Project #1 Incident Response Report – Part B: Summary
After Action Report
By:
CSIA 310
This study source was downloaded by 100000766134782 from CourseHero.com on 05-24-2022 17:39:35 GMT -05:00
https://www.coursehero.com/file/92995132/Project-1-Part-B-Summary-After-Action-Report-FINALdocx/
Introduction
Sifers-Grayson (SG) is a well-established company with its headquarters in Grayson County, Kentucky, USA. SG is a typical American-style family-owned and family-operated business. The CEO, Ira John Sifer, III, is the great-grandson of one of the original founders. SG's COO is Michael Coles, Jr., also a family member (the CEO's great-nephew). Mary Beth Sifer, also a family member, acts as the CFO and the head of the company's personnel.
Recently, SG has secured a series of business contracts with the Department of Defense and Homeland Security. Because of the nature of the agreements with these two government agencies, SG is required to be fully compliant with NIST 800-171 and the Defense Federal Acquisition Regulation Supplement (DFARS).
SG was the victim of two ransomware incidents (the first three years ago, the second three months ago) which caused substantial financial and credibility losses. In both incidents, SG opted to pay the ransom because the company had never implemented a proper data backup process that could have been used to recover the encrypted data without paying the ransom (Best practices for protecting your data from ransomware, n.d.).
Although SG had experienced cybersecurity breaches, management never took any real action to improve the company's security posture. However, the recent contracts with the government agencies, which carry strict compliance requirements, have forced a full review of the company's security posture as well as a proper plan of action to secure the company's assets.
SG's CEO, Ira Sifer, acknowledged that the company cannot withstand market competition without a proper security posture, a maturity level that can only be achieved by having an effective IT security process in place, driven by a skilled and empowered security team. Modern businesses cannot operate at the industry level without technology; they all depend on online services such as financial services, mobility, cloud computing, etc. (The Importance of Technology for Modern Business Survival, 2016). Rigorous sets of policies, processes and procedures will need to be implemented company-wide. The company's IT environment, its infrastructure and network topology, its identity management process including the authentication protocols, and all of its data assets need to be fully reviewed, improved, and constantly monitored for vulnerabilities and threats.
SG must have full insight into its security posture, know its weaknesses, and proactively fix them. With this goal as the new company priority, SG hired a penetration testing consulting company to help it meet the security requirements needed to align with both the NIST 800-171 and DFARS standards. A penetration test, also known as a pen test, is a simulated hacking attack designed to help organizations discover security vulnerabilities (What is Penetration Testing? – Pen Testing, 2019).
The contracted security consulting firm was engaged immediately, and its penetration test Red Team started with a full assessment based on a set of questionnaires and interviews. The actual penetration test was conducted on a normal business day and consisted of two parts. Part 1 was planned and delivered to assess the network and the systems to see whether they could be hacked: the Red Team searched for and tested exploitable vulnerabilities that would allow them to gain access to, breach, and compromise the environment. Part 2 was designed to ensure that proper mitigation controls would be implemented.
The initial quick assessment and the full test revealed many vulnerabilities, such as the lack of any security policies, backup practices, incident response procedures, and business continuity and disaster recovery solutions, and, most important, the lack of proper security awareness and training: employees had no clue about social engineering and phishing emails. Additionally, the assessment pointed out that the company's IT staff was understaffed and lacked the skills and experience to effectively manage, secure, and protect the network, the IT systems, and the data.
Penetration Test Results and Incident Analysis
The penetration test conducted by the security consulting firm's Red Team lasted 24 hours. The test's scope and rules of engagement (RoE) included several agreed attack vectors. The resources assessed during the test included, but were not limited to, public-facing (internet-accessible) endpoints such as web applications, network infrastructure, computer systems, data, and people. The simulated attack was very successful in gaining access to the company's private data and to the latest source code for the new AX10 Drone System. The results of the test were eye-opening, highlighting major vulnerabilities among people, processes, policies, and technology. The Red Team exploited a large number of security weaknesses, including service and application flaws and end-user behavior.
Based on threat modeling, SG and the security consulting firm agreed on and defined three attack vectors:
Attacks on corporate systems from external access: an internet-based attack aimed at gaining useful information about, or access to, the target systems.
Lateral movement from a target system to a management system: an internal attack aimed at accessing the target management system from a system on the corporate network with an identified or simulated security weakness that mimics a malicious device.
Physical access: an attempt to gain access to the physical location.
The first attack consisted of gaining unauthorized access to the company's Engineering R&D servers. The penetration tests focused on external attacks against hosts to determine the sensitivity of any information retrieved if exploitation was successful.
The network and servers were not protected by firewalls, nor did they have any sort of automated detection system; therefore the Red Team was able to exploit the unprotected network, gain access, and reach the Data Center computer systems.
The Red Team was able to exfiltrate all of the engineering design documentation and the source code for the new AX10 drone system. The attack revealed weak technology and processes and a lack of security policies.
The second attack was developed to test both physical security and protection against internal threats. The physical security tests attempted to circumvent physical security to gain unauthorized access to critical assets. They simulated an attack by an external untrusted individual, including a rogue untrusted SG employee. Correspondingly, the internal attack was designed to determine the security posture against threats originating from within the corporate environment.
The attack consisted of leveraging employee kindness: employees opened office doors, using their personal RFID cards, for people pretending to be new employees, without questioning who these individuals were or why they did not have an RFID card. Once inside, the Red Team left several weaponized USB drives scattered around the lunch room tables in the headquarters building's employee lounge area. These USB drives contained hidden key-logging software, which allowed the Red Team to capture all keystrokes as they were entered through the keyboard, including credentials and passwords. The attack was fairly successful, as the Red Team was able to obtain about 20% of the employee login credentials. The Red Team leveraged the stolen credentials to move laterally through the company's computer systems until they reached the workstations used to burn (write) PROMs for the drone computer system, and they installed malware onto a PROM which was then placed in a test drone. The Red Team was able to take full remote control of the drone during a test flight. This attack demonstrated that employees are the weakest link, as they are neither properly trained nor conscious of social engineering threats. Proper technical safeguards to prevent removable media from being attached to the computer systems were also missing.
Finally, the Red Team used some of the compromised credentials to target users with social engineering techniques: they initiated a phishing email attack. The test was designed with the intent of exploiting weaknesses in the human factor to obtain an access path into the organization. The crafted email tricked employees into clicking embedded links that pointed to a simulated malicious endpoint, which collected the email and IP addresses of those who clicked. The Red Team reported that 80% of the employees clicked on a link to cute kitten and cat videos, 20% were fooled by a business news story video, and 95% opened the link for a sports event wrap-up for the Kentucky Volunteers basketball team. Employees once again failed drastically, revealing a lack of knowledge about how best to protect SG, mainly due to inadequate and insufficient training (process/policy failures).
Recommendations
Based on the results and findings of the penetration test, a series of mitigations and improvements are highly recommended. They are grouped as people, technology, and processes and procedures, and are listed below.
People
SG's employees, including IT personnel, executives and upper management, should attend a regular security awareness and training program, at least once a year. Training should be mandatory. Security training should not only be a compliance requirement but the first line of defense that can help improve SG's security posture and strengthen customers' trust in the organization. The training should be meant to provide employees with guidance on security best practices, the latest security threats, and operational security initiatives. Many cyber attacks target users' access to company assets. Without basic security training, users are unaware of the different methods used by bad actors, how to protect against them, and the importance of consistent adherence to security policy. As the first line of defense against bad actors, users must be educated to prevent the exposure of vulnerabilities through common tactics, such as phishing and leveraging elevated persistent administrative access (Security Awareness Training: Secure Your Employees, 2020). If SG employees had had proper training, they would have known not to insert the found USB drives into their computers. They would also have known not to let anyone into the office facility without a proper badge and access card. Finally, they would have known how to evaluate whether an email contains malicious content and not to open links from it. SG executives should invest in the company's first asset, its people, and ensure they are fully trained. The company should also acknowledge IT as the foundation of its business and empower the team accordingly. The IT department should not be understaffed; where that is not possible, it is recommended to leverage outsourced support from specialized third-party consulting firms. IT personnel should be allowed to train on the latest technology and security defensive solutions. They represent the backbone of much of the day-to-day business activity. Therefore, they should learn to be agile, flexible, proactive, innovative and visionary in driving continuous improvement and evolution. IT should own and be made responsible for developing the policies, processes, and procedures that ensure a proper security posture is achieved, including annual audit reviews and assessments. If the IT team had not been understaffed and had been properly skilled, the network could have been configured with better security guardrails and some of the attacks would have been blocked at the source.
Technology
Modern businesses depend heavily on technology. Proper governance of technology includes proactively identifying vulnerabilities, assessing and managing risks, and mitigating them. These are critical functions that the company's IT department should perform continuously (24/7). When assessing vulnerabilities there are four defined categories to consider: hardware, software, network, and people. An effective security solution must be designed and implemented immediately. SG should consider implementing a protection approach based on a multi-layered security model, something like a castle (Security et al., n.d.). If you study castles, you learn that they are protected by external moats, bridges, sturdy entry doors and layered perimeter walls. This model allowed a castle to defend itself from several attacks and prevent penetration. It also intimidates attackers, or better still convinces them to abort any attempt at attack. In the castle analogy, today's network firewalls are the equivalent of the castle's tall, layered walls. Following the same concept, SG should have several network firewalls, starting from the closest outside entry point, passing through a DMZ, and ending at the internal network. It is also recommended to implement a mix of diversified multi-vendor firewall appliances (different makes and models) so that a single exploitable vulnerability does not affect all of them (Tulloch, 2017). If one of them is breached, chances are that the others can block the intruder. A network Intrusion Detection and Prevention System (IDS/IPS) should be in place. Just as a castle's moat is filled with water and alligators, the IDS/IPS would detect and eliminate the intrusion (What is IDS and IPS? | Juniper Networks, 2019). Network ports are similar to the castle's bridges and doors: analogously, they are closed or opened as needed, meaning traffic would be allowed or denied based on proper rules. Additionally, SG should gain proper insight by monitoring the entire environment, encrypt data at rest and in transit, and secure endpoints such as servers and desktops with anti-virus and anti-malware software. Modern endpoint protection software is capable of blocking rogue externally attached media and reducing the success rate of phishing attacks. If SG applies the above recommendations, the company will have the proper tools to stop attempted compromises at the source or contain a breach in its early stages, hence limiting damage. Security, standing at the core of any modern business, must be addressed and implemented.
Processes and Procedures
One thing that stands out from the results of the penetration test is that SG failed dramatically. Attacks and breaches were carried out undetected; no one was aware of what was happening. One of the root causes is the lack of proper monitoring, which otherwise would have detected some of the anomalies and generated some sort of alert. Even with proper monitoring, if the company does not have an adequate set of policies, processes and procedures in place, it would be ineffective. To start, SG needs a strict policy about allowing people into the office facility. Entering the building without a badge and access card must be forbidden to all. External guests will need to be vetted and escorted until they are under the supervision of a company employee, who assumes responsibility for them afterward. Additionally, processes and procedures will need to be developed and implemented for incident handling and first response.
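As an added illustration of the monitoring gap described above (this is example code, not part of the original report and not SG's own tooling), the following Python script runs two simple detections over constructed sample log lines: removable-media mounts on workstations, and an account authenticating to more distinct hosts than expected within a short window, which is the pattern the stolen keylogger credentials produced while moving laterally toward the PROM-burning workstations. The log format, host names, user names and thresholds are assumptions.

```python
"""Added example: two detections over constructed endpoint/auth log lines.
The log format, host names and user names are assumptions, not SG's real data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line: "<iso-timestamp> <host> <event> key=value ..."
SAMPLE_LOG = """\
2021-02-08T09:02:11 ws-eng-04 usb_mount vendor=Generic serial=CONSTRUCTED001
2021-02-08T09:05:40 ws-eng-04 auth_success user=jdoe src=ws-eng-04
2021-02-08T13:10:02 ws-eng-11 auth_success user=jdoe src=ws-eng-04
2021-02-08T13:11:15 ws-eng-12 auth_success user=jdoe src=ws-eng-04
2021-02-08T13:12:48 prom-burn-01 auth_success user=jdoe src=ws-eng-12
2021-02-08T13:13:02 ws-fin-02 auth_success user=msmith src=ws-fin-02
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_events(text):
    """Parse raw log text into dicts with a datetime 'ts', 'host', 'kind' and key=value fields."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank or malformed lines instead of failing the whole run
        ts, host, kind, rest = match.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields})
    return events


def detect_removable_media(events):
    """Every removable-media mount is a finding: the recommended policy allows none."""
    return [(e["host"], e.get("serial", "unknown")) for e in events if e["kind"] == "usb_mount"]


def detect_lateral_movement(events, window=timedelta(minutes=10), max_hosts=2):
    """Flag accounts that authenticate to more than max_hosts distinct hosts within 'window'.

    Returns {user: sorted hosts seen in the first window that exceeded the limit}.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "auth_success" and "user" in e:
            by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # slide the window, using each event as its start
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) > max_hosts:
                findings[user] = sorted(hosts)
                break
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("removable media mounts:", detect_removable_media(evs))
    print("possible lateral movement:", detect_lateral_movement(evs))
```

With the constructed sample, jdoe's three logons in under ten minutes, ending on the PROM-burning workstation, are flagged, while msmith's single logon is not.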
Lessons Learned
The penetration test served as a wake-up call for SG. The results made clear that the company needs to invest in securing its infrastructure. The mitigation recommendations will allow SG to improve its security posture; however, the company must commit to identifying and mitigating risks continuously. Cyber criminals continue to develop new tactics, techniques, and procedures (TTPs) as new vulnerabilities are discovered, especially zero-day ones, so the overall security process should never stop. SG assets must be safeguarded, hence IT personnel must train and improve their skills.
SG must:
Have a dedicated security team
Expand investments in security
Enforce security awareness and training company-wide
Enforce regular vetting of employees and partners
Implement regular auditing
Have regular penetration tests, possibly conducted by an in-house Red Team
References:
Best practices for protecting your data from ransomware. (n.d.). Security Magazine. Retrieved February 8, 2021, from https://www.securitymagazine.com/articles/94075-best-practices-for-protecting-your-data-from-ransomware
Ryan. (2019, June 18). Encryption in-transit and encryption at-rest: Definitions and best practices. Ryadel. https://www.ryadel.com/en/data-encryption-in-transit-at-rest-definitions-best-practices-tutorial-guide/
Security Awareness Training: Secure Your Employees. (2020). Rapid7. https://www.rapid7.com/fundamentals/security-awareness-training/
Security, C. P. in I. (2008, December 18). Understanding layered security and defense in depth. TechRepublic. https://www.techrepublic.com/blog/it-security/understanding-layered-security-and-defense-in-depth/
The Importance of Technology for Modern Business Survival. (2016, September 9). My Computer Career. https://www.mycomputercareer.edu/the-importance-of-technology-for-modern-business-survival/
Tulloch, M. (2017, July 13). Firewalls: Should you have a single vendor or multi-vendor strategy? TechGenix. http://techgenix.com/firewalls/
What is Penetration Testing? – Pen Testing. (2019, October). Cisco. https://www.cisco.com/c/en/us/products/security/what-is-pen-testing.html
What is IDS and IPS? | Juniper Networks. (2019). Juniper.net. https://www.juniper.net/us/en/products-services/what-is/ids-ips/