The incident started with the use of an unprotected network connection to attack the R&D DevOps lab servers, resulting in the exfiltration of 100% of the design documents and source code for the AX10 Drone System. Next, 20% of employee logins were stolen using keylogging software stored on USB keys left by Sifers-Grayson employees on the lunch tables. On the second day, malware was installed over the network to connect from the DevOps lab to a PROM burner, resulting in the takeover of an AX10 controlled prototype and the performance of a flight test. On the third day, three stolen logins were used to send phishing emails to employees with links related to videos of kittens or cats, a business news story, and news of the Kentucky Volunteers basketball team. As a result, 80% of recipients clicked on the first video link, 20% of users clicked on the second video link, while the click-through rate for the second link was 95%. On the fourth day, the email and IP addresses of 1500+ recipients were collected through the phishing emails within 24 hours. Afterwards, the intrusion was detected and the target server was shut down. The issue was resolved within 12 hours.
Disruption of R&D Center operations, aiming to take over control of the engineering prototype and obtain confidential information about the design specification through registry keys and malware injection.
Functional impact: blocking department operations and taking over control of engineering designs.
Information impact: disrupting information exchange by overtaking control over the email server.
The penetration test was pre-planned and therefore was not controlled until the attack on the mail server.
There was no effective incident response because of the absence of a centralized team responsible for enterprise security monitoring and the lack of automated detection capabilities. The response action consisted of shutting down the targeted server, while the forensic investigation was limited by the lack of trained personnel, misuse of forensic analysis tools, and limited availability of the log files required for event analysis.
The Red Team, a consulting firm engaged to perform a penetration test.
Cause of the Incident (e.g., misconfigured application, unpatched host)
Based on the incident investigation performed by the Blue Team, the following functional and people-related causes of the incident were identified. First, the R&D Center is a satellite facility that operates a mixed set of hardware from different manufacturers and hosts various operating systems and their variants, such as Windows 8.1, Windows 10, Apple OSX, and iOS. All of these systems are supported by junior engineers who may lack the expertise to manage each software instance professionally. There is also a questionable organizational philosophy regarding technical support, which holds that all engineers should be equally trained to support every existing software and hardware tool. Experience is acquired primarily through on-the-job practice and mentoring, while off-the-job training is not provided. Furthermore, the formal job responsibility of an individual engineer is to find and resolve the problem assigned by a supervisor, which may be inconsistent with that engineer's current skillset. As a result, the internal network had weaknesses in how its diverse software and hardware were integrated and interacted.
Another specific cause of incid