Before you begin: Read the Project #1 description (attached to the Project #1a assignment folder) paying special attention to the Red Team’s report.For this week’s discussion our focus will be upon developing a brief (1-2 page) forensics data collection plan to be used during a Red Team exercise. Your plan will be used as part of training exercise for incident response personnel to help them learn to identify and collect evidence.Your first task is to analyze the Red Team’s report to determine what they attacked or what attack vectors were used. Next, analyze the environment to determine what types of forensic evidence should be collected after the attack(s) and where that evidence can be collected from. You should consider both volatile sources such as RAM (memory) and static sources such as disk drives, thumb drives (USB storage devices), etc. After you have identified the types of evidence and the devices from which evidence should be collected, document that in your short paper (the “plan”).At a minimum your plan must document evidence collection for three specific attack vectors or vulnerabilities that were exploited by the Red Team as part of its penetration testing. For each vector or vulnerability, document what type of evidence could be collected and where the evidence should be collected from.
(Read through)-Red Team Penetration TestingSifers-Grayson hired a cybersecurity consulting firm tohelp it meet the security requirements of a contract with a federal agency. Theconsulting firm’s Red Team conducted a penetration test and was able to gainaccess to the engineering center’s R&D servers by hacking into theenterprise network through an unprotected network connection (see figure 2).The Red Team proceeded to exfiltrate files from those servers and managed tosteal 100% of the design documents and source code for the AX10 Drone System.The Red Team also reported that it had stolen passwords for 20% of the employeelogins using keylogging software installed on USB keys that were left on thelunch table in the headquarters building employee lounge (see Figure 3). TheRed Team also noted that the Sifers-Grayson employees were quite friendly andtalkative as they opened the RFID controlled doors for the “new folks” on theengineering staff (who were actually Red Teamers).The Red Team continued its efforts to penetrate theenterprise and used a stolen login to install malware over the network onto aworkstation connected to a PROM burner in the R&D DevOps lab (See Figure3). This malware made its way onto a PROM that was then installed in an AX10-atest vehicle undergoing flight trials at the Sifers-Grayson test range (SeeFigures 1 and 4). The malware “phoned home” to the Red Team over a cellularconnection to the R&D center. The Red Team took control of the test vehicleand flew it from the test range to a safe landing in the parking lot at Sifers-Graysonheadquarters.The Red Team used three stolen logins to send PhishingEmails to employees. These phishing emails appeared to come from coworkers(employees of the company) and contained a link to one of three videos. Eachvideo was linked to a server that tracked the email address and IP address ofthe computer used to access the video. The Red Team reported that over 80% ofthe recipients clicked on the video link for cute kittens or cutecats. Twenty percent (20%) of the recipients clicked on the video link fora business news story. A video link to a sports event wrap-up for the KentuckyVolunteers basketball team had over 95% click-through rate. All three videosdisplayed a “Page Not Found (404 Error)” message from the target server. TheRed Team did not put a tracking beacon in the emails to track forwarding of thephishing emails. But, the team reported that the target server collected emailaddresses and IP addresses for over 1500 external recipients within 24 hours ofthe original mailing; at that point, the target server was shutdown.After completing their penetration tests, the Red Teamprovided Sifers-Grayson executives with a diagram showing their analysis of thethreat environment and potential weaknesses in the company’s security posture forthe R&D DevOps Lab (see figure 5).
