Case Study 2

Author: Shereen Mary Thomas
Course: Cybersecurity
Institution: Baruch College CUNY
Pages: 7
File Type: PDF

Case Study 2: Incident Response Planning

Responding to a cybersecurity incident successfully is vital, as cyberattacks that are not handled properly will have catastrophic results. Our book laid out a process for successful incident response planning. In the file attached to this document, I included the Office of Personnel Management (OPM) hack case and your book's incident response process. Please research the OPM hack case and analyze what they did right and what they did wrong based on your book's incident response process. Please outline an incident response plan for the OPM following your book's incident response process. You are also welcome to follow any other incident response plan available if you provide a proper citation.

Incident Response Plan (IRP) for OPM Data Breach

It is very important to create an incident response plan (IRP) for an organization. This is a risk management plan that defines controls to help reduce breaches or incidents and, if a breach does occur, helps to mitigate the risk of that breach. The incident response team should prioritize what needs to be responded to immediately and what can be delayed. Management defines the scope and goals of the incident response team in the incident response policy. When an incident occurs, it is important to manage it properly by following the incident response plan. An incident response plan has several steps:

a. Identify

A first response also involves incident identification: trying to determine the scope of the event, identifying what kind of event it is, and determining what systems it affects. It is important to determine the severity of the breach and what type of breach has occurred. Legally protected information includes health records, personal identification, fingerprints, etc., and OPM's breach is identified as a breach of legally protected information.

b. Investigate

The next phase is the investigation phase, where we identify the source of the breach and the extent of the compromise. “This deep investigation will allow the company to identify the attacker, discover unknown security vulnerabilities, and determine what improvements need to be made to the company’s computer systems” (Dhillon). Among the data exfiltrated were millions of SF-86 forms (a form that contains the personal information gathered in the background checks of people seeking government security clearances; the stolen data also contained millions of people's fingerprints). The document includes detailed information such as residence and employment history, lists of family members, foreign travel, and business activities.
It also contains detailed summaries of psychological and emotional health counseling the employee may have received (Fruhlinger). “Nation-state threat actors that at one point online used the alter-ego monikers of Captain America and Iron Man likely worked in tandem in two sets of attacks to case the Office of Personnel Management’s (OPM) network and system infrastructure and then systematically steal personal information of more than 22 million Americans, according to the results of a year-long congressional investigation published today” (Higgins).

c. Collect evidence

This phase is where we include a detailed set of instructions and approved methods to protect digital evidence. The response team should continue to carefully watch the status of the breach; it can also ensure that no more information is compromised. This is important even after the breach. In OPM's case, the team initially noticed that the malware was beaconing out to a command-and-control server. This caught the eye of the team because the malware was disguised as an antivirus file from McAfee software, which OPM does not use. The IOCs (indicators of compromise) gathered in the investigation phase are pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network. The breach was later detected by CyTech: “Using our endpoint vulnerability assessment methodology, CyFIR quickly identified a set of unknown processes running on a limited set of endpoints. This information was immediately provided to the OPM security staff and was ultimately revealed to be malware” (Mitchell). The attackers first breached the networks. Although they were not able to access any personnel records, they managed to exfiltrate manuals and IT system architecture information. Later that year, the attackers tried to breach the systems of two employees. OPM hoped that a system reset would rid the system of the attackers, but by that time the attackers had already begun to load keyloggers onto the database administrators' workstations. “There was no firm evidence that such information compromised by the OPM breach has been used by criminals to steal victims’ identities or to create phony bank and credit accounts” (Marks). The keyloggers let the attackers see which keys were pressed on which websites, so they captured the login information that users typed on their computers.

d. Respond to result

Timeline of the breach:
- November 2013: an attacker first breached OPM networks.
- December 2013: attackers were attempting to breach the systems of two contractors.
- March 2014: OPM identified that it had been hacked.
- May 27, 2014: the attackers began to load keyloggers onto the administrators' workstations.
- July and August 2014: the attackers exfiltrated the background investigation data from OPM's system.
- October 2014: the attackers had moved through the OPM environment to breach a Department of the Interior server where personnel records were stored.
- December 2014: another 4.2 million personnel records were exfiltrated.
- Late March 2015: fingerprint data was exfiltrated.
- April 15, 2015: OPM realized that attackers still had a foothold in its systems.

It is important for OPM to keep a log of what actions were taken to respond to the breach. This usually includes the affected systems, compromised accounts, disrupted services, and the amount of damage that occurred. The OPM breach compromised sensitive security information of about 21.5 million current and former federal employees and their families. The attackers are believed to have worked on behalf of the Chinese government for cyber espionage reasons, though the intelligence community has not released an official attribution.
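As an added illustration of the indicator-of-compromise work described under the Investigate and Collect evidence phases (example code written for this case study, not part of the original or of any OPM tooling), the Python script below runs two checks over constructed outbound-connection records: it flags a process that calls home at a near-constant interval (beaconing), and it flags a process named after an antivirus vendor that a hypothetical software inventory (DEPLOYED_AV) says is not actually deployed on that host.

```python
import statistics
from collections import defaultdict
from datetime import datetime
# Constructed sample of outbound-connection records: timestamp host process destination.
# Illustrative values only, not OPM's real logs.
SAMPLE_LOG = """\
2014-04-15T08:00:00 ws-dba-01 mcafee_update.exe 203.0.113.7:443
2014-04-15T08:00:00 ws-dba-01 outlook.exe 198.51.100.10:443
2014-04-15T08:05:00 ws-dba-01 mcafee_update.exe 203.0.113.7:443
2014-04-15T08:07:13 ws-dba-01 outlook.exe 198.51.100.10:443
2014-04-15T08:10:00 ws-dba-01 mcafee_update.exe 203.0.113.7:443
2014-04-15T08:20:00 ws-dba-01 mcafee_update.exe 203.0.113.7:443
2014-04-15T08:15:00 ws-dba-01 mcafee_update.exe 203.0.113.7:443
"""
# Hypothetical software inventory: which antivirus vendor each host really runs.
DEPLOYED_AV = {"ws-dba-01": "symantec"}  # assumption: McAfee is not deployed here

def parse_log(text):
    records = []
    for line in text.splitlines():
        ts, host, proc, dst = line.split()
        records.append((datetime.fromisoformat(ts), host, proc.lower(), dst))
    return records

def find_beacons(records, min_hits=4, max_cv=0.1):
    """Flag (host, process, dst) tuples whose connection intervals are near-constant."""
    by_key = defaultdict(list)
    for ts, host, proc, dst in records:
        by_key[(host, proc, dst)].append(ts)
    beacons = []
    for key, times in by_key.items():
        if len(times) < min_hits:
            continue  # too few connections to judge periodicity
        times.sort()  # records may arrive out of order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0  # coefficient of variation
        if cv <= max_cv:
            beacons.append((key, round(mean)))  # key plus beacon period in seconds
    return beacons

def find_masquerading_av(records):
    """Flag processes named after an AV vendor that the host does not actually run."""
    hits = set()
    for _, host, proc, _ in records:
        for vendor in ("mcafee", "symantec"):
            if vendor in proc and DEPLOYED_AV.get(host) != vendor:
                hits.add((host, proc))
    return sorted(hits)
```

In the sample, the fake McAfee updater connects every 300 seconds to one address and is flagged by both checks, while the mail client's irregular traffic is not.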

e. Contain the incident

In this phase the recovery team must take action to mitigate the impact of the breach as much as possible. For that, we must put all the affected machines, devices, and systems on lockdown. Re-routing, filtering, or blocking network traffic are some preventive strategies for this. A response team should be formed as soon as possible. It should include forensic, legal, IT, HR, operations, communications, and management experts, each assigned to deal with one aspect of the aftermath of the breach; for example, the forensic experts check the network segmentation and determine what the attacker gained access to.

f. Repair gaps or malfunctions

When the warning signs of the breach were flagged, OPM should have acted right away instead of neglecting them. It received many red flags regarding its encryption, authentication, and other security features over the years, and this was the main cause that led to the attack. The administration should take steps to improve security so that more attention can be given to the threats. Assessing and monitoring the effectiveness of the security controls must be done on a regular basis, because the threats change every day and we must be prepared for them. OPM should also make sure that authorization and assessment mechanisms are in place and that only people with the proper rights within the agency can access the systems. It is also important to make all employees aware and train them to protect against attacks, as security awareness and policy enforcement are important to creating a security culture within an organization.

g. Remediate compromised accounts, computers, and networks
The next step is to immediately change account credentials and change the passwords or encryption keys. This keeps the attack from spreading and also means the attackers will no longer be able to attack us. OPM also has to determine whether any viruses or malicious code are involved and, if so, remove them from the system. This helps the company to recover. Data is an asset for an organization, and any breach can prove to be critical not just for the company but also for its clients. It is important to recover from data loss breaches, so a small step an organization can take is to keep a copy of critical data in a secure offsite location.

h. Validate remediation and strengthened security controls

Information is expensive, so it is important to invest wisely and intelligently in security. There should be strong encryption and two-factor authentication for workers accessing the system remotely. This means a strong security system has to be implemented and kept up to date. In the OPM data breach, the incident first occurred in May 2014 on OPM's local area network, and the data exfiltration began in July and lasted for about a month. During this whole time, no one suspected a thing, and that is where it all went wrong. In addition, they had not found out about the malware until April of 2015. For all this time, they had not used their CyFIR tool on the suspect computers, meaning that they did not have a set routine to check for situations like this. Even though they finally became aware of the malware, it was too late, because 22 million records had been stolen by then.

i. Report the conclusion of the incident

OPM stores more personal information and other sensitive records than practically any other organization. This is a colossal responsibility placed on the organization by the huge number of people affected, which is why OPM should persistently improve through steady vigilance.
OPM needs to take forceful steps to improve security protocols, set up continuous monitoring of its systems, set up a centralized operations team, change the encryption system it previously used, and take other similar measures. To some extent, some of these measures were already in place (albeit executed ineffectively), and they helped uncover the suspicious events described in this IRP. Without them, the hack might have taken a few more years to discover. There are several things OPM can do to reinforce its system to prevent a future attack. Simple security measures like strong two-factor authentication for everyone can by themselves cut the risk of a breach by half. This can substantially diminish the danger of adversaries penetrating password-protected networks. Adding more firewalls can bolster network protection. Limiting remote access for network administrators minimizes the risk of remote hacks. An upgrade to the infrastructure can help, as new equipment and updated software for an operating system can have patches for vulnerabilities that tend to plague older devices. Implementing anti-malware software can also aid in detecting threats much quicker than before. Continuous monitoring improves the capacity to recognize and react in real time to hacks and threats. Better encryption methods, as well as the recruitment of cyber experts from the private sector, can help reinforce new strategies to combat attacks and respond more efficiently. With the tenacious and constant cyberattacks by malicious hackers around the world, it is clear that OPM must stay alert and continue to constantly monitor its systems, implement stronger encryption mechanisms, and deploy multi-factor authentication systems to strengthen its security and protect the sensitive data more effectively.

j. Resume normal IT operations

As for what OPM did right, there is not much, but at least now OPM knows how to implement better security measures and has a dedicated team working to protect the sensitive data of millions of Americans. OPM has spent tens of billions of dollars to update its software and hardware. It updated legacy applications to use modern development languages and databases. OPM has implemented about 51 of the Accountability Office's 80 recommendations after the breach. Some of these implemented recommendations include a strengthened firewall, enforced password policies, and updated contingency plans for vital systems. OPM spends money to improve its governance by bringing in more staff to develop, document, implement, and manage projects and efforts to establish an agency enterprise architecture. More than three years after suffering the cyber breach, it was found that OPM had not implemented about one-third of the recommendations from the government's in-house auditor. OPM also continues to struggle with the technology that led to 21.5 million current and former feds having their data stolen.


Works Cited

Bisson, David. “The OPM Breach: Timeline of a Hack.” The State of Security, 10 July 2015, www.tripwire.com/state-of-security/security-data-protection/cybersecurity/the-opm-breach-timeline-of-a-hack/.

Corbin, Kenneth. “How OPM Data Breach Could Have Been Prevented.” CSO Online, CIO, 13 July 2015, www.csoonline.com/article/2947289/how-opm-data-breach-could-have-beenprevented.html.

Dhillon, Gurpreet. “What to Do before and after a Cybersecurity Breach?” American.edu, www.american.edu/kogod/research/cybergov/upload/what-to-do.pdf.

Fruhlinger, Josh. “The OPM Hack Explained: Bad Security Practices Meet China's Captain America.” CSO Online, CSO, 12 Feb. 2020, www.csoonline.com/article/3318238/the-opm-hack-explainedbad-security-practices-meet-chinas-captain-america.html.

Higgins, Kelly Jackson. “OPM Breach: Two Waves Of Attacks Likely Connected, Congressional Probe Concludes.” Dark Reading, 9 Sept. 2016, www.darkreading.com/endpoint/opmbreach-two-waves-of-attacks-likely-connected-congressional-probe-concludes/d/d-id/1326834.

Marks, Joseph. “Greatest Damage from OPM Breach Was to Government's Reputation.” Nextgov, 10 Apr. 2017, www.nextgov.com/cybersecurity/2017/04/greatestdamage-opm-breach-was-governments-reputation/136902/.

Mitchell, Billy. “How the OPM Breach Was Really Discovered.” FedScoop, 27 Dec. 2016, www.fedscoop.com/how-the-opm-breach-was-really-discovered/.

Wehbé, Alan. “OPM Data Breach Case Study: Mitigating Personnel Cybersecurity Risk.” SSRN, 8 May 2017, papers.ssrn.com/sol3/papers.cfm?abstract_id=2964071.
