Part A: Planning
Open the provided document ITSAP XXXXXXXXXX entitled “DEVELOPING YOUR INCIDENT RESPONSE PLAN” and respond to the questions below, justifying your opinion and supporting it with other sources if necessary.
1. You are facing two simultaneous incidents. The first is related to the availability of a web
server your company uses to sell their products (an e-commerce website). The second is
about a disgruntled employee sending out descriptions and prices of products in a research
stage exfiltrated from an internal database. What stage of the incident response plan should
help determine the priority of these incidents?
2. What would be your choice if you could manage only one at a time?
3. Early in the morning, an employee powers up their computer and notices that “My PC” shows a drive F: identified as a pendrive. While checking the USB ports, the employee observes that a pendrive was indeed plugged into one of the rear ports. As it belonged to someone else, the pendrive is simply unplugged and left on the table. The day continues as normal. What did the employee do wrong? What should change so this does not happen again?
4. Among the proposed roles for the incident response team, there is a communications advisor. How could this profile be useful beyond internal communications within the organization? Name two external entities that might need to be contacted during an incident.
5. After an incident, you help the IT team to recover from it. Is there anything else that needs
to be done?
Part B: Ransomware
Open the provided document ITSAP XXXXXXXXXX entitled “HOW TO PREVENT AND RECOVER FROM RANSOMWARE” and respond to the questions below, justifying your opinion and supporting it with other sources if necessary.
1. Your organization is backing up all servers to a NAS for faster backup and recovery. What would your recommendation be to protect against ransomware?
2. Brian received a call from an employee claiming their workstation was compromised with ransomware, as all documents had been encrypted and a note left in the folder demanding a ransom. He re-imaged the operating system and restored a backup with all documents. Explain two things that Brian did wrong.
3. Linda’s organization has fallen victim to a ransomware attack. Give her two reasons not to pay the ransom.
4. Read about the Conti group following the link below. What tool is used to remotely execute commands? How does the gang ensure its business even if the victim is able to restore all data from backups?
https://www.cyber.gc.ca/en/guidance/ransomware
5. Some advocate for banning ransom payments while others do not agree on their benefits.
Research on the topic and provide an opinion for and another against the ban.

You will work with command-line tools that will help you automate incident handling. Use the file lab4_ XXXXXXXXXXtxt.gz on a Linux machine, such as your Kali box.

Capture a screenshot in addition to answering the questions below.
Part A: Filtering
1. Before unzipping it, use zgrep to filter some content directly in the zipped file. This will be very handy with large files that either take too long to unzip or require space that is not available. Specifically, filter all lines containing XXXXXXXXXX and count them.
2. Now, unzip the file and count the total lines. You will realize there is just one more, the
header. In addition to the commands, show it without opening the file with a graphical tool.
3. Which has more lines, TCP or UDP? Prove it.
4. Execute the command below to obtain lines that are neither TCP nor UDP. What is the protocol shown? Why does it not work with grep instead of egrep?
egrep -vi 'tcp|udp' lab4_ XXXXXXXXXXtxt
5. The command below would list all destination addresses in the network XXXXXXXXXX/8. Explain what $7 and $1 represent and why -F: was necessary. Tip: you can execute the command by parts, adding new commands after the pipe one at a time, so you can observe the evolution.
awk '{print $7}' lab4_ XXXXXXXXXXtxt | awk -F: '{print $1}' | sort -u | grep ^10
6. Modify the command above to obtain all unique source IP addresses. Hint: check the
command uniq or the parameter -u in the command sort.
Part B: Geolocation
We are going to use the API of Team Cymru on port 43 to get the geolocation of some of the IP addresses previously obtained.
Tool: http://www.team-cymru.org/Services/ip-to-asn.html#whois
1. First, try the commands below to see how it works. Show the content of the file output.txt.
echo -e "begin\ncountrycode" > list.txt
awk '{print $5}' lab4_ XXXXXXXXXXtxt | grep -v Proto | awk -F: '{print $1}' | grep '^8[1-3]' | sort -u >> list.txt
echo -e "end" >> list.txt
netcat whois.cymru.com 43 < list.txt > output.txt
2. Next, create a similar input file named full.txt with all the IP addresses. Please note it is just a list of IPs, but with a header added and a last line appended. Send it to the API and save the results to geo.txt. Show the first 5 lines of the resulting file.
3. List all IP addresses located in Taiwan. Hint: when using grep, $ represents the end of the
line.
4. Now count all IP addresses located in China or Russia, using a single command.
Part C: Identifying servers
5. Filter the TCP traffic. What kind of servers are XXXXXXXXXXand XXXXXXXXXX?
6. What is the time span of HTTP traffic?
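An added example (not part of the assignment or of the lab file) that runs the Part A filtering pipeline and the Part B Team Cymru workflow offline on constructed data. The record layout of the lab file (Date Time Proto Len Src:port -> Dst:port) and the "AS | IP | CC" layout of the whois reply are assumptions, so the sample geo.txt stands in for the real service output.

```shell
#!/bin/sh
# Added example (not part of the assignment): the lab's filtering pipeline and the
# Team Cymru bulk-lookup workflow, run offline on constructed sample data.
# Assumed record layout (a guess at the lab file): Date Time Proto Len Src:port -> Dst:port
LOG=$(mktemp); GEO=$(mktemp)
cat > "$LOG" <<'EOF'
Date Time Proto Len Source -> Destination
2022-11-01 10:00:01 TCP 60 81.2.3.4:51000 -> 10.0.0.5:443
2022-11-01 10:00:02 UDP 78 83.9.9.9:53 -> 10.0.0.7:33000
2022-11-01 10:00:03 TCP 52 82.5.5.5:40000 -> 10.0.0.5:443
2022-11-01 10:00:04 ICMP 84 81.2.3.4:0 -> 10.0.0.9:0
EOF
# Constructed stand-in for geo.txt, i.e. what "netcat whois.cymru.com 43 < list.txt"
# would return; the "AS | IP | CC" column layout is an assumption, check it against real output.
cat > "$GEO" <<'EOF'
AS      | IP               | CC
4780    | 81.2.3.4         | TW
4134    | 82.5.5.5         | CN
12389   | 83.9.9.9         | RU
EOF
count_proto() {        # number of records whose protocol column is $1 (header skipped)
  awk -v p="$1" 'NR > 1 && toupper($3) == p' "$LOG" | wc -l | tr -d ' '
}
other_protos() {       # protocols that are neither TCP nor UDP; -E (egrep) is needed
  grep -Evi 'tcp|udp' "$LOG" | grep -v Proto | awk '{print $3}' | sort -u   # basic grep treats | literally
}
unique_dst_in_10() {   # $7 = dst addr:port; -F: splits off the port; ^10 keeps the 10.0.0.0/8 net
  awk 'NR > 1 {print $7}' "$LOG" | awk -F: '{print $1}' | sort -u | grep '^10'
}
unique_src() {         # same pipeline on $5 = src addr:port, deduplicated with sort -u
  awk 'NR > 1 {print $5}' "$LOG" | awk -F: '{print $1}' | sort -u
}
build_cymru_list() {   # bulk-query file: "begin"/"countrycode" header, one IP per line, "end"
  { printf 'begin\ncountrycode\n'; unique_src; printf 'end\n'; } > "$1"
}
ips_in_cc() {          # IPs whose CC (last |-separated field) matches $1, e.g. TW or 'CN|RU'
  awk -F'|' -v re="^($1)$" 'NR > 1 { gsub(/ /, "", $2); gsub(/ /, "", $NF); if ($NF ~ re) print $2 }' "$GEO"
}
build_cymru_list list.txt          # then: netcat whois.cymru.com 43 < list.txt > geo.txt
echo "TCP=$(count_proto TCP) UDP=$(count_proto UDP) other=$(other_protos)"
echo "Taiwan: $(ips_in_cc TW)"; echo "CN or RU: $(ips_in_cc 'CN|RU' | wc -l | tr -d ' ')"
```

Running it against the real lab file only needs LOG pointed at the unzipped file and GEO at the geo.txt the whois service returned.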

Incident Response Planning (ITSAP.40.003)
UNCLASSIFIED
May 2021 | ITSAP.40.003
© Government of Canada | This document is the property of the Government of Canada. It shall not be altered, distributed beyond its intended audience, produced, reproduced or published, in whole or in any substantial part thereof, without the express permission of CSE. Cat. No. D97-1/40-003-2021E-PDF ISBN XXXXXXXXXX
DEVELOPING YOUR INCIDENT RESPONSE PLAN
UNCLASSIFIED
Your incident response plan includes the processes, procedures, and documentation related to how your organization detects, responds to, and recovers from incidents. Cyber threats, natural disasters, and unplanned outages are
examples of incidents that will impact your network, systems, and devices. When you have a proper plan, you will be prepared to handle incidents when they happen, mitigate the threats and associated risks, and recover quickly.
CONDUCT A RISK ASSESSMENT
The results of your risk assessment inform your response plan. A risk assessment will identify your assets and analyze the likelihood and impact of your assets being compromised. With your risks and potential threats clearly identified, you can prioritize your response efforts. Some questions to answer during the assessment include:
• What data is valuable to your organization?
• Which business areas handle sensitive data?
• What controls do you currently have in place?
• Can this lead to a privacy breach for your organization?
BEFORE CREATING A PLAN
Before you create an incident response plan, determine what information and systems are of value to your organization. Determine the types of incidents you might face and what
would be an appropriate response. Consider who is qualified to be on the response team and how you will inform your organization of your plan and associated policies
and procedures.
DEVELOP YOUR POLICIES
Your incident response activities need to align with your organization’s policy and compliance requirements.
Write an incident response policy that establishes the authorities, roles, and responsibilities for your incident response procedures and processes. This policy should be approved by your organization’s senior management and executives.
ESTABLISH YOUR RESPONSE TEAM
The goal of your team is to assess, document, and respond to incidents, restore your systems, recover information, and reduce the risk of the incident reoccurring.
Your team should include employees with various qualifications and have cross-functional support from other business lines.
Roles to consider for your incident response team include:
• Incident handler
• Technical lead
• Human resources specialist
• Communications advisor
• Notetakers
• Data analysts
Incidents are unpredictable and require immediate response. Ensure you designate backup responders to act during any absences when an incident occurs.
CREATE YOUR COMMUNICATIONS PLAN
Your plan should detail how, when, and with whom your team communicates. This plan should include a central point of contact for employees to report suspected or known incidents.
Your notification procedures are critical to the success of your incident response. Identify the internal and external key stakeholders who will be notified during an incident. You may have to alert third parties, such as clients and managed service providers. Depending on the incident, you may need to contact law enforcement or consider engaging a lawyer for advice.
An event is an observable occurrence in a system or network (e.g. a user sending email).
An incident is an adverse event in an information system or network, or the threat of such an event.
An environment is your network and everything attached to it, such as peripheral devices (e.g. printers, computers, routers). Is your environment open to everyone or is it secure?
An open environment allows information to be transmitted in and out of the network, without restrictions.
A secured environment restricts what information is allowed in and out of the network.
EDUCATE YOUR EMPLOYEES
Update your employees on current incident response planning and execution.
Tailor your training programs to your organization’s business needs and requirements, as well as your employees’ roles and responsibilities.
A well-trained workforce can defend against incidents.
CREATE YOUR INCIDENT RESPONSE PLAN
Your incident response plan should define the objectives, stakeholders, responsibilities, communication methods, and escalation
processes used throughout the incident response lifecycle. Keep the plan simple and flexible. Test, revisit, and revise it annually to keep
it effective. The following list details the phases of the incident response life cycle which can be followed to structure your plan.
PREPARE
Lay out the objectives of your incident response strategy, as well as your related policies and procedures. Define your goals to improve security, visibility, and recovery.
Implement a reliable backup process to create copies of your data and systems and help you restore them during an outage.
Have a detailed strategy for updating and patching your software and hardware. Use this strategy to track and fix vulnerabilities and mitigate the occurrence and severity of incidents.
Develop exercises to test your plan and response. You can revise and improve your plan using your test results.
OBSERVE
Monitor your networks, systems, and connected devices to identify potential threats. Produce reports on a regular basis and document events and potential incidents. Analyze these occurrences and determine whether you need to activate your incident response plan. Determine the frequency and intensity of your monitoring. You may want to consider monitoring your networks on a 24/7 basis or in a more ad hoc manner.
RESOLVE
Gain an understanding of the issue so you can contain the threat and apply effective mitigation measures. An effective mitigation measure is disabling connectivity to your systems and devices to block the threat actor from causing further damage. It might be necessary to isolate all systems and suspend employee access temporarily to detect and stop further intrusions.
Eradicate the intrusion by restoring your systems from a backup. You should also run anti-malware and anti-virus software on all systems and connected devices. If you uncover vulnerabilities, you will need to patch and update your devices.
Preserve evidence and supporting documentation to assist in your analysis of the incident.
UNDERSTAND
Identify the root cause of the incident and collaborate with the response team to determine what can be improved. Evaluate your incident response processes and highlight what went well and which areas require improvement. Create a lessons learned document that details how you will adjust and improve your plan for future incidents.
Document the steps taken to uncover and resolve the incident. This will assist you in responding to future incidents by providing insight into possible mitigation measures and lessons learned to offer a faster, more effective recovery.
IN-HOUSE OR PROFESSIONAL SERVICES
When planning your response plan, determine which actions and services you can conduct internally and which actions you will outsource. Professional services can be obtained to assist you with incident response initiatives, such as developing your plan, determining your backup processes, and monitoring
Answered 1 day after Nov 24, 2022

Solution

Vivek answered on Nov 25 2022
46 Votes
Incident Response Planning
Part A: Planning
1. You are facing two simultaneous incidents. The first is related to the availability of a web server your company uses to sell their products (an e-commerce website). The second is about a disgruntled employee sending out descriptions and prices of products in a research stage exfiltrated from an internal database. What stage of the incident response plan should help determine the priority of these incidents?
Answer: At the 2nd stage of Incident Response Planning, which is Identification OR Observe, we monitor your networks, systems, and connected devices to identify potential threats. The main topics we cover in this stage are:
· When did the incident happen?
· How was the incident noticed?
· What is the priority of the incident?
· Who discovered it?
· Are other areas affected?
· What is the extent of the breach?
· Will there be an operational impact?
· Was the source (entry point) of the event discovered?
2. What would be your choice if you could manage only one at a time?
Answer: I will choose the second case, “a disgruntled employee sending out descriptions and prices of products in a research stage exfiltrated from an internal database”, because the priority of the internal database is higher than the e-commerce website.
3. Early in the morning, an employee powers up their computer and detects that “My PC” shows a unit F: identified as a pendrive. While checking the USB ports, the employee observes there was effectively a pendrive plug in on one of the rear ports. As it belonged to someone else, the pendrive is just unplugged and left on the table. The day continues with normality. What did the employee do wrong? What should change for this not to happen again?
Answer: The employee thought it was no threat, but it can be a critical issue because the pen drive can be a rubber ducky.
Here are some common things the attacker might have done on his system.
· Stole saved passwords, cache, history and other sensitive information from the browser.
· Stole password hashes, system files and made changes in Windows services.
· Injected a keylogger, spyware, virus, malware and other malicious code on his system.
· Made changes to Windows security like disabling antivirus and firewall.
For this not to...