Step 13: Develop and Submit Recommended Next Steps for the Computer Security Incident Response
Written recommendations based on the results of an incident response investigation need to be developed to support the organization’s security assessment and training efforts. In Project 3 Step 10, you wrote and submitted a Situation Report that addressed the computer security incident investigation. Now, your team needs to further develop the recommended “next steps” from that deliverable (item 10 in SITREP 3). Your deliverable for this step will be a report on malware, encryption, ransomware, and communications and network security that informs the CISO and CISO staff about the next steps that should be taken.
Your deliverable will be an assessment that consists of explanatory material to aid organizational leadership in understanding malware and system infections, and the investigative report that summarizes findings from the SITREP to substantiate whether a specific incident qualifies as ransomware. The report documents what is known about the Reveton malware and should provide concrete steps for protecting the organization and its computer systems from future attacks.
Refer to the CISO Deliverable Overview for a full list of requirements for the intelligence debriefing.
When you have completed the report, submit it for review and feedback.
Course Resource
CISO Deliverable Overview
This document contains full details for each final assignment to be assessed, as well as guidelines for video submissions.
As a synthesis of prior steps and interim submissions, you will be assessed on the following assignments:
- Cyber Operations and Risk Management Briefing
- Intelligence Debriefing
- Lessons Learned Video Presentation
- Next Steps for the Computer Security Incident Response
1. Cyber Operations and Risk Management Briefing
Using the Software Development Life Cycle Assessment and Software Development Matrix you created during the project, you will develop a Cyber Operations and Risk Management Briefing for your nation’s CISO and other stakeholders. The briefing will consist of a written evaluation and a video presentation. The briefing should include each of the following items:
- identification of the software assurance needs and expectations of the organization
- description of the key attributes of the current software development life cycle (SDLC)
- identification of any known supply chain risks
- identification of vulnerabilities in the existing software used
- identification of software options that could meet the organization’s needs
- evaluation of software options and recommendation(s) for your organization, with each supported by a rationale
- evaluation of supply chain options and recommendation(s) for your organization, with each supported by a rationale
- explanation of the costs involved in your recommendations
- recommendations for contract language that would be used to ensure that supply chain, system, network, and operational security requirements are met
To submit your briefing:
- Use the dropbox to submit the written portion of your briefing.
- To submit the video, upload it to OneDrive using your UMGC account or to a video-sharing service. Once you have uploaded the video, copy the link and include it in a document or in the dropbox text field.
2. Intelligence Debriefing
Using the Business Continuity Plan and Situation Reports you created throughout the project, you will create an Intelligence Debriefing and a Lessons Learned Video Presentation to share with your CISO.
This report draws on all information from all events that occurred during the summit. It should detail all technical information that was derived, any linkage to impacted systems identified in the BCP, possible methods of intrusion, and whether the events can be linked to one another. Write eight to 10 pages describing the events throughout the summit and all indicators shared by fellow nations. Determine what the malware types were, how they can be discovered in the future, and how they can be mitigated, whether by detection systems or by having end users complete awareness training.
Items below are required in the report for technical staff.
- current system standings
- modifications (configuration changes or compensating controls) that can be made to stop this style of threat until a patch is available
- reputation and brand damage
- lost productivity due to downtime or system performance
- system availability problems
- determining root causes
- technical support to restore systems
- compliance and regulatory failure costs
3. Lessons Learned Video Presentation
As a synthesis of the prior steps in the project, you will create a lessons learned video presentation to share with your CISO.
Create a five- to 10-minute video/PowerPoint voice recording that would be presented to the CISO and the nation’s leader concerning attacks, evidence acquired, attribution, impact, business recovery, and remediation success. Areas that should be discussed are defined below.
Use this opportunity to describe not only what occurred during the attack and the results of the evidence items, but also how operations and communications can be conducted securely. Also describe the need for information sharing and how it can be made possible between nations and private business operations without source attribution. Is source attribution needed?
Use this opportunity for any lessons learned throughout the project that IT staff can take back to business units to incorporate into daily operations. Recall the threats you received. If you were the leader of the group, what would you want the CISO to know in case of an event? What could have been identified earlier as a critical system that may have been protected? Also, take a look back at your team’s BCP and discover any setbacks that may happen once an event occurs. Describe any additions or changes that you would incorporate in the plan. Describe the following information in your video at a minimum and additional topics that could better the operational tempo of business units.
Recovery: How the incident was contained and eradicated
- The work performed during recovery
- Areas where the incident response team was effective
- Areas that need improvement
- Which security controls failed (including monitoring tools)?
- How can we improve those controls?
- How can we improve the security awareness programs?
- What were the current operating system vulnerabilities that were leveraged to execute the attack?
- How can patch management and basic operating system hardening improve protection against known threats?
To submit the video: You may either upload the video to OneDrive using your UMGC account, or upload it to a video-sharing service. Once you have uploaded the video, include the link in a document and submit it using the dropbox provided.
4. Next Steps for the Computer Security Incident Response
Written recommendations based on the results of an incident response investigation need to be developed to support the organization’s security assessment and training efforts. Your team needs to further develop your recommended “next steps” (from Step 10, SITREP 3). Your deliverable will be to write a report on malware, encryption, ransomware, and communications and network security to inform the CISO and CISO staff about the next steps that should be taken.
Your deliverable will be an assessment that consists of explanatory material to aid organizational leadership in understanding malware and system infections, and the investigative report that summarizes findings from the SITREP to substantiate whether a specific incident qualifies as ransomware. The report documents what is known about the Reveton malware and should provide concrete steps for protecting the organization and its computer systems from future attacks.