ASSESSING CYBERCRIME INCIDENTS: POINTS TO CONSIDER

HE-2: Hacktivist Attack – the Epluribus Enum (page 19)

Confidentiality,because personal details of two executives were obtained and shared.

Integrity, because one of the companies websites appeared defaced. State the main
cause or causes of the incident.

The website had been targeted by hacktivists. The initial breach was made through a
social engineering attack, with a threat actor posing as company staff. Identify the real
or potential damage of the incident.

The immediate damage was the defacement of a company site. There had been DDoS
attempts; one of these could have been successful in the future. Individuals whose
information was obtained were at risk for personal attacks or fraud.

HE-3: Partner Misuse – the Indignant Mole (page 24)

Confidentiality, since client accounts had been accessed.

Integrity, because account payments had been misdirected. State the main cause or
causes of the incident.

A call center employee used photos of system screens to capture information. Using
that data, the employee’s cousin would create a fraudulent account. Identify the real or
potential damage of the incident.

Refunds had been sidetracked to fraudulent accounts. This could have continued,
leading to more losses.

HE-4: Disgruntled Employee – the Absolute Zero (page 29)

Integrity, as the employee used his administrative access to take over accounts.
Confidentiality,by downloading company information. State the main cause or causes of
the incident.

The disgruntled employee used his access to steal files and set delete commands for
future dates. Investigators also found a USB plug extension that was sending keyboard
input to a Romanian server (unrelated to the employee’s actions). Identify the real or
potential damage of the incident.

Both threats were discovered before real damage to occur. The information stolen by
the employee, as well as the future commands he set in systems, could have caused
major disruptions to the business. Information gained through the key logger could
have provided information of another threat agent to get into the company’s system
and cause different kinds of harm, depending on their motivation.

CD-3: IoT Calamity – the Panda Monium (page 46)

Availability, since the overloaded system was slowing down all activity on campus. State
the main cause or causes of the incident.

An unknown actor set up a botnet causing the many IoT devices on campus to flood the
server with requests. Identify the real or potential damage of the incident.

The immediate problem was slow internet service for users. The attacker could have
potentially begun directly affecting lights, heating systems, and other connected
systems on campus.

CE-2: DDoS attack – the 12000 Monkeyz (page 61)

Availability, trying to launch a DDoS targeted toward busy times. State the main cause
or causes of the incident.

The attacker was using several types of attacks aimed at routers running old firmware
with UPnP enabled; odds were that many of these were “NYP’d” (not yet patched).
Identify the real or potential damage of the incident.

The attack was discovered before the problem got too bad. If it the DDoS hit as
planned, the company faced the potential of angry customers and possibly lost
customers, as well as a public relations problem. This could cause long-term losses of
business and reputation.

A threat agent—or threat actor—is anything that can possibly damage or disrupt the
system’s ability to perform as it needs to. This isn’t limited to malicious actors like
hackers.