Module 06 Content
- XYZ Technologies had a DDoS (Distributed Denial of Service) attack to their environment yesterday. Your deliverable will include reviewing the incident details document and create a RCA (Root Cause Analysis) report based on this incident. Review the details of the incident below:
Incident Details: DDoS (Distributed Denial of Service) Attack
At 2:26 CST the internet facing firewalls peaked at 100% CPU load. This load level caused any additional connection to be lost, giving the appearance that the corporate website and connectivity to the other IoT devices supported by this site to lose connectivity. Initial investigation of the log data showed 1.25 million syn requests by the following external IP addresses:
1.169.228.122, 5.254.97.84, 27.254.56.45, 37.48.80.165, 37.186.206.134, 41.32.37.226, 42.61.188.34, 103.213.45.145, 111.91.82.161, 151.233.52.209, 168.187.104.130, 186.167.1.54, 190.205.33.163, 213.184.112.102, 217.219.150.126
In the first 8 minutes, the following remediation techniques were used:- The addition of attacking IP addresses to a global block list. Result, a new attacking IP appears with the same number of syn requests.
- When the website is disabled, the syn requests drop to zero.
- When the website is brought up in a new location, the syn requests return, and bring down the protecting firewall.
- Remediation:
After 8 minutes of complete down-time, a decision was made to disable the site in IIS until an appropriate solution could be implemented.
At 23 minutes, a recommendation was made to the support team to offload the syn requests to a cloud-based firewall, called incapsula.
At 42 minutes Incapsula implemented solution with a 30-day free trial. - Setup of Incapsula Tool
- Configuration of primary website within Incapsula
- Configuration of DNS from original location to Incapsula
- At 45 minutes the website was returned to functional status, by re-enabling the site in IIS.
Future State:
XYZ currently has only 2 websites with public facing addresses. These two sites will be protected by the incapsula tool to offload any future DDoS attempts.
- Root Cause Analysis (RCA) Report
After reviewing the incident above, create a RCA (Root Cause Analysis) report based on this incident. While your report is a technical document, rich in detail, it is your role as the cybersecurity professional to tailor this RCA to meet the expectations of the target audience of non-technical, executive leadership, and customers. Please be sure to address the following:- A breakdown of the incident details (Areas Affected, Dates, and Times).
- Information on the root cause of the incident.
- Specifics of how the incident was resolved, or if additional steps need to be taken to fully resolve the incident.
- Preventative measures for future incidents.
- Be sure to tailor this RCA so that it is rich in detail but does not rely on technical language to meet the expectations of the target audience of non-technical, executive leadership, and customers.
- Your report should use professional tone and vocabulary, APA format, and proper spelling and grammar.
- Submit your completed assignment by following the directions linked below. Please check the Course Calendar for specific due dates.
Save your assignment as a Microsoft Word document. (Mac users, please remember to append the “.docx” extensions to the filenames.) The name of the file should be your first initial and last name, followed by an underscore and the name of the assignment, and an underscore and the date. An example is shown below:
Jstudent_exampleproblem_101504