CETM45 – Breach and Incident Response

Assessment: 2 of 2

Title: CCIR

Value: 50 % of Module Mark

Deliverables: PDF Report

Handin Date & Time: By 2359h on 29/05/2020

Handin Location: Online in CETM45 Canvas

Module Leader: Dominic Button


 

Please read all information and instructions carefully. Please ensure that you retain a duplicate of your assignment. We are required to send samples of student work to the external examiners for moderation purposes, and a duplicate will also safeguard you in the unlikely event of your work going astray. The following learning outcomes will be assessed:

 

Knowledge

1. Incident response planning and preparation for cyber breach response, including the legal and professional requirements involved.

2. Evidence collection requirements and methods for securing content in a forensically sound manner, including the ability to acquire, analyse and report collected information.

3. Breach types, their consequences and the surrounding legal implications for both the organisation and the practitioner.

 

Skills

4. Plan and manage an effective response to a breach, including containment strategies and management of risk.

5. Respond and learn from a breach to develop and evaluate both proactive and reactive policies and procedures.

6. Investigate a breach, including methods for containment, risk, notification, evaluation and response.

 

Important Information

You are required to submit your work within the bounds of the University Infringement of Assessment Regulations (see your Programme Guide). Plagiarism, paraphrasing and downloading large amounts of information from external sources will not be tolerated and will be dealt with severely. You should make full use of any source material, which would normally be an occasional sentence and/or paragraph (referenced) followed by your own critical analysis/evaluation. You will receive no marks for work that is not your own. Your work may be subject to checks for originality, which can include use of an electronic plagiarism detection service. Where you are asked to submit an individual piece of work, the work must be entirely your own. The safety of your assessments is your responsibility. You must not permit another student access to your work. Where referencing is required, unless otherwise stated, the Harvard referencing system must be used (see your Programme Guide).

 

Assignment 2

The assignment is worth 50 %. As a guide, your report should be 2,000 words in length, excluding references and the executive summary.

This assignment involves writing a breach incident and response report based on practical work you must undertake. The practical work is based on two virtual machines (Breach 1.0 and Breach 2.1); links to download them are at the bottom of this document. You will also need a virtual machine with Kali Linux installed in order to work through the breaches. You will be required to work through both breaches to establish what has occurred. You should consider: What type of attack has been conducted? Who is the attacker? Were measures in place before the attack to protect systems? How can this attack be remediated? At the end of each breach you will find a flag indicating that you have reached the end. Furthermore, you will also be required to create a Breach and Response report based on the Breach Incident Response scenario (below). The report has a maximum word limit of 2,000 words, not including references and the executive summary.

The report will cover the breach incident and remediation approaches. References to professional and academic sources may be used to back up your report (as needed). The scenario is given below.

Scenario

Initech was breached and the board of directors voted to bring in their internal Initech Cyber Consulting, LLP division to assist. Given the high-profile nature of the breach and the nearly catastrophic losses, there have been many subsequent attempts on the company. Initech has tasked their top consultants, led by Bill Lumbergh (CISSP) and Peter Gibbons (CEH, SEC+, NET+, A+), to contain and perform an analysis of the breach.

 

Little did the company realise that the breach was not the work of skilled hackers but a parting gift from a disgruntled former employee on his way out. The top consultants have been hard at work containing the breach. However, their own work ethics and the mess they left behind may be the downfall of the company. Some additional video can be found at https://www.imdb.com/title/tt0151804/?ref_=ttqt_qt_tt .

 

The following points should be discussed through the various headings in the breach report.

 

You have been asked to write a Breach Incident Response report. Your report should be a well-structured, detailed, critical discussion of:

·         Previous planning for a breach

·         Response to the breach incident and your technical findings

·         Management of an effective response to the breach

·         Policies, processes and legal & ethical issues

·         The evidence and its handling

·         Containment of risk

·         Remediation advice and recommendations

 

Report Sections

Title & Contents - Name of author, organisation (make one up), incident no. (make one up), IR company, ToC

·         Background - A short background of the breach, discussing anything in place before the breach occurred, such as previous investigations or the incident response plan. (5 marks)

·         Findings (executive summary) - Goals and findings (300 words, 1 page). (15 marks)

·         Recommendations - Short and medium term to remedy the current situation; long term to increase security. (20 marks)

Appendices - Long listings and excerpts (anything of 1+ pages):

·         Examine a source of evidence - What does the evidence show, and why is it important? Screenshots of evidence, code or an analysis report may be provided to show the evidence. (15 marks)

·         Handling of evidence - How would/have you handled live systems, images and malware? (15 marks)

·         Timelines - Timeline of events for the attack, showing the dates and times of the attacks. (10 marks)

·         Analysis Details - Steps taken to get to the root of the attack: the actions taken, the code used, why you took that step, and a screenshot/image of that step as evidence. (10 marks)

 

An additional 10 marks are available for appropriate use of references and the overall quality and structure of the report.

The report should use relevant references from professional and academic papers, as well as good professional practice in order to support your work (as needed and in Harvard format).

 

Your report should be appropriately sectioned and well-structured, and should clearly set out your own analysis, the necessary remediation and your conclusions. Your conclusions should be backed up by well-reasoned arguments and references. It is not enough to regurgitate or summarise material found in the literature.

Quotations should be no more than two lines long and, taken all together, should represent less than 10% of the words written. The remaining 90% of this assignment must be entirely in your own words.

You should submit your paper as a PDF file.

Help with Referencing
Whenever you need to refer the reader to the source of some information, e.g. a book/journal/academic paper/WWW address, provide a citation at that point within the main body of your report.

e.g. ... as we are all now aware referencing is not trivial (Kendal, 2017)

Provide a reference list towards the end of your research paper (after your conclusions section but before any appendices) that contains:

References, a list of books/journals/academic papers/URLs etc. that have been directly cited from within the report (see example citation above).

Any material from which text, diagrams or specific ideas have been used, even if this has been presented in your own words, must be cited within the main body of the paper and listed in the reference list. It is not enough to list this material in a bibliography.

e.g. for the previous example (using Harvard system) the reference list would contain the following:

Kendal S., 2017, Referencing standards, International Student Journal, Vol 55, Pages 25 – 30, Scotts Pub., ISBN 1-243567-89

This shows the authors, date published, title of paper (in single quotes), title of journal or conference (in italics), volume, page numbers, and publisher (ISBN desirable but not essential).

For further help see the following book, which is available in the library:

Cite Them Right: The Essential Guide to Referencing and Plagiarism by Richard Pears and Graham Shields

An interactive online version of this guide is available by logging into My Sunderland with your User ID and password and then clicking on Me and Library Resources. 

 

 

Files and software required
Workstation Pro 15 (virtual machine)
Follow the link provided below. You will be faced with a login screen where you enter your university login details. If this does not work, please contact the IT support team.
vmware.sunderland.ac.uk

Kali Linux
Once you have Workstation Pro installed you will be required to obtain Kali Linux from the link provided below:
https://www.kali.org/downloads/


Here are some links on how to install Kali Linux on a virtual machine within VMware:
https://www.shaileshjha.com/step-by-step-guide-how-to-install-kali-linux-2017-1-and-vmware-tools-in-vmware-workstation-12-pro/

Breach 1.0
The VM is configured with a static IP address (192.168.110.140), so you will need to configure your host-only adaptor to this subnet.
https://www.vulnhub.com/entry/breach-1,152/

Breach 2.1
The VM is configured with a static IP address (192.168.110.151), so you will need to configure your host-only adaptor to this subnet.
https://www.vulnhub.com/entry/breach-21,159/
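As an added example (not part of the assignment brief or of the VulnHub images), a small POSIX shell script that checks your host-only adaptor sits on the 192.168.110.0/24 subnet both VMs use before you spend time wondering why they do not respond. It assumes a Linux host on which the VMware host-only adaptor appears as vmnet1 and the iproute2 `ip` tool is available; both are assumptions, not something the brief states.

```shell
#!/bin/sh
# Constructed example: confirm the host-only adaptor shares a /24 with a
# Breach VM, then try one ping. Assumes a Linux host with iproute2 and the
# VMware host-only adaptor named vmnet1 (assumption; adjust the name).

BREACH1_IP="192.168.110.140"   # Breach 1.0 static IP from the brief
BREACH2_IP="192.168.110.151"   # Breach 2.1 static IP from the brief

# prefix24 ADDR -> prints the first three octets (the /24 network part)
prefix24() {
    printf '%s\n' "$1" | cut -d. -f1-3
}

# in_subnet24 HOST_ADDR VM_ADDR -> exit 0 when both are on the same /24
in_subnet24() {
    [ "$(prefix24 "$1")" = "$(prefix24 "$2")" ]
}

# adapter_addr IFACE -> prints the first IPv4 address configured on IFACE
adapter_addr() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n1
}

# check_adapter IFACE VM_ADDR -> 0 if IFACE is on the VM's subnet
check_adapter() {
    host_ip="$(adapter_addr "$1")"
    if [ -z "$host_ip" ]; then
        echo "no IPv4 address on $1; assign one such as $(prefix24 "$2").1/24" >&2
        return 1
    fi
    if ! in_subnet24 "$host_ip" "$2"; then
        echo "$1 is $host_ip, not on $(prefix24 "$2").0/24" >&2
        return 1
    fi
    echo "$1 ($host_ip) is on the same /24 as $2"
    # One ICMP echo so a VM left on the wrong virtual network shows up early
    ping -c 1 -W 2 "$2" >/dev/null 2>&1 && echo "$2 answers ping" \
        || echo "$2 is not answering ping; check the VM's network adaptor" >&2
}

# Usage: sh check_breach_net.sh vmnet1   (checks both VMs in turn)
if [ -n "${1-}" ]; then
    check_adapter "$1" "$BREACH1_IP"
    check_adapter "$1" "$BREACH2_IP"
fi
```

On Windows hosts the same check is done by hand: the VMnet1 adaptor in ipconfig must show an address in 192.168.110.0/24.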
 

Assignment 2 marking scheme

 

Categories: Grade; Relevance; Knowledge; Analysis; Argument and Structure; Critical Evaluation; Presentation; Relevance to Literature

Pass

86 – 100%

The work examined is exemplary and provides clear evidence of a complete grasp of the knowledge, understanding and skills appropriate to the Level of the qualification. There is also unequivocal evidence showing that all the learning outcomes and responsibilities appropriate to that Level are fully satisfied. At this level it is expected that the work will be exemplary in all the categories cited above. It will demonstrate a particularly compelling evaluation, originality, and elegance of argument, interpretation or discourse.

 

76 – 85%

The work examined is excellent and demonstrates comprehensive knowledge, understanding and skills appropriate to the Level of the qualification. There is also excellent evidence showing that all the learning outcomes and responsibilities appropriate to that level are fully satisfied. At this level it is expected that the work will be excellent in the majority of the categories cited above or by demonstrating particularly compelling evaluation and elegance of argument, interpretation or discourse and some evidence of originality.

 

70 – 75%

The work examined is of a high standard and there is evidence of comprehensive knowledge, understanding and skills appropriate to the Level of the qualification. There is clearly articulated evidence demonstrating that all the learning outcomes and responsibilities appropriate to that level are satisfied. At this level it is expected that the standard of the work will be high in the majority of the categories cited above or by demonstrating particularly compelling evaluation and elegance of argument, interpretation or discourse.

 

60 – 69%

Directly relevant to the requirements of the assessment

A substantial knowledge of relevant material, showing a clear grasp of themes, questions and issues therein

Comprehensive analysis - clear and orderly presentation

Well supported, focussed argument which is clear and logically structured.

Contains distinctive or independent thinking; and begins to formulate an independent position in relation to theory and/or practice.

Well written, with standard spelling and grammar, in a readable style with acceptable format

Critical appraisal of up-to-date and/or appropriate literature. Recognition of different perspectives. Very good use of a wide range of sophisticated source material.

 

50 – 59%

Some attempt to address the requirements of the assessment: may drift away from this in less focused passages

Adequate knowledge of a fair range of relevant material, with intermittent evidence of an appreciation of its significance

Significant analytical treatment which has a clear purpose

Generally coherent and logically structured, using an appropriate mode of argument and/or theoretical mode(s)

May contain some distinctive or independent thinking; may begin to formulate an independent position in relation to theory and/or practice.

Competently written, with only minor lapses from standard grammar, with acceptable format

Uses a good variety of literature which includes recent texts and/or appropriate literature, including a substantive amount beyond library texts. Competent use of source material.

 

40 – 49%

Some correlation with the requirements of the assessment but there are instances of irrelevance

Basic understanding of the subject but addressing a limited range of material

Some analytical treatment, but may be prone to description, or to narrative, which lacks clear analytical purpose

Some attempt to construct a coherent argument, but may suffer loss of focus and consistency, with issues at stake stated only vaguely, or theoretical mode(s) couched in simplistic terms

 

Sound work which expresses a coherent position only in broad terms and in uncritical conformity to one or more standard views of the topic

A simple basic style but with significant deficiencies in expression or format that may pose obstacles for the reader

Evidence of use of appropriate literature which goes beyond that referred to by the tutor. Frequently only uses a single source to support a point.

Fail

35 – 39%

Relevance to the requirements of the assessment may be very intermittent, and may be reduced to its vaguest and least challenging terms

A limited understanding of a narrow range of material

Largely descriptive or narrative, with little evidence of analysis

A basic argument is evident, but mainly supported by assertion and there may be a lack of clarity and coherence

Some evidence of a view starting to be formed but mainly derivative.

Numerous deficiencies in expression and presentation; the writer may achieve clarity (if at all) only by using a simplistic or repetitious style

 

Barely adequate use of literature. Over reliance on material provided by the tutor.

30 – 34%

The work examined provides insufficient evidence of the knowledge, understanding and skills appropriate to the Level of the qualification. The evidence provided shows that some of the learning outcomes and responsibilities appropriate to that Level are satisfied. The work will be weak in some of the indicators.

 

15 – 29%

The work examined is unacceptable and provides little evidence of the knowledge, understanding and skills appropriate to the Level of the qualification. The evidence shows that few of the learning outcomes and responsibilities appropriate to that Level are satisfied. The work will be weak in several of the indicators.

 

0 – 14%

The work examined is unacceptable and provides almost no evidence of the knowledge, understanding and skills appropriate to the Level of the qualification. The evidence fails to show that any of the learning outcomes and responsibilities appropriate to that Level are satisfied. The work will be weak in the majority or all of the indicators.