Question
XYZ Technologies had a DDoS (Distributed Denial of Service) attack on their environment yesterday. Your deliverable will include reviewing the incident details document and creating an RCA (Root Cause Analysis) report based on this incident. Review the details of the incident below:
Incident Details: DDoS (Distributed Denial of Service) Attack
At 2:26 CST the internet-facing firewalls peaked at 100% CPU load. This load level caused any additional connection to be lost, giving the appearance that the corporate website and the other IoT devices supported by this site had lost connectivity. Initial investigation of the log data showed 1.25 million SYN requests from the following external IP addresses:
1.169.228.122, 5.254.97.84, 27.254.56.45, 37.48.80.165, 37.186.206.134, 41.32.37.226, 42.61.188.34, 103.213.45.145, 111.91.82.161, 151.233.52.209, 168.187.104.130, 186.167.1.54, 190.205.33.163, 213.184.112.102, 217.219.150.126
In the first 8 minutes, the following remediation techniques were used:
The addition of attacking IP addresses to a global block list. Result: a new attacking IP appears with the same number of SYN requests.
When the website is disabled, the SYN requests drop to zero.
When the website is brought up in a new location, the SYN requests return and bring down the protecting firewall.
Remediation:
After 8 minutes of complete downtime, a decision was made to disable the site in IIS until an appropriate solution could be implemented.
At 23 minutes, a recommendation was made to the support team to offload the SYN requests to a cloud-based firewall called Incapsula.
At 42 minutes the Incapsula solution was implemented, with a 30-day free trial:
Setup of Incapsula Tool
Configuration of primary website within Incapsula
Configuration of DNS from original location to Incapsula
At 45 minutes the website was returned to functional status by re-enabling the site in IIS.
Future State:
XYZ currently has only 2 websites with public-facing addresses. These two sites will be protected by the Incapsula tool to offload any future DDoS attempts.
After reviewing the incident above, create an RCA (Root Cause Analysis) report based on this incident. While your report is a technical document, rich in detail, it is your role as the cybersecurity professional to tailor this RCA to meet the expectations of the target audience of non-technical executive leadership and customers. Please be sure to address the following:
A breakdown of the incident details (Areas Affected, Dates, and Times).
Information on the root cause of the incident.
Specifics of how the incident was resolved, or if additional steps need to be taken to fully resolve the incident.
Preventative measures for future incidents.
Be sure to tailor this RCA so that it is rich in detail but does not rely on technical language to meet the expectations of the target audience of non-technical, executive leadership, and customers.
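The incident narrative above describes two facts a root-cause analysis has to reconcile: the firewall logs showed a very high SYN count spread over a set of source addresses, and adding those addresses to a block list did not help because a new source appeared with the same volume. The following Python script is an added example (not part of the question or of any posted answer) of the triage logic that reasoning implies: it parses SYN entries from firewall log lines, measures the peak SYN rate per source and in aggregate over a sliding window, and then replays a per-IP blocking policy over the same events to show why blocking individual sources keeps losing against an attacker who rotates them, while an aggregate-rate verdict still fires. The log line format, the thresholds and every IP address are constructed for the demonstration and are not taken from the incident.

```python
"""SYN-flood triage over firewall log lines.

Added example; not code from the question or from any vendor named in it.
Assumed (constructed) log line shape:  "<ISO-8601 time> SYN src=<ip> dst=<ip>:<port>"
"""
import re
from collections import Counter
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(\S+) SYN src=(\d+\.\d+\.\d+\.\d+) dst=(\S+)$")


def parse_syn_log(lines):
    """Return [(timestamp, src_ip, dst)] for well-formed SYN lines; skip anything else."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:  # malformed lines are ignored rather than aborting the whole run
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def triage(events, window_seconds=60, per_source_threshold=100, aggregate_threshold=500):
    """Find the busiest window and judge it on the AGGREGATE SYN count.

    The verdict deliberately does not depend on any single source exceeding a
    threshold, so a flood spread over many (or rotating) addresses is still caught.
    Returns: peak window start, aggregate SYNs in it, sources above the per-source
    threshold in it, and the flood verdict.
    """
    if not events:
        return {"peak_window_start": None, "aggregate": 0, "heavy_sources": [], "is_flood": False}
    events = sorted(events)
    window = timedelta(seconds=window_seconds)
    best_start, best_total, best_counts = None, 0, Counter()
    for i, (start, _, _) in enumerate(events):  # window anchored at each event (O(n^2), fine for triage)
        counts = Counter()
        for ts, src, _ in events[i:]:
            if ts - start >= window:
                break
            counts[src] += 1
        total = sum(counts.values())
        if total > best_total:
            best_start, best_total, best_counts = start, total, counts
    heavy = sorted(ip for ip, n in best_counts.items() if n > per_source_threshold)
    return {"peak_window_start": best_start, "aggregate": best_total,
            "heavy_sources": heavy, "is_flood": best_total > aggregate_threshold}


def simulate_per_ip_blocking(events, per_source_threshold=50):
    """Replay events in time order, blocking a source once it exceeds the threshold.

    Returns (blocked_sources, syns_that_still_reached_the_firewall).  Every new
    source gets `per_source_threshold` SYNs through before it is blocked, so an
    attacker who keeps adding sources keeps load on the firewall however long
    the block list grows; this is the behaviour the incident log describes.
    """
    seen, blocked, reached = Counter(), set(), 0
    for _, src, _ in sorted(events):
        if src in blocked:
            continue
        reached += 1
        seen[src] += 1
        if seen[src] > per_source_threshold:
            blocked.add(src)
    return sorted(blocked), reached


def make_sample_log():
    """Constructed sample (not real data): four attacking sources that each send
    200 SYNs in 20 s, starting 10 s apart, plus two ordinary clients sending
    three SYNs each, plus one malformed line.  All addresses are documentation ranges."""
    t0 = datetime(2024, 1, 1, 2, 26, 0)
    attackers = ["192.0.2.10", "192.0.2.11", "198.51.100.7", "198.51.100.8"]
    lines = []
    for k, ip in enumerate(attackers):
        for n in range(200):
            ts = t0 + timedelta(seconds=k * 10 + n * 0.1)
            lines.append(f"{ts.isoformat()} SYN src={ip} dst=203.0.113.5:443")
    for ip in ["203.0.113.40", "203.0.113.41"]:
        for n in range(3):
            ts = t0 + timedelta(seconds=10 * n + 1)
            lines.append(f"{ts.isoformat()} SYN src={ip} dst=203.0.113.5:443")
    lines.append("this line is not a SYN record and must be skipped")
    return lines


if __name__ == "__main__":
    evts = parse_syn_log(make_sample_log())
    print("triage:", triage(evts))
    print("per-IP blocking:", simulate_per_ip_blocking(evts))
```

Run as a script it prints the flood verdict for the constructed log and then the result of per-IP blocking: all four attacking sources end up on the block list, yet roughly a quarter of the attack SYNs still reached the firewall because each fresh source is unblocked until it crosses the threshold. That is the quantitative form of the "a new attacking IP appears" observation, and it is why the RCA's preventative measure is capacity in front of the firewall (upstream scrubbing) rather than a longer block list.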