ITI581 Cybersecurity Fundamentals
Security Incident Case Study Information
The following information is provided to allow you to investigate a specific set of circumstances around a recent incident in a corporate network and should be used in conjunction with the detailed information about the cyberattack provided on the next page.
You are an IT Security Consultant who has been engaged by the management team at CricTech, a wearable technology company, to review their systems after a recent cybersecurity attack.
As part of the terms of your engagement you must perform two key evaluative tasks to help CricTech improve their cybersecurity profile.
Evaluate how best to review the company IT operations and the security environment to determine how security can be improved (Assessment 1: Case Study Part 1).
Evaluate and propose general security best practice approaches that help them to deliver the improvements you discuss in Assessment 1: Case Study Part 1 (Assessment 2: Case Study Part 2).
In initial discussions with the management team you have noted the following issues:
No documented DR/BCP plan.
No formal Incident Response Team, or Incident Response Plan.
Insufficient documentation of the current system.
A basic network diagram exists and is shown below.
No understanding of the normal operating characteristics of the network and IT systems.
No established security culture or awareness program.
Details of the recent cyberattack against CricTech.
The adverse impact of the cyberattack on the CricTech network was first noticed late on the Thursday afternoon four weeks before your initial meeting with the management team.
The initial forensic investigation, performed post-attack by a well-respected forensic investigator, found that the attacker used a brute force attack to gain access to a decommissioned Windows 2003 server that was still connected to the DMZ segment of the network. The attacker used information found on this server to gain access to the backup server, also in the DMZ, and, with some experimentation, gained access to the internal server farm by repurposing the backup software's communication channels. This approach bypassed the internal-facing firewall because the traffic appeared to be legitimate backup communication.
Once access to an internal server was gained, the attacker was able to elevate their privileges to Administrator level because of a weakly implemented password policy. This enabled them to install ransomware on one of the servers in the farm, which then distributed the ransomware to the other servers in the farm as well as to all connected desktops, laptops and some tablet devices. The ransomware was a new variant that the forensic investigator had not seen before; it encrypted all data on infected systems, although some access to the operating systems was still possible.
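The first link in the chain above, repeated password guessing against a host that should not have been reachable at all, leaves a recognisable trace: many failed logons from one source in a short time, followed by a success. The script below is an added example of that detection logic, not part of the case study materials or of CricTech's systems. The host names, source addresses, thresholds and the simplified record shape (timestamp, host, source IP, account, outcome) are all constructed; a real deployment would build the records from the Windows Security event log of the servers in the DMZ.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detection thresholds (assumptions, not values from the case study): twenty
# failed logons from one source against one host within five minutes.
THRESHOLD = 20
WINDOW = timedelta(minutes=5)


def constructed_events():
    """Constructed sample logon records in a simplified shape:
    (ISO timestamp, host, source IP, account, outcome). They are not CricTech's
    logs; a real feed would be built from the Windows Security event log."""
    base = datetime(2023, 6, 1, 16, 30, 0)  # a Thursday afternoon, as in the case study
    events = []
    # 25 password guesses against the built-in Administrator account, 10 s apart
    for i in range(25):
        events.append(((base + timedelta(seconds=10 * i)).isoformat(),
                       "dmz-legacy01", "203.0.113.7", "administrator", "failure"))
    # the guess that worked
    events.append(((base + timedelta(seconds=250)).isoformat(),
                   "dmz-legacy01", "203.0.113.7", "administrator", "success"))
    # a staff member mistyping a password twice and then logging on: no alert
    for i, outcome in enumerate(("failure", "failure", "success")):
        events.append(((base + timedelta(minutes=2, seconds=30 * i)).isoformat(),
                       "dmz-backup01", "192.168.10.5", "jsmith", outcome))
    return events


def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return alerts for (host, source) pairs that reach `threshold` failed
    logons inside a sliding `window`, and a second alert if such a source then
    logs on successfully, which is the pattern described in the incident."""
    recent = defaultdict(deque)   # (host, src) -> timestamps of failures in window
    tripped = set()               # pairs that have already exceeded the threshold
    alerts = []
    for ts_str, host, src, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        key = (host, src)
        if outcome == "failure":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in tripped:
                tripped.add(key)
                alerts.append({"type": "bruteforce", "host": host, "src": src,
                               "failures": len(q), "first": q[0].isoformat(),
                               "last": ts.isoformat()})
        elif outcome == "success" and key in tripped:
            # a success from a source that was guessing is the high-value alert
            alerts.append({"type": "bruteforce_success", "host": host, "src": src,
                           "user": user, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(constructed_events()):
        print(alert)
```

The threshold is deliberately per (host, source) pair so that a single user mistyping a password does not fire, while the success-after-threshold alert is the one worth paging on: in this incident it would have marked the moment the decommissioned server was taken over. The same logic can be fed from a SIEM or run over exported event logs, which is also the first place the forensic investigator would look given that the servers themselves were later rebuilt.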
Some time ago an IT consultant put in place a cloud-provisioned backup system to perform a nightly full backup of all servers. A significant problem with this system had been causing the backups to fail for 12 weeks but, unfortunately, this was only discovered after the cyberattack. The attacker also deleted all backups stored on the backup server located in the DMZ.
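Twelve weeks of silently failing backups went unnoticed because nobody checked the backup catalog independently of the backup software's own reporting. The script below is an added example of such an independent check; it is not part of the case study materials or of CricTech's backup system. The host names, the catalog record shape, the 36-hour freshness limit and the minimum-size floor are all constructed or assumed, and a real version would read the catalog from the backup product and run from a scheduler that alerts on a non-zero exit.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class BackupJob:
    """One entry from the backup catalog (constructed shape, not a vendor format)."""
    host: str
    finished: datetime
    status: str        # "ok" or "failed" as reported by the backup software
    size_bytes: int


# Policy values are assumptions: a nightly schedule with slack, and a floor below
# which a job reported as "ok" is treated as empty rather than trusted.
MAX_AGE = timedelta(hours=36)
MIN_SIZE = 1_000_000


def check_backups(expected_hosts, jobs, now, max_age=MAX_AGE, min_size=MIN_SIZE):
    """Return {host: problem} for every expected host without a recent, usable
    backup. The check trusts the catalog, not the backup software's own alerts."""
    by_host = defaultdict(list)
    for job in jobs:
        by_host[job.host].append(job)
    findings = {}
    for host in expected_hosts:
        host_jobs = sorted(by_host.get(host, []), key=lambda j: j.finished)
        if not host_jobs:
            findings[host] = "no backup job recorded"
            continue
        usable = [j for j in host_jobs if j.status == "ok" and j.size_bytes >= min_size]
        if not usable:
            last = host_jobs[-1]
            findings[host] = (f"no usable backup in catalog (latest job: "
                              f"{last.status}, {last.size_bytes} bytes)")
            continue
        age = now - usable[-1].finished
        if age > max_age:
            findings[host] = f"last usable backup is {age.days} days old"
    return findings


def constructed_catalog(now):
    """Constructed catalog illustrating the failure modes: a healthy host, one
    whose jobs have failed for 12 weeks, one whose 'successful' jobs are empty,
    and (by its absence) one that was never added to the schedule."""
    gb = 1_000_000_000
    jobs = [BackupJob("db01", now - timedelta(hours=7), "ok", 400 * gb)]
    jobs.append(BackupJob("file01", now - timedelta(days=84, hours=7), "ok", 2_000 * gb))
    for d in range(83, 0, -1):   # a failed job every night since the last good one
        jobs.append(BackupJob("file01", now - timedelta(days=d, hours=7), "failed", 0))
    jobs.append(BackupJob("app01", now - timedelta(hours=7), "ok", 0))
    return jobs


def demo_findings():
    """Run the check against the constructed catalog as of a fixed 'now'."""
    now = datetime(2023, 6, 1, 9, 0)
    return check_backups(["db01", "file01", "app01", "rnd01"], constructed_catalog(now), now)


def main():
    findings = demo_findings()
    for host, problem in findings.items():
        print(f"{host}: {problem}")
    return 1 if findings else 0   # non-zero so a scheduler or monitor notices


if __name__ == "__main__":
    raise SystemExit(main())
```

The list of expected hosts comes from the asset inventory rather than from the backup software, so a server that was never enrolled is reported rather than ignored, and a job that finished "ok" with nothing in it is treated as a failure. A check like this does not protect the backups themselves; the deletion of the DMZ copies in this incident is a separate problem that needs an offline or immutable copy the attacker cannot reach from the backup server.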
Fortunately, on the Monday immediately before the attack, as part of transition activities for an upgrade project for the product database system, a full copy of the product, customer and research and development databases had been provided to the transition vendor. Although this was much better than losing 12 weeks' worth of data, 3-4 days of data, estimated at approximately 1.5 TB, was completely lost. The company also incurred significant costs in having to reinstall, rebuild and restore the server farm and the desktop operating environments.
The company did not contact their insurer, having declined the additional cybersecurity insurance offered to them a few weeks earlier.
Analysis showed that having only a local instance of the product, customer and research and development databases contributed greatly to the $3.5 million restoration cost: the databases could not be reinstalled without significant input from the database developer and the IT integrator. Other costs included $105,000 in staff overtime and $10,000 in notifying clients of the attack. Including forensic investigation costs of $36,000 and some other sundry expenses, the total cost of the cyberattack was almost $4 million, which represents approximately two years' profit based on the past 10 years of operation.
The attacker gained access to the decommissioned server, followed shortly by access to the server farm and, within hours, the ransomware infection of all devices. Staff discovered that all local backups had been deleted and that the cloud-based backup had not been working for months without notifying either the cloud service provider or the company.
After the initial investigation confirmed the scale of the attack, the police were contacted and communications were established with the attacker. A ransom of $1,500,000 was demanded but, on the advice of the police, management decided not to pay it.
Subsequent communication with the attacker was not productive.
The company elected to use the images of the databases provided to the transition vendor to attempt a rebuild of the servers. The company also elected to rebuild all local desktops and laptops from scratch.
Images of the infected servers were made and stored for subsequent investigation. Server rebuild, desktop rebuild, installation of database software and restore of the databases.
Limited access to databases and normal system functions.
Back to full operational status. The forensic investigator attends to investigate, based on the logs available from firewalls and network devices and the images made of the infected servers.
Preventative measures to address the weaknesses in security exposed by the incident.
The following diagram gives a general overview of the network architecture.