Cybersecurity
Incident Report Analysis
In this lab I will be analyzing a fictitious network incident using the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF). The CSF is a popular framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. Utilizing the CSF to conduct an incident report can help improve security practices within an organization. It is scalable and can be applied within a wide variety of contexts.
The following fictional scenario provides the context for this incident report analysis:
I am a cybersecurity analyst working for a multimedia company that offers web design services, graphic design, and social media marketing solutions to small businesses. My organization recently experienced a DDoS attack, which compromised the internal network for two hours until it was resolved. During the attack, my organization’s network services suddenly stopped responding due to an incoming flood of ICMP packets. Normal internal network traffic could not access any network resources. The incident management team responded by blocking incoming ICMP packets, taking all non-critical network services offline, and restoring critical network services.
The company’s cybersecurity team then investigated the security event. They found that a malicious actor had sent a flood of ICMP pings into the company’s network through an unconfigured firewall. This vulnerability allowed the malicious attacker to overwhelm the company’s network through a distributed denial of service (DDoS) attack.
To address this security event, the network security team implemented:
- A new firewall rule to limit the rate of incoming ICMP packets
- Source IP address verification on the firewall to check for spoofed IP addresses on incoming ICMP packets
- Network monitoring software to detect abnormal traffic patterns
- An IDS/IPS to filter out some ICMP traffic based on suspicious characteristics
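As an added example (my own code, not part of the lab or its scenario), the following Python script exercises two of the controls listed above against a constructed firewall log: it flags any source whose ICMP rate exceeds a per-second threshold, as the monitoring software would, and simulates what a per-source ICMP rate-limit rule would have allowed and dropped. The log format, addresses, and thresholds are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed firewall log format used below (not a real vendor format).
LINE_RE = re.compile(r"^(?P<ts>\S+) FW accept proto=(?P<proto>\w+)(?: type=\d+)? src=(?P<src>[\d.]+) dst=[\d.]+$")

def make_sample_log():
    """Constructed sample: a benign pinger, a TCP client, and a host flooding ICMP echo from second 3."""
    lines = []
    for sec in range(10):
        ts = f"2024-05-01T10:00:{sec:02d}Z"
        lines.append(f"{ts} FW accept proto=ICMP type=8 src=198.51.100.5 dst=192.0.2.10")
        lines.append(f"{ts} FW accept proto=TCP src=198.51.100.9 dst=192.0.2.10")
        if sec >= 3:
            lines += [f"{ts} FW accept proto=ICMP type=8 src=203.0.113.7 dst=192.0.2.10"] * 400
    return lines

def icmp_counts_per_source(lines):
    """Bucket ICMP packets per source address and per one-second timestamp."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["proto"] == "ICMP":
            counts[m["src"]][m["ts"]] += 1
    return counts

def detect_icmp_flood(lines, threshold_pps=100):
    """Detect: flag any source that exceeds threshold_pps ICMP packets in one second."""
    alerts = []
    for src, per_sec in icmp_counts_per_source(lines).items():
        over = {ts: n for ts, n in per_sec.items() if n > threshold_pps}
        if over:
            alerts.append({"src": src, "peak_pps": max(over.values()), "first_seen": min(over)})
    return sorted(alerts, key=lambda a: a["src"])

def apply_icmp_rate_limit(lines, limit_pps=50):
    """Protect: simulate the new rule, allowing at most limit_pps ICMP packets per source per second."""
    seen = Counter()
    allowed = dropped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        key = (m["proto"], m["src"], m["ts"])
        seen[key] += 1
        if m["proto"] != "ICMP" or seen[key] <= limit_pps:
            allowed += 1  # non-ICMP traffic is never rate limited
        else:
            dropped += 1
    return allowed, dropped
```

A per-source limit only blunts a flood that arrives from a few addresses; a distributed flood using spoofed sources spreads across many keys, which is why the source IP verification listed above complements the rate-limit rule.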
As a cybersecurity analyst, I am tasked with using this security event to create a plan to improve my company’s network security, following the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). I will use the CSF to help me navigate through the different steps of analyzing this cybersecurity incident and integrate my analysis into a general security strategy. The CSF steps are as follows:
- Identify security risks through regular audits of internal networks, systems, devices, and access privileges to identify potential gaps in security.
- Protect internal assets through the implementation of policies, procedures, training and tools that help mitigate cybersecurity threats.
- Detect potential security incidents and improve monitoring capabilities to increase the speed and efficiency of detections.
- Respond to contain, neutralize, and analyze security incidents; implement improvements to the security process.
- Recover affected systems to normal operation and restore systems data and/or assets that have been affected by an incident.
For the first step, I analyzed the scenario to identify what type of attack occurred and which systems were affected. Then I assessed where the organization can improve to further protect its assets. The focus was on creating an immediate action plan to respond to the security incident. Next, I considered ways that my team can monitor and analyze network traffic and software applications, track authorized versus unauthorized users, and detect any unusual activity on user accounts. I then created a response plan for future cybersecurity incidents to help us better contain, neutralize, and analyze threats. Finally, I detailed some specific measures we can take to recover from an incident like this, including which devices, systems, and processes need to be restored.
My completed incident report analysis is as follows:
| Section | Analysis |
| --- | --- |
| Summary | The company experienced a security event when all network services suddenly stopped responding. The cybersecurity team found the disruption was caused by a distributed denial of service (DDoS) attack through a flood of incoming ICMP packets. The team responded by blocking the attack and stopping all non-critical network services, so that critical network services could be restored. |
| Identify | A malicious actor or actors targeted the company with an ICMP flood attack. The entire internal network was affected. All critical network resources needed to be secured and restored to a functioning state. |
| Protect | The cybersecurity team implemented a new firewall rule to limit the rate of incoming ICMP packets and an IDS/IPS system to filter out some ICMP traffic based on suspicious characteristics. |
| Detect | The cybersecurity team configured source IP address verification on the firewall to check for spoofed IP addresses on incoming ICMP packets and implemented network monitoring software to detect abnormal traffic patterns. |
| Respond | For future security events, the cybersecurity team will isolate affected systems to prevent further disruption to the network. They will attempt to restore any critical systems and services that were disrupted by the event. Then, the team will analyze network logs to check for suspicious and abnormal activity. The team will also report all incidents to upper management and appropriate legal authorities, if applicable. |
| Recover | To recover from a DDoS attack by ICMP flooding, access to network services needs to be restored to a normal functioning state. In the future, external ICMP flood attacks can be blocked at the firewall. Then, all non-critical network services should be stopped to reduce internal network traffic. Critical network services should then be restored first. Finally, once the flood of ICMP packets has timed out, all non-critical network systems and services can be brought back online. |
Final thoughts:
This lab provided good practice for understanding and working with the NIST CSF. This framework can be scaled and applied to virtually any security incident, making it an extremely useful tool in a security analyst’s toolbox. I enjoyed employing my critical thinking abilities as I applied each step of the framework to this particular type of DDoS attack. This lab also gave me an opportunity to learn more about DDoS attacks by ICMP flooding, which I wasn’t very familiar with prior to working on this project.