Question

XYZ Technologies had a DDoS (Distributed Denial of Service) attack on their environment yesterday. Your deliverable will include reviewing the incident details document and creating an RCA (Root Cause Analysis) report based on this incident. Review the details of the incident below:

Incident Details: DDoS (Distributed Denial of Service) Attack

At 2:26 CST the internet-facing firewalls peaked at 100% CPU load. At this load level any additional connection was lost, so the corporate website and the IoT devices supported by this site appeared to lose connectivity. Initial investigation of the log data showed 1.25 million SYN requests from the following external IP addresses:

1.169.228.122, 5.254.97.84, 27.254.56.45, 37.48.80.165, 37.186.206.134, 41.32.37.226, 42.61.188.34, 103.213.45.145, 111.91.82.161, 151.233.52.209, 168.187.104.130, 186.167.1.54, 190.205.33.163, 213.184.112.102, 217.219.150.126

In the first 8 minutes, the following remediation techniques were used:

Addition of the attacking IP addresses to a global block list. Result: a new attacking IP appeared with the same number of SYN requests.

When the website was disabled, the SYN requests dropped to zero.

When the website was brought up in a new location, the SYN requests returned and brought down the protecting firewall.

Remediation:

After 8 minutes of complete downtime, a decision was made to disable the site in IIS until an appropriate solution could be implemented.

At 23 minutes, a recommendation was made to the support team to offload the SYN requests to a cloud-based firewall, Incapsula.

At 42 minutes the Incapsula solution was implemented on a 30-day free trial:

Setup of Incapsula Tool

Configuration of primary website within Incapsula

Configuration of DNS from original location to Incapsula

At 45 minutes the website was returned to functional status, by re-enabling the site in IIS.

Future State:

XYZ currently has only two websites with public-facing addresses. These two sites will be protected by the Incapsula tool to offload any future DDoS attempts.

After reviewing the incident above, create an RCA (Root Cause Analysis) report based on this incident. While your report is a technical document, rich in detail, it is your role as the cybersecurity professional to tailor this RCA to meet the expectations of the target audience of non-technical, executive leadership, and customers. Please be sure to address the following:

A breakdown of the incident details (Areas Affected, Dates, and Times).

Information on the root cause of the incident.

Specifics of how the incident was resolved, or if additional steps need to be taken to fully resolve the incident.

Preventative measures for future incidents.

Be sure to tailor this RCA so that it is rich in detail but does not rely on technical language to meet the expectations of the target audience of non-technical, executive leadership, and customers.
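The incident details describe the two findings a responder needs to establish for the root-cause section: that the traffic was a SYN flood (connection attempts that never complete the handshake, rather than real visitors) and that per-address blocking could not keep up because the attacker rotated to a fresh source with the same volume. The script below is an added example written for this page, not code from the question, from XYZ Technologies, or from Incapsula. It parses a constructed firewall log in an assumed key=value format, flags flood sources by their zero handshake-completion ratio, and then measures how much SYN traffic still arrives after the flagged addresses are blocked. The attacking addresses are the fifteen listed in the incident; the timestamps, volumes, the two legitimate client addresses and the replacement attacker address 192.0.2.99 are constructed for illustration.

```python
"""SYN-flood triage over firewall connection logs.

Added example: not code from the original question, from XYZ Technologies,
or from Incapsula. The log line format is an assumption (constructed,
iptables-style key=value fields); all traffic volumes and the non-attacker
addresses are constructed. The attacking sources are those listed in the
incident details.
"""
import re
from collections import defaultdict

ATTACKERS = [
    "1.169.228.122", "5.254.97.84", "27.254.56.45", "37.48.80.165",
    "37.186.206.134", "41.32.37.226", "42.61.188.34", "103.213.45.145",
    "111.91.82.161", "151.233.52.209", "168.187.104.130", "186.167.1.54",
    "190.205.33.163", "213.184.112.102", "217.219.150.126",
]
T0 = 1_700_000_000  # arbitrary epoch start of the constructed log

# Assumed line shape: "<epoch> SRC=<ip> DST=<ip> PROTO=TCP DPT=<port> FLAGS=<f1,f2>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=TCP DPT=(?P<dpt>\d+) FLAGS=(?P<flags>[A-Z,]+)$"
)

def parse_line(line):
    """Return the fields of one log line, or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["dpt"] = int(rec["dpt"])
    rec["flags"] = set(rec["flags"].split(","))
    return rec

def is_bare_syn(rec):
    """True for a connection attempt: SYN set, ACK clear."""
    return "SYN" in rec["flags"] and "ACK" not in rec["flags"]

def select_window(lines, start, end):
    """Lines whose timestamp falls in [start, end)."""
    return [ln for ln in lines if (r := parse_line(ln)) and start <= r["ts"] < end]

def per_source_stats(lines):
    """Per source: bare SYNs sent and ACK-bearing segments sent afterwards.
    A flood source shows many SYNs and no ACKs, because the attacker never
    finishes the three-way handshake."""
    stats = defaultdict(lambda: {"syn": 0, "ack": 0})
    for ln in lines:
        rec = parse_line(ln)
        if rec is None:
            continue
        if is_bare_syn(rec):
            stats[rec["src"]]["syn"] += 1
        elif "ACK" in rec["flags"] and "SYN" not in rec["flags"]:
            stats[rec["src"]]["ack"] += 1
    return dict(stats)

def flag_flood_sources(stats, min_syn=100, max_completion=0.05):
    """Sources with a high SYN count and a handshake-completion ratio near
    zero. Busy but legitimate clients still complete most handshakes, so
    they are not flagged."""
    flagged = [src for src, s in stats.items()
               if s["syn"] >= min_syn and s["ack"] / s["syn"] <= max_completion]
    return sorted(flagged, key=lambda ip: -stats[ip]["syn"])

def syn_volume_after_block(lines, blocked):
    """Bare SYNs that would still reach the firewall after dropping `blocked`
    sources. With a rotating attacker this number barely moves, which is the
    'new attacking IP appears with the same number of SYN requests' effect."""
    return sum(1 for ln in lines
               if (r := parse_line(ln)) and is_bare_syn(r) and r["src"] not in blocked)

def build_sample_log():
    """Constructed traffic, not captured data: in minute 1 each listed attacker
    sends 1,000 bare SYNs and two legitimate clients complete every handshake;
    in minute 2 one fresh (hypothetical) address takes over at the same volume."""
    dst = "DST=203.0.113.10 PROTO=TCP DPT=443"
    lines = []
    for i in range(1000):
        for ip in ATTACKERS:
            lines.append(f"{T0 + i % 60} SRC={ip} {dst} FLAGS=SYN")
    for ip in ("198.51.100.7", "198.51.100.8"):
        for i in range(20):
            lines.append(f"{T0 + i} SRC={ip} {dst} FLAGS=SYN")
            lines.append(f"{T0 + i} SRC={ip} {dst} FLAGS=ACK")
            lines.append(f"{T0 + i} SRC={ip} {dst} FLAGS=PSH,ACK")
    for i in range(15_000):
        lines.append(f"{T0 + 60 + i % 60} SRC=192.0.2.99 {dst} FLAGS=SYN")
    return lines

if __name__ == "__main__":
    log = build_sample_log()
    minute1 = select_window(log, T0, T0 + 60)
    flagged = flag_flood_sources(per_source_stats(minute1))
    print(f"minute 1: {len(flagged)} flood sources, "
          f"{syn_volume_after_block(minute1, set())} bare SYNs")
    minute2 = select_window(log, T0 + 60, T0 + 120)
    print(f"minute 2 with those sources blocked: "
          f"{syn_volume_after_block(minute2, set(flagged))} bare SYNs still arriving")
```

Run stand-alone, it flags the fifteen listed addresses from the first minute and then shows that blocking all of them removes none of the second minute's 15,000 SYNs, since they now come from the replacement address. That is the quantitative argument for the remediation the incident actually took: a blocklist reacts to yesterday's sources, whereas absorbing the half-open connections upstream (the cloud firewall) removes the load from the on-premises device regardless of which addresses send them.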
