ISE 620 Module Five Lab Activity Guidelines and Rubric
Teema Garpue
Southern New Hampshire University
ISE-620 Incident Detection & Response
Prof. Donald Champion
October 22, 2023
Overview:
The labs in this course will help you build skills that are relevant for your final project. The purpose of these labs is two-fold:
● The experience will provide you with a valuable opportunity to walk a mile in the shoes of a security practitioner performing basic incident response procedures and tasks. Gaining this type of experience is necessary in managing and relating to the individuals and teams you will interact with in the field.
● You will also practice the communication and writing skills you need to employ in the final project for this course, as well as in your career.
These labs do not have the same scenario as the final project. Instead, they are practice opportunities that focus on a specific and smaller set of topics and skills.
It is important to note that some of the InfoSec Labs contain challenge lab activities. These are optional assignments. They are not required and not included in the course syllabus. The requirements for this lab are listed below.
Lab Requirements
Knowing where to look for indicators of attack is a critical aspect of incident detection and response. In this lab, you will execute a routine audit procedure (set of
data collection and basic report file formatting tasks) to determine if there are any signs of malicious activity. You will also learn where important audit logs (files)
are stored in a system running the Microsoft Windows Server operating system, what the audit logs look like, and how to execute common shell commands to
create, format, and populate an audit data file (simple report). You will complete two procedures in this lab.
Procedure One: You start by seeding the environment for analysis. You execute tasks most closely aligned to the role of attacker or a misguided system administrator, using the instructions provided in the lab environment. You will then add the built-in Windows guest account to a privileged user group called backup operators. The result of this change is increased capability for the guest user account to alter the server’s operating system configuration. This change could be an indicator of attack, since hackers often seek to escalate privileges using this method, or a sign of a security-relevant system configuration error, since misguided system administrators possess the ability to make this type of account-privilege change. You will conclude this first procedure by reviewing the Windows security event audit log to identify the changes made to the guest account.
Procedure Two: You play the role of an attacker looking for a moment to seed the environment for analysis. You will log into an external attack machine
and connect to a directory on a public-facing server residing in the defender’s network. You will then switch to the role of defender, conducting a routine
audit where you learn where data about external connections is stored. You will conclude this second procedure by exploring the system task scheduler
(used by attackers to orchestrate malicious activities) and learning how to find newly created files. These are important activities to help you identify
incident detection points on a Microsoft Windows server.
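The audit that Procedure One has you perform by hand (check who is in Backup Operators, then find the Security-log entries that record how the membership changed) can be scripted as a routine check. The following PowerShell is an added example, not part of the lab environment or of this submission. The approved-member list, the seven-day lookback and the -Remove switch are assumptions for illustration; reading the Security log needs an elevated session, and Event ID 4732 ("A member was added to a security-enabled local group") is only written when the Security Group Management audit subcategory is enabled.

```powershell
# Added example (not the lab's or the submission's own code): routine audit of a
# privileged local group on a Windows Server host. It lists the current members of
# the group, flags anyone not on an approved list, shows the Security-log events
# that record who added members, and removes the unauthorized members only when
# the operator passes -Remove. Uses the built-in LocalAccounts cmdlets.
param(
    [string]$Group = 'Backup Operators',
    # Assumed approved members; in a real playbook this list comes from the CMDB.
    [string[]]$Approved = @("$env:COMPUTERNAME\Administrator"),
    [int]$LookbackDays = 7,
    [switch]$Remove          # without this switch the script only reports
)

# 1. Current membership of the privileged group versus the approved list.
$members      = Get-LocalGroupMember -Group $Group
$unauthorized = $members | Where-Object { $Approved -notcontains $_.Name }

"== Members of '$Group' on $env:COMPUTERNAME =="
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 2. Who added them? Event ID 4732 = "A member was added to a security-enabled
#    local group". The event's EventData fields are read by name from the XML
#    so the script does not depend on property positions.
"== Additions to '$Group' recorded in the Security log (last $LookbackDays days) =="
$since  = (Get-Date).AddDays(-$LookbackDays)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732; StartTime = $since } `
                       -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $field = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
    if ($field['TargetUserName'] -ne $Group) { continue }
    # For local accounts MemberName is often logged as '-' with only the SID
    # filled in, so translate the SID back to an account name where possible.
    $member = $field['MemberName']
    if ($member -eq '-' -and $field['MemberSid']) {
        try {
            $member = ([System.Security.Principal.SecurityIdentifier]$field['MemberSid']).
                        Translate([System.Security.Principal.NTAccount]).Value
        } catch { $member = $field['MemberSid'] }
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Member  = $member
        AddedBy = "$($field['SubjectDomainName'])\$($field['SubjectUserName'])"
    }
}

# 3. Report, and optionally remove, members that are not on the approved list.
if ($unauthorized) {
    "== UNAUTHORIZED members of '$Group' =="
    $unauthorized | ForEach-Object { "  $($_.Name)" }
    if ($Remove) {
        $unauthorized | ForEach-Object { Remove-LocalGroupMember -Group $Group -Member $_.Name }
        "Removed $($unauthorized.Count) member(s) from '$Group'."
    }
} else {
    "No unauthorized members found in '$Group'."
}
```

Run it without switches first so the report can be compared against the change-approval records; the built-in Guest account appearing in the output of step 1 alongside a 4732 event naming it in step 2 is exactly the indicator Procedure One has you look for. The membership check (step 1) and the log check (step 2) are deliberately separate: an account removed before the audit runs will not appear in step 1 but still leaves its trace in step 2.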
Prompt:
Now that you have completed your lab, there are several contexts in which you can apply this information. For the purposes of this assignment, imagine
this experience informing actions in a workplace environment. Your manager has asked you to create a routine audit procedure for identifying and removing
unauthorized accounts from a system’s privileged user group. This is for a departmental playbook she is assembling for user account maintenance personnel.
Include an annotation for the table that explains the relationship between the attack actions and defensive countermeasures as a whole so that a novice would
understand.
Specifically, the following critical elements must be addressed:
Table:
Some of the procedural information has been provided for you within the table below. Complete the blank cells in the table to identify the system detection points, ensuring that:
o Each attack action is an effective choice for addressing the attack step to which it is mapped (in the first column)
o Each defensive countermeasure details an effective detection point and indicator of attack for the defensive step to which it is mapped (in the last column)
o The annotation explains the relationship between the attack actions and corresponding defensive countermeasures (This should be at least two to three sentences in length.)
The empty cells that you need to fill in are highlighted in yellow below:
Unauthorized Activities: Courses of Action
(Columns: Attack Step | Attack Action | Defensive Countermeasure | Defensive Step (IR Process))

Attack Step: Targeting. Objective: Decide who to attack
Attack Action: To employ a scanning tool to conduct network scans aimed at identifying open ports within the firewall. To perform scans on the publicly accessible Microsoft Windows servers with the aim of identifying vulnerabilities and potential targets for exploitation.
Defensive Countermeasure: Identify suspicious external connections to a public-facing Microsoft Windows server.
  Detection Point: The firewall connection logs will reveal connections to IP addresses categorized as suspicious, unknown, or causing annoyance.
  Indicator(s) of Attack: Connections to IP addresses that are flagged as abusive or malicious in well-regarded and trustworthy databases will also be disclosed.
Defensive Step (IR Process): Identification

Attack Step: Targeting. Objective: Decide what to attack
Attack Action: Gain remote administrative access to at least one vulnerable server in a potential target network.
Defensive Countermeasure: Identify suspicious group membership changes for guest user account.
  Detection Point: Windows event logs provide visibility into unauthorized modifications or alterations made to Windows user accounts or groups.
  Indicator(s) of Attack: The guest user account appears in a privileged user group without prior security team approval/coordination.
Defensive Step (IR Process): Identification

Attack Step: Access & Escalation. Objective: Solidify your foothold
Attack Action:
  ● Ensure flexible remote access to a compromised target system in the network you wish to attack
  ● Use the system task scheduler to establish periodic, remote “check-ins” between a compromised target system and your network
Defensive Countermeasure: To contain the infection and enhance network security, first, isolate the compromised system from the network to prevent the malware from spreading to other hosts. Next, bolster network security by configuring firewall rules to permit connections only for approved and critical business applications in both incoming and outgoing traffic. Additionally, on the affected host where the malware is present, take measures to remove any unauthorized tasks from the Windows Task Scheduler. Finally, initiate a comprehensive malware and virus scan on the affected host to identify and eliminate any traces of the infection.
  Detection Point: The firewall connection logs reveal a list of scheduled tasks.
  Indicator(s) of Attack: The logs also indicate connections to IP addresses that are classified as malicious or suspicious. Additionally, they highlight any unauthorized tasks within the scheduled task list and identify unauthorized programs located in the Windows startup folder.
Defensive Step (IR Process): Identification
Annotation:
After effectively isolating a secure system from the network, it becomes critically important to strengthen the overall network
security. This entails implementing necessary measures to ensure that the infection has not already spread beyond the initially
affected machine. The reinforcement of network security, achieved through the establishment of firewall rules, plays a pivotal role
in thwarting attempts by malware to connect to command and control servers for the purpose of downloading additional
malicious components or receiving further instructions. Preventing such connections not only enhances security but also provides
extra time to thoroughly examine the infected machine without the worry of it establishing additional external connections or
receiving more files or commands.
Alongside network security enhancements, it is imperative to remove any unauthorized scheduled tasks or programs from the
affected machine. Equally important is the preservation of any pertinent information, which can be invaluable for the
investigation process in identifying the precise source or cause of the infection, while simultaneously safeguarding the integrity of
the entire network.
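The Access & Escalation row of the table, and Procedure Two of the lab, name three places to look on the server: the firewall connection log for external connections, the task scheduler for check-in tasks, and the file system for newly created files (including the Startup folder). The PowerShell below is an added example, not the lab's or this submission's own material, that runs those three checks as one routine audit. It assumes Windows Firewall logging is enabled and writes to the default pfirewall.log location, that the watched paths stand in for the playbook's own baseline, and a 24-hour lookback window.

```powershell
# Added example (not the lab's or the submission's own code): the checks from
# Procedure Two as one routine audit on a Windows Server host, covering
# (1) inbound external connections, (2) recently registered scheduled tasks and
# (3) newly created files. Paths and the lookback window are assumptions.
param(
    [string]$FirewallLog = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
    [string[]]$WatchPaths = @(
        "$env:SystemRoot\Temp",                                            # assumed drop location
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"   # all-users Startup folder
    ),
    [int]$LookbackHours = 24
)
$since   = (Get-Date).AddHours(-$LookbackHours)
$private = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)'   # RFC 1918 ranges and loopback

# 1. External connections. pfirewall.log is W3C-style: a "#Fields:" header names the
#    columns (date time action protocol src-ip dst-ip src-port dst-port ... path).
#    Summarise inbound (path = RECEIVE) ALLOW entries from non-private sources.
"== Inbound allowed connections from external addresses (last $LookbackHours h) =="
if (Test-Path $FirewallLog) {
    $lines  = Get-Content $FirewallLog
    $header = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields = ($header -replace '^#Fields:\s*') -split '\s+'
    $lines | Where-Object { $_ -notlike '#*' -and $_.Trim() } | ForEach-Object {
        $v = $_ -split '\s+'; $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $v.Count; $i++) { $row[$fields[$i]] = $v[$i] }
        $row
    } |
    Where-Object {
        $_['action'] -eq 'ALLOW' -and $_['path'] -eq 'RECEIVE' -and
        $_['src-ip'] -notmatch $private -and
        [datetime]"$($_['date']) $($_['time'])" -gt $since
    } |
    Group-Object { $_['src-ip'] } | Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIP'; e = { $_.Name } }, Count,
                  @{ n = 'DstPorts'; e = { ($_.Group | ForEach-Object { $_['dst-port'] } | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
} else {
    "Firewall log not found at $FirewallLog (enable logging in the firewall profile)."
}

# 2. Scheduled tasks registered inside the window, excluding the \Microsoft\ tree.
#    The Date property holds the registration time as an ISO-8601 string.
"== Scheduled tasks registered in the last $LookbackHours h (non-Microsoft) =="
Get-ScheduledTask | Where-Object {
    $_.TaskPath -notlike '\Microsoft\*' -and $_.Date -and ([datetime]$_.Date) -gt $since
} | ForEach-Object {
    [pscustomobject]@{
        Task       = $_.TaskPath + $_.TaskName
        Registered = $_.Date
        Author     = $_.Author
        State      = $_.State
        Runs       = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
    }
} | Format-Table -AutoSize -Wrap

# 3. Files created inside the window under the watched paths.
"== Files created in the last $LookbackHours h under watched paths =="
Get-ChildItem -Path $WatchPaths -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $since } |
    Sort-Object CreationTime |
    Select-Object CreationTime, Length, FullName |
    Format-Table -AutoSize
```

The three sections are independent so a missing firewall log does not stop the task and file checks. Source addresses from section 1 are what you would look up against the reputation databases mentioned in the first table row; a non-Microsoft task from section 2 whose action points at a file listed in section 3 is the pattern the Access & Escalation row describes.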
Rubric
Guidelines for Submission:
The table (or the information in the table) should be submitted in a Microsoft Word document, double spaced, with 12-point Times
New Roman font.
(Columns: Critical Elements | Proficient (100%) | Needs Improvement (75%) | Not Evident (0%) | Value)

Attack Action
  Proficient (100%): All attack actions are effective choices for addressing the corresponding attack steps
  Needs Improvement (75%): Addresses “Proficient” criteria, but there are significant gaps in terms of effectiveness or detail
  Not Evident (0%): Does not complete attack actions in table
  Value: 30

Defensive Countermeasures
  Proficient (100%): All defensive countermeasures address effective detection point and indicator of attack for addressing the corresponding defensive
  Needs Improvement (75%): Addresses “Proficient” criteria, but there are significant gaps in effectiveness or detail in the detection points or indicators of attack
  Not Evident (0%): Does not complete defensive countermeasures in table
  Value: 30

Annotation
  Proficient (100%): Explains the relationship between the concept of attack actions and defensive countermeasures
  Needs Improvement (75%): Addresses “Proficient” criteria, but there are significant gaps in terms of logic or detail
  Not Evident (0%): Does not explain the relationship between the concept of attack actions and defensive countermeasures
  Value: 35

Articulation of Response
  Proficient (100%): Submission has no major errors related to citations, grammar, spelling, or organization
  Needs Improvement (75%): Submission has some errors related to citations, grammar, spelling, or organization that negatively impact readability and articulation of main ideas
  Not Evident (0%): Submission has critical errors related to citations, grammar, spelling, or organization that prevent understanding of ideas
  Value: 5

Total: 100%