TECH5100 Cyber Attack Analysis & Mitigation Report Assignment Solution
TECH5100
Cyber Attack Analysis and Mitigation Report
Student Name:
Student ID:
University Name:
Author’s Note:
Table of Contents
Introduction
Cyber-Incidents Discussion
  Data Breach Incident using Phishing Attack
  Ransomware Attack Exploiting Vulnerabilities
Potential Vulnerabilities
  Vulnerabilities causing data breach incident
  Vulnerabilities causing ransomware attack
Impact on Organization Systems
Recommended Countermeasures
Conclusion
References
Introduction
This report presents a detailed analysis of the cybersecurity vulnerabilities affecting a medium-sized organization. The organization operates an extensive network infrastructure that comprises hospital patient databases, medical records and administrative systems. Two recent cybersecurity incidents occurred in the organization: an external data breach and a ransomware attack. In the data breach, the attackers exploited vulnerabilities in the organization's network infrastructure and gained unauthorized access to the sensitive patient database (Hoffman, 2020, p.3). The ransomware attack targeted the vulnerable network infrastructure of the organization, which hosts several important files and systems, including the hospital patient databases and other administrative systems. The impact of these security incidents on the business operations of the organization is discussed in detail, along with recommended solutions.
Cyber-Incidents Discussion
Data Breach Incident using Phishing Attack
The external attackers used phishing emails in which they impersonated legitimate members of the organization, such as healthcare personnel and IT staff. The phishing emails carried infected attachments and links that, when opened, led to spoofed login pages designed to steal employees' login credentials and thereby gain unauthorized access to sensitive information. These are social-engineering tactics that exploit human nature and psychology to persuade recipients to open attachments or click links, leading to the theft of login credentials. The users were tricked by the attackers, which gave the attackers access to login credentials, email accounts and other systems (Argaw et al, 2020, p.3). The attack consisted of three phases: initial compromise, lateral movement and data exfiltration. An employee of the organization opened a malicious link and entered his login credentials on the spoofed login page. The attackers used the stolen credentials to move laterally across the organization's network infrastructure, which gave them access to the sensitive databases containing patient information. Finally, the retrieved data was exfiltrated from the compromised systems to external servers controlled by the attackers and sold on the dark web.
Figure 1: Visualization of Cybersecurity threats from 2020-2021
(Source: Hoffman, 2020, p.14)
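The three phases described above leave traces in ordinary authentication and network-flow logs, and each can be flagged with a simple rule. The following Python script is an added illustration for this report and is not code from any tool the organization uses; it runs over a few constructed log lines and reports which phase each line indicates. The key=value log format, the 10.0.0.0/8 corporate address range and the two thresholds are assumptions chosen for the example.

```python
"""Added example (not part of the report): flag the three attack phases the
report describes (initial compromise, lateral movement, exfiltration) from
constructed authentication and network-flow log lines.

Assumptions: a 'key=value' log format, one corporate IP range, and
thresholds chosen for illustration only."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

CORPORATE_NET = ip_network("10.0.0.0/8")          # assumption: the hospital LAN
LATERAL_HOST_THRESHOLD = 3                         # distinct hosts reached by one account
EXFIL_BYTES_THRESHOLD = 50 * 1024 * 1024           # 50 MiB outbound to a single external host

# Constructed sample logs (not real data). 't' is minutes since an arbitrary start.
SAMPLE_LOGS = """\
t=0 type=auth user=jsmith src=203.0.113.7 dst=mail01 result=success
t=5 type=auth user=jsmith src=10.1.1.20 dst=fileserv01 result=success
t=7 type=auth user=jsmith src=10.1.1.20 dst=db-patient01 result=success
t=9 type=auth user=jsmith src=10.1.1.20 dst=db-patient02 result=success
t=12 type=flow src=10.1.1.20 dst=198.51.100.9 bytes=73400320
t=1 type=auth user=alee src=10.1.2.31 dst=mail01 result=success
t=30 type=flow src=10.1.2.31 dst=10.1.0.5 bytes=204800
"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; the numeric fields become ints."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    for key in ("t", "bytes"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def analyse(log_text):
    """Return findings keyed by attack phase."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = {"initial_compromise": [], "lateral_movement": [], "exfiltration": []}
    hosts_per_user = defaultdict(set)

    for r in records:
        if r.get("type") == "auth" and r.get("result") == "success":
            # Phase 1: a successful login from outside the corporate range,
            # consistent with credentials captured on a spoofed login page.
            if ip_address(r["src"]) not in CORPORATE_NET:
                findings["initial_compromise"].append((r["user"], r["src"]))
            hosts_per_user[r["user"]].add(r["dst"])
        elif r.get("type") == "flow":
            # Phase 3: a large transfer from an internal host to an external one.
            if (ip_address(r["src"]) in CORPORATE_NET
                    and ip_address(r["dst"]) not in CORPORATE_NET
                    and r["bytes"] >= EXFIL_BYTES_THRESHOLD):
                findings["exfiltration"].append((r["src"], r["dst"], r["bytes"]))

    # Phase 2: one account authenticating to many distinct internal hosts.
    for user, hosts in hosts_per_user.items():
        if len(hosts) >= LATERAL_HOST_THRESHOLD:
            findings["lateral_movement"].append((user, sorted(hosts)))
    return findings


if __name__ == "__main__":
    for phase, hits in analyse(SAMPLE_LOGS).items():
        print(phase, hits)
```

In the sample data only the account jsmith trips all three rules: a login from an external address, logins to four internal hosts, and a 70 MiB transfer to an external server. The second account, alee, stays within normal bounds and produces no finding. In practice the thresholds would be tuned per environment and the rules fed by the IDS/IPS and traffic-monitoring systems recommended later in the report.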
Ransomware Attack Exploiting Vulnerabilities
The second cybersecurity incident in the organization was a ransomware attack that exploited vulnerabilities in the network infrastructure. The attackers exploited unpatched vulnerabilities in the network architecture, such as unpatched software or outdated operating systems on the data servers. They also gained access through vulnerable remote access services protected by weak credentials and through configuration errors in the network. The tactics used by the attackers began with pre-deployment reconnaissance, in which they identified potential targets and vulnerabilities in the organization's network infrastructure so that the entry points with the best chance of success could be determined. The attackers also used automated exploitation, in which specific tools and scripts scanned the network for vulnerable systems and exploited them, thereby maximizing the reach of the attack (Gioulekas et al, 2022, p.2). Their procedures included an initial compromise, in which access to the organization's network was gained through the exploitation of vulnerabilities or weak credentials, followed by dropping ransomware payloads on the systems. The ransomware encrypted critical files and systems to render them inaccessible to authorized users. The external attackers then demanded a ransom payment, in cryptocurrency, in exchange for the decryption key, under the threat of permanent data loss or exposure.
Figure 2: Ransomware Attack procedure
(Source: Wasserman and Wasserman, 2022, p.11)
Potential Vulnerabilities
This section discusses the potential vulnerabilities behind the two cybersecurity attacks. These are the weaknesses the attackers are likely to have exploited to carry out the attacks on the organization.
Vulnerabilities causing data breach incident
Lack of Strong Email Filtering Mechanism: Without a strong email filtering mechanism, the organization was less able to detect and block phishing emails carrying malicious attachments or links (Wasserman and Wasserman, 2022, p.5). A poor email-filtering mechanism means that phishing emails reach employees' inboxes, which increases the risk of compromise.
Poor Employee Training: It is possible that employees were not well trained to identify and respond to phishing emails. Without an understanding of the common indicators of phishing, employees are at very high risk of falling for such schemes and giving up sensitive information or credentials.
Weak Authentication Mechanisms: The authentication mechanisms used by the organization were weak, with no multi-factor authentication. The use of default passwords and weak credentials allowed the attackers to easily access critical systems or services. Such weak authentication increases the probability of credential theft through phishing and gives an attacker unauthorized access to sensitive data.
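The first of the three weaknesses above, the missing email filter, can be addressed with rules that check the traits of the phishing emails described in this report: a sender impersonating staff from a lookalike domain, a link whose visible text differs from its real target, a request for credentials pointing outside the organization, and an executable attachment. The following Python script is an added illustration for this report, not code from any mail gateway product; it scores two constructed messages and returns a triage verdict. The mail domain hospital.example, the message field names and the scoring thresholds are assumptions made for the example.

```python
"""Added example (not the report's own code): a heuristic phishing scorer for
the weaknesses listed above: missing email filtering, untrained users and
credential theft via spoofed login pages. It scores already-parsed messages
and returns a triage verdict for the mail gateway.

Assumptions: the organization's mail domain is 'hospital.example', messages
are dicts with the fields shown below, and all thresholds are illustrative."""
from urllib.parse import urlparse

ORG_DOMAIN = "hospital.example"                                   # assumption
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk"}
CREDENTIAL_WORDS = ("verify your account", "password", "login", "sign in")
STAFF_ROLES = ("it support", "helpdesk", "administrator", "dr.")

# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"from_display": "IT Support", "from_addr": "helpdesk@hospita1.example",
     "subject": "Password expiry notice",
     "body": "Please verify your account within 24 hours using the portal link.",
     "links": [("portal.hospital.example", "https://hospital-login.example.net/auth")],
     "attachments": ["Policy_Update.pdf.exe"]},
    {"from_display": "Radiology Scheduling", "from_addr": "scheduling@hospital.example",
     "subject": "Rota for next week", "body": "The rota is attached.",
     "links": [], "attachments": ["rota.pdf"]},
]


def within_one_edit(a, b):
    """True when a and b differ by at most one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i += 1
        j += 1
    return edits + (len(b) - j) <= 1


def link_text_domain(text):
    """Return the hostname if the visible link text looks like a URL or domain, else None."""
    t = text.strip()
    if "." not in t or " " in t:
        return None
    return (urlparse(t if "://" in t else "http://" + t).hostname or "").lower() or None


def score_message(msg):
    """Return (score, reasons); each reason is one phishing indicator found."""
    reasons = []
    sender_domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    if sender_domain != ORG_DOMAIN:
        if within_one_edit(sender_domain, ORG_DOMAIN):
            reasons.append(f"lookalike sender domain {sender_domain}")
        elif any(role in msg["from_display"].lower() for role in STAFF_ROLES):
            reasons.append("internal role claimed from an external address")
    asks_for_credentials = any(w in msg["body"].lower() for w in CREDENTIAL_WORDS)
    for text, href in msg["links"]:
        href_domain = (urlparse(href).hostname or "").lower()
        shown = link_text_domain(text)
        if shown and shown != href_domain:
            reasons.append(f"link text shows {shown} but points to {href_domain}")
        internal = href_domain == ORG_DOMAIN or href_domain.endswith("." + ORG_DOMAIN)
        if asks_for_credentials and not internal:
            reasons.append(f"credential prompt pointing at {href_domain}")
    for name in msg["attachments"]:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment type {name}")
    return len(reasons), reasons


def triage(msg):
    """Map the score to a gateway action: quarantine, flag for the user, or deliver."""
    score, reasons = score_message(msg)
    verdict = "quarantine" if score >= 2 else "flag" if score == 1 else "deliver"
    return verdict, reasons


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", triage(m))
```

The first constructed message collects four indicators and is quarantined; the second, an ordinary internal message with a PDF attachment, scores zero and is delivered. The "flag" verdict in between is where the employee training recommended later in the report pays off, since the user sees a warning banner rather than a silently dropped message.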
Vulnerabilities causing ransomware attack
Unpatched Software: The software installed on the organization's systems, such as the operating system or other applications, might have had known vulnerabilities that were left unpatched. Attackers use such vulnerabilities to gain a foothold on the network and deploy ransomware payloads.
Poor Remote Access Controls: Remote access services such as RDP or VPN might have been configured in a way that exposed them to brute-force or credential-stuffing attacks. Attackers take advantage of weak remote access controls to gain unauthorized entry into the network and deploy ransomware.
Lack of Network Segmentation: The organization's network infrastructure may have lacked proper network segmentation, allowing the ransomware to spread across the network and infect critical systems and data (Bhuyan et al, 2020, p.8). The ransomware moves laterally, encrypts the important databases and information assets, and damages the organization.
Impact on Organization Systems
The impact of the cybersecurity incidents on the various aspects of the organization's business processes (systems, networks and applications) is summarized below for each incident.
Phishing-Driven Data Breach Incident
  Systems: Compromised systems (malware infection, performance issues, disruption); data loss or corruption (access to patient data, corruption of records); disrupted operations (system shutdowns, impact on patient care).
  Networks: Spread of malware (rapid infection of other systems); increased network traffic (surge in traffic due to data exfiltration).
  Applications: Compromised functionality (application disruptions, unauthorized access); access controls bypassed (exploitation of compromised apps for unauthorized access) (Kelly et al, 2023, p.6).
Ransomware Attack Exploiting Vulnerabilities
  Systems: Encrypted files and systems (inaccessible files, system disruption); data loss or corruption (loss of data integrity, permanent loss) (Tully et al, 2020, p.4); downtime and productivity loss (operational disruptions, financial impact).
  Networks: Rapid spread of ransomware (fast propagation through vulnerabilities); network congestion (slowdowns due to encryption and communication).
  Applications: Application unavailability (critical app inaccessibility, service disruption); data integrity compromised (loss of data integrity, affecting reliability).
Recommended Countermeasures
To mitigate the security risks related to the two cybersecurity incidents discussed in the previous sections, the organization should implement the following countermeasures and defense strategies.
Security Awareness Training: To prevent phishing attacks and data breaches, employees should receive regular cybersecurity training that covers the phishing tactics commonly used by external attackers.
Email Filtering: A secure email filtering system based on automated technologies and efficient machine learning algorithms should be implemented to detect phishing emails and block malicious attachments sent through email.
Multi-Factor Authentication: Multi-factor authentication mechanisms can be implemented to provide an extra layer of security when accessing sensitive information systems and patient databases (Dobalian, 2020, p.11). This helps to prevent unauthorized access attempts made by external attackers through exploitation of security vulnerabilities.
Network Security: The security of the network infrastructure should be enhanced by implementing network traffic monitoring systems, IDS/IPS and firewalls. These security measures will help to create a much stronger network architecture for the organization.
Endpoint Security: Endpoint security measures such as antivirus software, firewalls and secure VPNs should be deployed, along with proper network segmentation, to detect and block malware infections on the endpoints.
Patch Management: A comprehensive patch management process should be implemented and maintained for all software and systems to fix known vulnerabilities and thereby reduce the surface exposed to external attacks.
Backup and Recovery: Backups of the most critical systems and data should be taken on a regular basis and stored in a remote and secure location so that they can be recovered in the event of a ransomware attack.
Principle of Least Privilege: Applying the least privilege principle to access rights and privileges will enhance the security of the organization, since only authorized personnel will be able to access the sensitive databases.
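Several of the countermeasures above (network segmentation, backup and recovery, patch management, least privilege) only help if the encryption phase of a ransomware attack is noticed quickly. The Python script below is an added illustration for this report, not code from any product; it watches a constructed file-server audit trail for the burst of renames that mass encryption produces and then lists the containment and recovery steps that correspond to the countermeasures in this section. The audit-line format, the ransom-note filenames and the thresholds are assumptions made for the example.

```python
"""Added example (not part of the report): an early-warning check for the
ransomware behaviour described in the report (mass encryption of files on
shared servers), run over constructed file-server audit events, together
with the response steps that map onto the countermeasures in this section.

Assumptions: audit lines have the form 'timestamp user host op path [newpath]',
the ransom-note filenames are constructed, and thresholds are illustrative."""
from collections import defaultdict, deque
import os

WINDOW_SECONDS = 60
MIN_FILES_IN_WINDOW = 20          # distinct files touched by one user@host in the window
MIN_DIRECTORIES = 3               # spread over several folders, unlike a single batch job
APPEND_RATIO = 0.8                # share of events that append a new extension to a file
NOTE_NAMES = {"readme_decrypt.txt", "how_to_restore.txt"}   # constructed names


def build_sample_events():
    """Constructed audit trail: a normal user plus a burst renaming files to .locked."""
    t = 1000
    events = [f"{t + i} alee ws-12 write /shares/radiology/report_{i}.docx" for i in range(5)]
    for i in range(40):
        d = ("billing", "hr", "records", "imaging")[i % 4]
        events.append(f"{t + 10 + i} jsmith fs-01 rename "
                      f"/shares/{d}/file_{i}.xlsx /shares/{d}/file_{i}.xlsx.locked")
    events.append(f"{t + 55} jsmith fs-01 write /shares/records/README_DECRYPT.txt")
    return events


def parse_event(line):
    parts = line.split()
    return {"ts": int(parts[0]), "user": parts[1], "host": parts[2], "op": parts[3],
            "src": parts[4], "dst": parts[5] if len(parts) > 5 else None}


def appends_extension(e):
    """A rename that keeps the whole original name and adds a suffix (a.xlsx -> a.xlsx.locked)."""
    return e["op"] == "rename" and e["dst"] is not None and e["dst"].startswith(e["src"] + ".")


def is_ransom_note(e):
    return e["op"] == "write" and os.path.basename(e["src"]).lower() in NOTE_NAMES


def detect(lines):
    """Return one alert per user@host whose activity crosses the encryption-burst thresholds."""
    by_actor = defaultdict(list)
    for e in map(parse_event, lines):
        by_actor[(e["user"], e["host"])].append(e)
    alerts = []
    for (user, host), events in by_actor.items():
        events.sort(key=lambda e: e["ts"])
        window, detected_at = deque(), None
        for e in events:
            window.append(e)
            while window[0]["ts"] < e["ts"] - WINDOW_SECONDS:   # slide the window
                window.popleft()
            files = {w["src"] for w in window}
            dirs = {os.path.dirname(w["src"]) for w in window}
            ratio = sum(appends_extension(w) for w in window) / len(window)
            if (detected_at is None and len(files) >= MIN_FILES_IN_WINDOW
                    and len(dirs) >= MIN_DIRECTORIES and ratio >= APPEND_RATIO):
                detected_at = e["ts"]           # first moment the burst is visible
        if detected_at is not None:
            alerts.append({"user": user, "host": host, "detected_at": detected_at,
                           "files_total": len({e["src"] for e in events}),
                           "ransom_note": any(is_ransom_note(e) for e in events)})
    return alerts


def response_plan(alert):
    """Containment and recovery steps matching the countermeasures in this section."""
    steps = [f"isolate host {alert['host']} within its network segment",
             f"disable account {alert['user']} and revoke its active sessions",
             "restore affected shares from the offline backup copy",
             "verify patch level and remote-access configuration of the host"]
    if alert["ransom_note"]:
        steps.append("preserve the ransom note and encrypted samples for incident response")
    return steps


if __name__ == "__main__":
    for a in detect(build_sample_events()):
        print(a)
        for step in response_plan(a):
            print("  -", step)
```

With the constructed trail the burst from jsmith on fs-01 is detected at the twentieth rename, 19 seconds after it starts, while the five ordinary writes from alee raise nothing. Detection this early is what makes the segmentation and backup countermeasures effective: the host can be cut off before the ransomware reaches other segments, and only a small number of files need restoring.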
Conclusion
This report has provided a detailed discussion of the cybersecurity incidents that occurred in the medium-sized organization. The two incidents, a data breach and a ransomware attack, have been analyzed along with the techniques, tactics and procedures used in each. The impact of these incidents on the organization's systems, network infrastructure and applications has been analyzed in detail. Finally, recommendations and mitigation strategies for the identified attacks have been provided. These include implementing a secure email filtering system to block phishing emails, using multi-factor authentication and conducting cybersecurity awareness programmes. To secure the network infrastructure, the use of firewalls, network traffic monitoring, IDS/IPS and endpoint security measures has been suggested.
References
Argaw, S. T., Troncoso-Pastoriza, J. R., Lacey, D., Florin, M. V., Calcavecchia, F., Anderson, D., … & Flahault, A. (2020). Cybersecurity of hospitals: discussing the challenges and working towards mitigating the risks. BMC Medical Informatics and Decision Making, vol. 20, pp. 1-10. Viewed on 2 May 2024, https://link.springer.com/content/pdf/10.1186/s12911-020-01161-7.pdf
Bhuyan, S. S., Kabir, U. Y., Escareno, J. M., Ector, K., Palakodeti, S., Wyant, D., … & Dobalian, A. (2020). Transforming healthcare cybersecurity from reactive to proactive: current status and future recommendations. Journal of Medical Systems, vol. 44, pp. 1-9. Viewed on 2 May 2024, https://www.researchgate.net/profile/Satish-Kedia/publication/340383312_Transforming_Healthcare_Cybersecurity_from_Reactive_to_Proactive_Current_Status_and_Future_Recommendations/links/5eb185f192851cb267745b21/Transforming-Healthcare-Cybersecurity-from-Reactive-to-Proactive-Current-Status-and-Future-Recommendations.pdf
Gioulekas, F., Stamatiadis, E., Tzikas, A., Gounaris, K., Georgiadou, A., Michalitsi-Psarrou, A., … & Ntanos, C. (2022, February). A cybersecurity culture survey targeting healthcare critical infrastructures. Healthcare, vol. 10, no. 2, p. 327. MDPI. Viewed on 2 May 2024, https://www.mdpi.com/2227-9032/10/2/327/pdf
Hoffman, S. A. E. (2020). Cybersecurity threats in healthcare organizations: exposing vulnerabilities in the healthcare information infrastructure. World Libraries, vol. 24, no. 1. Viewed on 2 May 2024, https://worldlibraries.dom.edu/index.php/worldlib/article/download/588/678
Kelly, B., Quinn, C., Lawlor, A., Killeen, R., & Burrell, J. (2023). Cybersecurity in healthcare. Trends of Artificial Intelligence and Big Data for E-Health, pp. 213-231. Viewed on 2 May 2024, https://link.springer.com/content/pdf/10.1007/s00330-023-09860-1.pdf
Tully, J., Selzer, J., Phillips, J. P., O'Connor, P., & Dameff, C. (2020). Healthcare challenges in the era of cybersecurity. Health Security, vol. 18, no. 3, pp. 228-231. Viewed on 2 May 2024, https://azbioethicsnetwork.org/sites/default/files/webinar/documents/hs.2019.0123.pdf
Wasserman, L., & Wasserman, Y. (2022). Hospital cybersecurity risks and gaps: review (for the non-cyber professional). Frontiers in Digital Health, vol. 4, no. 862221. Viewed on 2 May 2024, https://www.frontiersin.org/journals/digital-health/articles/10.3389/fdgth.2022.862221/full