CST610 Team3 Project Outline


Project 3, Team 3 Outline

Seven (7) Project Steps

1. Establish Roles
2. Assess Suspicious Activity
3. The Financial Sector
4. Law Enforcement
5. The Intelligence Community
6. Homeland Security
7. The SAR and AAR

Three (3) Project Deliverables

1. Security Assessment Report (SAR): This report should be a 14- to 15-page double-spaced
Word document with citations in APA format. The page count does not include figures,
diagrams, tables, or citations.
2. After Action Report (AAR): This report should be a 10- to 15-page double-spaced Word
document with citations in APA format. The page count does not include figures,
diagrams, tables, or citations.
3. Presentation: This should be a five- to eight-slide PowerPoint presentation for executives,
along with a narrated or in-class presentation, summarizing your SAR and AAR reports.

Step 1: Establish Roles

Team Roles
1. Bryan, a representative from the financial services sector, who has discovered the
network breach and the cyber-attacks. These attacks include distributed denial-of-service
(DDoS) attacks, web defacements, sensitive data exfiltration, and other attack vectors
typical of this nation-state actor.
2. Mikaal, a representative from law enforcement, who has provided additional evidence of
network attacks found using network defense tools.
3. Joe, a representative from the intelligence agency, who has identified the nation-state
actor from numerous public and government-provided threat intelligence reports. This
representative will provide threat intelligence on the tools, techniques, and procedures of
this nation-state actor.
4. Fernando, a representative from the Department of Homeland Security, who will provide
the risk, response, and recovery actions taken as a result of this cyber threat.

Step 2: Assess Suspicious Activity

All team members must apply network security skills by running port scans and network scanning tools
and by analyzing Wireshark capture files to assess any suspicious network activity and network vulnerabilities.

Step 3: The Financial Sector
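The assessment in Step 2 boils down to spotting the attack types named in Step 1 inside a capture. The following script, added here as an illustration and not part of the course material, triages a constructed packet summary (shaped like a Wireshark/tshark CSV export; the column layout, the symbolic TCP flag values, the 10.0.0.0/8 internal range and the thresholds are all assumptions) for port scanning, SYN-flood DDoS traffic and bulk outbound exfiltration:

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed packet summary in the shape of a tshark/Wireshark CSV export
# (source, destination, destination port, TCP flags, frame bytes). Values are made up.
SAMPLE_CSV = """src,dst,dport,flags,bytes
198.51.100.7,10.0.0.20,21,S,60
198.51.100.7,10.0.0.20,22,S,60
198.51.100.7,10.0.0.20,80,S,60
198.51.100.7,10.0.0.20,3389,S,60
203.0.113.11,10.0.0.80,80,S,60
203.0.113.12,10.0.0.80,80,S,60
203.0.113.13,10.0.0.80,80,S,60
203.0.113.14,10.0.0.80,80,S,60
10.0.0.33,192.0.2.200,443,PA,1500
10.0.0.33,192.0.2.200,443,PA,1500
10.0.0.33,192.0.2.200,443,PA,1500
10.0.0.40,10.0.0.20,445,PA,300
"""

INTERNAL_PREFIX = "10."   # assumption: the institution's address space is 10.0.0.0/8
SCAN_PORTS = 4            # distinct ports probed by one source on one host
FLOOD_SOURCES = 4         # distinct sources sending bare SYNs to one host
EXFIL_BYTES = 4000        # bytes from one internal host to one external peer


def triage(csv_text):
    """Return findings keyed by attack type; each value is a sorted list of hits."""
    ports = defaultdict(set)      # (src, dst) -> destination ports seen
    syn_srcs = defaultdict(set)   # dst -> sources that sent SYN-only packets
    outbound = defaultdict(int)   # (src, dst) -> bytes leaving the internal range
    for row in csv.DictReader(StringIO(csv_text)):
        src, dst = row["src"], row["dst"]
        ports[(src, dst)].add(row["dport"])
        if row["flags"] == "S":
            syn_srcs[dst].add(src)
        if src.startswith(INTERNAL_PREFIX) and not dst.startswith(INTERNAL_PREFIX):
            outbound[(src, dst)] += int(row["bytes"])
    return {
        "port_scan": sorted(k for k, v in ports.items() if len(v) >= SCAN_PORTS),
        "syn_flood": sorted(d for s in [syn_srcs] for d, v in s.items() if len(v) >= FLOOD_SOURCES),
        "exfiltration": sorted(k for k, b in outbound.items() if b >= EXFIL_BYTES),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_CSV).items():
        print(kind, hits)
```

Each finding names the actor and target pair (or the flooded host), which is the evidence the SAR and AAR need to tie observed traffic to the impact statements in Steps 3 through 6.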

Financial Sector
To be completed by the Financial Services Representative
Provide a description of the impact that the threat would have on the financial services sector.
These impact statements can include the loss of control of the systems, the loss of data integrity
or confidentiality, exfiltration of data, or something else. Also provide impact assessments as a
result of this security incident to the financial services sector. Ensure that the information is
appropriately cited.
To be completed by all team members
Provide submissions from the Information Sharing Analysis Councils related to the financial
sector. You can also propose fictitious submissions. Then, review the resource for industrial
control systems and explain their level of importance to the financial services sector. Explain
risks associated with the industrial control system. Ensure that the information is appropriately
cited.

Step 4: Law Enforcement

Law Enforcement
To be completed by the Law Enforcement Representative
Provide a description of the impact that the threat would have on the law enforcement sector.
These impact statements can include the loss of control of systems, the loss of data integrity or
confidentiality, exfiltration of data, or something else. Also provide impact assessments as a
result of this security incident to the law enforcement sector. Ensure that the information is
appropriately cited.

Step 5: The Intelligence Community

The Intelligence Community

To be completed by the Intelligence Community Representative
Provide intelligence on the nation-state actor and the actor's cyber tools, techniques, and procedures.
Use available threat reporting such as from FireEye, Mandiant, and other companies and government
entities that provide intelligence reports. Also, include the social engineering methods used by the
nation-state actor and their reasons for attacking US critical infrastructure. Include this information in
your SAR and AAR. Ensure that the information is appropriately cited.

To be completed by all team members

Provide an overview of the life cycle of a cyberthreat. Explain the different threat vectors that cyber
actors use and provide a list of nation-state actors that have previously targeted the US financial services
industry.

Review this threat response and recovery resource and use what you learn to propose an analytical
method in which you are able to detect the threat, identify the threat, and perform threat response and
recovery. Identify the stage of the cyberthreat life cycle where you would observe different threat
behaviors. Include ways to defend and protect against the threat. Provide this information in your SAR
and AAR. Ensure that the information is appropriately cited.

Step 6: Homeland Security

Homeland Security
To be completed by the Homeland Security Representative
Use US-CERT and similar resources to discuss the vulnerabilities and exploits that might
have been used by the attackers. Ensure that the information is appropriately cited.
Explore the resources for risk mitigation and provide the risk, response, and risk mitigation steps
that should be taken if an entity suffers the same type of attack.
To be completed by all team members
Provide a risk-threat matrix and a current state snapshot of the risk profile of the financial
services sector. These reports will be part of an overall risk assessment, which will be included in
your SAR and AAR. Ensure that the information is appropriately cited.
Review and refer to this risk assessment resource to aid you in developing this section of the
report.

Step 7: The SAR and AAR

The SAR and AAR

All team members
After you compile your research and your own critical assessments and analysis, determine which
information is appropriate for a Security Assessment Report (SAR) that will be submitted to the White
House, and for an After Action Report (AAR) that will be submitted to the rest of the analyst community.

Prepare your SAR for the White House Cyber National Security staff, describing the threat, the
motivations of the threat actor, the vulnerabilities that the threat actor could exploit, the
current and expected impact on US financial services critical infrastructure, the path forward to
eliminate or reduce the risks, and the actions taken to defend against and prevent this threat in the
future.

Prepare the AAR. This knowledge management report will be provided to the cyberthreat analyst
community, which includes the intelligence community, the law enforcement community, the defense
and civilian community, the private sector, and academia. The purpose of the AAR is to share the
systems life cycle methodology, rationale, and critical thinking used to resolve this cyber incident.
