Meanwhile, as you and your team have been working on the various parts of the overall analysis of the systems as a result of the attack, the CISO has been notified by credible sources that malware has been located inside the network. The CISO has also received new intelligence regarding the ransomware attacker’s demands. The attacker has raised the ransom from $500 to $5,000 in Bitcoin per nation state. Conference participants are split on whether to pay the ransom. You know that this decision requires an understanding of virtual currency and the financial implications of virtual currency. While leadership is contemplating options, the CISO needs to act quickly to facilitate operations recovery.
The CISO needs a report on findings and further indicators that can be shared with allies. The indicators can be found for each team in this malware indicator file. Based on the findings, the CISO would like your team to generate documentation regarding defense mechanisms needed to stop this style of attack. This documentation will be your second situation report, or SITREP #2.
In one to two pages, SITREP #2 should describe threat information and any other information that fellow nations could use to speed their investigations. It will be used for information-sharing across nations/partner business operations and will help incident response teams and operations centers narrow their search based on findings. The report should include:
- when the problem was detected and by whom
- scope of the incident
- indicators of compromise (IP address, file hash, protocols, registry edits)
- how it was contained and eradicated
- user screen captures (e.g., error messages or dialog boxes)
Take the findings from all files, hashes, IP addresses, URLs and any other indicators presented, and investigate them using the following files provided to you:
- this curated list of malware analysis tools
- malware identification example
- situation report template
These findings will be used to determine what additional evidence can be derived from the indicators and any files provided.
This data-sharing checklist for submitting and sharing information is available to all nations at the summit as they gain confidence in sharing information with fellow countries. Review it to ensure that your nation is exercising best practices in information sharing. Providing too much information could pose a threat to the nation’s cybersecurity posture.
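As an added example (not part of the assignment or its provided files) of the screening the checklist calls for, the Python helper below sorts a set of constructed sample indicators into a shareable list and a withheld list: it rejects malformed hashes and registry paths, and holds back internal (RFC 1918, loopback, link-local) addresses that would reveal your own network layout to partners. All sample values, field names and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample indicators (illustration only, not the scenario's indicator file).
SAMPLE_INDICATORS = [
    {"type": "sha256", "value": "a" * 64},
    {"type": "md5", "value": "ZZ" + "0" * 30},          # malformed: non-hex characters
    {"type": "ipv4", "value": "203.0.113.45"},          # public address (documentation range)
    {"type": "ipv4", "value": "10.20.30.40"},           # internal address, not for sharing
    {"type": "registry", "value": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"type": "registry", "value": r"C:\Users\alice\AppData\payload.exe"},  # a file path, not a key
]

HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
HIVES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\", "HKCC\\", "HKEY_")
# Address ranges that describe your own network rather than the attacker's infrastructure.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def review_indicator(ind):
    """Return (shareable, reason) for one indicator record."""
    kind, value = ind["type"], ind["value"].strip()
    if kind in HASH_LENGTHS:
        if len(value) != HASH_LENGTHS[kind] or not HEX_RE.match(value):
            return False, f"malformed {kind}: expected {HASH_LENGTHS[kind]} hex chars"
        return True, "well-formed hash"
    if kind == "ipv4":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return False, "not a valid IP address"
        if any(ip in net for net in INTERNAL_NETS):
            return False, "internal address: reveals network layout, describe generically instead"
        return True, "public address"
    if kind == "registry":
        if not value.upper().startswith(HIVES):
            return False, "does not look like a registry path"
        return True, "registry key"
    return False, f"unknown indicator type {kind!r}"

def build_shareable_indicators(indicators):
    """Split indicators into a shareable list and a withheld list, each annotated with the reason."""
    share, withhold = [], []
    for ind in indicators:
        ok, reason = review_indicator(ind)
        (share if ok else withhold).append({**ind, "value": ind["value"].strip(), "note": reason})
    return share, withhold

if __name__ == "__main__":
    share, withhold = build_shareable_indicators(SAMPLE_INDICATORS)
    for rec in share:
        print("SHARE   ", rec["type"], rec["value"])
    for rec in withhold:
        print("WITHHOLD", rec["type"], rec["value"], "-", rec["note"])
```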
Your team’s level of detail could be the difference between a benign incident and a catastrophic breach or mission-critical resource failure.
When you and the other team members have finished compiling the second situation report, the designated team member should submit SITREP #2 for review and feedback. Your SITREP #2 will be used in the intelligence briefing that you develop in a later step.