
Partnerships and Expertise Document

Purpose

Based on Module 8's Help Wanted scenario, you will identify gaps in in-house expertise and show how Ackme can benefit from complementary external expertise.

Purpose of Document: Prepare a Partnerships and Expertise Document to outline how Ackme can be protected from potential cyber threats and security breaches with the assistance of external partners and their complementary expertise.


Allies and Partners Needed

Please read H. Ackme Oil & Gas Background Material and the scenario information below before attempting your assignments for this module.

The malware analysis has proven to be quite complex. A foreign language was used to name one of the key files, and that is suspected to be a clue to the origin of the malware. The malware is more complex than the onsite team can analyze, and the FBI recommends bringing in one of two companies to assist with deep analysis of the malware and the exfiltrated data. They suspect the motive is to cause damage and disruption at great scale. Some of the evidence includes references to Iranian infrastructure; at this point that could be a genuine clue or a deliberate attempt to mislead law enforcement and intelligence groups. A tool called ISMDoor has been found on the ARC proxy system and is exfiltrating data using DNS AAAA records. The pattern of infiltration looks familiar, although the tool set seems to have evolved and the US has not been a target of the suspected threat actor group in the past. The experts need to help determine the source of the attacks: is it the threat actor group normally associated with these TTPs (although they have evolved), or is it another threat actor group with similar attack patterns (spear phishing coupled with supply chain compromise)?

Meanwhile, concerns are mounting:

The usage monitors throughout Ackme operations can shut off or reduce the flow of crude oil, natural gas or refined petroleum products. The devices are also used to forecast customer demand and influence production rates. The team is unsure whether the recorded usage patterns have been modified yet, but does suspect this was part of the threat actor's plans.

Impacted customers:

  • As we know from Module 3, one of the byproducts of the Ackme wells is petroleum. Local airports consume this petroleum after it has been processed locally into jet fuel. One of the airports, New City, hosts international flights and is a major hub for a very large airline. The usage patterns have been exfiltrated.
  • Ackme and other major customers use petroleum processed into diesel as transportation fuel. It is believed that the distribution meter has been compromised and that its data has been exfiltrated as well.
  • Several industrial customers appear to have been impacted as well.

The team has to determine the risk to the business as well as the remediation steps and their timing. Further information on the typical objectives of the threat actor group will aid these decisions, since the motive factors into the business risk, as do the sophistication of the attack and the stage it has reached (MITRE ATT&CK / Lockheed Martin Cyber Kill Chain).

DHS's Cybersecurity and Infrastructure Security Agency (CISA) has come in to assist with remediation, since it is chartered to assist with recovery of critical infrastructure assets post-intrusion, while the FBI assists with forensics and attribution.

Zapper Inc. Threat Analysis Report

Zapper, Inc. is pleased to work with Ackme to analyze threat information and discover the extent of the infiltration. We work with all of our customers as partners: we are in this together and understand the scope of harm an attack has on your business. We also understand the sensitive nature of all information shared with us and discovered in this process, and we will guard it with the highest level of confidentiality.

After thorough analysis, we have uncovered several indicators of compromise (IoCs) that appear significant for establishing the scope of the attack and possible paths toward attribution. Zapper, Inc. does not perform attribution itself, for liability reasons, but we believe the information in this report will aid your analysis and discovery work with the FBI and DHS.

Your analysis prior to Zapper, Inc. joining the team included a major finding: the ISMDoor tool, used to leak information via DNS AAAA records. To perform the data leakage, the threat actor used a custom command and control tool that encodes data into DNS queries, letting it both leak information and talk to external servers. The malware used a direct connection from the proxy to external networks for its DNS traffic, bypassing the organization's resolvers.

The IoCs are the ISMDoor malware itself and DNS AAAA queries sent over direct connections to servers other than the approved DNS resolvers. For now, the approved resolver may simply be your service provider's DNS resolution system.

Recommendations

Prevent direct external DNS access by routing all DNS through a DNS proxy. The proxy can blackhole known bad hostnames and restrict DNS traffic to the organization's own resolver, so that queries sent to any other destination are blocked.
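The two findings above (direct DNS to unapproved servers, and AAAA lookups carrying encoded data under one parent domain) can be checked with a short script over DNS query logs. The following is an added example, not part of the Zapper report or of any Ackme tooling. The log format, the approved-resolver address 10.0.0.53, the hosts and the domain names are all constructed for the example; the thresholds (five unique names, 3.0 bits of label entropy) are assumptions to be tuned against your own baseline.

```python
"""Flag (1) DNS queries sent to anything other than the approved resolvers and
(2) sources that issue many AAAA lookups of unique, high-entropy labels under one
parent domain, which is the shape of data tunnelled out through query names."""
import math
from collections import Counter, defaultdict

# Constructed for the example: the only resolver internal hosts may query.
APPROVED_RESOLVERS = {"10.0.0.53"}

# Constructed DNS query log, one query per line: "timestamp src dst qtype qname".
# 10.1.7.44 mimics the reported pattern: many AAAA lookups of unique labels under
# one parent, sent straight to an external server instead of the resolver.
SAMPLE_LOG = """\
2023-05-01T10:00:01 10.1.5.20 10.0.0.53 A www.example.com
2023-05-01T10:00:02 10.1.5.20 10.0.0.53 AAAA www.example.com
2023-05-01T10:00:02 10.1.5.20 10.0.0.53 AAAA mail.example.com
2023-05-01T10:00:03 10.1.5.20 10.0.0.53 AAAA cdn.example.com
2023-05-01T10:00:04 10.1.9.3 8.8.8.8 A time.example.org
2023-05-01T10:00:05 10.1.7.44 203.0.113.9 AAAA 9f3a1c2e7b4d5608.updates.example.net
2023-05-01T10:00:05 10.1.7.44 203.0.113.9 AAAA 4e8d0b61a7c3f952.updates.example.net
2023-05-01T10:00:06 10.1.7.44 203.0.113.9 AAAA c17f9e02a5b8d634.updates.example.net
2023-05-01T10:00:06 10.1.7.44 203.0.113.9 AAAA 0a5e2d9c4b7f1836.updates.example.net
2023-05-01T10:00:07 10.1.7.44 203.0.113.9 AAAA 7b2c8f0e3a9d1645.updates.example.net
2023-05-01T10:00:07 10.1.7.44 203.0.113.9 AAAA e4061a9f7c5b2d83.updates.example.net
"""


def parse_log(text):
    """Parse the constructed log format into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, qtype, qname = line.split()
        records.append({"ts": ts, "src": src, "dst": dst, "qtype": qtype,
                        "qname": qname.lower().rstrip(".")})
    return records


def shannon_entropy(s):
    """Bits per character; random-looking labels score near log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Naive parent-domain split (last two labels). Production code should use
    a public-suffix list so that names like example.co.uk group correctly."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_unapproved_resolvers(records, approved=APPROVED_RESOLVERS):
    """(src, dst) pairs where DNS went somewhere other than the approved set."""
    return sorted({(r["src"], r["dst"]) for r in records if r["dst"] not in approved})


def find_aaaa_tunnels(records, min_unique=5, min_entropy=3.0):
    """Per (source, parent domain): count unique AAAA names and the mean entropy
    of the leftmost label. Many unique, high-entropy labels under one parent is
    the signature of data encoded into query names rather than real hostnames."""
    names = defaultdict(set)
    for r in records:
        if r["qtype"] == "AAAA":
            names[(r["src"], registered_domain(r["qname"]))].add(r["qname"])
    findings = {}
    for key, qnames in names.items():
        if len(qnames) < min_unique:
            continue
        mean_ent = sum(shannon_entropy(q.split(".")[0]) for q in qnames) / len(qnames)
        if mean_ent >= min_entropy:
            findings[key] = {"unique_names": len(qnames), "mean_entropy": mean_ent}
    return findings


def analyze(text):
    records = parse_log(text)
    return {"unapproved_resolvers": find_unapproved_resolvers(records),
            "aaaa_tunnels": find_aaaa_tunnels(records)}


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(name, finding)
```

Run against the constructed log, the first check flags 10.1.7.44 and 10.1.9.3 for talking to resolvers that are not on the approved list, and the second flags only the (10.1.7.44, example.net) pair, whose six unique labels are built from all sixteen hex digits and therefore score the maximum 4.0 bits; the benign host's three ordinary AAAA names under example.com stay below the unique-name threshold. Once the DNS proxy recommended above is in place, the first check should return nothing at all, which makes it a cheap ongoing control test as well as a hunt query.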

Additional malware was found on the compromised proxy. These tools are also IoCs.

IoCs:

  • LaZagne – credential dumping tool
  • KEYPUNCH – keystroke logger
  • CANDYKING – used to capture screenshots from system
  • RGDoor – used to establish redundant access
  • Remote Desktop Protocol (RDP): unusual activity patterns were detected, indicating lateral movement. These patterns were used to identify the full set of infiltrated systems on the network, which is provided in a separate, highly confidential addendum.
  • Custom .bat and .vbs scripts were found on the proxy system. A full analysis of the scripts and the scope in which they were successfully used is also provided in the addendum. A few standard operating system tools were used and are detailed here, as they are not as sensitive:
    • We believe "ipconfig /all" and "netstat -an" were run on systems to identify targets for lateral movement within the network.
    • "hostname" and "systeminfo" were run to assess the possible value of a compromised asset to the threat actor.
  • HTTP was attempted for exfiltration, but due to the protections in place the threat actors could not use this channel and fell back to DNS as described above.
  • Additional tools found include:
    • BONDUPDATER
    • Helminth
    • OopsIE
    • RSGDoor
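The built-in discovery commands and the RDP lateral movement described in the list above are the kind of activity that endpoint telemetry can surface even when the custom malware itself is not yet known. The following is an added example, not part of the Zapper report or of any Ackme tooling: it runs two detections over constructed process-creation and RDP logon events. The hosts, accounts and addresses are made up, the event shape is a simplified stand-in for Windows 4688 / 4624 (logon type 10) records, and the window and fan-out thresholds are assumptions to tune.

```python
"""Two detections over endpoint events: (1) a burst of distinct discovery
commands on one host, and (2) one account opening RDP sessions to many hosts.
Event records are constructed; real input would come from a SIEM export."""
from collections import defaultdict
from datetime import datetime, timedelta

# The four built-in discovery commands named in the report, keyed by image name.
DISCOVERY_IMAGES = {"ipconfig.exe", "netstat.exe", "hostname.exe", "systeminfo.exe"}

# Constructed telemetry. "process" records stand in for process-creation events,
# "rdp_logon" records for interactive remote (RDP) logons on the target host.
SAMPLE_EVENTS = [
    {"ts": "2023-05-01T09:00:00", "host": "WS-031", "kind": "process", "image": "ipconfig.exe", "cmdline": "ipconfig /all", "user": "ACKME\\jdoe"},
    {"ts": "2023-05-01T10:05:00", "host": "WS-017", "kind": "process", "image": "ipconfig.exe", "cmdline": "ipconfig /all", "user": "ACKME\\svc_backup"},
    {"ts": "2023-05-01T10:05:20", "host": "WS-017", "kind": "process", "image": "netstat.exe", "cmdline": "netstat -an", "user": "ACKME\\svc_backup"},
    {"ts": "2023-05-01T10:05:40", "host": "WS-017", "kind": "process", "image": "hostname.exe", "cmdline": "hostname", "user": "ACKME\\svc_backup"},
    {"ts": "2023-05-01T10:06:00", "host": "WS-017", "kind": "process", "image": "systeminfo.exe", "cmdline": "systeminfo", "user": "ACKME\\svc_backup"},
    {"ts": "2023-05-01T10:10:00", "host": "SRV-APP-02", "kind": "rdp_logon", "src_ip": "10.1.7.44", "user": "ACKME\\svc_backup"},
    {"ts": "2023-05-01T10:12:00", "host": "SRV-APP-02", "kind": "rdp_logon", "src_ip": "10.1.5.20", "user": "ACKME\\jdoe"},
    {"ts": "2023-05-01T10:15:00", "host": "SRV-DB-01", "kind": "rdp_logon", "src_ip": "10.1.7.44", "user": "ACKME\\svc_backup"},
    {"ts": "2023-05-01T10:20:00", "host": "SRV-FILE-03", "kind": "rdp_logon", "src_ip": "10.1.7.44", "user": "ACKME\\svc_backup"},
    {"ts": "2023-05-01T10:25:00", "host": "WS-031", "kind": "rdp_logon", "src_ip": "10.1.7.44", "user": "ACKME\\svc_backup"},
    {"ts": "2023-05-01T14:30:00", "host": "WS-031", "kind": "process", "image": "hostname.exe", "cmdline": "hostname", "user": "ACKME\\jdoe"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def discovery_bursts(events, window=timedelta(minutes=10), min_distinct=3):
    """Hosts where at least min_distinct different discovery commands ran inside
    one sliding window. A single admin running ipconfig is noise; four distinct
    recon commands within minutes is the pattern described in the report.
    Returns {host: sorted list of image names seen in the burst}."""
    per_host = defaultdict(list)
    for e in events:
        if e["kind"] == "process" and e["image"].lower() in DISCOVERY_IMAGES:
            per_host[e["host"]].append((_ts(e), e["image"].lower()))
    findings = {}
    for host, runs in per_host.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            seen = {img for ts, img in runs[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                findings.setdefault(host, set()).update(seen)
    return {h: sorted(s) for h, s in findings.items()}


def rdp_fanout(events, min_hosts=3):
    """(source IP, account) pairs that opened RDP sessions to at least min_hosts
    distinct hosts. Returns {(src_ip, user): sorted target hosts}."""
    targets = defaultdict(set)
    for e in events:
        if e["kind"] == "rdp_logon":
            targets[(e["src_ip"], e["user"])].add(e["host"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_hosts}


def report(events):
    return {"discovery_bursts": discovery_bursts(events), "rdp_fanout": rdp_fanout(events)}


if __name__ == "__main__":
    for name, finding in report(SAMPLE_EVENTS).items():
        print(name, finding)
```

On the constructed events, WS-017 is flagged for running all four discovery commands within one minute, while WS-031 is not, because its two commands are hours apart; the account ACKME\svc_backup from 10.1.7.44 is flagged for reaching four hosts over RDP in fifteen minutes. The set of target hosts that falls out of the second detection is exactly the kind of list the report says was used to scope the infiltration, and the overlap between the two findings (the same account doing discovery, then fanning out) is what turns two weak signals into one incident.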

A more formal report will be delivered at the next phase of our engagement. The scope of the attack and the tools used indicate a sophisticated threat actor group with targeted intent.

The remediation and lessons-learned phases will help us provide recommendations to prevent similar attacks, or slightly more sophisticated ones. Your expertise and knowledge of network resources will be required for the assessment and forward-looking recommendations.

Readings

Reading: Critical Infrastructure Protection: Actions Needed to Address Significant Weaknesses in TSA's Pipeline Security Program Management. Report to Congressional Requesters, December 2018, GAO-19-48, United States Government Accountability Office. https://www.gao.gov/assets/700/696123.pdf

OilRig threat actor group (MITRE ATT&CK entry, includes TTPs):

https://attack.mitre.org/groups/G0049/

  • Read the Allies and Partners Needed scenario.
    • Create a Partnerships and Expertise Document to outline how Ackme can be protected from potential cyber threats and security breaches with assistance from external partners and their complementary expertise.
    • Read the following questions carefully and include ALL of the following components in the Partnerships and Expertise Document:
      • List all the cyber security issues on which Ackme will need assistance.
      • Identify gaps in in-house expertise for which Ackme could benefit from complementary external expertise.
      • Establish a list of criteria for hiring outside help to assist in future incidents.
      • Identify the top three cyber security consulting agencies that can help Ackme overcome its gaps in expertise. These companies can be from the USA or Israel. For each of the three agencies, list the pros and cons of the potential contractor.
      • Create a needs analysis matrix articulating Ackme's needs and the expertise available in-house.
  • NOTE: You are expected to conduct additional research to complete your assignments.
  • The report should be between 1250 and 2500 words.