Sifers-Grayson Company: Cybersecurity Incident

Contact Information for the Incident Reporter and Handler

• Name:
• Role: After Action Reporting Assistant
• Organizational unit (e.g., agency, department, division, team) and affiliation: Sifers-Grayson, Engineering department, After Action Reporting division, Blue Team
• Email address: [email protected]
• Phone number: (555)-121-12-48
• Location (e.g., mailing address, office room number): Engineering department, Room E-12.

Incident Details

• Status change date/timestamps (including time zone): when the incident started, when the incident was discovered/detected, when the incident was reported, when the incident was resolved/ended, etc.

  • Day 1 (9:11 AM, GMT -5 hours): R&D DevOps lab servers were attacked through unprotected network connection (incident start)
  • Day 4 (11:01 AM, GMT -5 hours): The intrusion was detected, target server was shut down (incident discovered).
  • Day 4 (11:23 AM, GMT -5 hours): Network administrators, security specialists, and administration were notified (incident reported).
  • Day 4 (11:12 PM, GMT -5 hours): Attack was blocked (incident resolved).
• Physical location of the incident (e.g., city, state): 1555 Pine Knob Trail, Pine Knob, KY 42721
• Current status of the incident (e.g., ongoing attack): Penetration test successful, attack attempt resolved.
• Source/cause of the incident (if known), including hostnames and IP addresses:

  • R&D Center 10.10.135.0/24
  • Test Range 10.10.145.0/24
  • Corporate Headquarters 10.10.100.0/24
• Description of the incident (e.g., how it was detected, what occurred):

The incident started from using unprotected network connection to attack R&D DevOps lab servers, resulting into exfiltration of 100% of design documents and source code for AX10 Drone System. Next, 20% of employee logins using keylogging software were stolen based on the data stored on USB keys left by Sifers-Grayson employees on the lunch tables. On the second day, the malware was installed over the network to connect from DevOps lab to a PROM burner, resulting into taking control over AX10 controlled prototype and performing a flight test. On the third day, three stolen logins were applied for sending phishing emails to employees related to the videos with kittens or cats, business news story, and news of Kentucky Volunteers basketball team. As a result, 80% of recipients clicked on the first video link, 20% of users clicked on the second video link, while the click-through rate for the second link was 95%. Furthermore, email and IP addresses of 1500+ recipients were collected using phishing emails within 24 hours. On the fourth day, email and IP addresses of 1500+ recipients were collected using phishing emails within 24 hours. Afterwards, the intrusion was detected and target server was shut down. The issue was resolved within 12 hours.

• Description of affected resources (e.g., networks, hosts, applications, data), including systems’ hostnames, IP addresses, and function

  • The network of R&D DevOps labs that includes design specifications for AX10 Drone System project.
  • PROM burner responsible for AX10 Drone System prototype control.
  • Corporate e-mail server.
  • R&D Center and Corporate Headquarters IP address ranges.
• If known, incident category, vectors of attack associated with the incident, and indicators related to the incident (traffic patterns, registry keys, etc.)

Disruption of R&D Center operations aiming to took over the engineering prototype control and obtaining confidential information related to design specification through registry keys and malware injection.

• Prioritization factors (functional impact, information impact, recoverability, etc.)

Functional impact: blocking department operations and taking over the control on engineering designs.

Information impact: disrupting information exchange by overtaking control over the email server.

• Mitigating factors (e.g., stolen laptop containing sensitive data was using full disk encryption)

Penetration test was pre-planned and therefore was not controlled until the mail server attack.

• Response actions performed (e.g., shut off host, disconnected host from network)

There was no effective incident response because of the absence of centralized team responsible for enterprise security monitoring and no automated detection capabilities. Response action included targeted server shutdown, while forensic investigation was limited because of no trained personnel, misuse of forensic analysis tools, and limited availability of log files required for the event analysis.

• Other organizations contacted (e.g., software vendor)

The Red Team as a consulting firm to perform a penetration test.

Cause of the Incident (e.g., misconfigured application, unpatched host)

Based on the incident investigation performed by the Blue Team, the following functional and people-related causes of the incident were identified. First, it was found that R&D Center is a satellite facility that operates using a mixed set of hardware provided by different manufacturers, as well as hosts various operating systems and their variants, such as Windows 8.1, Windows 10, Apple OSX, and iOS. Technically, all systems are supported by junior engineers who might have a lack of expertise in managing each software instance professionally. There is also a questionable organizational philosophy related to technical support, which suggests that all engineers should be equally trained to support all existing software and hardware tools. The experience is primarily acquired through the on-the-job experience and mentoring, while off-the-job training is not provided. Furthermore, the formal job responsibility of a single engineer is to find and resolve the problem assigned by a supervisor, which might be eventually inconsistent with the current individual skillset. Therefore, it is obvious that internal network had its loopholes in integrating major loopholes in both software and hardware interaction.

Another specific cause of incident is that R&D DevOps Labs, the Data Center, and Enterprise IT Operations are using different operating systems both on the user and network hosting sides for managing workstations. For instance, while R&D DevOps Labs uses Windows 10 that is being patched and updated on the monthly schedule, the Data Center still uses Windows Server 2012 and has little benefit from the firewall used for protecting corporate networks. Hence, this gap was actually exploited by the Read Team to initiate the attack from R&D through the Data Center to access corporate server with user data. The consequent efforts were further used to produce new attacks, as internal vulnerabilities with intrusion detection were also evident in terms of training gaps and inconsistent forensic analysis approach.

Cost of the Incident

The approximate cost estimate per activity executed by Sifers-Grayson IT staff is estimated at $100 per hour. For the person hours, the following tasks were identified as critical ones:

• Resolving R&D DevOps network connectivity and security and integration with corporate and Data Center network nodes (50 person hours)
• Installing new protection network or extending technical capabilities of the existing one (50 person hours)
• Researching and implementing new data protection algorithms for the mail server and corporate network (100 person hours)
• Personnel training related to managing servers and forensic investigations (50 person hours).

Overall, the estimated costs of incident are estimated at $100 x (50 + 50 + 100 + 50) person hours = $25,000.

Business Impact of the Incident

The business impact of the incident should be analyzed from the perspectives of operational efforts and transformations. For operational efforts, it is assumed that Sifers-Grayson might postpone the deployment of the AX10 Drone System given that its operational excellence was compromised by external attack. Specifically, it means that new security protection mechanisms might be required to be implemented internally to ensure that the risk of cyberattacks is minimized and design specifications remain intact (Cichonski et al., 2012). For instance, it assumes synchronization of hardware and software pieces used by engineering departments, as well as obtaining vendor support for their deployment and use. Alternatively, additional consultancy services on another penetration attack simulation might be required to test additional vulnerabilities related to the customer engagement and prototype testing.

From the transformational perspective, the business impact assumes additional investment in employee training and potential reorganization of the technical support team. For instance, there is a need to establish the formal incident response capability driven by contractual and regulatory requirements guided by the compliance with DFARS §252.204-7008, 7009, and 7012, NIST derivatives, and lab operations requirements. Given that there is no central response team established for reactive activities, the one should be assembled at additional costs to avoid the previously mentioned cost of $25,000. Finally, the team should be well-trained to ensure that the expertise of cyberattack management does not prevent the business from launching their strategic projects, since additional post-launch costs might incur unexpectedly.

General Comments

Sifers-Grayson should also consider formal aspects, such as the contract and derivative requirements for cybersecurity management. First, relating to DFARS 252.204-7008 standard, it is important to ensure that Sifers-Grayson follows the principles of covered defense information controls, specified by NIST and governed by the chief security officer who is an organizational employee (DFARS, 2020). Second, the DFARS 252.204-7009 chapter states that third-party engagement in cyber incident analysis should be limited to the advisory purposes or technical support validated by the government (DFARS, 2020). Henceforth, it is a subject for the transparent purposes of service provision verification and further analysis of the expected outputs. Finally, the safeguarding mechanisms are needed to be implemented prior to sharing internal information system design and specifications, and therefore requires formal approval from the CIO or security associates assigned to the project.

For the derivative requirements, it is essential to seek for the guidance covered by the NIST 800-171 policy that explains how non-federal information systems should comply with protecting unclassified information (Ross et al., 2020). Partially, one refers to the use of cloud computing services and further representation of available data on behalf of the government entity (Ross et al., 2020). Therefore, the permission from the Sifers-Grayson contracting officer is required to ensure service and data exchange safeguarding.

References

Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide (NIST SP 800-62 rev. 2).

DFARS (2020).

Ross, R., Pillitteri, V., Dempsey, K., Riddle, M., & Guissanie, G. (2020). Protecting controlled unclassified information in nonfederal systems and organizations (NIST SP 800-171 rev. 2).