CYB 670 UMUC Ransomware Attack and Mitigation Capstone

In Project 3, your team is focused on preventing future incursions into the network and developing a business continuity plan to be deployed in case a breach occurs. There are 14 steps to be completed by the team, with the project culminating in the production of a video and forensics report that summarizes the lessons learned from the recent network breach. This project will take 14 days to complete. After reading the scenario below, proceed to Step 1, where you will establish your team agreement plan.

Before the summit, each nation set up its own secure comms network. As summit events began, your team responded to anomalous network activity that was detected on your agency’s server.

Now, to make matters worse, the next day you awaken to the news that summit attendees are unable to get access to the confidential summit data needed for the conference. All the computer screens show a pop-up message that says:

“Your Computer has been involved in Computer Fraud Activity!!! and has been locked down by the FBI and the Justice Department. Unless you pay the sum of $500 (FIVE HUNDRED DOLLARS)—in Bitcoin you will be arrested immediately! You have 48 hours to pay up via email – fines@fbi.gov.”

Your CISO has called an emergency meeting with your team. She begins to speak to the group.

“We’ve just been hit with the Reveton ransom attack, which pretends to be a warning from a country’s law enforcement agency. It locks you out of your PC and threatens criminal proceedings within 48 hours based upon very serious offenses. The message informs you that you can avoid prosecution by paying a fine to the attackers via Bitcoin. Based on the time of the incident, we believe that a single threat actor or group is responsible. This person or group is still unidentified.”

The CISO continues to brief you on the attack, confirming that no further information is known about the file, permissions, or tools used. Currently, systems show no signs of infection or additional malicious indicators.

The attendees at the summit are divided on what should be done. Some of them want to pay the money—it’s a small sum contrasted with holding up the proceedings. However, cyber insiders know that once you pay a ransom, you set a precedent for further attacks since you appear vulnerable. Also, there is no certainty that paying the ransom will unlock the system. Hackers are not the most honorable of people.

In addition, you want to know how the attackers were able to infiltrate the system and plant the malware. What current protections are in place for systems at the summit? What methods and procedures are your team employing in response to the current attack? What is the plan if protections fall short? These are the questions pouring in from leadership, down to your CISO—and now, to you.

Your CISO continues: “I need your team to provide a series of reports that will track this incident from start to recovery. Risk management briefings. Forensic reports. Situational reports. I need it all. They’ll all come in handy when it’s time to debrief our nation’s leaders.”

When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.

Step 2: Systems Locked Down: Respond to a Ransomware Attack!

Before you get started on the tasks that will lead to your deliverable to the CISO, take some time to review the CISO Deliverable Overview.

Take Note

This step includes a mandatory lab exercise. The teams should work together on the exercise, relying on each other’s expertise in the subject area of the exercise. The findings will be included in your team’s Security Baseline Report.

According to the triggering conditions of the incident response plan you created in Project 2, a cyberattack is one of the events that drives alerts and notifications throughout the cyber incident and on to recovery. You will build a series of awareness reports, called situation reports (SITREPs). The SITREPs start with minimal information but will continue to provide company leaders and everyone involved in incident response and business continuity with more information, as you and your team learn more.

These SITREPs provide a path to restoration and recovery, and eventually lessons learned to avoid, eliminate, or mitigate future occurrences. You will be serializing the SITREPs to review and document the order of events and to refer to them in a “lessons learned” activity. This system will be used for forensic investigation and situational reports based on the findings of any malicious activity that occurs in this lab exercise.

Getting Help

To obtain lab assistance, fill out the support request form.

Make sure you fill out the fields on the form as shown below:

  • Case Type: UMGC Virtual Labs Support
  • Customer Type: Student (Note: faculty should choose Staff/Faculty)
  • SubType: ELM-Cyber (CST/DFC/CBR/CYB)
  • SubType Detail: Pick the category that best fits the issue you are experiencing
  • Email: The email that you currently use for classroom communications

In the form’s description box, provide information about the issue. Include details such as steps taken, system responses, and add screenshots or supporting documents.

Take screenshots of your completed exercises. You will include them with your SITREPs as well as in the intelligence debriefing that you’ll develop later in the project.

Now that possible malware has been identified in the environment, it is time to make others aware that malicious activity is occurring. Before threat intelligence information can be passed along to other operation centers, a proper forensic investigation must take place on the identified machine. You will begin this work in the following step, where you will produce the first situation report (SITREP).

Step 3: Respond to the Incident: SITREP #1

You’ve begun your response to the ransomware attack. Intelligence gathered from this investigation can be shared with the other nation teams so they can search through their systems to see if they have the same activity. As a team, you will now create documentation that can be used by others for threat information for investigations.

Using this situation report template, create your first situation report (SITREP #1) of the initial findings, and suggest steps that are going to occur using the identified indicators. This report will be given to the rest of the nation teams. Describe the ransomware malicious activities such as file system alterations, services, IP addresses, and any other indicator that can be used by affected communities to search within their own networks.

The SITREP will be used for information sharing across nations/partner business operations. The SITREP should contain, but is not limited to, the following information:

  • when the problem was first detected and by whom
  • scope of the incident
  • indicators of compromise (IP address, file hash, protocols, registry edits)
  • how this malware was contained and eradicated

The findings will be used to create a situation report for internal staff along with external agencies/nations that could be experiencing the same type of attack. This information will speed the work of the incident response team by narrowing the search for specific indicators, whether they are targeting individuals, vulnerabilities, or resources such as web servers, databases, or even phone lines. These reports also keep management apprised of what is occurring so leaders can continue to address questions. Showcase your team’s strengths with a thorough, clear, and unbiased report that guards against misrepresentation. When you have finished gathering the initial information and have compiled the document, the SITREP #1 will be used in the intelligence briefing that you will develop in a later step.

Step 9: Advance the Situational Awareness: SITREP #2

Meanwhile, as you and your team have been working on the various parts of the overall analysis of the systems as a result of the attack, the CISO has been notified by credible sources that malware has been located inside the network. The CISO has also received new intelligence regarding the ransomware attacker’s demands. The attacker has raised the ransom demand from $500 to $5,000 in Bitcoin for each nation state. Conference participants are split on whether to pay the ransom. You know that this decision requires an understanding of virtual currency and the financial implications of virtual currency. While leadership is contemplating options, the CISO needs to act quickly to facilitate operations recovery.

The CISO needs a report on findings and further indicators that can be shared with allies. The indicators can be found for each team in this malware indicator file. Based on the findings, the CISO would like your team to generate documentation regarding the defense mechanisms needed to stop this style of attack. This documentation will be your second situation report, or SITREP #2.

In one to two pages, SITREP #2 should describe threat information and any other information that fellow nations could use to speed their investigations. It will be used for information sharing across nations/partner business operations and will help incident response teams and operations centers narrow their search based on findings. The report should include:

  • when the problem was detected and by whom
  • scope of the incident
  • indicators of compromise (IP address, file hash, protocols, registry edits)
  • how it was contained and eradicated
  • user screen captures (e.g., error messages or dialog boxes)

Take findings from all files, hashes, IP addresses, URLs and any other indicators presented and investigate while using the following files provided to you:

These findings will be used to determine what other evidence can be derived from the evidence provided in the form of indicators and possible files. These data sharing checklists for submitting and sharing information are available for all to use as nations become confident sharing information with fellow countries at the summit. Review them to ensure that your nation is exercising best practices in information sharing. Providing too much information could pose a threat to the nation’s cybersecurity posture. Your team’s level of detail could be the difference between a benign incident and a catastrophic breach/mission-critical resource failure.

Your SITREP #2 will be used in the intelligence briefing that you develop in a later step. In the meantime, the team is going to work on digital forensics to help identify sources of the attack.
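The SITREPs in Step 3 and Step 9 both ask for indicators of compromise (IP addresses, file hashes, registry edits) so that partner teams can narrow their search within their own networks. The script below is an added example, not part of the course materials or of any real indicator file for this scenario: it packages the indicator section of a SITREP as a structured record, normalizes the values so that teams with different tooling match them the same way, and sweeps constructed host artefacts (proxy log lines, file contents, registry Run entries) for matches. Every indicator value, log line, path and hash in it is constructed for illustration; the IP addresses come from the documentation ranges and the "locker" Run value name is invented.

```python
"""Sweep constructed host artefacts against a shared SITREP indicator set.

Added example for the CYB 670 scenario; nothing here is taken from the
assignment's own malware indicator file. All sample values are constructed.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class SitrepIndicators:
    """Indicator section of a situation report, as shared with partner teams."""
    report_id: str
    detected_on: str            # when the problem was first detected
    detected_by: str            # and by whom
    scope: str
    ip_addresses: set = field(default_factory=set)
    file_hashes: set = field(default_factory=set)    # SHA-256, hex
    registry_keys: set = field(default_factory=set)  # key\value strings

    def __post_init__(self):
        # Normalise on receipt: reject malformed IPs, lower-case hashes and
        # registry paths so partner teams match the same way regardless of tooling.
        self.ip_addresses = {str(ipaddress.ip_address(ip)) for ip in self.ip_addresses}
        self.file_hashes = {h.lower() for h in self.file_hashes}
        self.registry_keys = {k.lower() for k in self.registry_keys}


def sweep_logs(ind, log_lines):
    """Return (line_number, ip) for every log line containing a shared IP indicator."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in ind.ip_addresses:
                hits.append((n, ip))
    return hits


def sweep_files(ind, files):
    """Hash each path -> bytes entry; return paths whose SHA-256 is a shared hash."""
    return sorted(path for path, data in files.items()
                  if hashlib.sha256(data).hexdigest() in ind.file_hashes)


def sweep_registry(ind, entries):
    """Return registry entries that match a shared persistence indicator (case-insensitive)."""
    return sorted(e for e in entries if e.lower() in ind.registry_keys)


def sweep_host(ind, log_lines, files, registry_entries):
    """Run all sweeps; the result feeds the 'scope' section of the next SITREP."""
    log_hits = sweep_logs(ind, log_lines)
    file_hits = sweep_files(ind, files)
    reg_hits = sweep_registry(ind, registry_entries)
    return {
        "report_id": ind.report_id,
        "log_hits": log_hits,
        "file_hits": file_hits,
        "registry_hits": reg_hits,
        "compromised": bool(log_hits or file_hits or reg_hits),
    }


# --- constructed sample data (not real indicators) ---------------------------
PAYLOAD = b"constructed sample payload"          # stands in for a dropped binary
PAYLOAD_HASH = hashlib.sha256(PAYLOAD).hexdigest()

SHARED = SitrepIndicators(
    report_id="SITREP-1 (constructed)",
    detected_on="2019-03-12T07:45Z",
    detected_by="summit SOC analyst (constructed)",
    scope="summit workstation segment",
    ip_addresses={"203.0.113.45"},                # TEST-NET-3 documentation address
    file_hashes={PAYLOAD_HASH.upper()},           # upper-case on purpose: normalised below
    registry_keys={r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\locker"},
)

SAMPLE_LOGS = [  # constructed proxy log lines
    "2019-03-12 07:41:02 proxy allow 10.0.5.21 -> 203.0.113.45:443 GET /update.bin",
    "2019-03-12 07:41:09 proxy allow 10.0.5.21 -> 198.51.100.7:443 GET /index.html",
    "2019-03-12 07:44:55 host WS-21 process start C:\\Users\\att\\AppData\\Roaming\\svc.exe",
]
SAMPLE_FILES = {  # constructed path -> contents
    "C:\\Users\\att\\AppData\\Roaming\\svc.exe": PAYLOAD,
    "C:\\Users\\att\\Documents\\agenda.txt": b"summit agenda, benign",
}
SAMPLE_REGISTRY = [  # constructed Run entries, one with different casing
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\locker",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
]

if __name__ == "__main__":
    for key, value in sweep_host(SHARED, SAMPLE_LOGS, SAMPLE_FILES, SAMPLE_REGISTRY).items():
        print(f"{key}: {value}")
```

Normalizing in `__post_init__` is the point that matters when indicators cross team boundaries: a hash pasted in upper case or a registry path with different casing would otherwise be silently missed, and a malformed IP in a shared list is rejected on receipt rather than discovered during a sweep. The sweep output, with line numbers and paths, is what the "scope of the incident" line of SITREP #2 should be built from.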

Step 10: Prepare Situation Report for Computer Security Incident

You and your teammates will assist in the investigation of a complex computer security incident involving multiple teams representing a variety of specialties, including digital forensics, malware analysis, and human resources. Before you begin the investigation, find out more about what is known and who is working on the various parts of the incident response effort. Review the Computer Security Incident Investigation information and write the situation report. SITREP #3 will be part of the intelligence briefing that you develop in the next step.