
CSEC2002 CTI and IR Coursework Overview

There are several tasks to complete for the coursework. All tasks are linked to various lectures throughout the module. You are tasked to produce a report-style document that includes all coursework tasks, with the exception of the two timed coursework tasks.

Your report must include title and table of contents pages. Please supply a few lines of introductory text for each of the coursework tasks. 

The following task outputs are to be included in this CTI report.

•        Task 1: Attack Tree screenshot

•        Task 2: STIX Screenshot and accompanying code (code to be placed in appendix)

•        Task 3: WLG potential policies and selected completed policy 

•        Task 4: IR Maturity WLG Company Profile v2

•        Task 5: Screenshot of updated SIMv2 model showing ENISA Basic compliance

•        Task 6: Updated SIMv2 maturity assessment table

•        Task 7a: WLG v1 Infrastructure diagram screenshot

•        Task 7b: WLG v2 Infrastructure diagram screenshot

•        Task 8: Not included in this report

•        Task 9: Not included in this report

Please note – the order in which the tasks are presented in this document is not the same as the order in which you will do them in your practical sessions.

Task 1: Attack Tree Modelling 

This task was presented in week 10 session 2 practical. See the practical session for instructions.

Task 2: STIX

This task was presented in week 11 session 2 practical. See the practical session for instructions.

Task 3: WLG Policies

This task will be presented in a practical session associated with the IR part of the module.

IR Maturity – Improve Strengths and Weaknesses

You have been supplied with the WLG company profile. Internal staff have completed a SIMv2 self-assessment examining their current IR practices. WLG wish to improve their IR capabilities, as they will be bidding for European contracts in the future which require bidding companies to be at minimum ENISA Basic compliant. You are an external IR analyst who has been tasked to recommend improvements to WLG's IR processes, as well as other company procedures, so that they can be at minimum ENISA Basic compliant. You have been supplied with the following prepared documents.

•        Current WLG Company Profile v1

•        SIMv2 IR maturity assessment based on current WLG company profile

•        ENISA Basic mapping to current WLG company profile

•        SIMv2 table of results with self-assessed level and required ENISA Basic level

Use the link below to access the SIMv2 Self-Assessment Tool:

SIMv2

https://sim3check.opencsirt.org/#/

Examine the current WLG IR capability from the company profile and determine what needs to be improved and put in place to make the company ENISA Basic compliant. Use the table below for the specific IR maturity levels. Meeting ENISA Basic compliance requires a mix of maturity levels 2 and 3. You can, however, suggest level 4 improvements where you feel these would be best suited.

Rate WLG for:

•        Preparation

•        Detection & Analysis

•        Response (Containment/Eradication/Recovery)

•        Post-Incident Activity

Level                     | Description
--------------------------|--------------------------------------------------------------------------
0 – Non-Existent          | No IR capability or planning
1 – Ad Hoc                | Informal, inconsistent, individuals rely on improvisation
2 – Basic                 | Some processes documented but inconsistently applied
3 – Intermediate          | Repeatable processes, partially automated, roles defined
4 – Advanced / Optimised  | Proactive IR, regular exercises, integrated tooling, continuous improvement, measurable performance

Task 4: Update the WLGv1 Company Profile

Using the v1 WLG company profile as a template, update the areas of the v1 document that you feel would improve the current rating across the SIMv2 organisation, human, tools and processes parameters. You must identify the current practices and procedures and determine how these can be improved to meet each of the required ENISA Basic IR maturity levels.

You do not need to be highly technical; keep your recommendations at the strategic or operational level. For example, you could suggest the following:

P-9: Emergency Reachability Process

Current – Level 1 

• No evidence of emergency contacts (not defined in profile)

To move from level 1 to level 3 you might want to consider:

•        Operations run 24/6 – could include dedicated out-of-hours incident escalation

•        IT Operations Team – could include defined IR on-call responsibilities

In this example you do NOT need to define the incident escalation process or the on-call responsibilities themselves; these are examples of high-level (strategic / operational) recommendations. Specifics of defined IR on-call responsibilities would be tactical-level information.

Task 5: IR Maturity – Update SIMv2 model to show ENISA Basic Compliance

Produce an updated SIMv2 version using your recommendations from the WLGv2 company profile.


Task 6: IR Maturity – Updated SIMv2 Maturity Assessment Table 

Complete the blank table for the four SIMv2 parameters with the new level and your justification for this new level.

Coursework Hints

Recommend your improvements based on:

•        Organisational scale

•        Resource constraints

•        Cultural challenges

•        Technical environment

•        Third-party dependencies


Think about the IR Lifecycle and what needs to be improved

Preparation

Indicators:

•        IR policy updates

•        Playbooks

•        IR roles

•        Training frequency

•        Asset visibility

•        Backup governance

•        DR planning

Detection & Analysis

Indicators:

•        SIEM + logging completeness

•        EDR coverage

•        24/7 alerting

•        Triage workflows

•        Monitoring of critical systems

•        Alert-to-action maturity

Containment, Eradication, Recovery

Indicators:

•        Ability to isolate hosts

•        Privileged access management

•        Clear authority for emergency actions

•        Backup restore verification

•        Change-control flexibility

•        Recovery plan rehearsal

Post-Incident Activity

Indicators:

•        Lessons-learned cycle

•        Blameless review culture

•        Metrics for IR performance

•        Remediation tracking

•        Process refinement based on incidents

•        Stakeholder communication

Task 7a: WLG Infrastructure v1

This task is NOT attempted in a practical session; it is to be done in your own time. Use the WLGv1 company document and all other supporting information provided in the various other WLG-related practical sessions. Devise a possible infrastructure showing both IT and OT networks. You need to link devices together, but you DO NOT need to configure these devices or ensure device connectivity. You can ONLY use Cisco Packet Tracer to complete this task.

Task 7b: WLG Infrastructure v2

This task is NOT attempted in a practical session; it is to be done in your own time. Use your newly updated WLG company profile document and all other supporting information provided in the various other WLG-related practical sessions. Using your v1 infrastructure CPT diagram, devise a possible reconfiguration of the v1 infrastructure showing both IT and OT networks, ensuring that any failings in v1 have been addressed and mitigated. You need to link devices together, but you DO NOT need to configure these devices or ensure device connectivity. You can ONLY use Cisco Packet Tracer to complete this task.

Task 8: Timed Task 1

This task will be started and completed in an associated practical session. This task is NOT to be included in the coursework report; it will be marked separately.

Task 9: Timed Task 2

This task will be started and completed in an associated practical session. This task is NOT to be included in the coursework report; it will be marked separately.