Exercise and Team Overview
Background
The Federal Government of the United States is the United States’ national government made up of 50 states. The U.S. federal government runs under three distinct branches, including the executive, the judicial, and legislative branches. The federal government’s role is to ensure all federal systems are protected against cybercrimes. The federal government also protects the nation’s critical infrastructure and individual’s sensitive data and privacy against existing cyberthreats. Federal agencies and United States critical infrastructure, such as communication, energy, financial services, and transportation systems, highly depend on Information Technology (I.T.) systems for operations and processing of essential information. However, in the past decade, cyberthreats targeting federal government agencies and the nation’s critical infrastructure have increased, making the federal government tighten security and safety regulations at federal agencies and the nation’s critical infrastructure. The federal government is also on a constant search and development of cybersecurity systems to provide more advanced and sophisticated cybersecurity to its agencies, the nation’s critical infrastructure and citizens’ data and privacy. The federal government also aims to prioritize national research and development investments regarding cybersecurity by updating the National Critical Infrastructure Security and Resilience Research and Development Plan to set priorities for addressing the nation’s critical infrastructure’s security risks. The federal government expects to ensure all departments and agencies align their investments to the priorities that focus on approaches of building new cybersecurity systems that use emerging technologies, enhance information-sharing and management of risks related to cross-sector interdependencies, and building resilience to long scale disruptions.
Exercise Goal
• To increase cybersecurity, react and respond procedures by responding to cyber-attacks targeting federal government agencies and the nation’s critical infrastructure.
Scenario and Adversary
• An extremist hacker group has carried out an attack to undermine the public confidence in the federal government’s ability to provide public safety and security by causing disruption on the intelligent transport system (ITS). The attack targeted connected vehicles, which are equipped with internet access and are connected with wireless Local Area Network, allowing the vehicles to share access to the internet with devices in the vehicle or outside the vehicle. The attack also targeted autonomous vehicles, which are more advanced and can sense the environment and navigate without human input through technological features, such as LIDAR, GPS, RADAR, and stereoscope cameras (Trend Micro, 2017). The hackers used the Distributed Denial of Service attack and the false information attack to disrupt the vehicle’s movement. The attack intended to bring vehicles to a stop and to redirect other vehicles towards wrong road lanes so that the traffic flow can stop (D.C. Velocity, 2019). The federal government, through the transportation sector, managed to stop the attack. The federal government recommended all companies that manufacture internet-connected vehicles to take measures to protect the vehicles against cyber threats. A program to compensate the individuals who were affected by the attack was launched.
• Three police stations computers were infected by WannaCry ransomware. More than 500 computers were reported to have been infected by the WannaCry, affecting the police stations’ ability to operate due to system failure as a result of a Trojan attack. The hackers utilized the system’s vulnerability and exploited a Server Message Block (SMB) vulnerability to spread and infect some unpatched systems. The attackers demanded a ransom of $400 that was to be paid in bitcoins for decryption. Failure to pay the ransom would have seen all the decrypted files on the systems deleted and sensitive data released to the public. As a result, all the systems were properly patched, and older versions of Windows were replaced. Strict firewall rules were also put in place by the federal government to prevent intrusions.
Sectors
The team’s efforts were successful in preventing hackers’ full access to government systems. Their actions were based on assigned decisions to each team member. The following were the relevant sectors that each decision could have an effect on.
• Financial
• Security Index
• Downtime
• Profitability (Surplus)
Introduction to Sector Risks
Threat Risk Rating Likelihood Impact
Nation States Extreme Risk will occur Extreme
Insider Threat High Risk will likely occur High
Criminal Gangs Medium Risk will likely occur Medium

The table above summarizes our Risk profile analysis. The Nation-State Attacker Risk is the most significant threat to federal government agencies and the nation’s critical infrastructure. Nation-State attackers specialize in targeting government agencies, national critical infrastructure and industries known to poses sensitive data and property. The main motive of Nation-State hackers’ best on the current events is to steal a national intellectual property in order to gain a competitive advantage in various sectors. Nations-sponsored attackers look for data that can benefit their country in terms of economy and strengthen their military and business strategies. Not only do the attackers look for data, but they can also cause a devastating impact on the nation’s security and its critical infrastructure. The attacks can result in the shutting down of critical infrastructures, such as energy, military contractors, transportation, and government operations, affecting millions of citizens (O’Malley, 2020). Typically, National State attackers are highly skilled, well funded and deploy sophisticated techniques to conduct the attacks. The position of the United States federal government in the world makes a target of government-sponsored attacks, which justifies the high likelihood of the Nation-State occurring with an extreme impact on the nation.
The Insider Threats rating is but is not as likely as the Nation-State attacker risk. The insider threat’s likelihood is rated as “Will likely occur,” with the high impact expected. Insider threat occurs when an employee or a person with access, such as a contractor, uses their authorized access, either willingly or unwillingly, to harm the nation’s cybersecurity. Insider threats are difficult to detect and prevent, posing a high risk to the federal agencies’ data and information and the nation’s critical infrastructure (Homeland Security, 2020). What motivates insider threat is the value of data in the federal agencies and nation’s critical infrastructure that has a wide variety of interested parties, such as financial instructions, media, corporations, terrorist groups, enemy nations, and other parties that can utilize the data for financial gain, political leverage, or competitive business advantage. The insider threat against the federal government will likely occur since most federal agencies lack proper response plan to insider threats and others have insider threat program that is immature as the concentration is normally focused on outside threats.
Criminal Gang risk is considered a medium-level risk since it is likely that the federal government’s information and data would be highly valuable to criminal gangs. The attack is rated as medium because most criminal gangs specifically target a certain federal agency or critical infrastructure, but the attack could still affect national security. Criminal gangs risk involves highly skilled hacking teams well funded and controlled by organized criminal gangs. The motive behind the criminal gang’s risk is mainly to generate revenue for the gangs through various attack schemes, such as phishing, ransomware, and drive-by-download. National governments can also contract criminal gang hacking groups for political cyberattacks, such as fraud and espionage targeting the federal government.
Cyber Security Team
The federal government dispatched a team to coordinate the responses to the two incidents. The coordination team was composed of the Chief Risk Officer, Forensic Investigator, Chief Information Security Officer, and Magic hat.
Team Sectors
The five sectors represented in ELITE are Avisitel Telecommunications, the Federal Government, Hytema Consulting, DTL Power, and Mistral Bank. Your team has been assigned a sector responsibility in ELITE and should already be working on an overview of specific cybersecurity challenges in your sector, as instructed in previous steps. Just as you have provided information on your sector in previous steps, you should have begun reading about the challenges faced by all the other sectors in the ELITE Industries Sharing discussion. Hopefully, you are making notes about similarities, cybersecurity challenges faced by all industries, and a list of things unique to each sector. You need to be thinking about the possible ways your sector decisions may affect other sectors and also ways your sector might collaborate with others. The challenge of ELITE preparation is getting to know the other business entities in the ELITE. Remember, ELITE is about represented industries against the “bad guys” to protect the infrastructure of the United States—not a team vs. team competition.
ELITE Rounds
Round 1:
Cyber Event
Round one consisted of three cyber events; the first cyber event was a sabotage attack, the second was an insider attack, and the third was a malware attack by a criminal hacker for ransom. The sabotage attack, which is nation-state sponsored have a critical level of impact on the target. The sabotage attack aimed at disrupting the transportation sector through wireless hacking. The probability of when the sabotage attack could occur is normally low, considering the wide range of infrastructure or organization the attack can target. The sabotage attack can cause an adverse impact on the infrastructure, depending on how deep the attack was conducted.
The insider attacks are high risks events that can cause devastating impacts. Since most organizations focus on outside attacks, predicting and defending against insider attacks has been difficult. Insider attacks can access the database and still sensitive information that can harm the organization and the government (Jin, 2012). Insider attacks are normally launched by malicious users entrusted with authorized access to the system.
Malware attack involves the use of malicious software that is injected into the system. The event can have a major effect on the organization, while the worst can have a mild impact. The malware attacks considered to have an adverse impact on the organization include ransomware, which blocks the victim access to the system and demands a ransom by threatening to delete the data on the system or publish it public (Melnick, 2020). Another malware attack is a Trojan, which enables the attackers to create a back door to the system to access the data or launch other types of attack. Trojans have the ability to cause a system failure.
Outcome
The outcome of the attack saw the Global National Security Index affected due to the downtime impact. The security team worked hard to minimize the downtime to reduce the impact on the Global National Security Index, which was successfully accomplished. Minimizing downtime was essential, considering its relationship with finance spends. The move to tighten the security poster saw the profitability being affected due to the downtime’s impact on the revenue. However, the decision made to minimize downtime enables the security team to increase the index points related to downtime. The loss of revenue due to money spend to tighten the security poster resulted in the team losing a few Cross-Team Impact points. The security team’s main focus is to make better financial decisions to improve profitability, which will improve the team’s reputation.
Round 2:
Cyber Events
In Round 2, two forms of attack were used. They included the WannaCry and SQL injection. WannaCry is crypto-ransomware utilized by cybercriminals to encrypt the valuable data on the computer or lock the user of the computer access. The attack targets Windows computers by utilizing the vulnerability in the operating system (Kaspersky, 2020). WannaCry incorporates various components, including an application that can encrypt and decrypt data, files containing encryption keys, and a copy of Tor. The attack vector targets the vulnerability in Windows’ Server Message Block (SMB) protocol, which executes various nodes on a network communicate, allowing the possibility of packets containing WannaCry into executing arbitrary code. Hackers normally target outdated or unpatched windows to execute WannaCry. Once the attack vector is executed, it tries to access the hard-coded URL and encrypted files, making them inaccessible to the victim (Fruhlinger, 2018). The attackers then demand a ransom to be paid through cryptocurrency, making it impossible to tress. WannaCry has a devastating impact on the organization if the ransom is not paid as valuable data could be deleted or sensitive information released to the public domain.
Structured Question Assignment Language (SQL) injection is a network-based attack that involves SQL Question Assignment being executed to the database via an input data-plane to a server to run predefined SQL commands. The execution of SQL injection can enable the attacker to have access to the database. The attacker access to the database means they can modify the data, execute commands to the operating system, and execute administration operations (Melnick, 2020). A successful SQL injection attack can enable attackers to affect the infrastructure’s functioning connected to the system, causing significant impact.
Outcome
For the Global National Security Index, the parameter that had the greatest impact is the amount of spending allocated to enhancing the cyber defense. The option of increasing financial spending ratings is by utilizing the available talents instead of spending more on defense. Since the security poster had to be tightened, the profitability was affected by dropping down to -2 points in the second round, which also saw the cross-team impact dropping to -2 points. Based on the result, smarter decisions were to be made to ensure profit is achieved, which will result in a higher cross-team impact. The decision made in this round saw the Index points of the security team decreasing by -2, which was an improvement considering the first round Index point’s decrease of -10. Also, the second round’s decisions improved the security team’s reputation despite the continuity of cyber-attacks. Better decisions in this round enabled the downtime to remain stable. In the final round, the security team plans to decrease spending while still executing smart decisions to tackle problems at hand, which will help solve the reputation issue. The security team plans to focus on developing a plan that will enable them to utilize their expertise to decrease spending, which will increase profits.
Round 3:
Cyber Events
Two cyber events were held in round three, a social engineering attack and a password attack. The social engineering attack is a minor threat that usually involves a range of malicious activities executed through human interactions. The attackers use psychological manipulation to trick their target into making security mistakes or providing sensitive information that can be utilized to access systems. Social engineering’s general goal is to make the user provide login information that they can use to access the account of the user connected to the system or the system directly (Lord, 2019). Two types of social engineering attacks were recorded. They included scareware, where the target is bombarded with fictitious security threats or false alarms to deceive the user into thinking the system is infected with malware, which prompts the user to install a software containing malware. The second social engineering attack technique was pretexting. Pretexting involves the attacker impersonating trust personnel to obtain sensitive information.
Password attack is commonly used, although it may be hard to execute, considering the password protection mechanisms and policy in place, the attack still holds a possibility of a significant impact when successfully executed. Access to the user password can be conducted through various techniques, including sniffing the network connection for an unencrypted password, using social engineering, and brute-force password guessing.
Outcome
There were no changes recorded in round three concerning events dealing with Global National Security Index, direct contributors, and indirect contributors. However, when considering the overall summary of the three rounds of the security team, profitability had the greatest impact as it directly affects the team’s Cross-Team impact. The impact of profitability resulted from the financial spending that the team had to conduct to tighten the security poster. The other factor that affected profitability is the complications of dealing with cyberattacks that saw the security team losing money. The downtime remained stable in this round, with the team not losing any points, resulting in positive index points. Reputation remained as it was in the second round, which indicated how difficult it is to mitigate constant attacks.
Lessons Learned
The security team expected various things to happen based on the decisions made. Some of the expectations include eliminating the downtime issue, which was expected since the team decided to implement security measures that would ensure the system remains running even during an attack. The decision to eliminate downtime was also to ensure the business operation continue to provide revenue required by the organization. Another expectation based on the security team’s decisions was the security breaches were not successful by tightening the security poster. The security also expected to incur financial expenditure to put in place measures to eliminate downtime and tighten the security poster. The reason for the expectation was that the security team had an understanding of what the priority was. In this case, it was security over profitability.
Based on the results, the security team made various adjustments to their cyber defenses. The decision to utilize its professionals as much as possible to develop and come up with strategies that can be implemented to ensure the existing cyber defense is capable of protecting the systems against the attacks. The other adjustment that the team implemented on the cybersecurity defenses was establishing a compressive cybersecurity strategy and performing effective oversight. Critical actions implemented concerning the adjustment included utilizing technologies that can tighten the security poster. The technologies utilized included the installation of firewalls to control incoming and outgoing traffic; installation of anti-malware software that scan the system to detect, block, or remove various types of malware attack including Trojans, ransomware, rootkits, worms, and viruses. Breach Detection Systems (BDS) was also installed by the team to ensure targeted attacks and sophisticated threats designed to steal information from the system, especially those that might be compromised, are detected in time. The BDS could also analyze network traffic patterns to detect and identify malicious domains. The other technology implemented was the patch management software for physical and virtual. Patch management software is an auto-update system that ensures the endpoints, remote computers, and servers remain updated with the latest security patches and software.
The security team was able to learn various concepts regarding interrelationships in cybersecurity. The team learned key components of cybersecurity and how they related to each other. The team learned that cybersecurity mainly targets the data, with the confidential data being the most targeted. The cybersecurity breaches’ ability to be executed relies on how the data is stored, processed or communicated by or to assets, including networks, software, websites, devices, and people. The team also learned that threat actors, such as nation-state and crime gangs, deploy threats via the assets or targeting the assets to access the data. The team learned that the most effective controls against the threats are applied to assets with others directly to the data (Galinec et al. 2017). The other important interrelationship in cybersecurity that was a learning point to the security team is the controls’ deployment. The team learned that some controls are deployed to specific threats, such as encryption of assets to protect against a specific threat. Where else, other controls were deployed to offer protection against multiple threats. For instance, conducting software patching would offer protection against espionage, crimeware, and web app attacks. For the attacks to be successful where controls have been deployed, the threats find ways of exploiting vulnerabilities in the controls to access the data. However, the deployment of the right controls to the right assets with effective implementation relative to the threat level is conducted; the organization will be able to defend the assets against threats. The failure of implementing the right controls effectively creates a vulnerability that is exploited by the threats, and the data breach will likely occur.
The security team was also able to learn various inherent challenges in cyber defense as opposed to cyberattacks. Cyber defense involves mechanisms that focus on preventing, detecting, and offering timely responses to cyberattacks to ensure data or infrastructure is not tempered with. The increase in volume and complexity of cyberattacks has created challenges in executing the cyber defense processes. Some of the challenges in cyber defense have remained inherent. These inherent challenges as opposed to cyberattacks include collaboration, which has been a key advantage of cybercriminals. Cyberattacks are contacted collaboratively, as attackers work together by sharing information and knowledge of exploits and collaborating in the development of new hacking techniques. However, collaboration among cyber defense has long been a challenge. Security vendors engage in competition best on their products rather than collaborating towards the development of robust and sophisticated cybersecurity products. Government and industry have shown less co-operation between them regarding cyber defense, and organizations have remained afraid of sharing information or reporting having been breached or hacked for fearing the economic impact on their business or share price. Therefore, to eliminate the challenge and improve cyber defense, free sharing of information among organizations, cybersecurity experts, government agencies, and security software vendors is crucial (ACS, 2016). Another inherent challenge in cyber defense, as opposed to cyberattacks, is the existence of legal and regulatory. The cyber attackers do not operate within the legal framework, allowing them to freely share information regardless of privacy limitation in the normal cybersecurity world. In contrast, the legal and regulatory limitations, especially concerning information sharing, have created a cyber defense challenge. Privacy regulations have made it impossible for some of the cyber defense mechanisms to be implemented. Therefore, for the challenge to be bypassed, laws and regulations should be reviewed to facilitate better communication, information sharing, and collaboration for enhancing cyber defense processes.
The team faced challenges that were presented by business vs. technical decision making. The team struggled to determine what aspect of security to sacrifice in order to increase our profits, considering the profits were an essential aspect of the business. The team learned that it had to make a priority choice regarding business vs. technical since it was difficult to prioritize both business and technical decisions simultaneously. The team’s impression regarding the challenge was prioritizing technical as the risks of cyberattacks, and the impacts they could cause will affect the business and its reputation. Therefore, the team’s decisions were more based on the technical side than the organization’s business side.
Overall, the team learned that it had to develop mechanisms that can both support the technical side and the business’s business side. With the team unable to deal with the profitability issue, it is possible it would lack enough funds in the future to support the implementation of security mechanisms coasting them reputation, security, and profitability.

References
ACS. (2016). Cybersecurity: Threats, Challenges, and Opportunities.
DC Velocity. (2019). Cyber attacks targeted transportation sector in third quarter, report finds. Retrieved from https://www.dcvelocity.com/articles/44155-cyber-attacks-targeted-transportation-sector-in-third-quarter-report-finds
Fruhlinger, J. (2018). What is WannaCry ransomware, how does it infect, and who was responsible? CSO. Retrieved from https://www.csoonline.com/article/3227906/what-is-wannacry-ransomware-how-does-it-infect-and-who-was-responsible.html
Galinec, D, Možnik, D., & Guberina, B. (2017) Cybersecurity and cyber defence: national level strategic approach. Automatika, 58:3, 273-286, DOI: 10.1080/00051144.2017.1407022
Homeland Security. (2020). Insider Threat. Retrieved from https://www.dhs.gov/science-and-technology/cybersecurity-insider-threat
Jin, X., Kant, K., and Zhang, N. (2012). Handbook on Securing Cyber-Physical Critical Infrastructure. Elsevier Inc. https://doi.org/10.1016/C2011-0-04434-4
Kaspersky. (2020). What is WannaCry ransomware? Retrieved from https://www.kaspersky.com/resource-center/threats/ransomware-wannacry
Lord, N. (2019). Social Engineering Attacks: Common Techniques & How to Prevent an Attack. Digital Guardian. Retrieved from https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack
Melnick, J. (2020). Most Common Types of Cyber Attacks. Netrix. Retrieved from https://blog.netwrix.com/2018/05/15/top-10-most-common-types-of-cyber-attacks/
National Cyber Strategy. (2018). National Cyber Strategy of the United States of America. Retrieved from https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf
O’Malley, M. (2020). Concerned about Nation State Cyberattacks? Here’s how to Protect Your Organization. Security Magazine. Retrieved from https://www.securitymagazine.com/articles/91889-concerned-about-nation-state-cyberattacks-heres-how-to-protect-your-organization#:~:text=Nation%2Dstate%20cyberwarfare%20hackers%20target,key%20business%20and%20military%20strategies.
Trend Micro. (2017). Cyberattacks Against Intelligent Transportation Systems: Assessing Future Threats to ITS. Retrieved from https://documents.trendmicro.com/assets/white_papers/wp-cyberattacks-against-intelligent-transportation-systems.pdf

Published by
Essays
View all posts