Import the VM provided in enisa-main.ova into Virtual Box. From a terminal, execute the initialization script “./setup” and follow the instructions. After restarting the VM, all necessary material...

1 answer below »
Can you help me to do this assignment please



Import the VM provided in enisa-main.ova into Virtual Box. From a terminal, execute the initialization script “./setup” and follow the instructions. After restarting the VM, all necessary material to complete this lab will be found in the just created directory /home/enisa/Desktop/Training-Material/Inc_Hand_Dur_Att_Cri_Inf. Finally, read about the scenario and tasks (section 2) in the provided document ENISA_attack_Critical_Information_Infrastructure.pdf. Incident background: An attacking group has succeeded in connecting a rogue device to a substation network. This device enables them to connect to the control server and manipulate the power output of the station. Part A: Preliminary analysis 1. Was the corporate network at risk if the attackers compromised the HMI? Why or why not? 2. What is the IP address of the Windows RDP server? How did you know? 3. There are suspicious communications to the Windows RDP server originated in an IP address likely belonging to the rogue device. What is the IP address of this rogue device? Capture a screenshot of your finding. 4. There are logs that provide more information regarding this communication. Even if some parts of the information are in German, the structure is the standard for Windows events. Provide the event data in XML format. 5. Look for more events to find out logon attempts. Determine the target account and whether the attacker succeeded or not. Prove all your statements. 6. Explain the kind of logon. Part B: Mounting the disk image 1. Unzip the file cih-das-sda.img.bz2 found in the working directory. The resulting file is a disk forensic image of the DAS server. Execute the command “sudo losetup -f cih-das- sda.img” to mount the image and the command “sudo losetup -a” to check it. Capture a screenshot. 2. Show the partition table with “sudo fdisk -l LOOPBACK_DEVICE”, where the loopback device is /dev/loopN, being N the number assigned as per the previous command. Which kind of partition (primary or extended) is each one? 3. The last partition is using a logical volume, which must be activated. Execute “sudo partx –a –v LOOPBACK_DEVICE”, then “sudo pvscan”. Two logical volumes will be listed. The first, named enisa-vm-vg, is the VM’s root partition. Focus on the second one, which is a partition in the mounted image. Write down the device file for this partition and the name of the volume group (VG). 4. To activate the VG, execute “sudo vgchange -a y”. Then, mount the filesystem as read- only by executing “sudo mount –o ro /dev/mapper/cih--das-root /mnt”. Finally, short list the contents of /mnt. Capture a screenshot of all commands. Part C: Filesystem analysis 1. Move to /mnt/var/log and show all occurrences of the rogue device IP address. 2. Explain what the attacker tried, determine if the attack was successful and justify your answer. 3. Show all log entries related to the administrator user by the time of the incident. The command would be similar to “grep USER * | grep 14:0[0-9]:[0-9][0-9]”. 4. Check the difference of both cron binaries (the VM’s and the disk image’s) with the command “ls -l /usr/sbin/cron /mnt/usr/sbin/cron. What is suspicious? 5. Use the tool find to look for files under /mnt that have been modified after the cron binary. Then, append “-exec ls -l {} \;” to your command to list their properties. Capture a screenshot. Part D: Reasoning 1. Considering the use of the DAS server in the SCADA system. What containment action would you have recommended if you had been on duty when the incident was reported? Objective of this assignment is to understand detailed concepts of the Module (7 to 9) that you have studied from the book. To solve the following questions, you will need to carefully read and understand all the topics of the Module 7 to 9. Note: The question sets are defined based on the Modules/Chapters. You will see questions of Module 7 followed by Module 8 & 9. Module 7/Chapter 7 (To answer following question read module 7): PART 1: Discussion/Ethical Decision-Making Question 1. If open-source software is free to use without licensing costs, what other factors should be considered when evaluating the total cost of operating such software? 2. Suppose JJ had a close friend who was a very experienced IDPS specialist, with broad and deep experience with a specific IDPS software vendor. JJ thought she would be an excellent candidate for the new position. JJ told her about the opportunity, but she was not quite as enthused about applying for it as JJ had hoped. You see, there was a referral bonus, and JJ would get a tidy sum of cash if she were hired based on his recommendation. JJ told her that she needed to get on board and that he would split the referral bonus with her. Do you think that is an ethical way to encourage the candidate to apply? PART 2: Review Questions 1. What is a SPAN port and how is it different from a tap? 2. What is the clipping level? 3. What is a log file monitor? What is it used to accomplish? 4. What does the term trap and trace mean? 5. What is a honeypot? What is a honeynet? How are they different? PART 3: Real-World Exercises 1. Find out more about defense in depth. Visit youtube.com and search for “network defense in depth.” Select one or two of the options and watch the videos. What is the primary value or justification for using this approach? 2. Visit the site www.honeynet.org. What is this Web site, and what does it offer the information security professional? Visit the “Know Your Enemy” white paper series and select a paper based on the recommendation of your professor. Read it and prepare a short overview for your class. Module 8/Chapter 8 (To answer following questions, read module 8): PART 1: Discussion/Ethical Decision-Making Question 1. Was Osbert acting ethically when he wrote his worm program? On what do you base your position? 2. Was Osbert’s professor acting ethically by assigning him the worm program? On what do you base your position? 3. Who is responsible for this catastrophe? Osbert? His professor? The student who changed the network configuration.? The university? On what do you base your position? PART 2: Review Questions 1. What is an IR reaction strategy? 2. If an organization chooses the protect and forget approach instead of the apprehend and prosecute philosophy, what aspect of IR will be most affected? 3. What is the first task the CSIRT leader will undertake on arrival? 4. What is the second task the CSIRT leader will undertake? PART 3: Real-World Exercises 1. Depending on where you live and copyright requirements, the documentary “The KGB, the Computer and Me” may be available for viewing on public video-streaming services. Use a search engine to find the title and watch the documentary if it is available. (The video remains available as of 2020; its run time is about 57 minutes.) As you watch the film, note what makes Cliff start the search for the hacker. 2. One example of unauthorized access occurs when a relatively low-level account is used to gain access and then the commandeered account has its privileges escalated. To learn more about this, visit youtube.com. Enter the search term “privilege escalation demonstration.” Choose at least two of the options and view the videos. (Note that you may be required to view advertisements unless you have a YouTube service account.) As you watch, look for the techniques used to achieve the desired result. Module 9/Chapter 9 (To answer following questions, read module 9): PART 1: Discussion/Ethical Decision-Making Questions 1. Was the CSIRT response appropriate, given the circumstances? On what do you base your position? 2. Can the team access Osbert’s personal devices to examine them? Under what constraints? How might the team accomplish this legally? 3. During the investigation and forensic effort in response to the worm outbreak, you are examining a hard drive and find “love letters” between two employees of the organization who are not married to each other. This activity is not illegal, and it is not related to the worm attack. Do you report it in the investigation? PART 2: Review Questions 1. What is an incident damage assessment? 2. What are some of the reasons a safeguard or control may not have been successful in stopping or limiting an incident? PART 3: Real-World Exercises 1. Do a Web search for “Trojan horse defense.” How can it be used to question the conclusions drawn from a forensic investigation? 2. At the end of 2006, a new edition of the Federal Rules of Civil Procedure (FRCP) went into effect. Do a Web search to learn more about the FRCP. What likely effect will its emphasis on electronically stored information (ESI) have on an organization’s need for a digital forensic capability? European Union Agency for Network and Information Security www.enisa.europa.eu Incident handling during attack on Critical Information Infrastructure Toolset, Document for students September 2014 Incident handling during attack on Critical Information Infrastructure Toolset, Document for students September 2014 Page ii About ENISA The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Acknowledgements Contributors to this report We would like to thank all our ENISA colleagues who contributed with their input to this report and supervised its completion, especially Lauri Palkmets, Cosmin Ciobanu, Andreas Sfakianakis, Romain Bourgue, and Yonas Leguesse. We would also like to thank the team of Don Stikvoort and Michael Potter from S-CURE, The Netherlands, Mirosław Maj and Tomasz Chlebowski from ComCERT, Poland, and Mirko Wollenberg from PRESECURE Consulting, Germany, who produced the second version of this documents as consultants. Agreements or Acknowledgements ENISA wants to thank all institutions and persons who contributed to this document. A special ‘Thank You’ goes to the following contributors: Anna Felkner, Tomasz Grudzicki, Przemysław Jaroszewski, Piotr Kijewski, Mirosław Maj, Marcin Mielniczek, Elżbieta Nowicka, Cezary Rzewuski, Krzysztof Silicki, Rafał Tarłowski from NASK/CERT Polska, who produced the first version of this document as consultants and the countless people who reviewed this document. Contact For contacting the authors please use [email protected] For media enquires about this paper, please use [email protected]. http://www.enisa.europa.eu/ mailto:[email protected] mailto:[email protected] Incident handling during attack on Critical Information Infrastructure Toolset, Document for students September 2014 Page iii Legal notice Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not necessarily represent state-of the-art and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication. This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. Copyright Notice © European Union Agency for Network and Information Security (ENISA), 2013 Reproduction is authorised provided the source is acknowledged. Incident handling during attack on Critical Information Infrastructure Toolset, Document for students September 2014 Page iv Table of Contents 1 What Will You Learn 1 2 Exercise Task 1 2.1 Task 1 Analyse network infrastructure and scenario introduction 1 2.2 Task 2 Accessing and analysing incident data 2 2.3 Task 3 Discussion of findings 3 Incident handling during attack on Critical Information Infrastructure Toolset, Document for students September 2014 Page 1 1 What Will You Learn In this exercise you will learn how to address incidents in critical information infrastructures
Answered 6 days AfterNov 29, 2022

Answer To: Import the VM provided in enisa-main.ova into Virtual Box. From a terminal, execute the...

Deepak answered on Dec 03 2022
35 Votes
1.
It stands for "human machine interface". However, HMIs provide excellent targets for attackers.

A Human Machine Interface (HMI) is a device that shows data from machines to humans and receives orders from humans to machines. An operator observes and responds to information shown on a system via this interface. A modern HMI provides a highly advanced and customizable visualisation of a system's current state.
2.
To find IP address of RDP:
Open cmd...
SOLUTION.PDF

Answer To This Question Is Available To Download

Related Questions & Answers

More Questions »

Submit New Assignment

Copy and Paste Your Assignment Here