points
Sections were missing OR no work submitted.
|
|
Recommended Uses of the Tool During Incident Response Phases
|
15 points
Provided an excellent description of how this tool can be used to support the Incident Response Process for the phases listed in the lab assignment. Listed and briefly explained 5 or more appropriate uses.
|
13 points
Provided an outstanding description of how this tool can be used to support the Incident Response Process for the phases listed in the lab assignment. Listed and briefly explained 4 or more appropriate uses.
|
11 points
Provided an acceptable description of how this tool can be used to support the Incident Response. Listed and briefly explained at least one appropriate use for each phase listed in the assignment.
|
8 points
Provided a brief description of how this tool can be used to support the Incident Response. Mentioned uses of the tool in at least one of the phases listed in the assignment.
|
4 points
Description of tool use for incident response lacked details or was incorrect / inadequate. OR, this section was not well supported by authoritative sources.
|
0 points
This section was missing or not relevant to the assignment.
|
|
Notes, Warnings, & Restrictions
|
10 points
Provided an excellent "notes, warnings, and restrictions" section with clear, concise, and accurate information to aid the reader in understanding what should or should not be done when using this procedure.
|
8.5 points
Provided an outstanding "notes, warnings, and restrictions" section with clear and accurate information to aid the reader in understanding what should or should not be done when using this procedure.
|
7 points
Provided an adequate "notes, warnings, and restrictions" section which included information about what should or should not be done when using this procedure.
|
6 points
Provided a "notes, warnings, and restrictions" section which provided some information about the harm that could occur when using this procedure.
|
4 points
Section present but content was severely lacking in detail, inappropriate, or grossly inaccurate. OR, this section was not well supported by authoritative sources.
|
0 points
Section was missing or blank.
|
|
Resources
|
5 points
Provided an excellent resources section which described and listed three or more relevant resource documents; section also included complete publication information (reference list entry) for all cited sources.
|
4 points
Provided an outstanding resources section which described and listed two or more relevant resource documents; section also included complete publication information (reference list entry) for all cited sources.
|
3 points
Provided a resources section which listed publication information (reference list entry) for two or more relevant resource documents.
|
2 points
Provided a resources section which mentioned two or more source documents or Internet resources containing relevant information.
|
1 point
Provided a resources section which mentioned at least one relevant source document or Internet resource.
|
0 points
Section was missing or blank.
|
|
Professionalism (20%)
|
Excellent
|
Outstanding
|
Acceptable
|
Needs Improvement
|
Needs Significant Improvement
|
Missing or Unacceptable
|
|
Organization & Appearance
|
10 points
Submitted work shows excellent organization. The use of color, fonts, titles, headings and sub-headings, etc. is appropriate to the assignment type.
|
8.5 points
Submitted work has minor style or formatting flaws but still presents a professional appearance. Submitted work is well organized and appropriately uses color, fonts, and section headings (per the assignment’s directions).
|
7 points
Organization and/or appearance of submitted work could be improved through better use of fonts, color, titles, headings, etc. OR Submitted work has multiple style or formatting errors. Professional appearance could be improved.
|
6 points
Submitted work has multiple style or formatting errors. Organization and professional appearance need substantial improvement.
|
4 points
Submitted work meets minimum requirements but has major style and formatting errors. Work is disorganized and needs to be rewritten for readability and professional appearance.
|
0 points
No work submitted for this assignment.
|
|
Execution
|
10 points
No formatting, grammar, spelling, or punctuation errors.
|
8.5 points
Work contains minor errors in formatting, grammar, spelling or punctuation which do not significantly impact professional appearance.
|
7 points
Errors in formatting, spelling, grammar, or punctuation which detract from professional appearance of the submitted work.
|
6 points
Submitted work has numerous errors in formatting, spelling, grammar, or punctuation. Work is unprofessional in appearance.
|
4 points
Submitted work is difficult to read / understand and has significant errors in formatting, spelling, grammar, punctuation, or word usage.
|
0 points
No work submitted for this assignment.
|
|
Overall Score
|
Excellent
100 or more
|
Outstanding
90 or more
|
Acceptable
75 or more
|
Needs Improvement
65 or more
|
Needs Significant Improvement
50 or more
|
Missing / Unacceptable
0 or more
|
|
|
|
|
|
|
|
|
|
Copyright ©2017 by University of Maryland University College. All Rights Reserved