Skip to content

CSCI-6015 – HW5

Looking at the reports from CrowdStrike and Mandiant identify at least two current trends in crime

M-TRENDS 2022 Mandiant Special Report

Targeted attacks using initial infection vector of exploits and supply chain compromise. Interestingly this is higher than phishing-initiated intrusions, and Mandant believes this is so because of the organization’s better ability to detect and block phishing emails. They also believe better education so employees can recognize these kinds of attacks is also helping this trend (Mandiant, 2022).

The CrowdStrike 2022 Global Threat Report

Attackers are accomplishing their objectives without writing malware, and instead using legitimate credentials and built-in tools while “living off the land” (LOTL). Not using malware is deliberate to evade detection by legacy anti-virus products. It is interesting that 62% of all detections by CloudStrike in the fourth quarter of 2021 were malware-free (CloudStrike, 2022).

Explain why these trends pose a relevant threat to organizations

The reason I see these trends as relevant threats to an organization is because they show adversaries are adapting, maturing, and gaining experience. For example, using fewer phishing attacks in favor of leveraging exploits and supply chain compromise shows a lot of adaptation and maturation towards more advanced techniques. Avoiding malware to now avoid simple “traps” such as legacy antivirus to go for bigger prizes using LOTL only later shows a lot of control. It may even have come from gained experience from failure or watching others and learning from their failure. These kinds of trends make threats seem competitive in a way.

Develop a plan for a Cybersecurity Table Tabletop exercise

I heard about the Cybersecurity & Infrastructure Security Agency (CISA) Tabletop Exercise Packages during my time so far in the cybersecurity doctoral program. I decided to look through their cybersecurity Situation Manuals (SitMans) and found a ransomware scenario that was a good template to develop a plan. Given our class team made up a bitcoin ransomware story it made sense to make a tabletop plan with this in mind.

Tabletop Exercise Plan - Bitcoin Ransomware - John Kuk.docx

CISA Tabletop Exercise Packages (CTEP)

CISA offers various assets that help plan and prepare for a tabletop exercise. Below are the various PDFs that are shared by CISA for us to get better an being more situationally aware and prepare for cybersecurity incidents.

CISA Tabletop Exercise Packages - CTEP Documents located at the bottom of the page

Identify how the key players should be in the exercise

As part of the CISA Tabletop Exercise Packages there are players, observers, facilitators, and note-takers (CISA, 2022). Each has a role in the exercise, but key players are the main individuals who have an active role where they discuss or perform actions given their responsibilities. Given the exercise plan created for the tabletop exercise these are the roles that have been defined.

  • Employee “John” is a key player as an employee who accidentally triggered ransomware that locked his machine.
  • CSIRT Analyst is a key player representing an individual to performed analysis and constructed list of machines to isolate.
  • IT Networking Engineer is a key player representing one who has capability to perform any network related activities.
  • CISO, CIO, and CEO are key players representing leadership in the exercise, this can be one individual wearing multiple hats or multiple individuals depending on how many are participating in the exercise.
  • IT Engineer is an individual that has the role of accessing various machines and can perform activities such as machine wipes, OS installs, restoring backups.
  • HR, Legal, and PR are key players representing the various other internal actors in the exercise, this can be one individual wearing multiple hats or multiple individuals depending on how many are participating in the exercise.
  • News & Media, Local/State/Federal Authorities are key players representing the various external actors in the exercise, this can be one individual wearing multiple hats or multiple individuals depending on how many are participating in the exercise.

Whom in the organization would you engage to participate?

If possible, I would fill each role listed above to participate in the actual role playing during the exercise. The more involved participating would increase the diversity of thought in creatively answering the plan questions. I think finding other observers in the CSIRT, SOC, and IT engineering employees would be good to include to learn from the experience. Even other internal actors who are not technical would make sense to include for the learning experience and to understand what their role in real life would entail if there were a real incident.

Reference

CISA. (2022). CISA Tabletop Exercise Packages: Ransomware CTEP Situation Manual. CISA.gov. Retrieved January 5, 2023, from https://www.cisa.gov/cisa-tabletop-exercise-packages

CrowdStrike. (2022). The CrowdStrike 2022 Global Threat Report. CrowdStrike. Retrieved October 29, 2022, from https://go.crowdstrike.com/global-threat-report-2022.html

Mandiant. (2022). M-TRENDS 2022 Mandiant Special Report. Mandiant. Retrieved January 1, 2023, from https://www.mandiant.com/m-trends

Unless otherwise indicated, the content and opinions expressed on this web site are those of the author(s). They are not endorsed by and do not necessarily reflect the views of the George Washington University.
Viewing Message: 1 of 1.
 Notice

This site uses cookies to offer you a better browsing experience. Visit GW’s Website Privacy Notice to learn more about how GW uses cookies.