Summary
You are going to develop an Incident Response Plan (IRP) using the four phases we explored
during the lecture. The IRP will be based on a student registration system. You’ll also learn
about chain of custody and audit trail documents.
Activities
In this task, you will build a threat model that is tailored to the following system:
It’s a simple student registration system where Applicants provide their information to the
system and Tutors select students from applicant records to move to Student records (i.e.,
the applicant is accepted as a student).
First, you need to perform a STRIDE threat analysis on this system. As a quick reminder, STRIDE
is a failure-oriented threat modelling approach that focuses on six main themes:
1. Spoofing: someone is attempting to gain access using a fake identity.
2. Tampering: unauthorised change to data.
To help you with the modelling, remember the security objectives you want to achieve for
this system:
2. Risk Assessment
After finishing the threat modelling, you need to perform a qualitative risk assessment of
the system by filling in the matrix below. If you don’t remember qualitative risk assessment,
please refer to last week’s lab sheet.
There are no right or wrong answers regarding the risks. You might, for example, choose spoofing
as the highest-priority risk to address because it is more likely and has a major impact.
You need to identify at least three risks to the system and prioritise them.
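As an added example (not part of this lab sheet), the following Python script sketches a STRIDE threat list for the student registration system and ranks it with a three-level qualitative risk matrix. The threats, the likelihood and impact ratings, and the matrix thresholds are all assumptions chosen for illustration; your own answers may differ, and that is fine.

```python
"""Added example: STRIDE threats for the student registration system,
scored with a qualitative likelihood x impact matrix and prioritised.
Every threat and rating below is a constructed assumption."""
from dataclasses import dataclass

# Ordinal scores for the three-level qualitative scales (assumed).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Threat:
    stride: str        # STRIDE category
    target: str        # element of the system under threat
    description: str   # what the attacker does
    objective: str     # security objective that would be violated
    likelihood: str    # low / medium / high
    impact: str        # low / medium / high


def risk_rating(likelihood: str, impact: str) -> str:
    """Qualitative matrix: product of the ordinal scores.
    1-2 -> low, 3-4 -> medium, 6-9 -> high (assumed thresholds)."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


# Constructed threat model: one candidate threat per STRIDE category.
THREATS = [
    Threat("Spoofing", "Tutor login",
           "Attacker logs in with a tutor's stolen credentials",
           "authentication", "medium", "high"),
    Threat("Tampering", "Applicant records",
           "Applicant edits the grade field on their own record",
           "integrity", "high", "high"),
    Threat("Repudiation", "Acceptance decision",
           "Tutor denies having accepted an applicant",
           "non-repudiation", "low", "medium"),
    Threat("Information disclosure", "Applicant records",
           "Applicant personal data exposed to other applicants",
           "confidentiality", "medium", "high"),
    Threat("Denial of service", "Registration front end",
           "Submission flood at the application deadline",
           "availability", "medium", "medium"),
    Threat("Elevation of privilege", "Role check",
           "Applicant account obtains tutor rights",
           "authorisation", "low", "high"),
]


def prioritised(threats):
    """Rank by risk rating, then impact, then likelihood (highest first).
    sorted() is stable, so equal keys keep their listed order."""
    def key(t):
        return (LEVELS[risk_rating(t.likelihood, t.impact)],
                LEVELS[t.impact], LEVELS[t.likelihood])
    return sorted(threats, key=key, reverse=True)


def top_risks(threats, n=3):
    """The lab asks for at least three prioritised risks: return the top n."""
    return [(t.stride, risk_rating(t.likelihood, t.impact))
            for t in prioritised(threats)[:n]]


if __name__ == "__main__":
    for rank, t in enumerate(prioritised(THREATS), 1):
        rating = risk_rating(t.likelihood, t.impact)
        print(f"{rank}. [{rating:6}] {t.stride}: {t.description} "
              f"(violates {t.objective})")
```

The ranking key deliberately breaks ties on impact before likelihood, so a rare but severe threat outranks a common but minor one with the same rating; document whichever tie-break rule you choose in your own matrix.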
3. IRP Development
Now, you should prepare your IRP through the following phases:
• Preparation. In this phase, you already performed a risk assessment to assess the risks to
the student registration system, ranked them by importance and defined a prioritisation
mechanism. Now, you need a communication plan to specify how incidents should be
reported and to whom.
• Detection & Analysis. You should identify a valid set of indicators to detect an incident.
How would you record the incident? Does it need to be prioritised? Does it have a
devastating impact? Should you deal with it later (e.g., within 24 hours) or immediately?
Once done, you should choose the highest ranked risk and focus your IRP on it.
• Containment, Eradication, and Recovery. Here, you need to determine how to contain
the highest-ranked incident and stop it. Based on your analysis, how can you eradicate
the threat (e.g., remove the breached user account from the system)? How can you
recover the system to its normal operations?
• Post-Incident Investigation. In this phase, once the incident is over, you need to have
procedures to take any digital evidence from the student registration system in a
forensically sound manner. This is important in order to pursue any necessary legal action in
court against the attackers (if any).
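To make the Detection &amp; Analysis phase concrete, here is an added example (not part of this lab sheet) of three indicator checks run over constructed log lines from the registration system, each producing an incident record with a STRIDE category, a priority and a response deadline. The log format, the failed-login threshold and the priority policy are assumptions chosen for illustration.

```python
"""Added example: indicator checks for the Detection & Analysis phase,
run over constructed log lines of the student registration system.
Log format, thresholds and the priority policy are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one event per line as key=value fields.
SAMPLE_LOG = """\
2024-03-01T09:00:01 user=tutor_ali role=tutor action=login result=fail ip=10.0.0.5
2024-03-01T09:00:05 user=tutor_ali role=tutor action=login result=fail ip=10.0.0.5
2024-03-01T09:00:09 user=tutor_ali role=tutor action=login result=fail ip=10.0.0.5
2024-03-01T09:00:12 user=tutor_ali role=tutor action=login result=fail ip=10.0.0.5
2024-03-01T09:00:15 user=tutor_ali role=tutor action=login result=fail ip=10.0.0.5
2024-03-01T09:00:20 user=tutor_ali role=tutor action=login result=ok ip=10.0.0.5
2024-03-01T09:05:00 user=app_42 role=applicant action=update_record record=app_42 field=grade
2024-03-01T09:06:00 user=app_42 role=applicant action=accept_applicant record=app_42
2024-03-01T09:10:00 user=tutor_bob role=tutor action=accept_applicant record=app_17
"""

# Fields only tutors may change (assumed), and how fast each priority
# must be handled: immediately, or within 24 hours as the lab suggests.
PROTECTED_FIELDS = {"grade", "status"}
PRIORITY = {"immediate": timedelta(0), "24h": timedelta(hours=24)}


def parse(line):
    """Turn 'timestamp k=v k=v ...' into a dict with a datetime 'time'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.fromisoformat(ts)
    return event


def record_incident(event, line, indicator, stride, priority):
    """The incident record the plan would keep: what was seen, when,
    which STRIDE category, how urgent, and the raw evidence line."""
    return {
        "detected": event["time"].isoformat(),
        "indicator": indicator,
        "stride": stride,
        "priority": priority,
        "respond_by": (event["time"] + PRIORITY[priority]).isoformat(),
        "user": event["user"],
        "evidence": line,
    }


def detect(log_text, fail_threshold=5, window=timedelta(minutes=5)):
    incidents = []
    fails = defaultdict(list)   # per-account failed-login timestamps
    for line in log_text.splitlines():
        e = parse(line)
        # Indicator 1: burst of failed logins on one account (possible spoofing).
        if e.get("action") == "login" and e.get("result") == "fail":
            fails[e["user"]].append(e["time"])
            recent = [t for t in fails[e["user"]] if e["time"] - t <= window]
            fails[e["user"]] = recent
            if len(recent) == fail_threshold:   # fire once when the threshold is hit
                incidents.append(record_incident(
                    e, line, "repeated failed logins", "Spoofing", "24h"))
        # Indicator 2: a non-tutor changes a protected field (tampering).
        if (e.get("action") == "update_record" and e.get("role") != "tutor"
                and e.get("field") in PROTECTED_FIELDS):
            incidents.append(record_incident(
                e, line, "non-tutor changed a protected field", "Tampering", "immediate"))
        # Indicator 3: an acceptance decision by an account without the tutor role.
        if e.get("action") == "accept_applicant" and e.get("role") != "tutor":
            incidents.append(record_incident(
                e, line, "acceptance by non-tutor", "Elevation of privilege", "immediate"))
    return incidents


def triage(incidents):
    """Most urgent first, so the highest-ranked incident gets the IRP's focus."""
    return sorted(incidents, key=lambda i: PRIORITY[i["priority"]])


if __name__ == "__main__":
    for inc in triage(detect(SAMPLE_LOG)):
        print(f"{inc['priority']:9} {inc['stride']:22} {inc['indicator']} "
              f"(respond by {inc['respond_by']})")
```

Notice that the successful login after five failures is not itself an indicator here; the burst before it is. In your own plan, decide explicitly which patterns are indicators, who receives the record, and which deadline each priority carries.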
Have a look at this IRP from the University of Connecticut to get an idea of what I’m expecting
you to do: https://security.uconn.edu/incident-response-plan/
You also need to read this document to have a better understanding of the IRP development
process: https://www.ncsc.gov.uk/collection/incident-management/cyber-incident-response-processes
4. Chain of Custody
This document represents the paper trail of evidence, detailing the custody, control, transfer
and analysis of any evidence. Failure to keep a chain of custody can wreck your chances of
using the evidence in court, whether it’s digital or physical, because how can you prove it
hasn’t been tampered with?
If you can’t 1) explain who has had access to the evidence, 2) explain why and when they had
access to the evidence, and 3) explain where the evidence has been at all times, you can’t
use it in court.
You can find more information here and retrieve a chain of custody form example to use in
your IRP: https://www.andreafortuna.org/2018/04/09/digital-forensic-the-chain-of-custody/
The IRP you develop for the student registration system above should refer to filling in
this chain of custody form.
5. Audit Trail
An audit trail is a record of all processes applied to electronic evidence. Its purpose is
to ensure that an independent third party is able to examine those processes and achieve
the same results. This means that *any* activity or process should be recorded clearly and
carefully. This is important as part of incident response planning.
As you can see, every step is very clear. The audit trail records all the necessary information.
It also dictates the process to be followed, allowing more consistency and making it easier
for other people to follow. Of course, the process will normally have been tried and
tested.
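The chain of custody and audit trail sections above describe two records that belong together, so here is one added example (not part of this lab sheet and not the form linked above) of both for a single piece of digital evidence, a constructed export of applicant records. Each custody entry answers who, when, why and where; each audit entry records the hash of a processing step's input and output, so an independent party can rerun the step and check they get the same result. The evidence content, names, times and the `normalise_records` processing step are all constructed assumptions.

```python
"""Added example: chain of custody plus audit trail for one evidence item,
with SHA-256 hashes so integrity and reproducibility can be checked.
Evidence bytes, names and times are constructed."""
import hashlib
import json
from datetime import datetime, timezone


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed evidence: an export of applicant records taken from the system.
EVIDENCE = b"app_42,Alice,grade=72\napp_17,Bob,grade=65\n"


def normalise_records(data: bytes) -> bytes:
    """Example processing step applied to the evidence: sort the records.
    It is deterministic, so a third party rerunning it must get the same output."""
    return b"".join(sorted(data.splitlines(keepends=True)))


class EvidenceRecord:
    def __init__(self, evidence_id, description, data, collected_by, location, when):
        self.evidence_id = evidence_id
        self.description = description
        self.original_hash = sha256(data)  # acquisition hash, fixed at collection
        self.custody = []   # chain of custody: who held it, where, why and when
        self.audit = []     # audit trail: every process applied to the evidence
        self.transfer(collected_by, location, "acquisition", when)

    def transfer(self, holder, location, reason, when):
        """One custody entry: who, where, why, when."""
        self.custody.append({"holder": holder, "location": location,
                             "reason": reason, "time": when.isoformat()})

    def process(self, operator, tool, step, data_in, data_out, when):
        """One audit entry: the step plus hashes of its input and output."""
        self.audit.append({"operator": operator, "tool": tool, "step": step,
                           "input_sha256": sha256(data_in),
                           "output_sha256": sha256(data_out),
                           "time": when.isoformat()})

    def verify_copy(self, data: bytes) -> bool:
        """Before analysis or court: a working copy must match the acquisition hash."""
        return sha256(data) == self.original_hash

    def chain_is_complete(self) -> bool:
        """Custody must be chronological with every field filled in."""
        times = [e["time"] for e in self.custody]
        fields_ok = all(all(e.values()) for e in self.custody)
        return fields_ok and times == sorted(times)

    def reproduce(self, step_index, rerun, data_in: bytes) -> bool:
        """Independent re-examination: rerun a recorded step and compare hashes."""
        entry = self.audit[step_index]
        return (sha256(data_in) == entry["input_sha256"]
                and sha256(rerun(data_in)) == entry["output_sha256"])

    def to_json(self) -> str:
        return json.dumps({"evidence_id": self.evidence_id,
                           "description": self.description,
                           "original_sha256": self.original_hash,
                           "chain_of_custody": self.custody,
                           "audit_trail": self.audit}, indent=2)


def build_example():
    """Constructed history: collected, handed to an examiner, processed, returned."""
    def t(h, m):
        return datetime(2024, 3, 1, h, m, tzinfo=timezone.utc)
    rec = EvidenceRecord("EV-001", "applicant records export", EVIDENCE,
                         "A. Analyst", "IT office evidence safe", t(10, 0))
    rec.transfer("B. Examiner", "forensics lab", "analysis", t(11, 30))
    rec.process("B. Examiner", "normalise_records", "sort records",
                EVIDENCE, normalise_records(EVIDENCE), t(12, 0))
    rec.transfer("A. Analyst", "IT office evidence safe", "storage after analysis", t(14, 0))
    return rec


if __name__ == "__main__":
    rec = build_example()
    print(rec.to_json())
    print("copy intact:", rec.verify_copy(EVIDENCE))
    print("chain complete:", rec.chain_is_complete())
    print("step reproducible:", rec.reproduce(0, normalise_records, EVIDENCE))
```

The two checks at the end are the ones a court or an independent examiner cares about: `verify_copy` fails if a single byte of the evidence changed since acquisition, and `reproduce` fails if a rerun of a recorded step does not give the recorded output, which is exactly what the audit trail exists to demonstrate.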
Now you have all the tools you need to create your IRP :) Once you’re done, please show
your work to your tutor. If you have any questions, just ask!