Lockdown

profilebwilson
NewGroup4IntelligenceDebriefing.docx

Intelligence Debrief 13

Project 3 Intelligence Debrief

Department of Cybersecurity, UMGC

CYB 670: Capstone in Cybersecurity

Professor Karl Olson

June 02, 2022

Table of Contents Introduction 3 Current System Standings 4 Modifications 5 Reputation and Brand Name 6 Lost Productivity 6 System Availability 7 Root Causes 9 System Restoration 10 Compliance and Regulatory Failure Costs 11 Conclusion 12 Video link 12 References 13

INTRODUCTION

Alliance Summit networks have been attacked, and operations have been impacted since establishing independent FIVE EYE (FVEY) Alliance Summit networks. The Intelligence Debrief aims to provide all technical staff with a basic grasp of recent cyber-attacks. New Zealand was exposed to three well-known attacks: denial of service, data exfiltration, and a ransomware attack. This debrief will detail the current system status, the team's remediation efforts, the impact on the New Zealand reputation, lost productivity, system availability issues, the root causes of the attacks, system restoration support, and the associated costs with compliance and regulatory failures.

CURRENT SYSTEM STANDINGS

The damages and source attribution will remain ongoing and are currently being assessed. However, multiple systems remain unavailable, while others have been restored or recreated using backup storage systems. Penetration testing and vulnerability assessments are being performed on systems that have shown any symptoms of infection or direct damage from the attacks. The attack limited to a single workstation, and no ransom was paid. Analysts are currently examining photos from both affected and unaffected systems. The system administrators investigate the activity's characteristics to see if there is any malware that the intrusion detection system (IDS) missed. The ports and protocols targeted; sizes, file names, and content of executables discovered; versions of affected operating systems, devices, and applications; and program actions on the host, such as propagation, infection, and setting configurations, are all examples of anomalous activity that can be attributed to a specific type of malware. Uninfected systems' is being reviewed to see if it reflects any discovered material. Following the end of the analytic procedure, the findings will be presented.

MODIFICATIONS THAT CAN BE MADE TO STOP THIS STYLE OF THE THREAT UNTIL A PATCH IS CREATED

Creating standard operating procedures for users can assist in short-term and long-term deterrence of this form of attack. The standard operating procedure includes fundamentals of using organizational systems, outlines secure practices while using a specific operating system, how and when software updates and patch updates are conducted and lists users' responsibilities utilizing the organization's systems. These procedures will outline user best practices and how users can report incidents concerning malware, viruses, DDoS, and other vulnerabilities that could be used as attack vectors. Other immediate solutions include blocking unauthorized ports 8080 and 80 and configuring the IPS with new rules matching the malware found, deploying antivirus software on the systems, and organizing cybersecurity training for all users and management. Implementing backup storage and Performing endpoint scans looking for malware entering the network are also needed.

REPUTATION AND BRAND IMAGE

Organizations and companies rely heavily on reputation and consumer trust. Being the victims of a successful cybercrime can diminish and even ruin an organization's reputation. For government organizations to fall victim to successful cyberattacks can cause even more distrust among the public and their partner nation allies. The main reason for distrust among the public due to a successful cyberattack is that these organizations collect and retain user data and are responsible for protecting this data. If we as a government organization had decided to pay the ransom, this would have set a negative precedent. It would have negatively affected New Zealand and the reputation of all the members at the Summit.

LOST PRODUCTIVITY

Because of the numerous attacks during the GES, the workers lost productivity. This is because technical workers were diverted from GES efforts with other FVEY nations to deal with a distributed denial of service (DDoS) attack, a data exfiltration attempt, and a ransomware attack rather than focusing on GES operations with other FVEY states. Each attack caused varied degrees of productivity loss.

Network engineers re-engineered firewalls to protect against tens of thousands of Internet Control Message Protocol (ICMP) packets following the DDoS attack. The web server was overloaded with these ICMP packets, making it difficult for the Summit's administrative staff to accomplish their tasks. Furthermore, the webserver administrators have taken time off from their usual duties to set up the server and make it available to summit participants. The objective of the webserver is to convey data from New Zealand delegates to the web servers of the other FVEY countries, affecting the whole Summit.

Engineers were charged with reconfiguring network firewalls to prevent unauthorized data transmission, which resulted in an extra loss of productivity. This prompted system administrators to look through their logs to determine what data had been attempted to be erased from the network. Once again, the administrative team was forced to evaluate their data to confirm what data had been lost and the level of sensitivity.

In the final attack, ransomware was deployed. As a result, the desktop operations team's routine activities were diverted to reimage malware-infected machines. The desktop operations employees and the New Zealand delegates who had their devices confiscated and reimaged were all affected by the loss of productivity. They could not provide everyday help desk support to others since they were revamping, resulting in even more lost productivity.

SYSTEM AVAILABILITY

The confidentiality, integrity, and availability (CIA) triangle include data and system availability, which indicates that authorized users have access to the data they need to perform their assigned obligations whenever they need it. This concept was frequently violated throughout the GES. Due to DDoS and Ransomware attacks, the network infrastructure and data of the FVEY states were briefly unavailable to authorized users. Before the start of the GES, there were indications of malicious activity on the network. The Intrusion Detection and Prevention System (IDS/IPS) alerted cybersecurity specialists to potential data exfiltration indicators, prompting the Internet service provider (ISP) to notify the Chief Information Security Officers of the FVEY nations (CISO).

Our CISO issued warnings to the team and directed them to investigate the problem further. Authorized users can no longer access data that has left the network to perform their tasks. Even if the attacker just provided copied data, the data's confidentiality and maybe integrity are still in doubt. Wireshark protocol analyzer was used to determine which system was leaking information and how to stop it. Evidence shows that after ceasing the exfiltration, the malicious actor initiated a DDoS assault from within the network against the web server, causing it to become overwhelmed. This assault rendered internet searches almost difficult since it restricted user access to third-party organizations authorized to use the resource.

According to the Service Level Agreement (SLA), the ISP failed to increase the bandwidth after being notified of the attack, which would have helped absorb the impact of the DDoS attack. Because the network failed to absorb the attack, this caused a work stoppage for all the New Zealand delegation members at the Summit and forced us to shift focus and resources from mitigating the data exfiltration to bringing the webserver back online. The DDoS attack appeared to be a diversion for something more malicious.

The Human Resources (HR) department was the first to report a phishing attempt on delegation members via an email attachment containing an Excel spreadsheet. The email seemed to be a standard invoice from a known vendor to the HR manager, but the spreadsheet had virus macro code that encrypted HR data on the shared drive. The code linked to an external end system downloaded malware and then used the same webserver to introduce the Reveton ransomware into the New Zealand network. Other employees said they couldn't access it because HR data was encrypted. While the incident response (IR) team worked to wipe the systems, reimage them, and restore data from the most recent backups.

ROOT CAUSES

Determining the root cause of these attacks was very difficult, as the hacker was in our systems before the GES began. The issue could have been a software vulnerability, Potential insider threat, a supply chain issue with the IT equipment, a Lack of solid antivirus or group policies, Insufficient user training, or a fault with the ISP during the initial setup. Once the attacks were mitigated, the IR team gathered as much evidence as possible by interviewing personnel and reviewing system logs, alerts, and packet capture from protocol analyzers to establish a timeline of events. The completed timeline narrowed down the root cause for the original infiltration and the subsequent ransomware attack. The GES summit happens every January for one week in the United Kingdom. Attackers can predict and plan optimal times to compromise as many vectors as possible. The original infiltration appeared to have originated through the ISP router. All FVEY Nations had the same problem, and as previously mentioned, the attacker appeared to have been in the networks before the Summit began. As for the ransomware attack, this was a phishing attempt on unsuspecting users. In this case, the user was the weakest link because they did not notice the fake email address, did not question an Excel spreadsheet as an invoice instead of an Adobe PDF, and ignored the warnings that popped up stating opening this file could potentially compromise the system. Increasing user awareness and training is the only way to minimize human error.

TECHNICAL SUPPORT TO RESTORING SYSTEMS

Restoring a system to a previously confirmed image is critical for businesses' continuous operations and eradicating this Reveton ransomware. The New Zealand Web Development Team has now returned the GES internal web server, its content files, and configuration management to a "known-good" state. Furthermore, the Desktop Operations Team, Digital Investigation Team, and Malware Response Team adhere to tight processes while collecting and reimaging affected workstations. Before a forensic backup is processed, a chain-of-custody form will be generated for each workstation requesting restoration and patching will all be updated in all the systems, according to New Zealand investigation guidelines. Furthermore, any forensic backups or evidence collected will be kept in a physically locked safe, with the key held by the team leader. A network specialist will restore the operating system and user files to a "known-good" backup. However, restoring a system does not guarantee that an issue will be repaired.As a result, functionality checks will be run on all data, hardware components, and software applications to confirm that vulnerabilities have been fixed and that the system is free of dangerous routes. Our staff predicts that this procedure will take three days from start to end. Meanwhile, workstation owners will be interrogated and forced to undergo further cybersecurity awareness training to learn from our mistakes and prevent a repetition of this incident.

COMPLIANCE AND REGULATORY FAILURE COSTS

Failure to achieve regulatory compliance standards can have serious consequences for an organization. In fact, according to Kaufmann (2021), the average cost of a singular non-compliance incident is estimated at $4 million in revenue. However, this does not include the hidden financial impacts of business disruption, productivity loss, employee trust, reputation damages, and additional fines or penalties.

Recognizing this daunting fiscal responsibility, governing entities need to implement compliance standards adhering to the General Data Protection Regulation (GDPR), Federal Information Security Management Act (FISMA), PCI DSS, or their respective Nation's governing regulations. The GDPR, which went into effect in 2018, is widely considered one of the world's most strict privacy and security rules, highlighting the importance of lawful transparency, data security, compliance responsibility, regulatory control, and privacy rights. It is most often used in European domains, although it applies to any country processing or storing European data, regardless of where their company is located. FISMA, on the other hand, was enacted in 2002 under US federal legislation and required US agencies to implement managed security and compliance systems linked with this regulatory act to ensure a network's CIA. Regardless, we must guarantee that we follow these standards since failing to do so might result in the loss of joint foreign relations, reputations, or the nation's reliability. As a result, nation-capacity states are hindered from responding to incidents and deploying eradication tactics to prevent malicious actors.

CONCLUSION

The recent attacks against the FVEY nations at the Global Economic Summit have showcased the importance of securing the network from known and unknown threat vectors. Threat agents directly targeted the information system's confidentiality, integrity, and availability. This debrief has emphasized the system's status following the attacks. Furthermore, the team has reported the root causes of the attacks and what modifications could be made to mitigate the effects. Moreover, it shows the impact these attacks have had on the system's productivity due to unexpected downtime and what the team accomplished to restore the system to operational status. Moreover, this debrief has shown how the New Zealand'sreputation and brand name were tarnished because of these targeted attacks. Finally, the team reported what the costs could be for failing to meet compliance with compulsory regulations.

Video link

https://www.youtube.com/watch?v=zp-lY-FKuec

References Derek Mohammed, Ronda Mariani, Shereeza Mohammed. ( 2015, February 20). Cybersecurity Challenges and Compliance Issues within the U.S. Healthcare Sector. Retrieved from www.semanticscholar.org: https://www.semanticscholar.org/paper/Cybersecurity-Challenges-and-Compliance-Issues-the-Mohammed-Mariani/a3f3f2643ac8a0e23c1a87469a05565edb80d618 Murugiah Souppaya,Karen Scarfone. ((July 2013, July 10). Guide to Malware Incident Prevention and Handling for Desktops and Laptops. Retrieved from nvlpubs.nist.gov: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-83r1.pdf Purrington, J. (2022, May 10). saviynt.com. Retrieved from saviynt.com: https://saviynt.com/the-true-cost-of-non-compliance/ Ross, W. L. (2020, September 10). Security and Privacy Controls for Information Systems and Organizations. Retrieved from nvlpubs.nist.gov: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf