Final Project – Sifers-Grayson Incident Response Exercise
Roderick Barker
October 14, 2018
This study source was downloaded by 100000766134782 from CourseHero.com on 05-16-2022 15:35:11 GMT -05:00
https://www.coursehero.com/file/34738142/CSIA-FinalProjectdocx/
SIFERS-GRAYSON CYBERSECURITY INCIDENT REPORT FORM
1. Contact Information for the Incident Reporter and Handler
– Roderick Barker
– Cybersecurity Incident Response Team Leader
– Organizational unit: Information Technology Department Head at Sifers-Grayson
Corp., Blue Team member
– [email protected]
– 606-331-8098
– Location: 1555 Pine Knob Trail, Pine Knob, KY 42721
2. Incident Details
– Status change date/timestamps (including time zone): The exact start time of the attack is
still unclear. The incident was uncovered when the systems became sluggish under high
traffic volumes and the drone began to "malfunction". Activity has so far been traced back
to a single unauthorized IP address.
– Location: Pine Knob, KY (42721)
– Status of the incident: The attack has ended
– Source/cause of the incident: The attack originated from IP address 11.123.26.193; no
hostname was associated with it. The attacker's objective was to steal any and all
valuable information.
– Description of the incident: The attack was detected when high traffic volumes and
latency made the systems unusable. Server logs, together with Task Manager observations
on the affected server, provided the evidence.
– Description of affected resources: The network as a whole is still operational. The R&D
Center servers (10.10.120.0 network) were compromised and all of the AX10 design
documentation and source code was exfiltrated. The test range network (10.10.128.0) was
compromised and an AX10 drone was "stolen": the attackers took control of it and flew it
away from the designated test site.
– If known, incident category, vectors of attack associated with the incident, and
indicators related to the incident: Not available at this time.
– Prioritization factors: During the attack the network and systems slowed to a crawl under
the high traffic volumes. After the attack ended, the network and systems returned to
normal operation.
– Mitigating factors: The compromised servers led to the theft of 100% of the AX10 design
documents and code; key-logging software captured roughly 20% of employee passwords;
the stolen logins were used to download malware; and malware planted on the drone's PROM
led to the "stolen" drone.
– Response actions performed: The affected systems were shut down after the attack ended.
All activity that occurred on the network was logged and preserved as forensic evidence.
– Other organizations contacted: N/A
3. Cause of the Incident: (e.g., misconfigured application, unpatched host)
The incident was caused by a string of unsecured access points, improper handling of
devices, and a general lack of network security. Weak protection of user logins allowed
access to restricted parts of the network and to secure areas. Employees plugging in
unknown USB devices allowed viruses and malware onto their systems and from there onto
the network. Employees letting unknown persons into secure areas (piggybacking) opened the
door to physical attacks. With no controls in place to scan for malware and viruses, the
attackers were able to compromise equipment such as the AX10 drone.
4. Cost of the Incident:
The total cost has yet to be fully determined. The user accounts, the AX10 drone code, and
the design documentation are almost priceless. The cost of any damaged equipment is still
being totaled. Projected timetables show roughly 200 hours of IT staff time to "clean up"
the network; at about 100 dollars per hour, the estimated labor cost alone is in the range
of 20,000 dollars.
5. Business Impact of the Incident:
The impact of this incident is very significant: the company's most valuable intellectual
property was exfiltrated and its DoD contracts are at risk. The findings will, however,
show Sifers-Grayson which security measures it needs in order to operate smoothly and
avoid future incidents.
6. General Comments:
The test exposed many of the security issues Sifers-Grayson faces. Below is an overview
of the incident, an analysis of the key issues, and the tools that should be implemented
to secure the network.
Background Overview
Sifers-Grayson hired an outside company to test the security of its network. The test
consisted of penetrating the network and delivering a full report on every vulnerability
found. Over several weeks of continuous testing, the test team (Red Team) was able to get
into the Sifers-Grayson network and exploit a list of unsecured connections. Under the
company's current contracts with government agencies, the Department of Defense requires
stronger security for the Research and Development and SCADA lab operations. Both of these
labs hold classified and secret information, and both were locations the Red Team was able
to enter and steal information from.
Because of the terms of those contracts and standards, Sifers-Grayson must now follow
the NIST publication on protecting controlled unclassified information in nonfederal
information systems and organizations (NIST SP 800-171). Any failure to follow these
regulations could result in heavy fines or contract termination, and a terminated contract
makes it hard for a company to win contracts afterward.
Using the Defense Federal Acquisition Regulation Supplement (DFARS) as the outline for
its incident reporting will benefit the security and integrity of the company. Identifying
risks to the network and systems before the "enemy" does is a plus, and following the
outline in the given documents will make providing security easier. The analysis below
provides tools and recommendations for safeguarding the company's information.
Incident Analysis
Based on the current topology of the internet connection for the Research and
Development (R&D) servers, they are connected to a Wireless Access Point (WAP) through two
different wired connections. Both connections are buried: the first is fiber optic running
straight to the R&D center; the other is copper cabling that passes through a protective
firewall before reaching the center.
The testing team (Red Team) gained access to the network through the engineers' R&D
center server, breaking in through unprotected network connections. There are a few
possibilities for how this was done: the wireless router could have been compromised, or
the network cables could have been rerouted through a rogue router to allow access.
Unsecured network connections make it easy to capture and monitor network traffic, and
they give an attacker a path to information stored on any system in the network.
Off-the-shelf monitoring software lets an attacker attach to an unsecured network and
collect a wide array of information: usernames, passwords, personal information, and
much more.
With government contracts, most if not all stored information is secret or confidential
in some way, and companies holding such contracts and data need the utmost security. For
the current wireless connection, Sifers-Grayson should adopt WPA2 with AES (CCMP)
encryption. "This is the most secure option. It uses WPA2, the latest Wi-Fi encryption
standard, and the latest AES encryption protocol." (Hoffman, 2017). WPA2-AES is the
hardest of the common Wi-Fi options to crack; the older WEP and WPA/TKIP modes should be
disabled entirely, and the WPA2 pre-shared key must be long and random, since a short
passphrase can still be recovered offline from a captured handshake with ordinary cracking
tools. For a site with many users, WPA2-Enterprise (802.1X with per-user credentials) is
preferable to a single shared passphrase.
Another security measure that should be implemented is Microsoft Active Directory (AD).
It fits the topology already in place and improves security for both devices and users.
Like most companies, Sifers-Grayson has many devices and users that access the network at
different times and for different reasons; Active Directory lets the company's resources
be organized and controlled centrally.
The features AD provides will not just secure the systems and network but also help
protect the users. Active Directory Domain Services (AD DS) keeps unauthorized parties off
the network: it stores the devices and members of the domain, the users and the rights
associated with their accounts, and it verifies user credentials at logon. AD also
provides Certificate Services, which can create, validate, and revoke public key
certificates. These certificates authenticate devices and users to the systems they
connect to, helping ensure that only data and connections that belong on the network are
accepted.
The last function that makes AD worthwhile is Active Directory Rights Management
Services (AD RMS). It applies to both intruders and employees attempting to open
documents, web pages, emails, or files they are not authorized for. AD RMS adds another
layer of encryption and selectively denies access to limit who can open these objects;
decryption relies on the certificates the user holds, so without the correct "key" the
content cannot be read. With user privileges defined in Active Directory, a user can only
reach the parts of the network they have been granted, such as the domains created for
their own department. Because the Red Team came in through unsecured network connections,
they had immediate access to the servers and other parts of the network. Had Active
Directory been installed and fully in use, the Red Team would not have been able to reach
servers in other departments' domains. Under the principle of least privilege, users are
assigned only the rights and domain access they need for their work, and nothing further.
If a device or account is compromised, the attacker inherits only that account's limited
rights rather than access to the whole network.
Another major issue during the test phase was the Red Team's ability to break into user
accounts. Because employees picked up unknown USB devices and plugged them into their
machines, the Red Team was able to get key-logging software onto the network. This
software logged user credentials and gave the Red Team access to the accounts. There are
a number of ways to fix this issue; the two easiest are training and company-issued
devices.
One of the easiest and fastest ways to keep this from happening again at
Sifers-Grayson is proper training of all staff members by the IT department. Teaching
employees the vectors through which an attack could occur is key. Employees should also be
taught about common issues such as downloading suspicious files, plugging in unauthorized
or unknown devices, phishing schemes, and physical security, including the piggybacking
issue. Keeping employees up to date on this information will help keep the company safe.
Allowing only company-issued devices such as USB drives is another option, and it would
ensure that harmful devices never find their way onto company computers. Most Department
of Defense environments supply such devices and require a request to obtain them. Enforced
with a device-control policy that blocks unknown removable media, this is a sure way to
keep the network secure, and it also makes monitoring the network faster and easier.
C.E.R. (Containment, Eradication, and Recovery) Briefing:
When the theft of user login credentials was discovered, it was also discovered that
malware had been installed from the DevOps department. Because the network connections in
that department were left unsecured, the Red Team could install the malware without
raising any alarms or flags. Since malware is constantly changing and becoming harder to
detect, the defenses have to keep up with it.
The easiest way Sifers-Grayson could have protected itself was by implementing an IPS
and an IDS. An Intrusion Prevention System and an Intrusion Detection System would have
alerted the IT staff to the malware installation. The IPS "is a device that controls
access to IT networks in order to protect systems from attack and abuse. It is designed to
inspect attack data and take the corresponding action, blocking it as it is developing and
before it succeeds, creating a series of rules in the corporate firewall." (Panda, n.d.).
This tool would have made it easier to locate the unsecured connections and would have
prevented the Red Team from installing its malicious software. The IDS "provides the
network with a level of preventive security against any suspicious activity. The IDS
achieves this objective through early warnings aimed at systems administrators." (Panda,
n.d.). The IDS does not block attacks, but it does log every successful and unsuccessful
entrance to the network. For Sifers-Grayson the threat would have been thwarted earlier
had an IPS and IDS been installed and active: the IDS would have logged the activity and
the IPS would have kept the malware from being installed, leaving a record for the IT
department to review and a vulnerability to fix. An adequate IPS and IDS need to be
deployed on the network as soon as possible, with sensors placed where they can see
traffic crossing between the R&D, test range and DevOps networks and traffic entering
from outside.
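As an added example that is not part of the original report, the following Python script shows what the least-privilege segmentation recommended in the Active Directory discussion and the logging and alerting recommended in the IDS/IPS discussion look like in practice: a segmentation policy for the subnets named in the report (10.10.120.0 for R&D, 10.10.128.0 for the test range) is evaluated over a few constructed connection-log lines the way an IDS rule would be, flagging cross-segment connections the policy denies and sources that flood the network. The DevOps subnet 10.10.130.0/24, the log line format, the packet threshold, and the log lines themselves are assumptions made for this example.

```python
"""Added example (not from the original report): a minimal network
segmentation policy for the Sifers-Grayson subnets named in the report,
evaluated against constructed connection-log lines the way an IDS rule
would be.  Assumptions (not in the original): the log format, the DevOps
subnet 10.10.130.0/24, the flood threshold, and the sample log lines.
"""
import ipaddress
from collections import Counter

# Segments taken from the report; the DevOps subnet is an assumption.
SEGMENTS = {
    "rnd":        ipaddress.ip_network("10.10.120.0/24"),
    "test_range": ipaddress.ip_network("10.10.128.0/24"),
    "devops":     ipaddress.ip_network("10.10.130.0/24"),   # assumed
}

# Least-privilege policy: (source segment, destination segment) pairs that
# may open connections.  Anything not listed is denied, which includes
# every connection from outside the company ("external").
ALLOWED = {
    ("rnd", "rnd"), ("rnd", "test_range"),
    ("test_range", "test_range"),
    ("devops", "devops"),
}

FLOOD_THRESHOLD = 5000   # packets per source in the window; assumed value


def segment_of(ip):
    """Name of the segment an address belongs to, or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def is_allowed(src_ip, dst_ip):
    """Policy decision for a single connection attempt."""
    return (segment_of(src_ip), segment_of(dst_ip)) in ALLOWED


# Constructed log lines: "<epoch> <src> <dst> <dport> <packets>".
# 11.123.26.193 is the unauthorized address named in the report.
SAMPLE_LOG = """\
1539500000 10.10.120.15 10.10.120.20 445 12
1539500001 11.123.26.193 10.10.120.20 445 4000
1539500002 11.123.26.193 10.10.120.21 22 3800
1539500003 10.10.130.7 10.10.120.20 445 9
1539500004 10.10.128.40 10.10.128.41 8080 15
1539500005 10.10.130.7 10.10.130.8 3389 3
"""


def analyze(log_text, threshold=FLOOD_THRESHOLD):
    """Run the policy and a flood check over the log.

    Returns (violations, floods):
      violations - list of (src, dst, dport) the policy denies, in log order
      floods     - dict src -> total packets for sources at or over threshold
    """
    violations = []
    totals = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport, packets = line.split()
        totals[src] += int(packets)
        if not is_allowed(src, dst):
            violations.append((src, dst, int(dport)))
    floods = {s: n for s, n in totals.items() if n >= threshold}
    return violations, floods


if __name__ == "__main__":
    denied, floods = analyze(SAMPLE_LOG)
    for src, dst, port in denied:
        print(f"DENY  {segment_of(src):10s} {src} -> "
              f"{segment_of(dst):10s} {dst}:{port}")
    for src, n in floods.items():
        print(f"FLOOD {src} sent {n} packets")
```

Run as written, the script reports the two external connections into the R&D network and the DevOps host reaching an R&D file share as policy violations, and reports 11.123.26.193 as a flooding source. The same two checks are what an IPS would enforce inline (drop the denied connection) and what an IDS would only log and alert on; the DevOps-to-R&D line is the lateral movement that per-department domains and least privilege are meant to stop.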
The final issue that Sifers-Grayson needs to handle is a backup file system. After two
previous ransomware attacks, all files, documents, and other important information should
have backups in case of another security incident. Windows Server includes a built-in
backup feature (Windows Server Backup). Backup capability needs to be added to every
server in the company; this is one way to ensure that nothing is lost. Backups can be made
of files, folders, and the state of the system. If a system were to go down or be
attacked, the snapshots would allow a replacement device or a saved image to be brought up
and everything restored. Backups should be run on weekends and outside working hours so
that the network stays clear for normal use; they can be scheduled or taken on demand
depending on the users and the rules set. Two caveats matter after a ransomware attack: at
least one copy must be kept offline or on storage the servers cannot overwrite, or the
ransomware will simply encrypt the backups too, and restores must be tested regularly so
that the backups are known to be usable.
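As an added example that is not part of the original report, the following Python script shows one way to make a file backup that can be checked before it is trusted: it copies a directory into a timestamped backup folder, writes a manifest of SHA-256 digests, and later verifies every file against that manifest, so a backup that ransomware has encrypted or a restore that was tampered with is detected rather than silently restored. The directory layout, the manifest file name, and the sample files are assumptions constructed for this example.

```python
"""Added example (not from the original report): file backup with a
SHA-256 manifest, so a restore can be checked for ransomware damage or
tampering before it is trusted.  Assumptions (not in the original): the
directory layout, the manifest file name, and the sample files created
in demo().
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

MANIFEST = "manifest.json"   # assumed name


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, backup_root):
    """Copy src_dir into a timestamped folder under backup_root and write a
    manifest of SHA-256 digests for every file copied.  Returns the folder."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = os.path.join(backup_root, stamp)
    shutil.copytree(src_dir, dest)
    digests = {}
    for root, _dirs, files in os.walk(dest):
        for name in files:
            full = os.path.join(root, name)
            digests[os.path.relpath(full, dest)] = sha256_of(full)
    with open(os.path.join(dest, MANIFEST), "w") as f:
        json.dump({"created": stamp, "files": digests}, f, indent=2)
    return dest


def verify_backup(dest):
    """Return the sorted list of files whose digest no longer matches the
    manifest (modified, encrypted, or missing).  An empty list means clean."""
    with open(os.path.join(dest, MANIFEST)) as f:
        manifest = json.load(f)
    bad = []
    for rel, expected in manifest["files"].items():
        full = os.path.join(dest, rel)
        if not os.path.exists(full) or sha256_of(full) != expected:
            bad.append(rel)
    return sorted(bad)


def demo():
    """Back up two constructed files, verify the copy, then simulate
    ransomware overwriting one backed-up file and verify again.
    Returns (result_before_tampering, result_after_tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "rnd")
        os.makedirs(os.path.join(src, "ax10"))
        with open(os.path.join(src, "ax10", "flight.c"), "w") as f:
            f.write("/* constructed sample */ int main(void){return 0;}\n")
        with open(os.path.join(src, "design.txt"), "w") as f:
            f.write("constructed design notes\n")

        dest = make_backup(src, os.path.join(tmp, "backups"))
        clean = verify_backup(dest)

        # Simulate ransomware reaching the backup volume and encrypting a file.
        with open(os.path.join(dest, "design.txt"), "wb") as f:
            f.write(b"\x00encrypted-by-ransomware")
        return clean, verify_backup(dest)


if __name__ == "__main__":
    print(demo())
```

The manifest is only useful if an attacker who reaches the backup volume cannot rewrite it along with the files, so in production the manifest (or a signature over it) is stored separately from the backup, ideally offline or on write-once storage, and the verification step is run as part of every scheduled restore test.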
References:
Hoffman, C. (2017, July 20). Wi-Fi security: Should you use WPA2-AES, WPA2-TKIP, or both? How-To Geek. Retrieved from https://www.howtogeek.com/204697/wi-fi-security-should-you-use-wpa2-aes-wpa2-tkip-or-both/
Panda Security. (n.d.). What is the difference between an IDS and an IPS? Retrieved from https://www.pandasecurity.com/usa/support/card?id=31463