Incident Response Exercise

Your Task

You have been assigned to work incident clean-up as part of the Sifers-Grayson Blue Team. Your task is to assist in analyzing and documenting the incident described below. The Blue Team has already created a set of enterprise architecture diagrams (see figures 1-4) to help with your analysis of the incident and preparation of the incident report as required by the company’s contracts with the federal government. After completing their penetration tests, the Red Team provided Sifers-Grayson executives with a diagram showing their analysis of the threat environment and potential weaknesses in the company’s security posture for the R&D DevOps Lab (see figure 5).

Your Deliverable

Complete and submit the Incident Report form found at the end of this file. Consult the “Notes to Students” for additional directions regarding completion of the form.

Notes to Students:

1. Your final deliverable should be professionally formatted and should not exceed 10 pages. The goal is to be clear and concise in your reporting of your analysis of this incident.
2. You may include annotated diagrams if necessary to illustrate your analysis and/or make your point(s). You may use the figures in this assignment as the foundation for diagrams in your final report (no citations required).
3. Use the NIST Incident Handling Process (see Table 1) to guide your incident analysis.
4. You may assume that the company has implemented one or more of the IT products that you recommended in your Case Studies for this course. You may also assume that the company is using the incident response guidance documents that you wrote for your labs and that the associated operating systems utilities are in use (e.g. you can assume that system backups are being made, etc.).
5. DOCUMENT YOUR ASSUMPTIONS about people, processes, and technologies as if they were fact. But, don’t change any of the factual information provided in the incident report from the Red Team.
6. Use the incident report form that appears at the end of this file. Copy it to a new MS Word document. After you perform your incident analysis, fill in the required information, attach the file to your assignment folder entry, and submit it for grading as your final project.
7. For section 1 of the form, use your own name but provide reasonable but fictitious information for the remaining fields.
8. For section 2 of the form, assign IP addresses in the following ranges to any servers, workstations, or network connections that you need to discuss.
a. R&D Center 10.10.150.0/24
b. Test Range 10.10.148.0/24
c. Corporate Headquarters 10.10.155.0/24
9. For sections 2, 3, and 5, you should use and interpret information provided in this file (Overview, Background, Issues Summary). You may use a judicious amount of creativity, if necessary, to fill in any missing information.
10. For section 4 of the form you may provide a fictitious cost estimate based upon $100 per hour for IT staff to perform “clean-up” activities. Reasonable estimates are probably in the range of 150 to 300 person hours. What’s important is that you document how you arrived at your cost estimate.
11. Discuss the contract requirements and derivative requirements for cybersecurity at Sifers-Grayson in 3 to 5 paragraphs under “Section 6 General Comments.”