Courses of Action Table Template and Instructions
This template is an aid to help you complete the Courses of Action Table elements in Milestone Two of your final project. The courses of action table template is similar to the activity you completed in Module Five. However, unlike the targeting step you focused on in the Module Five lab, your completed courses of action table must address the full flow of the potential attack in your provided scenario. Use the provided Final Project Scenario and the resources below to complete this table.
Resources:
1. Intelligence-Driven Incident Response, Chapter 3
If you have not already, read the sections from “Kill Chain” to “Active Defense.” The Cyber Kill Chain helps a security professional recognize the various stages of an attack and use that knowledge to initiate incident response procedures and practices that can stop attackers in their tracks. This kill chain model is the conceptual basis for the attack actions you will list in your courses of action table.
2. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
The Cyber Kill Chain methodology originated at Lockheed Martin; in this reading, experts at Lockheed explain how to use the kill chain model to enhance an organization’s incident response capabilities. Pay particular attention to section 3.3, entitled “Course of Action.”
3. Gaining the Advantage: Applying the Cyber Kill Chain Methodology to Network Defense
In this reading, experts at Lockheed explain the methodology and present some informal examples of countermeasures aligned with the attack steps they are meant to defeat. This PDF offers a rough, highly simplified courses of action table that is similar to the one you are constructing here, but based on a different use case.
4. Visual: Interaction Between Cyberattack and Incident Response Processes
This resource provides additional guidance on the interaction between cyberattack and incident response processes. It is a logical framework that a security practitioner would use for walking through an attack.
Table Template and Instructions:
Use the table in this document as the basis of the “Courses of Action” table for Part II of your final project. If you do not want to work within the template, you may create your own table or document in a separate Word document, but it must contain all the required elements listed after the steps below.
The resources above and the instructions outlined in the steps will guide you through completing this template. Your completed table will be scored against the guidelines and rubric in Milestone II. Lastly, note that in practice the countermeasure cell in this type of table references a procedure document that contains an objective, a description, and steps to completion. For purposes of this activity, keep this information brief and limited to this table. The first step has been provided for you as an example of how to ‘right-size’ the information you are adding to the table.

Courses of Action: Unauthorized Activities
Step 1: Objective:
<Decide who, what, where, and how to conduct the cyberattack. Prior to completing your table, read the scenario. Summarize the attack objective you see in that scenario here as a way to situate yourself prior to completing the table. This requires that you read and fully synthesize the scenario, as the attack objective is not explicitly listed.>
Step 2: Attack Methods and Features:
To succeed, an attacker must complete all of the identified attack steps in the proper sequence before the defender applies countermeasures or some unknown variable changes the operating environment under attack. For this step, you will complete the Attack Phase and Attack Action columns below. Ensure your phases and actions are organized according to their order of execution.
Step 3: Detection Location and Methods
After completing Step 2, fill in the Indicator(s) of Attack and Detection Point columns below as indicated.
Step 4: Response Method
After completing Step 3, fill in the Defensive Countermeasure(s) column below by identifying and describing the intent of the countermeasure (e.g., to identify, detect, disrupt, or deny) for the corresponding attack action. Also identify the important procedural steps necessary to implement the countermeasure.
Step 5: Response Objective:
After completing Step 4, identify the phase of the IR process in which this countermeasure is most likely to be implemented, choosing from the provided list.
Attack Phase
Identify the phase of the Kill Chain most closely aligned with the specific attack actions. (Targeting, Reconnaissance, Weaponization, Exploitation,
Attack Action(s)
Fill in the attack actions (the list of specific malicious tasks performed to complete the attack) and number them in the order in which they would be performed.
Indicator(s) of Attack
List an anomalous event or effect that can serve as a signal to a defender that the attack is underway.
Detection Point
Identify a likely target system or asset for the attack action you have identified in Step 2.
Defensive Countermeasure(s)
Describe your defensive course of action. (Note: In a professional setting, you may find it valuable to create a library of countermeasures using a standard template, and to simply reference the specific procedure document in the box below. Courses of action tables are intended to be living
Defensive Phase
Identify the phase of the incident response process most closely aligned with each countermeasure. (Preparation, Identification, Containment, Eradication,
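The following is an added worked example, not part of the course template or the Lockheed Martin readings: it expresses a courses-of-action table as data and applies the checks that Steps 2 through 5 imply (actions numbered in execution order, phases drawn from the kill chain and the incident response process, each action paired with an indicator, detection point and countermeasure) and then derives the phase-by-intent matrix that section 3.3 of the Lockheed reading describes. The full kill chain ordering, the incident response phase list, the extra countermeasure intents beyond identify/detect/disrupt/deny, and the phishing rows are all assumptions constructed for illustration; they are not taken from the Final Project Scenario.

```python
"""Added example (not from the course template): a courses-of-action table as
data, with the consistency checks a reviewer would apply before grading it.
Phase lists, intents and sample rows are constructed for illustration only."""
from dataclasses import dataclass

# Kill chain phases in execution order. Assumed: the Lockheed Martin chain with
# the template's "Targeting" step placed first.
KILL_CHAIN = ["Targeting", "Reconnaissance", "Weaponization", "Delivery",
              "Exploitation", "Installation", "Command and Control",
              "Actions on Objectives"]
# Incident response phases (assumed: the common PICERL sequence).
IR_PHASES = ["Preparation", "Identification", "Containment", "Eradication",
             "Recovery", "Lessons Learned"]
# Intents named in Step 4 plus the extra Lockheed intents (assumed).
INTENTS = {"identify", "detect", "deny", "disrupt", "degrade", "deceive", "destroy"}


@dataclass
class CoARow:
    step: int              # execution order of the attack action
    attack_phase: str      # Attack Phase column
    attack_action: str     # Attack Action(s) column
    indicator: str         # Indicator(s) of Attack column
    detection_point: str   # Detection Point column
    intent: str            # what the countermeasure is meant to do
    countermeasure: str    # Defensive Countermeasure(s) column
    defensive_phase: str   # Defensive Phase column


def validate_table(rows):
    """Return a list of problems; an empty list means the table is consistent."""
    problems = []
    ordered = sorted(rows, key=lambda r: r.step)
    if [r.step for r in ordered] != list(range(1, len(rows) + 1)):
        problems.append("steps must be numbered 1..n without gaps or duplicates")
    last_idx = -1
    for r in ordered:
        if r.attack_phase not in KILL_CHAIN:
            problems.append(f"step {r.step}: unknown kill chain phase {r.attack_phase!r}")
            continue
        idx = KILL_CHAIN.index(r.attack_phase)
        if idx < last_idx:  # Step 2: actions must follow kill chain order
            problems.append(f"step {r.step}: phase {r.attack_phase!r} is out of kill chain order")
        last_idx = max(last_idx, idx)
        if r.defensive_phase not in IR_PHASES:
            problems.append(f"step {r.step}: unknown IR phase {r.defensive_phase!r}")
        if r.intent not in INTENTS:
            problems.append(f"step {r.step}: unknown countermeasure intent {r.intent!r}")
        if not (r.indicator and r.detection_point and r.countermeasure):
            problems.append(f"step {r.step}: indicator, detection point and countermeasure are required")
    return problems


def coverage_matrix(rows):
    """Map each kill chain phase to the set of countermeasure intents applied there
    (the matrix form of a courses-of-action table)."""
    matrix = {phase: set() for phase in KILL_CHAIN}
    for r in rows:
        if r.attack_phase in matrix:
            matrix[r.attack_phase].add(r.intent)
    return matrix


def uncovered_phases(rows):
    """Kill chain phases with no countermeasure at all: gaps a defender should close."""
    return [p for p, intents in coverage_matrix(rows).items() if not intents]


def render(rows):
    """Plain-text rendering of the table, one attack action per line."""
    lines = ["Step | Attack Phase | Attack Action | Indicator | Detection Point | "
             "Intent | Countermeasure | Defensive Phase"]
    for r in sorted(rows, key=lambda r: r.step):
        lines.append(" | ".join([str(r.step), r.attack_phase, r.attack_action, r.indicator,
                                 r.detection_point, r.intent, r.countermeasure,
                                 r.defensive_phase]))
    return "\n".join(lines)


# Constructed sample: a generic phishing intrusion, not the assignment scenario.
SAMPLE_ROWS = [
    CoARow(1, "Reconnaissance", "Harvest staff names and email format from the public website",
           "Bursts of crawler requests against the staff directory", "Public web server",
           "detect", "Alert on directory-enumeration patterns in web server logs", "Identification"),
    CoARow(2, "Weaponization", "Embed a macro dropper in an invoice-themed document",
           "None observable on the defender's network", "N/A (attacker-side)",
           "deny", "Block macro execution from internet-sourced documents by policy", "Preparation"),
    CoARow(3, "Delivery", "Send the document to finance staff by email",
           "Inbound mail with a macro-enabled attachment from an unknown sender", "Mail gateway",
           "deny", "Quarantine macro-enabled attachments at the gateway", "Containment"),
    CoARow(4, "Exploitation", "User opens the document and the macro runs",
           "Office process spawning a script interpreter", "Finance workstation",
           "disrupt", "EDR rule that kills script interpreters spawned by Office", "Containment"),
    CoARow(5, "Installation", "Macro writes a scheduled task for persistence",
           "New scheduled task created outside change windows", "Finance workstation",
           "disrupt", "Remove the task, isolate the host, and re-image", "Eradication"),
]

if __name__ == "__main__":
    print(render(SAMPLE_ROWS))
    print("problems:", validate_table(SAMPLE_ROWS))
    print("uncovered phases:", uncovered_phases(SAMPLE_ROWS))
```

Run stand-alone, the script prints the table, an empty problem list, and the phases the sample leaves without a countermeasure; swapping two rows' phases makes `validate_table` report the ordering violation that Step 2 warns against. For the assignment, replace the constructed rows with the attack actions you derive from the Final Project Scenario and use the template's own phase lists where they differ from the assumed ones here.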