Effective Incident Response with the NIST Cybersecurity Framework

Review the scenario below:

You are a cybersecurity analyst working for a multimedia company that offers web design services, graphic design, and social media marketing solutions to small businesses. Your organization recently experienced a DDoS attack, which compromised the internal network for two hours until it was resolved.

During the attack, your organization’s network services suddenly stopped responding due to an incoming flood of ICMP packets. Normal internal network traffic could not access any network resources. The incident management team responded by blocking incoming ICMP packets, stopping all non-critical network services offline, and restoring critical network services.

The company’s cybersecurity team then investigated the security event. They found that a malicious actor had sent a flood of ICMP pings into the company’s network through an unconfigured firewall. This vulnerability allowed the malicious attacker to overwhelm the company’s network through a distributed denial of service (DDoS) attack.

To address this security event, the network security team implemented:

A new firewall rule to limit the rate of incoming ICMP packets

Source IP address verification on the firewall to check for spoofed IP addresses on incoming ICMP packets

Network monitoring software to detect abnormal traffic patterns

An IDS/IPS system to filter out some ICMP traffic based on suspicious characteristics

As a cybersecurity analyst, you are tasked with using this security event to create a plan to improve your company’s network security, following the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). You will use the CSF to help you navigate through the different steps of analyzing this cybersecurity event and integrate your analysis into a general security strategy. We have broken the analysis into different parts in the template below. You can explore them here:

Identify security risks through regular audits of internal networks, systems, devices, and access privileges to identify potential gaps in security.

Protect internal assets through the implementation of policies, procedures, training and tools that help mitigate cybersecurity threats.

Detect potential security incidents and improve monitoring capabilities to increase the speed and efficiency of detections.

Respond to contain, neutralize, and analyze security incidents; implement improvements to the security process.

Recover affected systems to normal operation and restore systems data and/or assets that have been affected by an incident.

My report on this scenario:

Incident report analysis:

Summary: Today during working hours in my company the organization people experienced some problems in the network system and after network analysis, it was found that it was a DDoS attack on the company's internal network system.Which is active for two hours.

So due to high ICMP flood attack the network stops respondi .The network traffic can not access any network resource due to this incoming flood of ICMP.

Now the management system stops the incoming flood of ICMP by blocking the packets and stopping all non-critical services offline and restoring the critical network service.

The cybersecurity team identifies that it is done due to unconfigured firewall.A malicious acter sent the ICMP flood by using this vulnerability to crashed the company’s network through the DDos attack.

Now to address this security event the network security team implemented some features :

● A new firewall rule to limit the rate of incoming ICMP packets
● Source IP address verification on the firewall to check for spoofed IP addresses on incoming ICMP packets
● Network monitoring software to detect abnormal traffic patterns
● An IDS/IPS system to filter out some ICMP traffic based on suspicious characteristics

Protect: The team has updated the security system to prevent future attacks: A new firewall rule to limit the rate of incoming ICMP packets, Source IP address verification on the firewall to check for spoofed IP addresses on incoming ICMP packets, Network monitoring software to detect abnormal traffic patterns, An IDS/IPS system to filter out some ICMP traffic based on suspicious characteristics

Detect: To detect new unauthorized access attacks in the future, the team will use a new firewall logging tool and an intrusion detection system (IDS) to monitor all incoming traffic from the internet.

Respond: The team disabled to protect the internal network. We provided training to interns and employees on, how to protect the internal network. We informed upper management of this event and they will contact our customers by mail to inform them about internal network issues. Management will also need to inform law enforcement and other organizations as required by local laws.

Recover: The team will recover the critical network issues. So, the internal network recover now and is safe from the DDoS attack.

Some important link:

1. Applying the NIST CSF - Google Docs

2. Completed Example of an Incident report analysis - Google Docs

3. Incident report analysis - Google Docs

   Summary of the whole analysis:

A multimedia company experienced a DDoS attack that disrupted network services for two hours. The attack exploited an unconfigured firewall, flooding the network with ICMP packets. The incident was mitigated by blocking ICMP packets, taking non-critical services offline, and restoring critical services. The cybersecurity team implemented new firewall rules, source IP verification, network monitoring, and IDS/IPS systems. Following the NIST Cybersecurity Framework, the company plans to improve security by identifying risks, protecting assets, enhancing detection, responding effectively, and recovering systems.