
IRP-Project 2-CMP670

Incident Response Plan
Jasmine Bundick
Umeko Johnson
Cliff Timpson
CMP 670
Purpose and Scope
The purpose of this document is to provide an Incident Response Plan for the data breach that occurred at the Global Summit on January 24th, 2023. According to NIST, an Incident Response Plan is documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of malicious cyber-attacks against an organization’s information systems (incident response plan, n.d.). This plan is meant to be a living document that can be modified to adapt to the response in progress. This document provides information such as all parties participating in the plan, their roles and responsibilities, the tools, technologies, and techniques used, and the communication between parties.
Roles and Responsibilities
One of the first steps to take when creating an incident response plan is to establish specific roles and responsibilities for your team. This creates a clear understanding of everyone’s responsibilities and tasks for handling the incident.
Cybersecurity Incident Response Team (CIRT)
The Cybersecurity Incident Response Team consists of individuals who are chosen to respond to crises within the company. For data breach management, the CIRT should consist of members from the IT department to assess any technical damage, the Human Resources department for compliance issues, members of the legal team, and lastly members in leadership or supervisory roles to oversee the recovery process. It is important not to place too many employees on the CIRT, because all available people will be needed to help with the recovery process after the breach. For this data breach the CIRT will consist of the organization’s CISO, three individuals who are currently attending the Global Summit, and a remote legal and compliance expert located at the team’s home organization. The CISO will serve as the lead on response efforts as well as the primary point of contact for any communications with external partners and stakeholders, and will keep these partners up to date on all efforts. The other three members at the summit with the CISO will handle the containment and recovery of the incident. Lastly, the remote legal and compliance expert will stay in contact with the CISO to make sure that the team is operating within legal compliance.
External Partners /Stakeholders
The CIRT will not be the only people involved in the Incident Response Plan. The CIRT will communicate with external partners and stakeholders. The external partners include the neighboring nation-states attending the conference, while company stakeholders (business partners, the CEO, etc.) will also be given information about the Incident Response Plan. Both groups will mainly communicate with the CISO and the legal expert.
Communication and Coordination
Communication between all parties involved will be a key component of the Incident Response Plan. Communications will be split between internal and external communication. Internal communications will be between the members of the CIRT. This communication will include all techniques and tools used to contain the incident, information regarding network status and monitoring, and any sensitive information regarding Australia. External communication will consist of information shared with stakeholders and external partners. The CISO and the legal expert will work closely together to make sure all information shared is safe. Due to the unique situation of the Global Summit, information will be shared on a need-to-know basis. This means that information will not be shared with other nation-states attending the summit unless specific permission is given by the CISO.
Phases
The Incident Response Plan will be conducted in four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. The purpose of the phases is to organize all activities taking place to respond to the incident. They also give an organized timeline for when actions should take place.
Preparation
In the preparation phase an organization should establish an incident response capability so that it is ready to respond to incidents, while also preventing incidents by ensuring that systems, networks, and applications are sufficiently secure (Cichonski, Grance, Millar, & Scarfone, 2012). Tasks done in the preparation phase include reviewing all compliance documents, looking at company policies, and in this case, reviewing international documentation.
Detection and Analysis
In this phase an organization looks for the cause of the incident and determines whether an incident is occurring. Things such as the location of origin of the incident, the type of attack taking place, and the attacking technique are all investigated during this phase. At this stage no eradication should take place. The most important thing to remember for this phase is to gather as much information as possible. The team will want to gather information to determine what type of incident is occurring and how to handle it in the next phases. For this scenario, since it has been determined that an incident has occurred, the team will focus on confirming the type of attack, its purpose, and where data is being extracted to and from.
Containment, Eradication, Recovery
In this phase the focus is on containing the incident to make sure it does not spread to other parts of the network. It also covers possible eradication methods and techniques, and any recovery operations that need to take place.
Security controls and Tracking
For the duration of the incident the Australian CIRT will track the behavior of the incident as it occurs. Because this is an international summit, protection of the Australian network from outsiders has priority. As such, security mechanisms will be placed between the internet, the summit network, and the Australian network. Firewalls will be placed at the gateway of the Australian network domain. This firewall will filter packets traversing the network for any suspicious activity based on rules set by the network administrator. Access controls will also be implemented for the country’s firewall, with only one team member assigned to setting rules and parameters.
Recovery
Tools, Techniques, and Technologies
Within this incident response plan numerous tools, techniques, and technologies will be used in various ways across the network. The following tools will be used:
Anti-Virus software: Anti-Virus software can provide scheduled and automated scans for devices within the network. It can also keep track of the network baseline and provide alerts or prevention methods for viruses.
Email Filters: Email filters can categorize all inbound and outbound email traffic. The filters scan messages based on rules set by the organization. This can help detect spam, malware, viruses, and imposters.
Firewalls: Sitting between the internet and the organization’s network, firewalls can filter packets traversing the network for any suspicious activity based on rules set by the network administrator.
Intrusion Detection System (IDS)/Intrusion Prevention System (IPS): “An Intrusion Detection System (IDS)/ Intrusion Prevention System is a system that monitors network traffic for suspicious activity and issues alerts or attempts to stop or block malicious activity when discovered.” (Intrusion Detection System (IDS), 2022) These tools are a way to monitor the network in real time. Some software, such as OSSEC, can even perform log monitoring and Security Incident Management (SIM)/Security Information and Event Management (SIEM) duties all in one package.
Analysis of Scenario
The group ran Wireshark on the summit network in order to determine and confirm the attack. According to the results of the Wireshark capture, the packets show evidence of a DoS attack. This differs from a Distributed Denial of Service (DDoS) attack in that only one host commences the attack: in a DDoS attack multiple hosts attack the system at the same time, while in a DoS attack a single host attacks the system. The Wireshark capture shows evidence of a UDP flood attack. A UDP flood attack is “a type of Denial of Service (DoS) attack in which the attacker overwhelms random ports on the targeted host with IP packets containing UDP datagrams. As the number of UDP packets are received and answered the system becomes overwhelmed thus becoming unresponsive to other systems” (What is a UDP flood attack, 2023). The diagram below shows a screenshot of the network attack occurring. The capture shows a DoS attack taking place between the 192.168.10.101 IP address and the 192.168.10.111 IP address: the .101 IP is performing a UDP flooding attack against the .111 IP within the summit network.
Figure 1: Wireshark Scan on Summit Network
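The finding above (one source, many destination ports, high packet rate) can be checked programmatically rather than by eye. The following is an added example, not part of the original plan and not Wireshark's own code: it takes packet records in the shape of a Wireshark/tshark CSV export, finds the densest one-second window per target, and classifies the flood as DoS (one heavy source) or DDoS (several heavy sources), which is the distinction the text draws. The packet records, thresholds and the second target 192.168.10.112 are constructed sample data; only the .101 and .111 addresses come from the plan. It goes slightly beyond the page's case by also handling the multi-source variant.

```python
# Added example (not part of the original plan or of Wireshark): reproduce the
# plan's UDP flood finding from a capture summary, and tell a single-source
# DoS apart from a multi-source DDoS as the text describes.
# Packet records mimic the columns of a tshark/Wireshark CSV export; all
# records below are constructed sample data, not the summit capture.
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float     # seconds since the start of the capture
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "UDP", "TCP", ...
    dport: int    # destination port


def detect_udp_floods(packets, window=1.0, pkt_threshold=200,
                      port_threshold=50, heavy_share=0.10):
    """Return one finding per destination that receives at least pkt_threshold
    UDP packets within any `window` seconds, spread over at least
    port_threshold distinct ports (the 'random ports' signature quoted in the
    plan). Sources contributing at least heavy_share of the window's packets
    count as flood sources, so a stray benign datagram to the target does not
    turn a DoS into a DDoS."""
    udp = sorted((p for p in packets if p.proto == "UDP"), key=lambda p: p.ts)
    by_dst = defaultdict(list)
    for p in udp:
        by_dst[p.dst].append(p)

    findings = []
    for dst, pkts in by_dst.items():
        # Sliding window: find the densest `window`-second span for this target.
        start, best = 0, (0, 0, 0)
        for end in range(len(pkts)):
            while pkts[end].ts - pkts[start].ts > window:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, start, end)
        count, start, end = best
        span = pkts[start:end + 1]
        ports = {p.dport for p in span}
        if count < pkt_threshold or len(ports) < port_threshold:
            continue
        per_src = Counter(p.src for p in span)
        sources = sorted(s for s, n in per_src.items() if n >= heavy_share * count)
        findings.append({
            "target": dst,
            "packets_in_window": count,
            "distinct_ports": len(ports),
            "sources": sources,
            "classification": "DoS" if len(sources) == 1 else "DDoS",
        })
    return findings


def sample_capture():
    """Constructed traffic: one host flooding 192.168.10.111 (the plan's case),
    three hosts flooding 192.168.10.112 (constructed DDoS case), plus benign noise."""
    pkts = []
    # Single-source flood: 500 datagrams in under a second across 300 ports.
    for i in range(500):
        pkts.append(Packet(i * 0.002, "192.168.10.101", "192.168.10.111", "UDP", 1024 + i % 300))
    # Multi-source flood: three sources sharing 300 datagrams over 300 ports.
    for i in range(300):
        pkts.append(Packet(2.0 + i * 0.003, f"192.168.10.20{1 + i % 3}", "192.168.10.112", "UDP", 2000 + i))
    # Benign traffic: a few NTP and DNS datagrams and a TCP session to the victim.
    for t in (0.1, 0.4, 0.7):
        pkts.append(Packet(t, "192.168.10.105", "192.168.10.111", "UDP", 123))
        pkts.append(Packet(t, "192.168.10.105", "192.168.10.1", "UDP", 53))
        pkts.append(Packet(t, "192.168.10.106", "192.168.10.111", "TCP", 443))
    return pkts


def analyze_sample():
    """Run detection over the constructed capture, keyed by target address."""
    return {f["target"]: f for f in detect_udp_floods(sample_capture())}


if __name__ == "__main__":
    for target, f in analyze_sample().items():
        print(f"{target}: {f['classification']} from {f['sources']} "
              f"({f['packets_in_window']} UDP packets, {f['distinct_ports']} ports)")
```

The thresholds are deliberately parameters: a sensible packet rate for a summit network is something the network baseline from the Preparation phase should supply, not a constant in the script.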
Post Incident
The Post Incident phase is the last phase of the Incident Response Plan. In this phase, the organization will review any lessons
learned from the Incident Response Plan. The team will evaluate what went right, what went wrong, and any unexpected encounters
that occurred. The purpose of this is to make any appropriate changes to the Incident Response Plan. This will help with mitigation of
any future cyber incidents.
Post Incident Communications
Internal- In the post-incident activity the internal communications will remain the same between the team. However, this communication can be extended to other employees or potentially government representatives. Due to the uniqueness of this incident taking place at an international summit, an Australian representative will be in communication for any legal and compliance issues. The primary means of communicating with the government will be encrypted email used only on government-issued laptops and calls made on government-issued phones.
External- External communications will still follow the same communication plan mentioned earlier. External organizations will communicate primarily with the CISO and the legal expert. Any data shared between nation-states must be properly classified and sanitized. If a nation-state wishes to share Australian information within its own documents, then agreements will need to be communicated between both nations’ legal experts.
Data Protection
The Australian team will use various tools and techniques to protect sensitive data. The first method is data masking. According to TechTarget, data masking is “the process of turning sensitive data into fake, or masked, data that looks similar to authentic data.” (Cobb, 2023) A common data masking technique is encryption: because attackers usually do not have the right encryption key to access the data, they will not be able to read it. Another technique is access control. Reducing the number of people accessing the data reduces the risk of data loss. For the summit, only members of the Australian team will have access to the data during the incident investigation. Lastly, endpoint protection software such as Microsoft’s Windows Defender or Trend Micro will provide data protection through filtering techniques and traffic monitoring.
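The "classified and sanitized" requirement for data shared with other nation-states, together with the data masking definition above, can be turned into a small, testable routine. The following is an added example and not part of the original plan: each field of a record is masked by a rule so the output keeps the shape of real data, identifiers are replaced by a keyed token (HMAC-SHA256) so records still correlate without revealing the original value, and any field without a rule is dropped, which enforces need-to-know by default. The key, the field names and the sample record are constructed placeholders.

```python
# Added example (not from the plan): sanitize a record before it is shared
# outside the CIRT. Sensitive fields are masked so the result keeps the shape
# of real data, identifiers become a keyed token so records still correlate,
# and any field without a masking rule is dropped (need-to-know by default).
# The key, field names and sample record are constructed placeholders.
import hashlib
import hmac

# Placeholder key; a real deployment would hold this in a secrets store.
DEMO_KEY = b"example-masking-key-not-for-production"


def mask_digits(value, keep=4):
    """Keep the last `keep` digits and replace every other digit with 'X',
    leaving separators in place so the value still looks authentic."""
    total = sum(ch.isdigit() for ch in value)
    digits_seen = 0
    out = []
    for ch in value:
        if ch.isdigit():
            digits_seen += 1
            out.append(ch if digits_seen > total - keep else "X")
        else:
            out.append(ch)
    return "".join(out)


def mask_email(value):
    """Keep the first character of the local part and the whole domain."""
    local, _, domain = value.partition("@")
    return f"{local[:1]}***@{domain}"


def pseudonymize(value, key=DEMO_KEY):
    """Keyed, consistent token: the same input always maps to the same token,
    but the token cannot be reversed or recomputed without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


# Field -> masking rule. Anything not listed here never leaves the team.
POLICY = {
    "case_id": lambda v: v,        # non-sensitive, passed through unchanged
    "subject_id": pseudonymize,
    "email": mask_email,
    "passport_no": mask_digits,
    "phone": mask_digits,
}


def mask_record(record, policy=POLICY):
    """Apply the policy; fields with no rule are dropped rather than leaked."""
    return {field: rule(record[field]) for field, rule in policy.items() if field in record}


SAMPLE_RECORD = {  # constructed, not real data
    "case_id": "IRP-2023-0124",
    "subject_id": "delegate-0042",
    "email": "delegate42@example.org",
    "passport_no": "PA 1234 5678",
    "phone": "+61 400 123 456",
    "notes": "internal analyst notes: not for partners",
}

if __name__ == "__main__":
    print(mask_record(SAMPLE_RECORD))
```

Because the policy is an allow-list, adding a new field to the internal record cannot accidentally widen what partners receive; someone has to add a rule for it.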
Network Behavior Investigation Plan
As mentioned earlier, an Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) is defined as follows: “An Intrusion Detection System (IDS)/ Intrusion Prevention System is a system that monitors network traffic for suspicious activity and issues alerts or attempts to stop or block malicious activity when discovered.” (Intrusion Detection System (IDS), 2022) This will be useful for taking immediate action against any anomalies. Network logging software will also be used. This will serve as overwatch for all network functions. Logging of events will help with analyzing current malware trends as well as preparing for future incidents. OSSEC will continue to be the tool used during this incident. Along with the software, the CIRT will also monitor the network to catch any malware that has gone undetected by the security mechanisms.
System Integrity Checks
Once the incident has been deemed contained, the Cybersecurity Incident Response Team will run a series of system integrity checks to make sure systems are running properly. A system integrity check is “a part of the system hardening process to confirm that we have taken all the necessary measures to prevent any unauthorized access to our systems and files.” (What is System Integrity Check?, 2023) The Information Security Manual (ISM) recommends a few ways to harden a system. Some techniques include the use of multi-factor authentication, the use of anti-virus software, hardening operating systems using PowerShell, Windows Script Host or the command line, and application management and controls.
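A concrete form of the integrity check described above is a file integrity comparison against a known-good baseline, which also ties in with the "Create network baseline" and "Restore systems to established baseline" steps in the timeline. The following is an added example, not part of the plan and not taken from the ISM: it records SHA-256 digests of every file under a directory while the system is known-good, then reports files that were added, removed or modified. The directory layout and file contents are constructed in a temporary folder so the script runs anywhere.

```python
# Added example (not from the plan or the ISM): a file integrity check of the
# kind the team would run once containment is declared. A baseline of SHA-256
# digests is recorded while systems are known-good, and a later verification
# reports files that were added, removed or modified. The paths and contents
# below are constructed in a temporary directory.
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each file under root (relative, '/'-separated path) to its digest."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def verify(root, baseline):
    """Compare the current tree against a baseline; every list is sorted."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def _write(root, rel, data):
    """Helper for the demo: create a file at a '/'-separated relative path."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a baseline, tamper with the tree, and return the verification report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/app.conf", b"listen=443\n")
        _write(root, "etc/old.conf", b"legacy\n")
        _write(root, "bin/service", b"\x7fELF-placeholder")
        baseline = build_baseline(root)
        # The baseline would normally be persisted as JSON off-host (and
        # signed); round-tripping it here stands in for that step.
        saved = json.loads(json.dumps(baseline))
        # Simulated changes made after the baseline was taken.
        _write(root, "etc/app.conf", b"listen=443\nallow=0.0.0.0/0\n")  # modified
        _write(root, "bin/dropped.exe", b"unexpected binary")          # added
        os.remove(os.path.join(root, "etc", "old.conf"))               # removed
        return verify(root, saved)


def demo_untouched():
    """A tree that has not changed since the baseline produces an empty report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/app.conf", b"listen=443\n")
        return verify(root, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report is only as trustworthy as the stored baseline, so it should be kept somewhere the compromised host cannot rewrite it (the plan's evidence-handling step is the natural place to record where it lives).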
Threat Bulletin
The following threat bulletin is an alert for all countries attending the Global Summit:
“The Australian Cyber Security Centre (ACSC) has been made aware of a data infiltration attack occurring in the Global Summit network. According to reports, network activity shows either a buffer overflow attack or a DoS attack. The DoS attack appears to be coming from a single device within the Global Summit network. Using Wireshark, the team discovered evidence of a UDP flood attack. A UDP flood attack is “a type of Denial of Service (DoS) attack in which the attacker overwhelms random ports on the targeted host with IP packets containing UDP datagrams. As the number of UDP packets are received and answered the system becomes overwhelmed thus becoming unresponsive to other systems” (What is a UDP flood attack, 2023).
Background
The attack took place at the Global Summit on January 24th, 2023. Origins of the report currently remain unknown.
Threat Activity
This is the first time that this attack has been seen in the Global Summit network.
The Australian Cyber Security Centre (ACSC) will provide information to enable organizations to undertake their own risk assessments and take appropriate actions to secure their systems and networks. The ACSC will only revise and update this document in the event of further significant information coming to light.
Triggering Mechanisms Throughout the Cyber Incident
Various triggering mechanisms will be used during the cyber incident. This is to make sure the team can maintain overwatch of the network and respond to any new changes instantly. The main tool for this will be the OSSEC software. Due to its multi-duty functions, it will be easy for the team to cover most incident threats with it. All hosts and devices will have the organization’s access control and configuration policies applied to them to maintain compliance and security. For added layers of defense, firewalls will have filtering rules and anti-virus will run in conjunction with OSSEC.
Timeline
The table below shows the proposed timeline for this Incident Response Plan to follow for the recent data breach.
Stage | Actions | Office of Primary Interest | Timeline
Preparation | Develop Cybersecurity Incident Response Team | CISO | Pre-Incident
Preparation | Determining the roles and responsibilities of Crisis team members | CISO | Pre-Incident
Preparation | Collect contact information of Cybersecurity Incident Response Team members | CISO | Pre-Incident
Preparation | Develop communication plan | CISO, Company leadership, Cybersecurity Incident Response Team | Pre-Incident
Preparation | Set up location for base operations during the incident | CISO, Company leadership, Cybersecurity Incident Response Team | Pre-Incident
Preparation | Create network baseline | CISO and Information Technology Department | Pre-Incident
Preparation | Research potential laws, standards, and regulations | Human Resources, legal team and Cybersecurity Incident Response Team | Pre-Incident
Preparation | Develop and practice simulated incident breach training exercises | Information Technology Department and Cybersecurity Incident Response Team | Pre-Incident
Identification | Confirm PII breach | Information Technology Department | Immediately
Identification | Deploy Incident Response Plan | Information Technology Department and Cybersecurity Incident Response Team | Immediately after confirmation of breach
Identification | Identify signs of incidents | Information Technology Department | Within four hours of breach
Identification | Identify scope of breach | Information Technology Department and Cybersecurity Incident Response Team | Within four hours of breach
Identification | Determine which attack vector(s) were utilized for the breach | Information Technology Department | Within four hours of breach
Identification | Identify which organizations, stakeholders, and partners need to be notified | Human Resources and Cybersecurity Incident Response Team | Within eight hours of breach
Identification | Notify previously mentioned organizations, stakeholders, and partners | Human Resources and Cybersecurity Incident Response Team | Within eight hours of breach
Containment, Eradication, Recovery | Document all steps and actions taken | Cybersecurity Incident Response Team | Routinely
Containment, Eradication, Recovery | Contain all affected areas of the breach | Information Technology Department and Cybersecurity Incident Response Team | Within 24 hours of breach
Containment, Eradication, Recovery | Gather evidence during incident for record keeping | Cybersecurity Incident Response Team and law enforcement | Routinely
Containment, Eradication, Recovery | Document how evidence is handled and preserved | Cybersecurity Incident Response Team | Within eight hours of breach
Containment, Eradication, Recovery | Identify attack host(s) | Information Technology Department and Cybersecurity Incident Response Team | Within eight hours of breach
Containment, Eradication, Recovery | Restore systems to established baseline | Information Technology Department and Cybersecurity Incident Response Team | Within 12 hours of baseline
Containment, Eradication, Recovery | Increase logging and network monitoring for any anomalies or lingering effects | Information Technology Department and Cybersecurity Incident Response Team | Within 12 hours of baseline
Containment, Eradication, Recovery | Document all steps and actions taken | Cybersecurity Incident Response Team | Routinely
Post Incident | Inform public and media of PII breach | Cybersecurity Incident Response Team, Company leadership | 72 hours after breach
Post Incident | Review all documentation from previous steps | Cybersecurity Incident Response Team, Company leadership | 72 hours after breach
Post Incident | Update IRP | Cybersecurity Incident Response Team | Within 72 hours after breach
Post Incident | Incorporate any changes in the IRP into future training | Cybersecurity Incident Response Team | Within 4 to 6 weeks of incident
Incident Response Flowchart
References
Cichonski, P., Grance, T., Millar, T., & Scarfone, K. (2012, August). Computer Security Incident Handling Guide (NIST SP 800-61 Rev. 2). National Institute of Standards and Technology. Retrieved November 1, 2022, from https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
Cobb, M. (2023, February 10). Data masking vs. data encryption: How do they differ? TechTarget. Retrieved from https://www.techtarget.com/searchsecurity/definition/data-masking
Distributed Denial of Service: Anatomy and Impact of DDoS Attacks. (n.d.). Kaspersky.com. Retrieved from https://www.kaspersky.com/resourcecenter/preemptive-safety/how-does-ddos-attack-work
incident response plan. (n.d.). NIST Computer Security Resource Center. Retrieved from https://csrc.nist.gov/glossary/term/incident_response_plan#:~:text=Definition(s)%3A,organization's%20information%20systems(s).
Intrusion Detection System (IDS). (2022, December 13). GeeksforGeeks. Retrieved from https://www.geeksforgeeks.org/intrusion-prevention-systemips/?ref=lbp