Project 3: Lockdown
Step 13: Develop and Submit Recommended Next Steps for the Computer Security Incident Response
Write recommendations from intelligence debriefing report.
Your deliverable will be an assessment that consists of explanatory material to aid organizational leadership in understanding malware and system infections, and the investigative report that summarizes findings from the SITREP to substantiate whether a specific incident qualifies as ransomware. The report documents what is known about the Reveton malware and should provide concrete steps for protecting the organization and its computer systems from future attacks.
INTELLIGENCE DEBRIEFING
University of Maryland Global Campus
CYB XXXXXXXXXX Capstone in Cybersecurity
Professor Glebocki
Introduction
Technological advancement has had a positive impact in today's digital world. Many institutions, businesses, agencies, and organizations rely on one or more forms of internet application to store their sensitive, personally identifiable information (PII) and intellectual property. Nevertheless, with the ease that advanced technology and the internet have provided, a severe liability can occur if a nefarious actor gains unauthorized access to sensitive data. The malware attack at the FVEY summit, for example, could have been avoided if the cyber team had taken specific precautionary steps to ensure that there were minimal visible vulnerabilities that hackers could exploit. This paper will identify technical information (if any) derived during the analysis of the cyber attack that occurred at the FVEY summit. It will also provide any linkage to impacted systems identified in the BCP, possible intrusion methods, and whether events can be linked to one another.
Current system standings
There was an attack that occurred at the FVEY summit. The United States and other FVEY alliance members that attended the summit were affected and did not have access to their webserver. Although data loss was minimal, the attack led the cyber security staff to conduct a series of tests to determine the cause of the attack and gain better knowledge of the various types of threats, poor managerial behavior, diagnostic methods, and mitigation strategies that could have prevented the attack. The initial report and analysis indicated that high-volume web activity affected web access and caused websites to become overloaded, affecting processes intended for data sharing at the summit. The initial report and analysis also led the cyber team to determine the potential intrusion point and the malicious IP address that the hacker used to gain access to sensitive data and documents. SITREP 1 shows the series of tests that were conducted to identify the incident type, the ports that were targeted, the information that was stolen, a list of the possible violations, the systems and number of hosts that were affected, and the actions that the cyber team took to resolve the malware attack. The cyber team was able to restore the network and all services to normal business operations, and the device affected by the malware was removed and reconfigured. Furthermore, this incident has led the cyber team to train their employees to become more knowledgeable in detecting cyber attacks, which would prevent them from occurring in the first place.
Modifications that can be made to stop this style of threat until a patch is created
SITREP 1 listed some recommendations and actions, like web filters and network monitoring software, that can be used to curtail this type of attack effectively. However, at the grassroots level, all attacks should be reported immediately so that the appropriate team can take quick action to perform mitigation efforts and minimize data loss. Since speed is critical in responding to an attack, and since the attack was reported as soon as it occurred, the cyber team was able to quickly track the source of the ransomware attack, remove the ransomware, locate the thumb drives that were found at the desks of the employees, and enact remediation efforts like removing the affected workstations from the network and deleting any unwanted or suspicious user accounts in the network (see Appendix 3/SITREP 3 for images of the thumb drives). As Brian Carrier said in his article, "The longer it takes security operations center (SOC) analysts and incident responders to detect, locate, and flush out an attack, the more time intruders have to detect, discover, and extract sensitive or valuable data" (Carrier, 2019).
Reputation and brand damage
As data breaches appear more and more in the media, companies, agencies, and institutions are requiring their employees to take cybersecurity seminar training to keep them apprised of best cybersecurity practices they can use to ensure that they are taking proper security measures to avoid attacks on their computer systems. Furthermore, individuals are becoming more aware of how important their digital information is, so if an organization holds their digital information, there is an unspoken expectation that the organization is responsible for protecting that data. If this expectation is not met, or the entity does not report, quickly mitigate, or resolve the breach, the public will lose respect, take their business elsewhere, or potentially sue for data loss. A Forbes Insights report, for example, revealed that about "46% of organizations had suffered reputational damage as a result of a data breach and 19% of organizations suffered reputation and brand damage as a result of a third-party security breach" (Drinkwater, 2016).
The IT team responsible for cybersecurity and network security at the FVEY summit should have ensured that proper security measures were in place to avoid any attack. Even though the incident was quickly identified, contained, and resolved, it could have been avoided if proper protective measures, such as malware detection software or network intrusion detection tools, had been installed to detect malicious activities. Moreover, the summit comprised several high-level security officials, so one would assume that the security would be the strongest due to the publicity and the data being shared at the summit, which was not the case. The other members might:
1. Ask for financial compensation (if they sustained any losses due to the interruption in business operations while network operations were halted to perform the analysis)
2. Refuse to attend future summits out of fear that another attack might occur
3. Vent their frustration on social media, further damaging the host country's reputation
Lost productivity due to downtime or system performance
"When downtime due to equipment failure or network outage occurs, mission-critical systems become unavailable for use. Without essential applications, systems, and network services, employees would not be able to do their work. As such, employees are involuntarily idle" (Marget, XXXXXXXXXX). The cyber team was notified of the ransomware very quickly and took quick action to resolve the ransomware attack. As a result, the operational impact of the attack was relatively low. Still, the time lost in productivity could have been spent doing something more productive. Because the cyber team had to shut down the network to perform system analysis, such as Wireshark analysis, installing Snort rules to detect malware content, and using CrypTool to decipher any encrypted messages, they lost valuable time and staffing, which led to idle time for the members that were at the summit.
Business Continuity Plan
The increasing number of cybersecurity attacks is worrisome. These cyber-attacks have led many IT teams to create a Backup Disaster Recovery Plan (DRP) or a Business Continuity Plan (BCP) to maintain business continuity if a cyber incident occurs. In cybersecurity, a BCP can be identified as "an approved set of arrangements and procedures that enables an organization to minimize loss, repair or replace the damaged components as soon as possible or facilitate the recovery of business operations" (Ouyang, n.d.). A well-structured BCP will also identify decisions (including options) that can be utilized if an incident occurs, enabling organization personnel to continue running their day-to-day operations. The BCP planning process involves creating a plan and documentation for maintaining business continuity through any form of disruption.
Furthermore, a BCP "helps to identify the organization's exposure to internal and external threats; synthesize hard and soft assets to provide effective prevention and recovery for the organizations and maintains competitive advantage and value system integrity" (Ouyang, n.d.). With the growing rate of cyber-attacks and the heavy reliance on internet applications, organizations must have a well-thought-out BCP to resolve system availability problems and take active recovery steps to ensure that their operations can still function if an attack occurs.
System availability problems
The initial attack that occurred at the summit affected operations for a short time. The malware attack limited intelligence sharing at the FVEY summit, and some systems were not accessible during this period because members of the cyber team were trying to determine the root cause of the attack and find solutions to resolve it. The attack was resolved quickly, but the fact that it occurred in the first place indicates vulnerabilities in the network's security. Data encryption, firewalls, web filters, network intrusion detection software, and other technical support options (like a team that continuously monitors the network) should have been used to restrict network access to unauthorized users. System availability was affected by the attack, and multiple machines affected by the attack were unavailable because they needed to be reimaged or reconfigured.
Determining root causes
The threat actor sent the malicious code in a phishing email, and when the summit personnel clicked on it, the ransomware was executed and the hacker was able to gain access to sensitive classified documents. By opening the malicious email and clicking the embedded link, the personnel allowed the bad actor to gain access to their system, so the ransomware successfully attacked the network with the user's own authorization. This could have been avoided if restrictive measures had been taken to block users from clicking on malicious links and mandatory seminars had been created to train users to identify and report suspicious emails. Furthermore, while the file was open, the ransomware ran a malicious script that compromised the computer's security and the network. The bad actor then used the ransomware to transfer files (using the HTTP protocol) back to a web server with the IP address XXXXXXXXXX on port 80. Moreover, the second attack was most likely the work of an employee who was being blackmailed (refer to SITREP 2 for a detailed explanation). The employee's browser history shows that someone was researching ransomware, and a letter supposedly sent by the blackmailed employee claims that they went to their manager about being blackmailed and their family members being threatened. The manager seemingly did not take the employee's concerns seriously, leaving them to comply with the hacker's blackmail.
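As an added illustration (not part of the SITREP or this report), the following Python script shows how a defender could flag the kind of outbound file transfer over plain HTTP to port 80 described above by scanning connection logs for hosts that POST large volumes to an external web server. The simplified log format, the sample log lines, the 10.0.0.0/8 internal range, the 203.0.113.7 stand-in for the redacted attacker address, and the 1 MiB alert threshold are all constructed assumptions.

```python
"""Flag possible HTTP exfiltration to an external web server on port 80.

Constructed example: each log line is
  <timestamp> <src_ip> <dst_ip> <dst_port> <method> <bytes_out>
The script totals outbound POST bytes per (source, destination) pair on
port 80 and alerts when a pair exceeds a threshold.
"""
import ipaddress
from collections import defaultdict

# Constructed internal address plan; anything outside is "external".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Hypothetical threshold: more than 1 MiB POSTed from one host to one
# external server over plain HTTP is worth an analyst's attention.
POST_BYTES_THRESHOLD = 1024 * 1024

# Constructed sample log; 203.0.113.7 (a documentation address) stands
# in for the redacted attacker IP from the report.
SAMPLE_LOG = """\
2021-04-01T09:00:01 10.0.5.21 10.0.1.5 443 GET 512
2021-04-01T09:00:05 10.0.5.21 203.0.113.7 80 POST 1048576
2021-04-01T09:00:09 10.0.5.21 203.0.113.7 80 POST 2097152
2021-04-01T09:01:00 10.0.5.22 198.51.100.9 80 GET 900
2021-04-01T09:02:00 10.0.5.23 203.0.113.7 80 POST 4096
"""

def parse_line(line):
    """Split one log line into a record with typed port and byte count."""
    ts, src, dst, port, method, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "method": method, "bytes": int(nbytes)}

def is_external(ip):
    """True when the address is outside every internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_exfil_candidates(log_text, threshold=POST_BYTES_THRESHOLD):
    """Return {(src, dst): total_post_bytes} for pairs over the threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["port"] == 80 and rec["method"] == "POST" and is_external(rec["dst"]):
            totals[(rec["src"], rec["dst"])] += rec["bytes"]
    return {pair: total for pair, total in totals.items() if total > threshold}

if __name__ == "__main__":
    for (src, dst), total in find_exfil_candidates(SAMPLE_LOG).items():
        print(f"ALERT: {src} posted {total} bytes to {dst}:80 over plain HTTP")
```

In the sample, only 10.0.5.21 trips the alert (two POSTs totalling 3 MiB to 203.0.113.7); the small POST from 10.0.5.23 and the GET traffic stay below the threshold.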
Technical support to restore systems
While conducting the analysis and tests to restore the network system, the cyber team relied on its business recovery plan and business continuity plan, which allowed them to restore the network to full operational capability. The business continuity plan also authorizes the cyber team to:
1. Follow a set of guidelines to restore hardware or software
2. Access backup logs
3. Conduct a clean sweep to search for another virus
4. Restore configurations of affected devices
5. Ensure smooth employee transition back to normal operations
Compliance and regulatory failure costs
Cyberattacks are becoming a growing concern for organizations that store personally identifiable data because of