Part A: Planning. Open the provided document ITSAP XXXXXXXXXX entitled “DEVELOPING YOUR INCIDENT RESPONSE PLAN” and respond to the questions below justifying your opinion, supporting them with...

Can you solve this assignment?



Part A: Planning

Open the provided document ITSAP.40.003 entitled “DEVELOPING YOUR INCIDENT RESPONSE PLAN” and respond to the questions below, justifying your opinion and supporting it with other sources if necessary.

1. You are facing two simultaneous incidents. The first is related to the availability of a web server your company uses to sell their products (an e-commerce website). The second is about a disgruntled employee sending out descriptions and prices of products in a research stage exfiltrated from an internal database. What stage of the incident response plan should help determine the priority of these incidents?
2. What would be your choice if you could manage only one at a time?
3. Early in the morning, an employee powers up their computer and detects that “My PC” shows a unit F: identified as a pendrive. While checking the USB ports, the employee observes there was indeed a pendrive plugged into one of the rear ports. As it belonged to someone else, the pendrive is just unplugged and left on the table. The day continues as normal. What did the employee do wrong? What should change for this not to happen again?
4. Among the proposed roles for the incident response team, there is a communications advisor. How could this profile be useful beyond internal communications within the organization? Name two external entities that might need to be contacted during an incident.
5. After an incident, you help the IT team to recover from it. Is there anything else that needs to be done?

Part B: Ransomware

Open the provided document ITSAP.00.099 entitled “HOW TO PREVENT AND RECOVER FROM RANSOMWARE” and respond to the questions below, justifying your opinion and supporting it with other sources if necessary.

1. Your organization is backing up all servers to a NAS for faster backup and recovery. What would your recommendation be to be protected against ransomware?
2. Brian received a call from an employee claiming their workstation was compromised with ransomware, for all documents had been encrypted and a note left in the folder to pay a ransom. He re-imaged the operating system and restored a backup with all documents. Explain two things that Brian did wrong.
3. Linda’s organization has fallen victim to a ransomware attack. Give her two reasons not to pay the ransom.
4. Read about the Conti group following the link below. What tool is used to remotely execute commands? How does the gang ensure its business even if the victim is able to restore all data from backups? https://www.cyber.gc.ca/en/guidance/ransomware
5. Some advocate for banning ransom payments while others do not agree on their benefits. Research the topic and provide one opinion for and another against the ban.

You will work with command-line tools that will help you automate incident handling. Use the file lab4_24022007.txt.gz on a Linux machine, such as your Kali box. Capture a screenshot in addition to answering the questions below.

Part A: Filtering

1. Before unzipping it, use zgrep to filter some content directly in the zipped file. This will be very handy with large files that either take too long to unzip or require space that is not available. Specifically, filter all lines containing 2007-02-24 and count them.
2. Now, unzip the file and count the total lines. You will realize there is just one more: the header. In addition to the commands, show it without opening the file with a graphical tool.
3. Which has more lines, TCP or UDP? Prove it.
4. Execute the command below to obtain lines that are neither TCP nor UDP. What is the protocol shown? Why does it not work with grep instead of egrep?

egrep -vi 'tcp|udp' lab4_24022007.txt

5. The command below would list all destination addresses in the network 10.0.0.0/8. Explain what $7 and $1 represent and why -F: was necessary.
Tip: you can execute the command by parts, adding new commands after the pipe one at a time, so you can observe the evolution.

awk '{print $7}' lab4_24022007.txt | awk -F: '{print $1}' | sort -u | grep ^10

6. Modify the command above to obtain all unique source IP addresses. Hint: check the command uniq or the parameter -u in the command sort.

Part B: Geolocation

We are going to use the API of Team Cymru on port 43 to get the geolocation of some of the IP addresses previously obtained. Tool: http://www.team-cymru.org/Services/ip-to-asn.html#whois

1. First, try the commands below to see how it works. Show the content of the file output.txt.

echo -e "begin\ncountrycode" > list.txt
awk '{print $5}' lab4_24022007.txt | grep -v Proto | awk -F: '{print $1}' | grep ^8[1-3] | sort -u >> list.txt
echo -e "end" >> list.txt
netcat whois.cymru.com 43 < list.txt > output.txt

2. Next, create a similar input file named full.txt with all the IP addresses. Please note it is just a list of IPs, but with a header added and a last line appended. Send it to the API and save the results to geo.txt. Show the first 5 lines of the resulting file.
3. List all IP addresses located in Taiwan. Hint: when using grep, $ represents the end of the line.
4. Now count all IP addresses located in China or Russia, using a single command.

Part C: Identifying servers

5. Filter the TCP traffic. What kind of servers are 10.16.54.2 and 10.16.54.6?
6. What is the time span of HTTP traffic?

Incident Response Planning (ITSAP.40.003)
UNCLASSIFIED May 2021 | ITSAP.40.003
© Government of Canada | This document is the property of the Government of Canada. It shall not be altered, distributed beyond its intended audience, produced, reproduced or published, in whole or in any substantial part thereof, without the express permission of CSE. Cat. No. D97-1/40-003-2021E-PDF ISBN 978-0-660-38974-5

DEVELOPING YOUR INCIDENT RESPONSE PLAN

Your incident response plan includes the processes, procedures, and documentation related to how your organization detects, responds to, and recovers from incidents. Cyber threats, natural disasters, and unplanned outages are examples of incidents that will impact your network, systems, and devices. When you have a proper plan, you will be prepared to handle incidents when they happen, mitigate the threats and associated risks, and recover quickly.

CONDUCT A RISK ASSESSMENT
The results of your risk assessment inform your response plan. A risk assessment will identify your assets and analyze the likelihood and impact of your assets being compromised. With your risks and potential threats clearly identified, you can prioritize your response efforts. Some questions to answer during the assessment include:
· What data is valuable to your organization?
· Which business areas handle sensitive data?
· What controls do you currently have in place?
· Can this lead to a privacy breach for your organization?

BEFORE CREATING A PLAN
Before you create an incident response plan, determine what information and systems are of value to your organization. Determine the types of incidents you might face and what would be an appropriate response. Consider who is qualified to be on the response team and how you will inform your organization of your plan and associated policies and procedures.

DEVELOP YOUR POLICIES
Your incident response activities need to align with your organization’s policy and compliance requirements. Write an incident response policy that establishes the authorities, roles, and responsibilities for your incident response procedures and processes. This policy should be approved by your organization’s senior management and executives.

ESTABLISH YOUR RESPONSE TEAM
The goal of your team is to assess, document, and respond to incidents, restore your systems, recover information, and reduce the risk of the incident reoccurring. Your team should include employees with various qualifications and have cross-functional support from other business lines. Roles to consider for your incident response team include:
· Incident handler
· Technical lead
· Human resources specialist
· Communications advisor
· Notetakers
· Data analysts
Incidents are unpredictable and require immediate response. Ensure you designate backup responders to act during any absences when an incident occurs.

CREATE YOUR COMMUNICATIONS PLAN
Your plan should detail how, when, and with whom your team communicates. This plan should include a central point of contact for employees to report suspected or known incidents. Your notification procedures are critical to the success of your incident response. Identify the internal and external key stakeholders who will be notified during an incident. You may have to alert third parties, such as clients and managed service providers. Depending on the incident, you may need to contact law enforcement or consider engaging a lawyer for advice.

An event is an observable occurrence in a system or network (e.g. a user sending email). An incident is an adverse event in an information system or network, or the threat of such an event. An environment is your network and everything attached to it, such as peripheral devices (e.g. printers, computers, routers). Is your environment open to everyone or is it secure? An open environment allows information to be transmitted in and out of the network, without restrictions. A secured environment restricts what information is allowed in and out of the network.

EDUCATE YOUR EMPLOYEES
Update your employees on current incident response planning and execution. Tailor your training programs to your organization’s business needs and requirements, as well as your employees’ roles and responsibilities. A well-trained workforce can defend against incidents.

CREATE YOUR INCIDENT RESPONSE PLAN
Your incident response plan should define the objectives, stakeholders, responsibilities, communication methods, and escalation processes used throughout the incident response lifecycle. Keep the plan simple and flexible. Test, revisit, and revise it annually to keep it effective. The following list details the phases of the incident response life cycle which can be followed to structure your plan.

PREPARE
Lay out the objectives of your incident response strategy, as well as your related policies and procedures. Define your goals to improve security, visibility, and recovery. Implement a reliable backup process to create copies of your data and systems and help you restore them during an outage. Have a detailed strategy for updating and patching your software and hardware. Use this strategy to track and fix vulnerabilities and mitigate the occurrence and severity of incidents. Develop exercises to test your plan and response. You can revise and improve your plan using your test results.

OBSERVE
Monitor your networks, systems, and connected devices to identify potential threats. Produce reports on a regular basis and document events and potential incidents. Analyze these occurrences and determine whether you need to activate your incident response plan. Determine the frequency and intensity of your monitoring. You may want to consider monitoring your networks on a 24/7 basis or in a more ad hoc manner.

RESOLVE
Gain an understanding of the issue so you can contain the threat and apply effective mitigation measures. An effective mitigation measure is disabling connectivity to your systems and devices to block the threat actor from causing further damage. It might be necessary to isolate all systems and suspend employee access temporarily to detect and stop further intrusions. Eradicate the intrusion by restoring your systems from a backup. You should also run anti-malware and anti-virus software on all systems and connected devices. If you uncover vulnerabilities, you will need to patch and update your devices. Preserve evidence and supporting documentation to assist in your analysis of the incident.

UNDERSTAND
Identify the root cause of the incident and collaborate with the response team to determine what can be improved. Evaluate your incident response processes and highlight what went well and which areas require improvement. Create a lessons learned document that details how you will adjust and improve your plan for future incidents. Document the steps taken to uncover and resolve the incident. This will assist you in responding to future incidents by providing insight into possible mitigation measures and lessons learned to offer a faster, more effective recovery.

IN-HOUSE OR PROFESSIONAL SERVICES
When planning your response plan, determine which actions and services you can conduct internally and which actions you will outsource. Professional services can be obtained to assist you with incident response initiatives, such as developing your plan, determining your backup processes, and monitoring
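The lab's filtering, geolocation and server-identification pipelines, as an added worked example that is not part of the assignment, the ITSAP document or any course solution. It runs on a small constructed flow log rather than lab4_24022007.txt.gz, and it assumes an nfdump-style record layout (date, time, duration, protocol, src addr:port, ->, dst addr:port), which is what the lab's use of $5 and $7 implies; the Team Cymru reply is also a constructed stand-in whose column order is assumed, so the live netcat query is shown only as a comment. Every address, ASN and provider name in it is made up.

```shell
#!/bin/sh
# Added example (not the course's lab file or solution). Reproduces the lab's
# pipelines on a constructed flow log. Assumed record layout (nfdump-style,
# matching the lab's $4 = protocol, $5 = src addr:port, $7 = dst addr:port):
#   date time duration proto src:port -> dst:port packets bytes flows
WORK="$(mktemp -d)"
LOG="$WORK/flows.txt"
RESP="$WORK/geo.txt"

# Constructed sample log: one header line plus five flow records.
cat > "$LOG" <<'EOF'
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2007-02-24 00:00:01.000 0.000 TCP 81.10.20.30:44321 -> 10.16.54.2:80 5 400 1
2007-02-24 00:00:02.000 0.000 TCP 82.11.21.31:50012 -> 10.16.54.6:25 3 200 1
2007-02-24 00:00:03.000 0.000 UDP 83.12.22.32:53123 -> 10.16.54.9:53 1 60 1
2007-02-24 00:00:04.000 0.000 ICMP 81.10.20.30:0 -> 10.16.54.2:8.0 1 84 1
2007-02-24 00:00:05.000 0.000 TCP 81.10.20.30:44322 -> 10.16.54.2:80 4 300 1
EOF
gzip -c "$LOG" > "$LOG.gz"

# Constructed stand-in for the Team Cymru bulk reply (assumed columns:
# AS | IP | CC | AS Name), using documentation ASNs and made-up names.
cat > "$RESP" <<'EOF'
Bulk mode; whois.cymru.com [constructed sample]
64496   | 81.10.20.30      | TW | EXAMPLE-ISP-ONE, TW
64497   | 82.11.21.31      | CN | EXAMPLE-ISP-TWO, CN
64498   | 83.12.22.32      | RU | EXAMPLE-ISP-THREE, RU
EOF

# Part A.1: count the day's records straight from the compressed file.
count_day() { zgrep -c '2007-02-24' "$1"; }
# Part A.2: total lines of the unzipped file; the one extra line is the header.
count_lines() { wc -l < "$1" | tr -d ' '; }
show_header() { head -n 1 "$1"; }
# Part A.3: compare the protocol field exactly instead of grepping the whole line.
count_proto() { awk -v p="$2" '$4 == p' "$1" | wc -l | tr -d ' '; }
# Part A.4: everything that is neither TCP nor UDP. The '|' alternation is an
# extended-regex operator, so plain grep needs -E (which is what egrep provides).
other_protos() { grep -Evi 'tcp|udp' "$1" | grep -v Proto | awk '{print $4}' | sort -u; }
# Part A.5: $7 is dst addr:port; -F: splits on the colon so $1 is the address alone.
dst_in_10() { awk '{print $7}' "$1" | awk -F: '{print $1}' | sort -u | grep '^10\.'; }
# Part A.6: unique source addresses ($5); the header is dropped via its "Proto" field.
src_unique() { awk '{print $5}' "$1" | grep -v Proto | awk -F: '{print $1}' | sort -u; }

# Part B.1: build the bulk-query file: "begin", the "countrycode" option, one IP
# per line, then "end". printf avoids the echo -e portability problem.
build_query() {
  printf 'begin\ncountrycode\n' > "$2"
  awk '{print $5}' "$1" | grep -v Proto | awk -F: '{print $1}' | grep '^8[1-3]' | sort -u >> "$2"
  printf 'end\n' >> "$2"
}
# The live query (needs network access, so it is not run here):
#   nc whois.cymru.com 43 < "$WORK/list.txt" > "$WORK/output.txt"

# Part B.3/B.4: the country code ends each reply line, so anchor the pattern with $.
taiwan_ips() { grep 'TW$' "$1" | awk -F'|' '{gsub(/ /, "", $2); print $2}'; }
count_cn_ru() { grep -cE 'CN$|RU$' "$1"; }

# Part C.5: the unique TCP destination ports seen on a host hint at its service.
tcp_ports_to() {
  awk -v h="$2" '$4 == "TCP" { split($7, a, ":"); if (a[1] == h) print a[2] }' "$1" | sort -nu
}
# Part C.6: first and last timestamp of flows to TCP port 80.
http_span() {
  awk '$4 == "TCP" && $7 ~ /:80$/ { print $1, $2 }' "$1" | sort \
    | awk 'NR == 1 { first = $0 } { last = $0 } END { print first " .. " last }'
}

build_query "$LOG" "$WORK/list.txt"
printf 'records on 2007-02-24: %s of %s lines\n' "$(count_day "$LOG.gz")" "$(count_lines "$LOG")"
printf 'TCP=%s UDP=%s other=%s\n' "$(count_proto "$LOG" TCP)" "$(count_proto "$LOG" UDP)" "$(other_protos "$LOG")"
printf 'Taiwan: %s  CN/RU: %s\n' "$(taiwan_ips "$RESP")" "$(count_cn_ru "$RESP")"
printf 'HTTP span: %s\n' "$(http_span "$LOG")"
```

In the constructed sample, 10.16.54.2 only ever receives TCP port 80 and 10.16.54.6 only port 25, which is the kind of evidence Part C asks for; on the real lab file the same functions take the unzipped file name and the host address as arguments.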
Answered 1 day after Nov 24, 2022


Vivek answered on Nov 25 2022
38 Votes
Incident Response Planning
Part A: Planning
1. You are facing two simultaneous incidents. The first is related to the availability of a web server your company uses to sell their products (an e-commerce website). The second is about a disgruntled employee sending out descriptions and prices of products in a research stage exfiltrated from an internal database. What stage of the incident response plan should help determine the priority of these incidents?
Answer: At the 2nd stage of Incident Response Planning, which is Identification or Observe, we monitor your networks, systems, and connected devices to identify potential threats. The main topics we cover in this stage are:
· When did the incident happen?
· How was the incident noticed?
· What is the priority of the incident?
· Who discovered it?
· Are other areas affected?
· What is the extent of the breach?
· Will there be an operational impact?
· Was the source (entry point) of the event discovered?
2. What would be your choice if you could manage only one at a time?
Answer: I will choose the second case, “a disgruntled employee sending out descriptions and prices of products in a research stage exfiltrated from an internal database”, because the priority of the internal database is higher than the e-commerce website.
3. Early in the morning, an employee powers up their computer and detects that “My PC” shows a unit F: identified as a pendrive. While checking the USB ports, the employee observes there was indeed a pendrive plugged into one of the rear ports. As it belonged to someone else, the pendrive is just unplugged and left on the table. The day continues as normal. What did the employee do wrong? What should change for this not to happen again?
Answer: The employee thought it was no threat, but it can be a critical issue because the pen drive can be a rubber ducky.
Here are some common things an attacker might have done on the system:
· Stole saved passwords, cache, history and other sensitive information from the browser.
· Stole password hashes and system files and made changes to Windows services.
· Injected a keylogger, spyware, virus, malware and other malicious code on the system.
· Made changes to Windows security, such as disabling the antivirus and firewall.
For this not to...