Incident Details
- The Red Team forcefully penetrated the engineering center’s R&D servers, 10.10.135.0/24, on August 3rd, 2021, at 0930 hours, Eastern Standard Time (EST). The team stole design documents and drone system source code from the servers at 1005 hours. At 1255 hours, the Red Team stole employees’ logins using keylogging software, and at 1325 hours it installed malware across the Sifers-Grayson network. Thirty minutes later, the Red Team also sent phishing emails to the workers, exposing the company’s vulnerability. The penetration test ended 24 hours later, after the target server was shut down.
- The incident’s physical location is 1555 Pine Knob Trail, Pine Knob, KY 42721.
- Red Team’s penetration test completed
- Source or cause of the incident: Forced intrusion at the R&D Center (IP 10.10.135.0/24), followed by malware infection spreading from the AX10 Test Range (IP 10.10.145.0/24) to Corporate Headquarters (IP 10.10.100.0/24).
- Incident description: The Red Team’s penetration test of Sifers-Grayson systems was efficiently and professionally executed, resulting in one hundred percent success and exposing the firm’s vulnerability to cyber-attacks. The team easily located a weakness in Sifers-Grayson’s unsecured network connection, which allowed it to intrude into the company’s databanks. The Red Team succeeded in stealing 100% of the design documents and the AX10 Drone System’s source code. Using one of its members disguised as a Sifers-Grayson employee, the Red Team left a USB key on a lunch table in the staff lounge of the enterprise’s headquarters building. Keylogging software installed on the USB key was used to steal the passwords of 20% of the workers.
Installation of malware through the network onto a workstation linked to the PROM burner in the R&D DevOps lab followed. This gave the Red Team access to a cellular connection that “phoned home” to the team. The Red Team then effectively controlled the test vehicle, flying it from the test range to a safe landing. Lastly, the Red Team sent phishing emails to Sifers-Grayson’s employees using the stolen logins, and a significant number of the recipients clicked on the video links.
- Affected sources description: 100% of the R&D center’s server infrastructure was intruded upon, 20% of workers’ passwords and login details were stolen, the PROM burner workstation was infected with malware, and the drone system code was stolen. The compromised sources are the Corporate Headquarters, the R&D center, and the Test Range, with IPs 10.10.100.0/24, 10.10.135.0/24, and 10.10.145.0/24 respectively.
- Vectors associated with the incident: Unsecured network connection, unattended USB drives, malicious insider (Red Team member), and phishing.
- Prioritization factors: The attack negatively impacted network and system functionality by slowing them down.
- Mitigation factors: No mitigation factors were in place.
- Response actions performed: Shutting down of the target server.
- Other organizations contacted: Sifers-Grayson never informed any outside organization about the penetration test, nor contacted any during the incident.
Cause of the Incident
Unsecured connections, lack of network security, and improper handling of devices were the leading causes of the incident. The unsecured network connections and absence of defensive measures allowed the Red Team to instantly and silently access secured data. Employees lacked device discipline and failed to maintain physical security: they left USB devices unattended and admitted unauthorized individuals (new hires) into RFID-controlled areas.
Cost of the Incident
The estimated cost of responding to the incident is $275,000. The IT staff would need 275 hours, at a cost of $100 per hour, to execute all the clean-up activities: firewall and other security configuration would take 90 hours, digital forensics to analyze the intrusion methods 60 hours, scanning of the servers and the AX10 drone system 55 hours, and security awareness training 70 hours.
Business Impact of the Incident
While the incident was a penetration test, it had real significance for Sifers-Grayson’s business. The intrusion into the company’s network, the installation of malware, and the phishing emails slowed operations. However, the incident also alerted the business to its vulnerability to cyber-attacks, necessitating immediate measures to avert such occurrences in the future and ensure business security.
General Comments
Companies under contract with the Departments of Defense and Homeland Security must comply with the security requirements provided in NIST Special Publication 800-171 and DFARS clause 252.204-7012. Conforming to these requirements is necessary to guarantee the safety and security of sensitive data provided by the government and stored in the Sifers-Grayson R&D DevOps and SCADA labs against any attack. The contract further requires the company to report any security incident to the federal government.
NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, guides companies such as Sifers-Grayson on handling data that is not under direct federal government control. The firm must address a number of requirement families to meet the standard, including access control, media protection, awareness and training, personnel security, audit and accountability, configuration management, risk assessment, identification and authentication, and incident response, among others (Ross et al., 2020). Meeting these requirements will protect the information that the company stores in its systems.
DFARS guides Sifers-Grayson on the procedures it must follow when reporting security incidents. The regulation provides detailed information on the different types of incidents and how they should be reported. Contractors must immediately notify the Department of Defense in case of a security incident or data compromise (“252.204-7000 Disclosure of Information”, 2021). Following the DFARS guidelines will allow Sifers-Grayson to fulfill all contract obligations and maintain proper handling of its stored data and information systems.
References
252.204-7000 Disclosure of Information. (2021). Acq.osd.mil. Web.
Ross, R., Pillitteri, V., Dempsey, K., Riddle, M., & Guissanie, G. (2020). Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication 800-171), 1-101. Web.