Consortium of banks represented by the financial services


Project - Scenario

Company: Consortium of Banks represented by the Financial Services Information Sharing and Analysis Center (FS-ISAC)

Industry: Financial-Banking

The Situation:
- Recent reports of intrusions into the networks of banks and their consortium
- Millions of files were compromised
- A representative from FS-ISAC met with your manager at the FBI about
       1. Data exfiltration
       2. Extensive distributed denial of service (DDoS) disruptions of the consortium's networks, impacting the customer websites and blocking millions of dollars of potential transactions.

You: A network analyst working at the FBI

Your Manager: The FBI Chief Network Defense Liaison to the financial services sector/consortium, FS-ISAC

Your Knowledge:
- Financial Sector
- Use of network monitoring and intrusion detection tools
- Network and customer transaction website analyses after cybersecurity attacks, such as intrusions, data exfiltration and distributed denial of service

The Specific Assignment:
- Use one bank as a sample (the "target bank") for confirming the intrusions and DDoS attacks reported by the consortium. You can give that bank a name.
- Who breached the networks and what happened to the extracted data?
- Using your network monitoring and intrusion detection tools, produce two documents:

      1. A Malicious Network Activity Report (MNAR) by you to the FBI and the FS-ISAC consortium that contains the information you observed on the network (your research and lab analyses).

      2. A joint Network Defense Bulletin issued by the FBI to all of the banks in the FS-ISAC consortium. Note that a Network Defense Bulletin is very much like a vendor issuing a security vulnerability bulletin about a vulnerability in one of its products. Therefore, look at some vendor security bulletins to get some ideas and use the template I provided. The bulletin can be issued for one very specific event measured in the lab. Be sure to identify the specific event(s), describe the seriousness and impact if not remediated, recommend the remediation steps required and provide the recommended tools and method(s) for prevention.

Summary of Project 2 Steps

I. Perform independent research

a. Inject yourself and your lab results into the given scenario.
b. You travel to a target bank's locations and gain access to their network operations
c. Use Wireshark to analyze packets traversing their networks
d. Read Wireshark resource
e. Focus your work on how it relates to the target bank's networks

II. Step 1: Create a network architecture overview
a. Focus on what is at the target bank being examined
  i. Can be fictitious information, or model network from research, or reuse of appropriate network(s) from other projects.
b. Provide network architecture overview in both diagram and written forms
c. Describe various data transmission components
  i. User Datagram Protocol (UDP)
  ii. Transmission Control Protocol/Internet Protocol (TCP/IP)
  iii. Internet Packets
  iv. IP addresses schemes
  v. Well-known ports and applications
d. Address
  i. Sender or source that transmits a message
  ii. Encoder used to encode messages
  iii. Medium or channel that carries message
  iv. Decoding mechanisms used
  v. Receiver or destination of messages
e. Describe
  i. Intrusion Detection and Prevention Systems (IDS/IPS)
  ii. Firewalls that have been established
f. Link operating systems and software/hardware components in network, firewall and IDS that make up bank's implemented network defense
g. Identify
 i. How banks use firewalls
 ii. How banks use IDS/IPS
 iii. Difference between these technologies
h. Include
  i. Network infrastructure information
  ii. IP address schemes
  iii. IP addressing assignment method (e.g., static or DHCP)
  iv. Public and private addressing and addressing allocations
  v. Identify potential risks in setting up IP address scheme
i. Research firewalls and IDS/IPS
j. Identify well-known ports, services and applications being used
k. Identify risks associated with those identified and possibly targeted

III. Step 2: Identify information security attacks
a. Use model network architecture and IDS/firewalls
b. Identify possible cyberattacks
  i. Spoofing/cache poisoning attacks
 ii. Session hijacking
 iii. Man-in-the-middle attacks
 iv. Provide techniques for monitoring against these attacks
c. Cyber offensive operation - Honeypots
 i. Describe what they are
 ii. How to set up an operation using one
 iii. What security and protections mechanisms need to be in place
 iv. What indicators in network traffic would lead you to believe they are working
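Of the attacks listed under Step 2, spoofing/cache poisoning on a LAN segment (ARP cache poisoning, which is how a man-in-the-middle position is usually obtained inside a branch network) is the one a monitor can detect from traffic alone. The block below is an added example written for this page; it is not part of the original assignment and not a bank's or the lab's tooling. It assumes a monitor that extracts ARP replies from a capture as (timestamp, sender IP, sender MAC) tuples, and a hypothetical static table seeded for the gateway. The sample replies, addresses and MACs are constructed.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample: ARP replies as a monitor extracts them from a capture,
# as (timestamp, sender IP, sender MAC). The de:ad:... MAC is a hypothetical
# attacker claiming both the gateway and a teller workstation (MITM setup).
SAMPLE_ARP_REPLIES = [
    ("2024-03-04T09:00:01", "10.10.1.1",  "00:1a:2b:3c:4d:01"),  # gateway, genuine
    ("2024-03-04T09:00:02", "10.10.1.25", "00:1a:2b:3c:4d:25"),  # teller workstation
    ("2024-03-04T09:05:10", "10.10.1.1",  "DE:AD:BE:EF:00:99"),  # attacker claims gateway
    ("2024-03-04T09:05:10", "10.10.1.25", "DE:AD:BE:EF:00:99"),  # attacker claims victim too
    ("2024-03-04T09:05:11", "10.10.1.1",  "DE:AD:BE:EF:00:99"),
]

# Static entries the bank's network team would seed for critical hosts (hypothetical).
STATIC_TABLE = {"10.10.1.1": "00:1a:2b:3c:4d:01"}


class ArpMonitor:
    """Tracks IP->MAC bindings seen in ARP replies and raises alerts on the two
    classic poisoning signatures: the binding for a known IP changes, and one
    MAC starts answering for more than one IP."""

    def __init__(self, static_table=None):
        self.table = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
        self.static = set(self.table)          # never overwritten by learning
        self.mac_to_ips = defaultdict(set)
        self.alerts = []

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"malformed MAC {mac!r}")
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac                 # first sighting: learn it
        elif known != mac:
            self.alerts.append({"time": ts, "ip": ip, "expected": known, "seen": mac,
                                "kind": "static-override" if ip in self.static else "mac-change"})
        before = len(self.mac_to_ips[mac])
        self.mac_to_ips[mac].add(ip)
        # Alert only when a MAC that already owned an IP claims a second one.
        if before >= 1 and len(self.mac_to_ips[mac]) > before:
            self.alerts.append({"time": ts, "mac": mac, "ips": sorted(self.mac_to_ips[mac]),
                                "kind": "one-mac-many-ips"})
        return len(self.alerts)


def analyze_arp(replies, static_table=None):
    """Run the monitor over a list of replies and return the alerts raised."""
    mon = ArpMonitor(static_table)
    for ts, ip, mac in replies:
        mon.observe(ts, ip, mac)
    return mon.alerts


if __name__ == "__main__":
    for alert in analyze_arp(SAMPLE_ARP_REPLIES, STATIC_TABLE):
        print(alert)
```

On the constructed sample the monitor raises four alerts: two static overrides of the gateway, a MAC change on the teller workstation, and one MAC claiming both addresses. The learned (non-static) bindings are a false-positive source that belongs in the Step 3 discussion: DHCP lease changes, NIC replacements and gateway redundancy protocols all change a binding legitimately, which is why critical hosts get static entries and why this kind of monitor is normally fed from switch DHCP-snooping tables rather than run blind.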

IV. Step 3: Identify false negatives and false positives
a. Identify risks to network traffic analysis and remediation
b. Review resources on false positives and false negatives
  i. Identify what these are
 ii. How they are determined
 iii. How they are tested
 iv. Which is riskier to the health of the network
c. Describe your analysis about testing for false negatives and false positives
 i. Using tools such as IDS and firewalls
 ii. Recommendations for the banks in your bulletin
 iii. Statistical analyses of false positives and false negatives from results in the lab
 iv. How they can reduce these values

V. Step 4: Analyze IP network addresses
a. Use Workspace Lab and Snort
b. Capture network IP addresses
c. Types of protocols running
d. Relate them to network architecture provided earlier
e. Analysis of source and destination IP addresses that seem anomalous
 i. Traffic volume patterns with date and time corroborations
 ii. Other significant details of network traffic analysis
 iii. Obtain and include screenshots
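Step 1 (address scheme, public versus private addressing) and Step 4 (anomalous source and destination addresses, traffic volume patterns with date and time corroboration) are served by one piece of analysis: classify every address against the bank's address plan, then look for the two patterns the scenario describes, a burst of many distinct sources against the customer web server (DDoS) and an internal host moving a large volume to an external address outside business hours (exfiltration). The block below is an added example written for this page, not part of the original assignment; the address plan (10.10.0.0/16 and 10.20.0.0/16 as the bank's internal space), the web server address and every flow record are constructed. RFC 5737 documentation ranges stand in for public addresses, which is why classification uses the RFC 1918 networks explicitly rather than Python's `is_private` (that flag also marks the documentation ranges).

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical address plan for the target bank (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16"),      # branch LANs
                 ipaddress.ip_network("10.20.0.0/16")]      # data centre
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PUBLIC_WEB = "203.0.113.10"                                 # customer web server (TEST-NET-3 stand-in)
EPOCH = datetime(1970, 1, 1)


def _flow(ts, src, dst, proto, dport, nbytes):
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src": src, "dst": dst,
            "proto": proto, "dport": dport, "bytes": nbytes}


# Constructed flow records, as a flow collector or a Wireshark conversation export gives them.
SAMPLE_FLOWS = (
    [_flow("2024-03-04 09:00:05", "198.51.100.7", PUBLIC_WEB, "TCP", 443, 5200),   # customer session
     _flow("2024-03-04 09:00:09", "198.51.100.8", PUBLIC_WEB, "TCP", 443, 4100),
     _flow("2024-03-04 09:01:00", "10.10.1.25", "10.20.5.5", "TCP", 1433, 900),    # teller to core DB
     _flow("2024-03-04 09:02:30", "192.168.1.5", "10.20.5.5", "TCP", 1433, 300)]   # RFC1918 but not in plan
    # 09:30 flood: 40 distinct sources hit the web server inside one minute
    + [_flow(f"2024-03-04 09:30:{i:02d}", f"192.0.2.{i + 1}", PUBLIC_WEB, "TCP", 80, 60) for i in range(40)]
    # 02:13 next day: an internal host pushes 52 MB to an external address on a non-standard port
    + [_flow("2024-03-05 02:13:40", "10.10.1.77", "198.51.100.200", "TCP", 4444, 52_000_000)]
)


def classify(ip_str):
    """internal = in the bank's plan; private-unplanned = RFC 1918 space that is not in
    the plan (rogue device, overlapping VPN range, mis-NATed partner); external = public."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    if any(ip in net for net in RFC1918):
        return "private-unplanned"
    return "external"


def address_summary(flows):
    """Count flows by (direction, class); unplanned private sources are an address-scheme risk."""
    counts = defaultdict(int)
    for f in flows:
        counts[("src", classify(f["src"]))] += 1
        counts[("dst", classify(f["dst"]))] += 1
    return dict(counts)


def find_floods(flows, window_s=60, min_sources=25):
    """Distinct sources per (time window, destination, port): a DDoS shows as a burst of many sources."""
    buckets = defaultdict(set)
    for f in flows:
        win = int((f["ts"] - EPOCH).total_seconds()) // window_s
        buckets[(win, f["dst"], f["dport"])].add(f["src"])
    return [{"window_start": (EPOCH + timedelta(seconds=win * window_s)).isoformat(),
             "dst": dst, "dport": port, "distinct_sources": len(srcs)}
            for (win, dst, port), srcs in sorted(buckets.items()) if len(srcs) >= min_sources]


def find_exfiltration(flows, min_bytes=10_000_000, business_hours=(7, 20), allowed_ports=(80, 443)):
    """Internal -> external volume per address pair, corroborated by time of day and port."""
    totals = defaultdict(lambda: {"bytes": 0, "ports": set(), "first": None, "off_hours": False})
    for f in flows:
        if classify(f["src"]) != "internal" or classify(f["dst"]) != "external":
            continue
        t = totals[(f["src"], f["dst"])]
        t["bytes"] += f["bytes"]
        t["ports"].add(f["dport"])
        t["first"] = f["ts"] if t["first"] is None else min(t["first"], f["ts"])
        if not business_hours[0] <= f["ts"].hour < business_hours[1]:
            t["off_hours"] = True
    flagged = []
    for (src, dst), t in totals.items():
        odd_port = bool(t["ports"] - set(allowed_ports))
        if t["bytes"] >= min_bytes or (odd_port and t["off_hours"]):
            flagged.append({"src": src, "dst": dst, "bytes": t["bytes"], "ports": sorted(t["ports"]),
                            "first_seen": t["first"].isoformat(), "off_hours": t["off_hours"],
                            "non_standard_port": odd_port})
    return flagged


if __name__ == "__main__":
    print(address_summary(SAMPLE_FLOWS))
    print(find_floods(SAMPLE_FLOWS))
    print(find_exfiltration(SAMPLE_FLOWS))
```

The thresholds (25 sources per minute, 10 MB, 07:00 to 20:00) are placeholders to be tuned against the target bank's baseline; the report should state the baseline they were derived from, since a threshold set without one is where the Step 3 false-positive and false-negative discussion starts. Screenshots from Wireshark's Statistics > Conversations and Endpoints views show the same per-pair totals that `find_exfiltration` computes.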

VI. Step 5: Use Snort for intrusion detection
a. Use Workspace Lab and Snort
b. Conduct network forensics and identify malicious IP addresses
c. Develop proposed Snort signatures that alert on (or, when Snort runs inline, block) traffic to and from known bad sites, and test the signatures against the lab captures
d. Track if signatures trigger false positives or false negatives - record events
e. Provide improvements to performance of signature
f. Obtain screenshots
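Step 3 asks for statistics on false positives and false negatives from the lab, and Step 5 asks you to track whether a signature triggers them and to improve the signature. One evaluation serves both: parse the alerts a rule produced, compare them with what the capture actually contained, and report the confusion matrix for each revision of the rule. The block below is an added example written for this page; it is not part of the original assignment, the lab, or Snort. It assumes Snort was run with `-A fast` so that each alert is one line in the alert_fast format, that the analyst has labelled the connections in the same capture as malicious or benign, and two hypothetical revisions of a local rule (sid 1000001 is in the locally administered range). The rules, alert lines and connection labels are all constructed.

```python
import re
from collections import Counter

# Constructed Snort rules (hypothetical). rev 1 matches a whole /24 seen in the flood;
# rev 2 is narrowed to the sources the capture confirmed, plus one the /24 missed.
RULE_REV1 = ('alert tcp 192.0.2.0/24 any -> $HOME_NET any '
             '(msg:"FS-ISAC known bad source"; sid:1000001; rev:1;)')
RULE_REV2 = ('alert tcp [192.0.2.7,192.0.2.8,192.0.2.9,192.0.2.10,198.51.100.200] any -> $HOME_NET any '
             '(msg:"FS-ISAC known bad source"; sid:1000001; rev:2;)')

# Constructed ground truth from the lab capture: (src, dst, dst_port, is_malicious).
TRUTH = [
    ("192.0.2.7",      "203.0.113.10", 80,  True),
    ("192.0.2.8",      "203.0.113.10", 80,  True),
    ("192.0.2.9",      "203.0.113.10", 80,  True),
    ("192.0.2.10",     "203.0.113.10", 80,  True),
    ("192.0.2.50",     "203.0.113.10", 443, False),  # legitimate customer inside the /24
    ("198.51.100.7",   "203.0.113.10", 443, False),
    ("198.51.100.8",   "203.0.113.10", 443, False),
    ("198.51.100.9",   "203.0.113.10", 443, False),
    ("198.51.100.200", "203.0.113.10", 80,  True),   # attacker outside the /24
]

# Constructed alert_fast output for each rule revision (one alert per line).
ALERTS_REV1 = """\
03/04-09:30:07.101010  [**] [1:1000001:1] FS-ISAC known bad source [**] [Priority: 1] {TCP} 192.0.2.7:51234 -> 203.0.113.10:80
03/04-09:30:08.202020  [**] [1:1000001:1] FS-ISAC known bad source [**] [Priority: 1] {TCP} 192.0.2.8:51235 -> 203.0.113.10:80
03/04-09:30:09.303030  [**] [1:1000001:1] FS-ISAC known bad source [**] [Priority: 1] {TCP} 192.0.2.9:51236 -> 203.0.113.10:80
03/04-09:30:10.404040  [**] [1:1000001:1] FS-ISAC known bad source [**] [Priority: 1] {TCP} 192.0.2.10:51237 -> 203.0.113.10:80
03/04-09:31:02.505050  [**] [1:1000001:1] FS-ISAC known bad source [**] [Priority: 1] {TCP} 192.0.2.50:44010 -> 203.0.113.10:443
"""
ALERTS_REV2 = """\
03/04-09:30:07.101010  [**] [1:1000001:2] FS-ISAC known bad source [**] [Priority: 1] {TCP} 192.0.2.7:51234 -> 203.0.113.10:80
03/04-09:30:08.202020  [**] [1:1000001:2] FS-ISAC known bad source [**] [Priority: 1] {TCP} 192.0.2.8:51235 -> 203.0.113.10:80
03/04-09:30:09.303030  [**] [1:1000001:2] FS-ISAC known bad source [**] [Priority: 1] {TCP} 192.0.2.9:51236 -> 203.0.113.10:80
03/04-09:30:10.404040  [**] [1:1000001:2] FS-ISAC known bad source [**] [Priority: 1] {TCP} 192.0.2.10:51237 -> 203.0.113.10:80
03/04-09:30:12.606060  [**] [1:1000001:2] FS-ISAC known bad source [**] [Priority: 1] {TCP} 198.51.100.200:40001 -> 203.0.113.10:80
"""

# alert_fast layout: timestamp, [**] [gid:sid:rev] msg [**], optional classification,
# priority, {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_alerts(text):
    """Return one dict per alert line; lines that are not alerts are skipped."""
    return [m.groupdict() for m in (ALERT_RE.match(l.strip()) for l in text.splitlines()) if m]


def evaluate(alert_text, truth):
    """Confusion matrix of a rule against labelled connections, keyed on (src, dst)."""
    alerted = {(a["src"], a["dst"]) for a in parse_alerts(alert_text)}
    c = Counter()
    for src, dst, _port, malicious in truth:
        hit = (src, dst) in alerted
        c["tp" if malicious and hit else "fp" if hit else "fn" if malicious else "tn"] += 1
    tp, fp, fn, tn = c["tp"], c["fp"], c["fn"], c["tn"]

    def ratio(n, d):
        return round(n / d, 3) if d else 0.0

    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": ratio(tp, tp + fp), "recall": ratio(tp, tp + fn),
            "fpr": ratio(fp, fp + tn),        # false-positive rate over benign connections
            "fnr": ratio(fn, fn + tp)}        # false-negative rate over malicious connections


def compare_revisions(truth, **alert_texts):
    return {name: evaluate(text, truth) for name, text in alert_texts.items()}


if __name__ == "__main__":
    for name, stats in compare_revisions(TRUTH, rev1=ALERTS_REV1, rev2=ALERTS_REV2).items():
        print(name, stats)
```

For the constructed capture rev 1 scores 4 true positives, 1 false positive, 1 false negative and 3 true negatives (precision and recall 0.8, FPR 0.25, FNR 0.2); rev 2 removes both errors. The two error types carry different costs for the bank, which is the "which is riskier" question in Step 3: the false positive becomes a blocked customer the moment the rule is changed from `alert` to `drop` in inline mode, while the false negative is an attacker the IDS never mentions. Report the counts alongside the rates, since on a small lab capture a single connection moves the rates by 20 percentage points.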

VII. Step 6: Explain other detection tools and techniques
a. Do independent research
b. Explain what other tools and techniques you can use to detect the malicious activity your Snort signatures target

VIII. Step 7: Organize and complete your report
a. Conclude the report and organize it in sections

IX. Step 8: Create the joint defense bulletin
a. Compile the information gathered
b. Eliminate information that could identify the bank
c. Create an educational public service announcement document

Malicious Network Activity Report (8-10 pages)
Joint Net Defense Bulletin (1-2 pages)

Joint Net Defense Bulletin

1.0 BULLETIN INFORMATION-NAME
1.1 Effective Date
1.2 Last Update Date
1.3 Prior Version Dates

2.0 ABOUT THIS BULLETIN
2.1 Who is issuing this bulletin?
2.2 At whom is this bulletin targeted?
2.3 What the bulletin addresses.

3.0 TECHNICAL DETAILS
3.1 Exploited vulnerability(ies) on the "target" bank's network leading to this bulletin.
3.2 Brief description of the event(s).
3.3 Seriousness and possible impact of the event(s).

4.0 Supporting Data (Your lab test results for the "target" bank. The content depends on what you find in the lab related to the event and choose to notify the consortium about. The use of tables where appropriate will help with clarity. For example,...)
4.1 Analysis of false negatives/positives
- Testing for false negatives/positives
- Results
- Implications
4.2 Analysis of IP network addresses
- Anomalous source and destination IP addresses
- Application, service and port issues
- Traffic volume patterns with date and time corroborations
- Other significant details

5.0 RECOMMENDATIONS (Use of tables where appropriate will help with clarity.)
5.1 Recommended specific actions for remediation of this(these) event(s).
5.2 Recommended tools for identification and prevention.
5.3 Recommended techniques and procedures for identification and prevention.
5.4 Recommended reporting when next event occurs.

6.0 REPORTING EVENTS
6.1 Phone and email information for FS-ISAC.

7.0 SUMMARY OF REFERENCES (Use APA format for all reference summaries and in-line citations. Only include references for specific references used in the bulletin.)

Malicious Network Activity Report

1.0 DESCRIPTION OF EVENT
Provide a succinct description of what has happened and what the impact could be.

2.0 CYBERSECURITY RESPONSE
General introduction to the network analyst, fly-to operation. Inject yourself into the given scenario and respond as the network analyst. Use your lab results (and any results from prior labs which are relevant) as results of your analysis of the target banking institution's network.
2.1 Role
Explain what you were tasked to do and by whom.
2.2 Information Attacks
Explain the different types of information attacks you were tasked to examine
2.3 Cyberattack Methods
Identify several potential methods of cyberattacks that may have been used (e.g., distributed denial of service attacks, spoofing/cache poisoning attacks, session hijacking and man-in-the-middle attacks) that are relevant to the scenario.

3.0 TARGET AND PROFILE
3.1 Explain the consortium of banks and the Financial Services Information Sharing and Analysis Center (FS-ISAC)
3.2 Identify the specific "target" banking institution addressed in this report. Organization name, Organization structure, location information, etc. (Use and explain diagrams as appropriate.)

4.0 OVERVIEW OF TARGET BANKING INSTITUTION NETWORK ARCHITECTURE
4.1 Provide a network architecture overview, relevant for this scenario, of the
- network infrastructure,
- critical information system(s), and
- any critical applications
in both diagram and written forms (Feel free to reuse example networks from other projects if they are appropriate in this scenario.)
4.2 Describe the different data transmission components that might be involved in the specific events. Be sure to point specifically to your diagram(s) to indicate examples of where they occur. Examples might be:
- User Datagram Protocol (UDP)
- Transmission Control Protocol/Internet Protocol (TCP/IP)
- Internet Packets
- IP address schemes
- Well-known ports and applications
4.3 Address
- Sender or source that transmits messages
- Encoder used to encrypt messages
- Medium or channel that carries message
- Decoding/decryption mechanisms used
- Receiver or destination of messages
Be sure to point specifically to your diagram(s) to indicate examples of where they occur and for clarity and understanding you may provide additional diagrams which indicate the steps in the flow.
4.4 Firewalls vs. IDS/IPS
Describe, locate and explain for the "target" bank
- Intrusion Detection and Prevention Systems (IDS/IPS).
- Firewalls.
- How the target bank specifically uses firewalls.
- How the target bank specifically uses IDS/IPS.
- What are the differences between these technologies?
Indicate exactly where these security devices are in the network and how they are implemented (i.e., hardware or software, give examples).
4.5 Operating Systems
- Identify the operating systems in the "target" bank network elements, firewalls and IDS/IPS that make up its implemented network defenses.
- Why is it important for you to identify these OSs in our scenario?
4.6 Addressing and Related Issues
Explain the following for the "target" bank and use diagrams as necessary for clarity
- IP address scheme
- IP addressing assignment method
- Public and private addressing method
- Potential risks in setting up the IP address scheme
- Why is it important for you to cover addressing in our scenario?
4.7 Applications, Services and Ports
- Identify services and applications which are running on the "target" bank's network equipment.
- What are the well-known ports associated with these?
- What are the risks associated with those identified?
- How likely are these to be targeted?
- Why is it important for you to cover applications, services and ports in our scenario?

5.0 NETWORK TRAFFIC MONITORING AND RESULTS
Apply your specific lab results to the "target" bank scenario.
5.1 False Negatives and False Positives
- Review resources on false negatives and false positives
- Identify risks to network traffic analysis and remediation. For example: what are these? How are they determined? How are they tested? Which is riskier to the health of the network?
- Describe your analysis about testing for false negatives and false positives. For example, using tools such as IDS and firewalls, providing statistical analyses of false positives and false negatives from results in the lab, and ending with recommendations for the banks. How can the recommendations specifically improve the statistics?
5.2 Anomalous Source and Destination IP Addresses
- Identify and explain risks to network traffic analysis
- Describe and explain your analyses related to testing for anomalous IP addresses. For example, using tools such as IDS and firewalls, providing statistical analyses of anomalous IPs from your lab results, reporting traffic volume patterns with date and time corroborations. Use tables as appropriate for greater clarity.
- How can the statistics be improved?

6.0 RECOMMENDED REMEDIATION STRATEGIES
Use this section to provide your recommendations which address the project scenario and your lab findings.
6.1 Cyber Offensive Operation
From your studies and independent research for the "target" bank, explain what tools and techniques you recommend to the consortium to detect network/traffic attacks. Address the specific areas discussed in your report, above. Also cover honeypots as part of the cyber offensive operation. For each area recommended, describe and explain
- What they are
- An indication of aspects such as cost, skills, time, complexity, staff required for specifying, implementing, operating and maintaining
- How an organization sets up an operation using them
- The security and protections mechanisms needed to be in place
- The indicators in network traffic that lead you to believe they are working
6.2 Summary of Recommendations.
A summary table with implied order of implementation should be provided and key entries explained.
