Import the VM provided in enisa-main.ova into VirtualBox. From a terminal, execute the
initialization script “./setup” and follow the instructions. After restarting the VM, all the material
needed to complete this lab will be found in the newly created directory
home/enisa/Desktop/Training-Material/Inc_Hand_Dur_Att_Cri_Inf. Finally, read about the
scenario and tasks (section 2) in the provided document
ENISA_attack_Critical_Information_Infrastructure.pdf.
Incident background: An attacking group has succeeded in connecting a rogue device to a
substation network. This device enables them to connect to the control server and manipulate the
power output of the station.
Part A: Preliminary analysis
1. Was the corporate network at risk if the attackers compromised the HMI? Why or why not?
2. What is the IP address of the Windows RDP server? How did you know?
3. There are suspicious communications to the Windows RDP server originating from an IP
address likely belonging to the rogue device. What is the IP address of this rogue device?
Capture a screenshot of your finding.
4. There are logs that provide more information regarding this communication. Even though some
parts of the information are in German, the structure is the standard one for Windows events.
Provide the event data in XML format.
5. Look for more events to find out logon attempts. Determine the target account and whether
the attacker succeeded or not. Prove all your statements.
6. Explain which kind of logon it was (the logon type recorded in the event).
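The questions on the Windows RDP server (event data in XML, logon attempts, target account, logon type) can be answered by parsing the events rather than reading them by eye. The script below is an added example and not part of the lab material: it parses Windows Security events in their standard XML layout, keeps the 4624 (logon succeeded) and 4625 (logon failed) audit events, decodes the logon type and the 4625 SubStatus, and summarises attempts per source address. The events, host name and addresses are constructed for the example; on a German Windows only the rendered message text is localized, while the EventID and the <Data Name="..."> keys are the same as on an English system.

```python
"""Pull logon attempts out of Windows Security event XML.

Constructed sample events, not the lab's real data. Only rendered message
strings are localized on a German Windows; the EventID and the EventData
<Data Name="..."> keys are identical on every language version.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Logon types as defined by Windows Security auditing (events 4624/4625).
LOGON_TYPES = {
    "2": "Interactive (local console)",
    "3": "Network (e.g. SMB share access)",
    "4": "Batch",
    "5": "Service",
    "7": "Unlock",
    "8": "NetworkCleartext",
    "9": "NewCredentials (runas /netonly)",
    "10": "RemoteInteractive (RDP / Terminal Services)",
    "11": "CachedInteractive",
}

# Common 4625 SubStatus codes and their meaning.
SUBSTATUS = {
    "0xc0000064": "user name does not exist",
    "0xc000006a": "user name correct, bad password",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
}


def _event(event_id, time, target, logon_type, ip, substatus=None):
    """Build one constructed <Event> in the standard Windows XML layout."""
    sub = f'<Data Name="SubStatus">{substatus}</Data>' if substatus else ""
    return f"""
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{time}"/>
    <Computer>RDP-SRV.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">{target}</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="IpAddress">{ip}</Data>
    {sub}
  </EventData>
</Event>"""


# Constructed sample: one legitimate network logon, then two failed and one
# successful RDP logon against Administrator from a hypothetical rogue address.
SAMPLE_XML = "".join([
    _event(4624, "2014-09-10T13:55:02Z", "operator", 3, "10.10.1.20"),
    _event(4625, "2014-09-10T14:02:11Z", "Administrator", 10, "192.0.2.99", "0xc000006a"),
    _event(4625, "2014-09-10T14:02:19Z", "Administrator", 10, "192.0.2.99", "0xc000006a"),
    _event(4624, "2014-09-10T14:02:40Z", "Administrator", 10, "192.0.2.99"),
])


def parse_events(xml_text):
    """Return one flat dict per <Event>: System fields plus every EventData value."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    records = []
    for ev in root.iter(NS + "Event"):
        rec = {
            "EventID": ev.findtext(f"{NS}System/{NS}EventID"),
            "Time": ev.find(f"{NS}System/{NS}TimeCreated").get("SystemTime"),
        }
        for data in ev.iter(NS + "Data"):
            rec[data.get("Name")] = (data.text or "").strip()
        records.append(rec)
    return records


def logon_attempts(records):
    """Keep 4624 (success) / 4625 (failure) and decode logon type and failure reason."""
    attempts = []
    for r in records:
        if r["EventID"] not in ("4624", "4625"):
            continue
        attempts.append({
            "time": r["Time"],
            "source_ip": r.get("IpAddress", "-"),
            "target": r.get("TargetUserName", "-"),
            "logon_type": LOGON_TYPES.get(r.get("LogonType"), "unknown"),
            "success": r["EventID"] == "4624",
            "reason": SUBSTATUS.get(r.get("SubStatus", "").lower(), ""),
        })
    return attempts


def summarize_by_source(attempts):
    """Per source IP: how many failures and successes, against which accounts."""
    summary = defaultdict(lambda: {"failed": 0, "succeeded": 0, "accounts": set()})
    for a in attempts:
        entry = summary[a["source_ip"]]
        entry["succeeded" if a["success"] else "failed"] += 1
        entry["accounts"].add(a["target"])
    return dict(summary)


if __name__ == "__main__":
    attempts = logon_attempts(parse_events(SAMPLE_XML))
    for a in attempts:
        print(a["time"], a["source_ip"], a["target"], a["logon_type"],
              "OK" if a["success"] else f"FAILED ({a['reason']})")
    print(summarize_by_source(attempts))
```

Logon type 10 is what an RDP session produces; a burst of 4625 events with SubStatus 0xC000006A (bad password) from one address followed by a 4624 for the same account is the pattern to look for when deciding whether the attacker succeeded.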
Part B: Mounting the disk image
1. Decompress the file cih-das-sda.img.bz2 found in the working directory (bunzip2). The resulting
file is a disk forensic image of the DAS server. Execute the command “sudo losetup -f
cih-das-sda.img” to attach the image to a loopback device (adding -r attaches it read-only, so the
evidence cannot be altered) and the command “sudo losetup -a” to check it. Capture a
screenshot.
2. Show the partition table with “sudo fdisk -l LOOPBACK_DEVICE”, where the loopback
device is /dev/loopN and N is the number assigned as per the previous command. Which
kind of partition (primary or extended) is each one?
3. The last partition is an LVM physical volume, whose logical volumes must be activated. Execute
“sudo partx -a -v LOOPBACK_DEVICE” to register the partitions of the loopback device, then
“sudo pvscan”. Two physical volumes will be listed, each with its volume group. The first, in the
volume group enisa-vm-vg, is the VM’s own root volume. Focus on the second one, which is the
partition inside the attached image. Write down the device file for this partition and the name
of its volume group (VG).
4. To activate the VG, execute “sudo vgchange -a y”. Then, mount the filesystem read-only
by executing “sudo mount -o ro /dev/mapper/cih--das-root /mnt” (the doubled hyphen is how
device-mapper encodes a hyphen in the VG name). Finally, briefly list the contents of /mnt.
Capture a screenshot of all commands.
Part C: Filesystem analysis
1. Move to /mnt/var/log and show all occurrences of the rogue device IP address.
2. Explain what the attacker tried, determine if the attack was successful and justify your
answer.
3. Show all log entries related to the administrator user by the time of the incident. The
command would be similar to “grep USER * | grep 14:0[0-9]:[0-9][0-9]”, with USER replaced
by the account name.
4. Compare both cron binaries (the VM’s and the disk image’s) with the command
“ls -l /usr/sbin/cron /mnt/usr/sbin/cron” (sizes and modification times; a checksum such as
sha256sum on both files confirms whether the contents differ). What is suspicious?
5. Use the tool find to look for files under /mnt that have been modified after the cron binary
(the -newer test takes a reference file). Then, append “-exec ls -l {} \;” to your command to
list their properties. Capture a screenshot.
Part D: Reasoning
1. Considering the role of the DAS server in the SCADA system, what containment action
would you have recommended if you had been on duty when the incident was reported?
The objective of this assignment is to understand in detail the concepts of Modules 7 to 9 that you
have studied from the book. To solve the following questions, you will need to carefully read and
understand all the topics of Modules 7 to 9.
Note: The question sets are defined based on the Modules/Chapters. You will see questions on
Module 7 followed by Modules 8 and 9.
Module 7/Chapter 7 (to answer the following questions, read Module 7):
PART 1: Discussion/Ethical Decision-Making Question
1. If open-source software is free to use without licensing costs, what other factors should
be considered when evaluating the total cost of operating such software?
2. Suppose JJ had a close friend who was a very experienced IDPS specialist, with broad and
deep experience with a specific IDPS software vendor. JJ thought she would be an
excellent candidate for the new position. JJ told her about the opportunity, but she was
not quite as enthused about applying for it as JJ had hoped. You see, there was a referral
bonus, and JJ would get a tidy sum of cash if she were hired based on his recommendation.
JJ told her that she needed to get on board and that he would split the referral bonus with
her. Do you think that is an ethical way to encourage the candidate to apply?
PART 2: Review Questions
1. What is a SPAN port and how is it different from a tap?
2. What is the clipping level?
3. What is a log file monitor? What is it used to accomplish?
4. What does the term trap and trace mean?
5. What is a honeypot? What is a honeynet? How are they different?
PART 3: Real-World Exercises
1. Find out more about defense in depth. Visit youtube.com and search for “network
defense in depth.” Select one or two of the options and watch the videos. What is the
primary value or justification for using this approach?
2. Visit the site www.honeynet.org. What is this Web site, and what does it offer the
information security professional? Visit the “Know Your Enemy” white paper series and
select a paper based on the recommendation of your professor. Read it and prepare a
short overview for your class.
Module 8/Chapter 8 (To answer following questions, read module 8):
PART 1: Discussion/Ethical Decision-Making Question
1. Was Osbert acting ethically when he wrote his worm program? On what do you base your
position?
2. Was Osbert’s professor acting ethically by assigning him the worm program? On what
do you base your position?
3. Who is responsible for this catastrophe? Osbert? His professor? The student who changed
the network configuration? The university? On what do you base your position?
PART 2: Review Questions
1. What is an IR reaction strategy?
2. If an organization chooses the protect and forget approach instead of the apprehend
and prosecute philosophy, what aspect of IR will be most affected?
3. What is the first task the CSIRT leader will undertake on arrival?
4. What is the second task the CSIRT leader will undertake?
PART 3: Real-World Exercises
1. Depending on where you live and copyright requirements, the documentary “The KGB,
the Computer and Me” may be available for viewing on public video-streaming services.
Use a search engine to find the title and watch the documentary if it is available. (The
video remains available as of 2020; its run time is about 57 minutes.) As you watch the
film, note what makes Cliff start the search for the hacker.
2. One example of unauthorized access occurs when a relatively low-level account is used
to gain access and then the commandeered account has its privileges escalated. To learn
more about this, visit youtube.com. Enter the search term “privilege escalation
demonstration.” Choose at least two of the options and view the videos. (Note that you
may be required to view advertisements unless you have a YouTube service account.) As
you watch, look for the techniques used to achieve the desired result.
Module 9/Chapter 9 (To answer following questions, read module 9):
PART 1: Discussion/Ethical Decision-Making Questions
1. Was the CSIRT response appropriate, given the circumstances? On what do you base your
position?
2. Can the team access Osbert’s personal devices to examine them? Under what
constraints? How might the team accomplish this legally?
3. During the investigation and forensic effort in response to the worm outbreak, you are
examining a hard drive and find “love letters” between two employees of the
organization who are not married to each other. This activity is not illegal, and it is not
related to the worm attack. Do you report it in the investigation?
PART 2: Review Questions
1. What is an incident damage assessment?
2. What are some of the reasons a safeguard or control may not have been successful in
stopping or limiting an incident?
PART 3: Real-World Exercises
1. Do a Web search for “Trojan horse defense.” How can it be used to question the
conclusions drawn from a forensic investigation?
2. At the end of 2006, a new edition of the Federal Rules of Civil Procedure (FRCP) went into
effect. Do a Web search to learn more about the FRCP. What likely effect will its emphasis
on electronically stored information (ESI) have on an organization’s need for a digital
forensic capability?
European Union Agency for Network and Information Security
www.enisa.europa.eu
Incident handling during attack on
Critical Information Infrastructure
Toolset, Document for students
September 2014
About ENISA
The European Union Agency for Network and Information Security (ENISA) is a centre of network and
information security expertise for the EU, its member states, the private sector and Europe’s citizens.
ENISA works with these groups to develop advice and recommendations on good practice in
information security. It assists EU member states in implementing relevant EU legislation and works
to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to
enhance existing expertise in EU member states by supporting the development of cross-border
communities committed to improving network and information security throughout the EU. More
information about ENISA and its work can be found at www.enisa.europa.eu.
Acknowledgements
Contributors to this report
We would like to thank all our ENISA colleagues who contributed with their input to this report and
supervised its completion, especially Lauri Palkmets, Cosmin Ciobanu, Andreas Sfakianakis, Romain
Bourgue, and Yonas Leguesse. We would also like to thank the team of Don Stikvoort and Michael
Potter from S-CURE, The Netherlands, Mirosław Maj and Tomasz Chlebowski from ComCERT, Poland,
and Mirko Wollenberg from PRESECURE Consulting, Germany, who produced the second version of
this document as consultants.
Agreements or Acknowledgements
ENISA wants to thank all institutions and persons who contributed to this document. A special ‘Thank
You’ goes to the following contributors: Anna Felkner, Tomasz Grudzicki, Przemysław Jaroszewski,
Piotr Kijewski, Mirosław Maj, Marcin Mielniczek, Elżbieta Nowicka, Cezary Rzewuski, Krzysztof Silicki,
Rafał Tarłowski from NASK/CERT Polska, who produced the first version of this document as
consultants and the countless people who reviewed this document.
Contact
For contacting the authors please use XXXXXXXXXX
For media enquiries about this paper, please use XXXXXXXXXX.
Legal notice
Notice must be taken that this publication represents the views and interpretations of the authors and
editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the
ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not
necessarily represent the state of the art and ENISA may update it from time to time.
Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external
sources including external websites referenced in this publication.
This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA
nor any person acting on its behalf is responsible for the use that might be made of the information contained
in this publication.
Copyright Notice
© European Union Agency for Network and Information Security (ENISA), 2013
Reproduction is authorised provided the source is acknowledged.
Table of Contents
1 What Will You Learn 1
2 Exercise Task 1
2.1 Task 1 Analyse network infrastructure and scenario introduction 1
2.2 Task 2 Accessing and analysing incident data 2
2.3 Task 3 Discussion of findings 3
1 What Will You Learn
In this exercise you will learn how to address incidents in critical information infrastructures