1

Running Head: CYBERSECURITY INCIDENT REPORT

Cyber Security Incident Report

Name

University

Course Title

Instructor's Name

Due Date
CYBERSECURITY INCIDENT REPORT 2
Executive Summary

While cyber risks continue to rise, some of the most frequent and most common

cyber hazards are known to today's businesses. The recent cyber-attack on our site

highlights the critical need of SuperCybersecure network protection. This led to an

inquiry and a report on the results. The aim of this Cyber Security Incident Report (CIR)

is to give a post-action report and to make suggestions for future prevention. The attackers

attacked our network using a hacked laptop that an employee had brought to work. This resulted

from policy implemented by our company called Bring Your Own Device (BYOD) program.

One laptop was left on the company through the night, during which time it attempted to exploit

a PHP vulnerability by launching an attack on the network. This flaw has the potential to lead to

the exposure of sensitive information without authorization. While the assault was unsuccessful,

it highlights the need to strengthen our BYOD policy, security monitoring, and network

administration.

To better monitor and safeguard our infrastructure, we need to revamp our wireless and

BYOD policies. In order to do this, we must enhance rogue access point (RAP) detection while

also hardening the Cisco ISE setup and its reaction to destructive behavior. At the very least, our

security policy should contain processes for preventing and detecting attack and instructions for

conducting insider investigations. It should indicate the potential consequences of abuse. To

properly monitor, succeed and protect all devices connected the network, whether those which

we provide or those brought in as a consequence of our BYOD policy, a remote-control solution

must be introduced. Furthermore, LANs must be segmented. Intrusion detection systems based

on a host or a network deserve a significant place on our internal defenses, but identifying

appropriate monitoring points may be difficult. Besides, perimeter tools and tactics must be

refocused. We can significantly improve our security posture, often at no expense, by extending
CYBERSECURITY INCIDENT REPORT 3
our perimeter tools to the interior of our network. If these measures had been taken, the attack on

our server would never have been possible.

Introduction

Cybersecurity refers to the process of protecting computer software, networks, and

systems against digital intrusions and attacks. Such attacks typically aim to obtain access to,

remove, or change complex data, extort user money or interfere with regular company

operations. Effective cybersecurity measures are difficult to implement due to the fact that there

are more electronics than people today, and attackers are becoming more creative. Everyone

benefits from sophisticated cyber-defense measures in today's linked society. A cybersecurity

attack on a personal level may result in everything from identity theft to coercion attempts to the

loss of critical data for example family photographs. Everybody, including our business, is

dependent on essential infrastructure. Securing our organizations is necessary for their continued

operation. The work of cyber threat researchers helps everyone; for example, this report will

assist our company in avoiding similar incidents. It will uncover new security flaws, educate

workers about the significance of cybersecurity, and improve open-source tools.

Wireless and BYOD Security Plan

We adopted a BYOD policy in July 2017, enabling end-users to bring their own devices

to work, including tablets and laptops. Due to infrastructure and ethernet cabling constraints, this

policy did not permit wired access but authorized WiFi access. In retrospect, there was a

significant absence of security settings and monitoring to prevent network attacks. Our wireless

network faces a cybersecurity danger as a result of the BYOD policy.

Wireless Local Area Network (WLAN) components are comparable to those found in

conventional Ethernet-wired LANs. Indeed, wireless LAN protocols are functionally equivalent

to Ethernet and have the same form factors. WLANs face two main threats: rogue access points
CYBERSECURITY INCIDENT REPORT 4
and prohibited equipment. Unauthorized devices are defined as items not permitted to be utilized

inside the organization, such as computer files or software brought from home or other sources

and installed on the work computer. We could not identify the illegal devices because we had not

implemented adequate security settings or monitoring for these kinds of devices, wireless either

or wired. A rogue access point (RAP) is an access point placed on a network without the

authorization of the network's operator. RAP masquerade as a network router to persuade an end-

user to send a request and verify with the RAP server. Using the information provided by the

end-user, the RAP point then pretends to be the end-user while interacting with the legal network

access point.

Malicious devices may affect a network that is not protected adequately. They may be

used to obtain access to a company's network without authorization. Unauthorized Access or

Hacking refers to unauthorized efforts to circumvent an information system's or network's

security measures. It is the most prevalent and well-known kind of cybercrime (Schatz et al.,

2017). They may carry out more difficult-to-detect activities, such as passively gathering data for

a subsequent attack route, to traffic evaluation. Eavesdropping and traffic analysis are more

straightforward on WLANs since the device has to listen to traffic or wireless signals and not

join the network. The system gathers and analyzes data from network devices, endpoint logs.

Threat intelligence feeds and policy breaches allow for detecting security events, fraudulent

activity, and other dangers. Alternatively, the device could conduct a more active attack by

impersonating a legitimate device to gain network access, re-transmitting messages to

impersonate a user, mapping the network, identifying potential high-value targets, stealing

sensitive information, or launching denial of service attacks. Data security is the number one

priority for our organization. Information security (InfoSec), which is primarily concerned with

preventing unauthorized access to information, makes it possible to safeguard personal

CYBERSECURITY INCIDENT REPORT 5
information. To detect unwanted devices recently installed on the network, it is critical to have a

properly configured intrusion prevention system (IPS), such as Cisco Identify Services Engine

(ISE). Cisco ISE uniquely identifies and fingerprints each device it connects to. It enables the

isolation of or denial of service attacks against suspicious or unknown devices.

RAPs obtain illegal wireless access to the network's infrastructure to steal data for several

reasons, including acquiring the network's authentication credentials to utilize them later in an

attack against it. To detect a rogue access point, the company must scan and classify all of its

networks. If an attacker gains control of an access point, they may intercept data traveling across

the network. For example, by monitoring channels utilizing attack detection and parcel collection

to detect repeats of impersonations or communications, or identifying odd Wi-Fi patterns,

etcetera (Williams & Woodward, 2015).

This event demonstrates the critical need for a standard security configuration to fight

attacks that target our networks through the WLAN effectively. To do this, we need a standard

for the infrastructure's architecture and settings. To provide the most outstanding possible

interface with our switches and allow the best possible monitoring and availability, I suggest

utilizing Cisco ISE in conjunction with Cisco's Adaptive Wireless IPS and Cisco APs. This

would enable seamless interaction with standardized hardware, allowing for cable and wireless

packet inspection, scanning and reporting of rogue devices or RAPs, and more visibility into

network activity. Modify the rules for rogue categorization. Unidentified devices are

automatically labeled as suspects by the system. Whenever this default value is set to rogue, any

third-party access point or client will be immediately identified by the controller as being a

rogue. In order to isolate the access point, we may choose to reject all packets sent and received

by and from the device. In maintaining a safe environment, keeping all systems up to date with

patches and updates is critical. This reduces the chance that an unpatched vulnerability would
CYBERSECURITY INCIDENT REPORT 6
result in a breach or successful attack. To guarantee that all devices introduced via the BYOD

policy are appropriately configured, it is also necessary to verify that they all have the

appropriate settings. To do this, it is suggested that we conduct remote configuration

management (RCM) on the systems to guarantee their security. Moreover, only authorized

Information Technology personnel are permitted to connect networking equipment. All network-

connected equipment, including wireless access points, must adhere to the company's security

standards.

Before installing the WLAN, security monitoring was not considered. As a result, we

lacked the necessary infrastructure, including APs capable of identifying RAPs and a

management system capable of identifying and fingerprinting devices, such since Cisco ISE.

WLANs are generally more susceptible than wired networks, as there is no particular link.

WLANs are especially vulnerable to attack since physical access to them is challenging to

prohibit (Williams & Woodward, 2015). This enables devices to be relocated to conceal them,

which is exacerbated by the fact that WLANs are often insecure and vulnerable to assaults

through wired connections. Their sole benefit is that an attacker must be physically close to the

network, limiting the possible attackers' pool. While security monitoring may detect attacks

before their completion, not all attacks are recognizable since they do not make communications

and lack identifiable network characteristics. The only kinds of attacks or infiltration attempts

that may be detected via active monitoring are those detected through passive monitoring

(Abomhara & Kien, 2015).

The incident necessitates the rapid implementation of an Incident Response (IR) strategy

to mitigate the harm inflicted. Indeed, a very agile and quickly deployed cybersecurity incident

response may even allow a company to secure its data before the attackers activate their

encryption keys. It may be beneficial to investigate the Cyber Kill Chain architecture to enhance
CYBERSECURITY INCIDENT REPORT 7
incident reaction times. Although the Cyber Kill Chain architecture identifies prevalent

vulnerabilities, it is not exhaustive. Attacks and attacks that do not use malware as an attack

vector are excluded from the scope of this definition. While this is advantageous, it is important

to remember that attacks are unpredictable and do not follow a regular pattern. The most

remarkable response is to harden all infrastructure and systems that we can to protect our data.

Additionally, one of the critical metrics that IR professionals should embrace to assist in

mobilizing the internal planning efforts is the "Mean Time To Respond" (MTTR), which is a

measure of the time required to contain, remediate, and eliminate a threat once it is identified

(Schatz et al., 2017).

Tracking Suspicious Behavior

I monitored the employee's location and environment after determining their conduct and

activities were questionable. To do this, I tried two methods: first, I tracked the device's IP

address and how the RAP was connected; second, I verified the device's geolocation by utilizing

the Absolute LoJack solution, which we mandate on all Bring Your Own Device (BYOD)

computers at the company. This enables us to triangulate and verify the device's position using

WiFi and GPS. After confirming that the device was on-premises, I tried to remotely access the

configured and needed laptop for Remote Configured Management. When I did, I discovered

that the device was being used to communicate from an ad hoc network on behalf of another

device not connected to the network. There will be no legal implications for utilizing these

technologies. When end-users configure their devices in line with the BYOD policy, they agree

to enable us to monitor their systems and allow their systems to communicate with our network

correctly. Furthermore, because we have captured the device that was attacking our network's

communication, we have established the reason and justification for our actions, which may have
CYBERSECURITY INCIDENT REPORT 8
resulted in the potential violation of the end user's privacy by monitoring and halting the attack

while it was still in progress.

Since the company did not own the hacked device, we notified the owner after the attack.

It was suggested that the user get identity theft insurance via CSID or LifeLock. Identity theft

insurance was recommended since the attacker used the person as the first vector for infiltrating

the company network. This demonstrates an understanding of the target and the capacity to

watch activities on the user's laptop that may reveal important Personally Identifiable

Information, such as their complete name, social security number, address, and credit cards. The

end-user was then required to complete a course on proper cybersecurity etiquette to educate

them on best practices when interacting with the Internet of Things (IoT) and adequate safety

measures such as using an antivirus solution and not opening downloads from emails or

programs without scanning them first. While the attack occurred as a result of a compromised

device, we must prepare for additional attack vectors, such as impersonating an end user's device

through attack vectors such as MAC spoofing, which occurs when an attacker pretends to

communicate from a target device by using the device's unique identifying address. This attack

technique attempts to obscure potentially valuable information for identifying and tracking down

an attacker on the network. To get the MAC address, the target machine may have transmitted it

via a network eavesdropped on by the attacker.

To protect against MAC spoofing, it is critical to have adequate security mechanisms in

place that can identify or fingerprint systems, monitor abnormal activity, and detect anomalies.

These Cisco products employ methods such as determining whether a device is suddenly using a

different connection type, whether the DHCP class id indicates a change in the kind of client or

vendor being used, or whether an attribute such as endpoint policy indicates a shift in the style of

device ID from a printer to an IP phone or workstation. These discrepancies accumulate and

CYBERSECURITY INCIDENT REPORT 9
enable the attacker to be detected and halted before causing harm or completing the assault.

Cisco ISE and other monitoring systems may also be utilized to help in whitelisting device types.

A whitelist is a list of authorized network devices permitted to access the network; devices that

do not match the list are refused access. IP whitelisting allows administrators to limit and control

access to just trusted users by using a single IP address. The ability to compile a list of

trustworthy and lawful IP addresses from which workers may connect to company’s network is

provided by this feature. An organization often connects to the internet via a predetermined set

of IP addresses, which allows for the inclusion of a list of all trusted IP addresses that are

allowed access. In order to access certain network services such as applications, URLs, and

emails to just trusted users inside a specified IP address range, one must whitelist the IP

addresses that are being used. Additionally, IP whitelisting helps businesses protect remote

network access, including BYOD, enabling workers to use their own devices. Cisco ISE

fingerprinting is ideal since it prevents network access during the fingerprinting process, thus

protecting validated systems and network resources.

Continuous Improvement Plan

In order to enhance our security, it is critical to evaluate the protocols that are currently

in use, those that are available. Thus, it becomes clear in retrospect that errors were made due to

a failure to ensure that newer and more secure protocols, such as the WPA communication

protocol, were utilized on our WLAN.

A network protocol is a collection of rules that govern how data is transferred between

devices connected to the same network. There are three recently popular WiFi protocols which

are the Wired Equivalent Privacy (WEP) which encrypts information on 802.11a and 802.11b

wireless devices using the Rivest Cipher 4 (RC4) stream cipher, rendering it unreadable to

hackers; the Wi-Fi Protected Access (WPA) protocols which is a wireless (WiFi) security
CYBERSECURITY INCIDENT REPORT 10
protocol that enables secure wireless (WiFi) networks; and the Wi-Fi Protected Access (WPA2).

Wireless security encryption is accomplished via an encryption algorithm that guarantees data

secrecy sent through wireless networks. The WEP key is identified using ten or twenty-six

hexadecimal digits, which results in 40 or 104 bits, respectively, thus the designations WEP-40

and WEP-104. These WEP security features were the de facto router setup requirements. They

used robust encryption to guarantee that data could not be recognized by anybody other than the

intended recipient. WEP is used on a WsiFi network; it renders data unintelligible to humans but

still processable by receiving computer devices. Encryption is performed using keys saved on

wireless network devices or in the Windows Registry. It is comparable to the WEP protocol but

improves the way security keys and user authorization are handled. To ensure the security of an

encrypted data transfer, both systems at the start and conclusion of the transfer must utilize the

same encryption or decryption key. There is also the WPA2 protocol, which is a wireless

network security standard built on the Advanced Encryption Standard (AES). Since 2006, WPA2

has been the de facto standard for all approved Wi-Fi equipment. Those inside the network may

see the information if WPA2 is configured with the strongest encryption option; nevertheless,

traffic is scrambled using the latest encryption standards.

Declaring that one need interoperability or a protocol headed by a well-known industry

leader before determining the appropriate kind of technology for origination’s application is just

not acceptable. Three different protocols may be utilized and should be evaluated before

deciding whether or not to use them on our network.

Bluetooth is a wireless communication protocol for short-range personal area networks

(PANs) operating at 2.4 GHz that is used all over the globe. File transfers from one device to

another, wireless headphones, and wireless speakers are all common uses for Bluetooth

technology. It transmits data using ultra-high-frequency radio waves and is mainly utilized in
CYBERSECURITY INCIDENT REPORT 11
tiny devices. Bluetooth's advantages include a lower likelihood of device interference since it

utilizes low-power wireless transmissions and frequency hopping to reduce potential

interference. The disadvantages include a restricted data rate of up to 25 Mbps and a narrow

coverage area due to low-strength wireless transmissions. Second, ZigBee is a mesh local area

network (LAN) protocol operating at 2.4 GHz. Because ZigBee was initially developed for

building automation and control, it is often used in wireless thermostats and lighting systems.

The ZigBee protocol supports 128-bit AES encryption and is usually used in mesh networks that

may operate in either an infrastructure or ad hoc mode and have numerous data transmission

paths. Thirdly, the WiMax protocol is a broad-bandwidth standard formerly utilized by several

mobile phone operators. While each protocol has several advantages, it is clear that it is better to

stick with the existing protocol type; now, we are using WPA2 for WiFi. Bluetooth would be

insufficient in terms of range and data transmission rate, ZigBee would be too slow for our

server and high-value systems, and WiMax would be too expensive.

Remote Configuration Management

Remote management is the process through which administrators gain complete

control of all activities via a remote connection. Misconfigurations may also have an

adverse impact on network performance. A poorly designed server may potentially result in

non-compliance with regulatory requirements like SOX, PCI, HIPAA, HITECH, FISMA,

and, most recently, GDPR. Additionally, if compliance has been compromised, there is a

high probability that security has been compromised as well. That is why a solution that can

automate configuration and change management activities for devices like routers, switches,

and firewalls is critical (Williams & Woodward, 2015). It enables patch and updates

management, antivirus and security, remote monitoring, and remote control for assistance

and problem resolution. We have begun requiring remote configuration, specifically AVG
CYBERSECURITY INCIDENT REPORT 12
Managed Workplace, on all BYOD devices. This is to ensure that vulnerabilities with

available patches are patched and to monitor what is happening on a system more efficiently

than previously when we could only monitor communication attempting to be sent over our

network.

If an undocumented device is discovered on the network, the RCM will not allow us

to disable the device's access. Cisco ISE would identify the undocumented device and

subsequently disable its network access. The RCM would have aided in determining the

situation of the event. It would have enabled us to remotely access and monitor the device to

determine if the user was assaulting the network maliciously or whether it was just an

exploited vulnerability that had not been patched or a virus that any antivirus solution had

not detected. We would have been able to guarantee that the device ceased interacting

through an ad hoc network, isolated it in a secured VLAN without full internet access,

erased traces of the infection, and ensured that any potential problems were detected and

resolved.

Employee Misconduct

The event happened when a dictionary-based assault was detected against

SuperCyberSecure's web server, and the attack came within the network. The attack arose

outside of the regular hours of operation for the worker who last signed in on the device. We

were notified soon after the assault began but could not halt it before it ended because of a log

analysis tool provided by Google called Scalp. Scalp identified the assault due to the many HTTP

or GET requests to the webserver to get critical local security and configuration files. After

sending the warning, I confirmed that the attack occurred by examining the captured logs and

limiting the infected device's network access. I then identified the machine's IP address from

which the assault originated and deactivated the wireless access point to which it was connected.
CYBERSECURITY INCIDENT REPORT 13
I then confirmed the device was disconnected from the network by pinging it and getting no

response.

I next proceeded to the area where the AP was situated and conducted a walk-through to

see whether anybody was there. When there was no one visible, I made an effort to find the

gadget that had carried out the assault. Once I located the device, I returned it to the computer,

manually turned off the WiFi on the switch, and then logged in. I established that the device had

been hacked and forwarded requests from the ad hoc network used to launch the assault.

Wireless ad hoc networks are a kind of dispersed network that operates without the need

for fixed infrastructure. Each network node is ready to relay network packets for the benefit of

other network nodes (Bensky, 2016). Identifying rogue ad hoc wireless networks is possible

using the Cisco APs deployed on our network. Because the ad hoc wireless network lacks a

central authority to ensure that devices joining it are entirely benign. It may jeopardize our

security because it needs a peer-to-peer architecture. The network's topology is determined by

the location of the various users, which varies over time. Additionally, since a mobile's

propagation range is restricted, it may need to recruit other mobiles' assistance to send a packet to

its ultimate destination. As a result, the end-to-end connection between any two mobile hosts

may have several wireless hops. Due to the unpredictable network architecture, decentralized

control, and multiloop connections inherent in ad hoc wireless networks, it is a major

technological difficulty to offer dependable high-speed end-to-end communications (Bensky,

2016). A high level of security is required to protect ad hoc networks from intrusion, information

disclosure, and denial of service attacks. Ad hoc networks are dynamic in nature and are

vulnerable to a variety of attacks. While an ad hoc network might theoretically be utilized to

minimize infrastructure needs and expenses, it would result in a lack of network visibility and

management. It would introduce vulnerabilities that would much exceed the cost savings as well
CYBERSECURITY INCIDENT REPORT 14
as slowing down and adversely affecting communication devices' interactions with external

systems.

While it would be more difficult to manually detect and shut down an ad hoc network that

used signal concealment techniques, the Cisco APs already in place would be able to identify the

traffic and distinguish a rogue wireless network on the premises. One typical strategy of signal

concealment is for a network to conceal its Service Set Identifier (SSID), forcing a device

attempting to join the network to know both the identifying name and the pass to connect.

Alternatively, the signal intensity may be reduced to the minimum required to cover the specified

region, or the base station's physical location could be changed with the appropriate placement,

such as away from windows or short pathways leading to the designated area's perimeter.

Countermeasures against signal hiding on our premises would involve configuring the Cisco APs

to check for traffic that does not originate or go via our network.

Wireless Traffic Analysis

The activity that raised suspicions of an intrusion attempt was traffic emanating from a

particular IP address (10.0.250.161) and consisting of web page requests to the local webserver

(10.0.250.200). I examined a packet capture for active devices within the suspicious activity

period to verify the suspicious behavior. There was a total of 77652 packets obtained during the

packet capture analysis, between nine distinct IP addresses: 239.255.255.250, 224.0.0.252,

17.253.20.253, 10.0.250.161, 10.0.250.200, 10.0.250.160, 10.0.250.1, and 10.0.250.146. Due to

the kinds and quantity of pages requested, the behavior seemed suspicious. There were 37078

requests made to the web server in 271 seconds, of which 37008 were specific GET requests for

various web pages. The majority of GET queries return either a 404 Not Found or a 403

Forbidden response. The requests contain files that would be prohibited configuration files for
CYBERSECURITY INCIDENT REPORT 15
the Apache web server's security. These queries indicate that a malicious attack is being launched

against the webserver to get or breach sensitive information.

Conclusion

After evaluating the existing infrastructure security protocols and processes, it is clear

that we need to implement a BYOD, WiFi, and improved network defense strategy. It is crucial

to examine the procedures that have been utilized and those that are accessible. As a result, errors

based on not ensuring newer and appropriate protocols, such as the WPA communication

protocol, are being used on our WLAN become evident in retrospect. We need to revise our Wi-

Fi and bring-your-own-device rules in order to properly manage and protect our infrastructure. In

order to do this, we must enhance rogue access point (RAP) detection and fortify Cisco ISE

settings, as well as their reaction to destructive behavior. A remote configuration management

system must be implemented in order for us to effectively secure, monitor, and manage all of the

devices on our company network, both those that we supply and brought in as a result of our

Bring Your Own Device (BYOD) policy. If these steps had been done, the assault on our

webserver would have never been able to happen.

CYBERSECURITY INCIDENT REPORT 16
References

Abomhara, M., & Køien, G. M. (2015). Cybersecurity and the internet of things: vulnerabilities,

threats, intruders, and attacks. Journal of Cyber Security and Mobility, 65-88.

https://www.riverpublishers.com/journal_read_html_article.php?j=JCSM/4/1/4

Bensky, A. (2016). Wireless positioning technologies and applications. Artech House.

https://books.google.com/books?

hl=en&lr=&id=rS6pCwAAQBAJ&oi=fnd&pg=PR1&dq=Technologies+and+application

s&ots=fcoOtGLkVQ&sig=Qq3_u9nT2VhRvz9yZLjFPQ8DgNk

Mohamed Mizan, N. S., Ma’arif, D., Yusnorizam, M., Mohd Satar, N. S., & Shahar, S. M.

(2019). Cnds-cybersecurity: Issues and challenges in ASEAN countries. International

Journal of Advanced Trends in Computer Science and Engineering, 8(1.4).

http://www.warse.org/IJATCSE/static/pdf/file/ijatcse17814sl2019.pdf

Schatz, D., Bashroush, R., & Wall, J. (2017). Towards a more representative definition of

cybersecurity. Journal of Digital Forensics, Security and Law, 12(2), 8.

http://commons.erau.edu/cgi/viewcontent.cgi?article=1476&context=jdfsl

Williams, P. A., & Woodward, A. J. (2015). Cybersecurity vulnerabilities in medical devices: a

complex environment and multifaceted problem. Medical Devices (Auckland, NZ), 8,

305. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4516335/