
Incident Report Analysis

Posted on: December 7, 2023 at 01:25 PM

As an essential component of the Google Cybersecurity Professional course, I engaged in the analysis of a network incident in this activity. Employing the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF), I thoroughly examined the situation and subsequently crafted an incident report. The CSF is a voluntary framework that encompasses standards, guidelines, and best practices for effectively managing cybersecurity risks.

Incident Report Analysis

Summary:
The company experienced a security incident in which every network service abruptly stopped working. The cybersecurity team's investigation found that the outage was caused by a distributed denial of service (DDoS) attack that flooded the network with ICMP packets. The team quickly blocked the attack and stopped all non-critical network services so that critical network functions could be restored first.

Identify:
A malicious actor or group directed an ICMP flood attack at the company, disrupting the entire internal network. All critical network assets had to be protected and restored so that normal operations could resume.

Protect:
The cybersecurity team added a new firewall rule to limit the flow of incoming ICMP packets. They also deployed an Intrusion Detection System/Intrusion Prevention System (IDS/IPS) configured to filter ICMP traffic and block packets with suspicious characteristics.

Detect:
The cybersecurity team enabled source IP address verification on the firewall so that incoming ICMP packets are checked for spoofed source addresses. They also deployed network monitoring software to detect abnormal traffic patterns.
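The two detection controls above (spoofed-source checking and spotting abnormal ICMP traffic) can be illustrated over firewall log lines. The script below is an added example, not part of the original report or the course material; the log format, the sample log lines, the bogon prefix list and the thresholds are constructed for illustration, and the 203.0.113.0/24 addresses are RFC 5737 documentation space standing in for public sources.

```python
import ipaddress
from collections import Counter

# Constructed sample firewall log (not from the original report), one packet
# per line: "<epoch_seconds> <src_ip> <dst_ip> <proto> <icmp_type>".
# 203.0.113.0/24 is RFC 5737 documentation space standing in for public sources.
SAMPLE_LOG = """\
1701950400 203.0.113.10 198.51.100.5 ICMP 8
1701950401 203.0.113.10 198.51.100.5 ICMP 8
1701950401 203.0.113.10 198.51.100.5 ICMP 8
1701950402 203.0.113.10 198.51.100.5 ICMP 8
1701950403 192.168.1.7 198.51.100.5 ICMP 8
1701950403 203.0.113.44 198.51.100.5 ICMP 8
1701950404 203.0.113.45 198.51.100.5 ICMP 8
1701950404 203.0.113.46 198.51.100.5 ICMP 8
1701950420 203.0.113.99 198.51.100.5 TCP -
1701950421 203.0.113.99 198.51.100.5 ICMP 0
"""

# Source prefixes that must never arrive on the external interface (an illustrative subset).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in ("0.0.0.0/8", "10.0.0.0/8",
    "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4")]

def is_spoof_candidate(src):
    """True when the source address could not legitimately have come from the
    internet. Spoofed but routable addresses cannot be told apart this way."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in BOGON_PREFIXES)

def analyze(log_text, window=10, per_source=3, aggregate=6):
    """Count ICMP echo requests (type 8) per fixed window of `window` seconds.
    A source with >= per_source requests in one window is flagged; a window whose
    total reaches `aggregate` is flagged too, which catches a distributed flood
    where each source stays under the per-source limit."""
    per_src, per_window, spoofed = Counter(), Counter(), set()
    for line in log_text.strip().splitlines():
        ts, src, _dst, proto, icmp_type = line.split()
        if proto != "ICMP" or icmp_type != "8":
            continue  # echo replies and non-ICMP traffic are not part of the flood
        bucket = int(ts) // window
        per_src[(src, bucket)] += 1
        per_window[bucket] += 1
        if is_spoof_candidate(src):
            spoofed.add(src)
    return {
        "flood_sources": sorted({s for (s, _b), n in per_src.items() if n >= per_source}),
        "flood_windows": sorted(b for b, n in per_window.items() if n >= aggregate),
        "spoofed_sources": sorted(spoofed),
    }
```

On the sample log, `analyze(SAMPLE_LOG)` flags 203.0.113.10 as a per-source flood, the first 10-second window as an aggregate flood (eight echo requests from five sources), and 192.168.1.7 as a spoof candidate.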
Respond:
For future security incidents, the cybersecurity team plans to isolate affected systems to prevent further disruption to the network, then restore any critical systems and services that were affected. After that, the team will analyze network logs for unusual or suspicious activity. All incidents will be reported promptly to upper management and, where required, to the appropriate legal authorities.

Recover:
After an ICMP flood DDoS attack, network services must be returned to normal operation. To limit future impact, the firewall can be configured to block external ICMP flood attacks before they reach the network. During recovery, all non-critical network services are stopped to reduce congestion on the internal network, and critical network services are brought back online first. Once the ICMP packet flood has ended, non-critical systems and services can be safely brought back online.
Reflections/Notes: