In this project, your team (Australia) is focused on preventing future incursions into the network and on developing a business continuity plan to be deployed if a breach occurs. There are 14 steps for the team to complete, and the project culminates in the production of a video and a forensics report that summarizes the lessons learned from the recent network breach.
This project should take 14 days to complete. After reading the scenario below, proceed to Step 1, where you will establish your team agreement plan.

[Image: a server room with many running servers; the lights go out, the server lights go dark, and the room is plunged into darkness.]

Before the summit, each nation set up its own secure communications network. As summit events began, your team responded to anomalous network activity that was detected on your agency's server. Now, to make matters worse, the next day you awaken to the news that summit attendees are unable to access the confidential summit data needed for the conference. Every computer screen shows a pop-up message that says: "Your Computer has been involved in Child Porn Activity!!! and has been locked down by the FBI and the Justice Department. Unless you pay the sum of $500 (FIVE HUNDRED DOLLARS)—in Bitcoin you will be arrested immediately! You have 48 hours to pay up via email – firstname.lastname@example.org."

Your CISO has called an emergency meeting with your team. She begins to speak to the group: "We've just been hit with the Reveton ransom attack, which pretends to be a warning from a country's law enforcement agency. It locks you out of your PC and threatens criminal proceedings within 48 hours based upon very serious offenses. The message informs you that you can avoid prosecution by paying a fine to the attackers via Bitcoin. Based on the time of the incident, we believe that a single threat actor or group is responsible. This person or group is still unidentified."

The CISO continues to brief you on the attack, confirming that no further information is known about the file, permissions, or tools used. Currently, systems show no signs of infection or additional malicious indicators.

The attendees at the summit are divided on what should be done. Some of them want to pay the money; it is a small sum to be holding up the proceedings over. However, cyber insiders know that once you pay a ransom, you set a precedent for further attacks, since you appear vulnerable. In addition, you want to know how the attackers were able to infiltrate the system and plant the malware. What current protections are in place for systems at the summit? What methods and procedures is your team employing in response to the current attack? What is the plan if protections fall short? These are the questions pouring in from leadership, down to your CISO, and now to you.

Your CISO continues: "I need your team to provide a series of reports that will track this incident from start to recovery. Risk management briefings. Forensic reports. Situational reports. I need it all. They'll all come in handy when it's time to debrief our nation's leaders."