Cybersecurity Policy and Baseline Analysis Report
Abstract
The Five Eyes (FVEY) is an alliance between five countries: the United States, the United Kingdom, Australia, New Zealand, and Canada. Its aim is to share and analyze signals intelligence between the partner countries. While the relationship between the countries has been harmonious, recent developments show signs of increasing tension between the partners. This paper provides an analysis of the cybersecurity policies of the countries and performs a baseline analysis to identify some of the principal factors contributing to the tensions.
The analysis identifies the similarities, as well as the differences between the countries in terms of collecting and analyzing intelligence data. With the advancements in information technology, there are increasing vulnerabilities in cyberspace, which has resulted in the establishment of varied initiatives to facilitate the capacity of the countries to respond to the related risks. The Global Cybersecurity Agenda established by the International Telecommunications Union (ITU) created the foundations for this and other similar cooperation.
It is essential to maintain active cyber threat intelligence to ensure successful incident response and intrusion evaluation. The global cybersecurity environment is complex and requires all the FVEY partners to establish an understanding of the intersection between law and cyberspace. The legal contentions relate to how the partners can integrate current regulations that were developed in and for different situations. It is concluded that cybersecurity attack vectors are changing fast and that a quick response is needed.
Contents
Abstract
Cyber Policy Matrix
Transnational Legal Compliance Report
International Standards Report
Attribution Report
Network Security Checklist
System Security Risk Vulnerability Report
Forensic Analysis Report
Chain of Custody Form
Environmental Review and Analysis
Tables and Figures
Background
This introduction should relate the background of the project, including a statement of the scenario and goals of the project. In one or two paragraphs, analyze the principles of warfare that lay the groundwork for cyber warfare theory and application.
Cyber Policy Report: the culmination of your policy research, this report should provide your CISO with an understanding of the managerial, technical, and regulatory positions of the FVEY nations attending the summit. The cyber policy report comprises the following material developed by you and your teammates throughout the project.
Cyber Policy Matrix
FinalCyberPolicyMatrix (1).xlsx
Transnational Legal Compliance Report
The Five Eyes (FVEY) is a coalition between five countries: the United States, United Kingdom, Australia, Canada, and New Zealand. The purpose of this alliance is to share and analyze signals intelligence between the countries. A nation's huge amount of data is stored in databases which, in the wrong hands, can be used to manipulate or exploit specific groups or individuals (Talbott et al., 2018).
For an extended period, these five countries have been working harmoniously, but of late they have been showing signs of stress with each other. Cyber incident records have increased significantly over the years, revealing numerous privacy concerns. Every nation has developed its own approach to frameworks and strategies, but similarities and differences can still be found between them (Talbott et al., 2018).
Similarities
All the countries (United States, United Kingdom, Australia, Canada, and New Zealand) have a special agency to manage geospatial intelligence. Every country has an agency that analyzes gathered intelligence for use across the government. New Zealand and Australia are remarkably similar in terms of parliamentary and independent oversight mechanisms for their intelligence agencies.
Australia, Canada, the United Kingdom, and New Zealand have ministries that are responsible for each country's intelligence community; ultimately, the Prime Minister leads the national security system. In the United States, by contrast, the President leads national security matters (Talbott et al., 2018).
Differences
Australia has a broad national assessment agency, with six bureaus making up its defense community: geospatial, foreign, signals, and security intelligence. There is no specific agency that gathers foreign intelligence for Canada, nor even a national law enforcement agency. The same is the case for New Zealand. Only three agencies make up New Zealand's intelligence community: Security, Signals Intelligence, and National Assessments (Barker et al., 2017).
The United Kingdom has "three core agencies responsible for security intelligence, foreign intelligence, and signals intelligence that form part of the broader 'national intelligence machinery', which includes Defense Intelligence and the Joint Intelligence Committee" (Barker et al., 2017). Seventeen entities compose the intelligence community of the United States. These include signals, defense, drug, security, financial, diplomatic, energy, and foreign intelligence.
Analysis and Conclusion
Cybersecurity training programs are offered by the United States, the United Kingdom, and Australia, though procedures differ vastly between these countries. Both Australia and New Zealand have development programs that support the cyber workforce. Canada and Australia have similar guidelines on handling classified information and transfer processes, most of which are consistent with the Tallinn Manual 2.0.
Tension between the nations will never go away, but it can be lessened. Every country has its own unique characteristics that call for a framework suited to its structure, history, and culture. Still, each country has managed to create checks and balances to ensure that the intelligence gathered is controlled without exploitation. Recent times have presented new predicaments that challenge the current rules and guidelines. The best plan of action is to evolve and find ways to improve standard practices while learning from the experience of other countries (Barker et al., 2017).
International Standards Report
In the face of modern advancements in information technology, cyberspace and the technological platforms that enable it facilitate international cooperation in an era of globalization and internationalization. Although cooperation in cyberspace brings benefits in sharing information and intelligence, some companies can exploit vulnerabilities in the IT networks of other nations. To enhance cooperation in cyberspace, several initiatives have been put in place to protect participants and enhance integrity, trust, and confidence in the cloud. These measures assure the free and protected flow of information and give countries the ability to respond to increasingly serious risks while enhancing risk-based approaches (Kiener, 2019).
Global Cybersecurity Agenda
The International Telecommunications Union (ITU) is a United Nations agency charged with ensuring that the international community works together towards consensus on a wide range of issues affecting the ICT sector, and hence international cooperation (Kiener, 2019).
The ITU came up with the Global Cybersecurity Agenda, which is focused on strengthening international cooperation to foster confidence and security in cyberspace. To achieve this, the Global Cybersecurity Agenda promotes key strategic pillars covering legal, technical, organizational, capacity-building, and cooperation needs (Kiener, 2019).
The Budapest Convention on Cybercrime
Another initiative, adopted by 66 countries, is the Budapest Convention on Cybercrime (PGA, 2022). The Budapest Convention is a vital guideline for countries trying to develop proactive, comprehensive national legislation against cybercrime. It is also a reliable framework for international cooperation between States that subscribe to the provisions of the convention. In response to the evolving cybersecurity environment, the First Additional Protocol, concerning the criminalization of acts of a racist and xenophobic nature committed through computer systems, was established. In recognition of the urgent need to cover modern developments in cyberspace, it is imperative that a Second Additional Protocol be adopted to support enhanced international cooperation in sharing information, secrets, and intelligence, and in enhancing the integrity of information in the cloud (Fromiti, 2018).
Another possible initiative for cooperation in international cyberspace is Mutual Legal Assistance (MLA), which supports the need of States to solicit and share information that can help advance justice (Fromiti, 2018). MLA also assists nations in sharing information that supports States in combating terrorism and, more importantly, cyberterrorism. Although the law is not modern enough to address the demands of the digital world, MLA still supports significant international cooperation. This initiative can be used to support the sharing of intelligence during the meeting (Fromiti, 2018).
Methods and Techniques:
Results:
This section is a presentation of the collected information and data analysis. Relevant tables and figures should be included. All deliverables within the project should be discussed.
Appendices
Security Baseline Report: This is a comprehensive analysis of networks, tools, threats, and vulnerabilities surrounding this event. The report comprises three reports: Attribution Report, Network Security Checklist, and System Security Risk Vulnerability Assessment Report. The following materials are developed by you and your teammates throughout the project.
Attribution Report
Active cyber threat intelligence is required for successful cyber incident response and intrusion investigations. It is critical to obtain correct information on threat actors and their methodologies and to communicate this knowledge to allies in order to remediate cyber-attacks properly and avoid future ones. IP addresses are considered useful intelligence in any cyber security activity, so it is critical to collect as much information about them as possible. As the number and frequency of cyber-attacks have grown in recent years, the corporate sector and governments have spent heavily on obtaining and disseminating accurate and timely information on attackers (Lord, 2020).
A big cyber-attack might be considerably minimized or averted entirely if this information is collected and disseminated in a timely way. The purpose of incident response teams is usually to identify accurate Indicators of Compromise (IOCs). IOCs are "pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network." They aid information security and IT professionals in detecting data breaches, malware infections, or other threat activity. By monitoring for IOCs, organizations can detect attacks and act quickly to prevent breaches from occurring, or limit damage by stopping attacks in their earlier stages (Lord, 2020). Examples of IOCs are unusual outbound network traffic, anomalies in privileged user account activity, HTML response sizes, unusual DNS requests, and signs of DDoS activity (Lord, 2020).
Incident responders and cyber security specialists commonly possess logs and other networking artifacts, including IP addresses and other pertinent information. It is critical to distinguish between malicious and non-malicious IP addresses. Logs and other digital evidence will contain IP addresses linked with attackers as well as IP addresses associated with normal user activity within the known time of a cyber-attack or intrusion. For instance, if an attacker tries to connect to the victim network from a known malicious IP address, network perimeter equipment such as an Intrusion Prevention System (IPS) could terminate the connection and block the malicious IP address from the network entirely, preventing further harmful actions from that address (Sikorski, 2012).
However, blocking a genuine IP address may severely affect the organization's operations. As a result, it is critical not to block IP addresses indiscriminately without first determining whether each IP address is harmful according to defined acceptance criteria (Sikorski, 2012).
IP addresses associated with threat actors could be considered malicious for different reasons. An attacker's command-and-control servers are examples of IP addresses that should be identified and blocked. This information can be learned through a review of logs, incident response on computers and servers, or malware reverse-engineering (Sikorski, 2012).
By conducting static and behavioral analysis of malware, investigators can determine hard-coded IP addresses for command-and-control servers and other computers involved in the attack, such as relays or proxies (Sikorski, 2012). For this project, Group 4 analyzed the provided IP addresses that had been associated with anomalous behavior. The group was provided with the following IP addresses:
IP Address | Country
7.26.42.136 | United States
190.142.94.44 | Venezuela
113.245.133.236 | China
17.158.163.43 | United States
82.196.6.46 | Netherlands
207.88.46.144 | United States
46.3.152.107 | Russia
222.215.134.15 | China
85.209.52.248 | Saudi Arabia
174.73.217.102 | United States
161.234.248.208 | United States
16.106.9.38 | United States
209.183.236.40 | United States
203.96.22.39 | New Zealand (Aotearoa)
Identifying what normal network functioning comprises is necessary to prepare for future risks and offer proper remedies for our networks. The team's investigation findings showed that Venezuela, China, the Netherlands, Russia, Saudi Arabia, and New Zealand were identified as nations with suspicious activities. These countries all meet the criteria because of disruptive attacks and cyber threats intended to intercept and capture data obtained from other countries and exploit it (Lord, 2020).
A bad actor is a person or agency acting maliciously to disrupt resources belonging to another organization, an individual, or a community. After analyzing the criteria for bad actors together, it was concluded that, because these nations are all bad actors, FVEY should proceed with the meticulous defense of infrastructure facilities and networks, particularly in New Zealand. In general, the FVEY countries will benefit from moving forward in a positive direction by having solutions on standby (Sikorski, 2012).
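As an added illustration of the acceptance-criteria triage described above (example code written for this report, not the group's own analysis), the following Python script extracts source addresses from constructed firewall log lines, checks them against a constructed threat-intelligence feed and an allowlist, and decides per address whether to block, review, monitor, or treat as benign. The feed, the allowlist, the 80-point confidence threshold, and every address are assumptions taken from the RFC 5737 documentation ranges, not the addresses listed in the report.

```python
"""Indicator-driven triage of source IP addresses before any block decision.

Constructed example: every address below is from the RFC 5737 documentation
ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); none is a real IOC.
"""
import ipaddress
import re
from collections import Counter

# Constructed threat-intelligence feed: address -> (category, confidence 0-100).
THREAT_INTEL = {
    "203.0.113.7": ("c2", 95),        # hard-coded C2 found by malware analysis
    "203.0.113.99": ("proxy", 40),    # low-confidence relay/proxy report
    "198.51.100.5": ("scanner", 60),  # scanner report on a partner address
}

# Constructed allowlist: internal and partner ranges are never auto-blocked,
# because blocking a genuine address disrupts operations.
ALLOWLIST = [
    ipaddress.ip_network("192.0.2.0/24"),     # internal network
    ipaddress.ip_network("198.51.100.0/28"),  # partner liaison range
]

# Acceptance criterion: minimum confidence before an address is blocked.
BLOCK_THRESHOLD = 80

# Constructed firewall-style log lines for the incident window.
LOG_LINES = [
    "2018-10-08T02:14:11Z ALLOW src=203.0.113.7 dst=192.0.2.10 dport=443",
    "2018-10-08T02:14:12Z ALLOW src=203.0.113.7 dst=192.0.2.10 dport=443",
    "2018-10-08T02:15:03Z DENY src=203.0.113.99 dst=192.0.2.10 dport=22",
    "2018-10-08T02:16:40Z ALLOW src=198.51.100.5 dst=192.0.2.25 dport=443",
    "2018-10-08T02:17:01Z ALLOW src=192.0.2.33 dst=192.0.2.10 dport=445",
    "2018-10-08T02:18:09Z ALLOW src=198.51.100.200 dst=192.0.2.10 dport=443",
]

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_sources(lines):
    """Count how often each source address appears in the log lines."""
    counts = Counter()
    for line in lines:
        match = SRC_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def is_allowlisted(ip):
    """True if the address falls inside an internal or partner range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def triage(ip):
    """Apply the acceptance criteria to one address.

    Returns (decision, reason), where decision is one of
    block, review, monitor, benign.
    """
    intel = THREAT_INTEL.get(ip)
    if is_allowlisted(ip):
        # A reported allowlisted address goes to an analyst, never to a block.
        if intel:
            return "review", f"allowlisted but reported as {intel[0]}"
        return "benign", "allowlisted, no indicator"
    if intel:
        category, confidence = intel
        if confidence >= BLOCK_THRESHOLD:
            return "block", f"{category} (confidence {confidence})"
        return "review", f"{category} (confidence {confidence} below threshold)"
    return "monitor", "no indicator; keep collecting context"


def triage_log(lines):
    """Map every source address seen in the log to its triage decision."""
    return {ip: triage(ip)[0] for ip in extract_sources(lines)}


if __name__ == "__main__":
    for ip, hits in extract_sources(LOG_LINES).items():
        decision, reason = triage(ip)
        print(f"{ip:16} hits={hits:<2} {decision:8} {reason}")
```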
Network Security Checklist
Running a network security audit can be stressful, but it is not something you should skip if you want your company data to remain as safe as possible. To simplify it, we have prepared a quick security and audit checklist to help prevent cyber-attacks. It covers hardware, software, and the different protocols configured on different devices (Knapp & Langhill, 2015).
Network infrastructure devices are the components of a network that transport the communications needed for data, applications, services, and multimedia. These devices include routers, firewalls, switches, servers, load balancers, intrusion detection systems, domain name systems, and storage area networks. They are ideal targets for malicious cyber actors because most or all organizational and customer traffic must pass through them. Two layers will also be covered: the first is the Network / Data Transit Layer, which covers network-based devices and all data-in-transit requirements; the second, lower layer is the Host Network Layer, which covers the physical transmission of data (Knapp & Langhill, 2015).
Firewall
A firewall is a security system for computer networks: it monitors and controls incoming and outgoing network traffic based on security rules that you set. In simple terms, a firewall is a filter between your internal network and an external network such as the internet. The firewall-related checklist:
· You have a firewall in place to protect your internal network and external communication against unauthorized access.
· The password for your firewall device has been changed from the default to a strong password.
· Your default posture on all access lists, inbound as well as outbound, is "Deny ALL".
· Every rule on the firewall is documented and approved by an authorized individual.
· Every alert is promptly logged and investigated.
· You use only secure routing protocols that use authentication.
· You promptly disable any permissive firewall rules that are no longer required (Huang et al., 2020).
Figure 1 Secure Network Devices
Switch
A switch is one of the important devices in your network checklist: it is the network device that allows other devices on the network to communicate and share information. You will have PCs, SAN storage, servers, VoIP phones, and printers on the network, and the switch is used to tie these devices together. For small and medium-sized offices there are three types of network switches to choose from. These types are based on configuration options and are as follows (Huang et al., 2020).
Unmanaged Switch
An unmanaged switch is the most basic kind of switch. It is simple because you can use it out of the box; it does not need any configuration (Maiwald, 2001).
Managed switch
A managed switch gives you control over the operation of the switch. You can configure it to decide how your network uses its internet connection. You can configure the switch via a CLI (command line interface), SNMP (Simple Network Management Protocol), or a web interface (Maiwald, 2001).
Figure 2
VLANS
A VLAN (virtual LAN) is a subnet that can group together a collection of devices on separate physical local area networks (LANs). A LAN groups together computers and devices that share a communications line or wireless link to a server within the same geographical area (Haq & Parveen, 2017).
Figure 3
Antivirus and anti-malware
Anti-malware and antivirus software protect you from viruses, trojans, ransomware, spyware, worms, and other unauthorized programs planted on the network. These can enter your system in various ways: through a corrupted file or link, or even through other infected devices (Rafael et al., 2022).
Malware, which stands for malicious software, is designed by cyberattackers to infect your system for various reasons. Ransomware, for example, is designed to encrypt your files, so you are locked out and must pay a fee to access important business information. Other forms of cyberattack using malware may take over your network to use it in a DDoS attack, or simply do damage to your system (Rafael et al., 2022).
Data loss prevention
Data loss prevention software monitors your network for sensitive data being stored and transferred and, ultimately, protects it from leaks. Data loss prevention solutions play a bigger part if your company has a BYOD policy, has employees who work remotely, or stores its data in the cloud. If your network consists of various devices that need to be updated, including network devices like routers and work PCs, consider investing in patch management software (Huang et al., 2020).
Consistent software updates
Other than containing performance improvements, software updates are highly likely to contain fixes for known security vulnerabilities. Delaying these updates may cause you to miss those fixes, putting your data at risk and allowing cybercriminals to enter your system (Knapp & Langhill, 2015).
All about passwords
An estimated 81% of data breaches occur because of poor password security. Having a strong password prevents hackers from breaking into your system. When you first get a device or install software, make sure you change the default password to a strong one according to company policies. To keep everyone on the same page, make sure they know what a strong password looks like: 15 or more characters, special characters included, plus two-factor authentication (Harrington, 2005).
Limit remote access and IT policies
A clear IT policy that reinforces network security is necessary to keep your employees accountable. A network security policy also serves as a reference so that your security team and employees are on the same page about who has access to what and the kind of security measures they need to take to protect company data. This is even more important now that remote work and BYOD (Bring Your Own Device) policies are the norm for most organizations. The introduction of these policies can make your users more liberal with their data. Creating a strict policy to limit access to only what is necessary for your employees to do their job is a precaution you need to take to ensure the integrity and security of your data (Keuren, 2021).
Network / Data Transit Layer
IPSEC
IPsec stands for IP security; it is an Internet Engineering Task Force (IETF) standard suite of protocols between two communicating points across an IP network that provides data authentication, integrity, and confidentiality. It also defines how packets are encrypted, decrypted, and authenticated (Liang, 2012).
TLS
Since people can use the internet freely, a certain level of protection is needed. VPNs are responsible for ensuring that your browsing is smooth and free of obstacles like hackers and government authorities. VPNs use a variety of security encryption protocols to protect your data from start to finish. One of the protocols used is Transport Layer Security (TLS). TLS is a cryptographic protocol that provides privacy and data integrity between two communicating applications. It was first introduced in 1999 as an upgrade to SSL version 3.0. TLS 1.2 was defined in 2008, and today it is the most widely deployed security protocol (Maiwald, 2001).
Public Key Infrastructure
A PKI consists of the following:
· A certificate authority (CA)
· A registration authority (RA)
· A central directory
· A validation authority (VA)
· A certificate management system
· A certificate policy
Figure 4
IDS/IPS
An Intrusion Detection System (IDS) is a network security technology originally built to detect vulnerability exploits against a target application or computer. There are four types of IDS that can protect your business (Ma et al., 2022).
· Network intrusion detection system
· Host-based intrusion detection system
· Perimeter intrusion detection system
· VM-based intrusion detection system
Intrusion detection methods
· Signature-based intrusion detection method
· Anomaly-based intrusion detection method
· Hybrid detection method
Top intrusion detection system tools
· SolarWinds Security Event Manager
· McAfee
· Suricata
· Blumira
· Cisco Stealthwatch
IPS
An intrusion prevention system (IPS) is placed inline, in the flow of network traffic between the source and destination, and usually sits just behind the firewall. There are several techniques that intrusion prevention systems use to identify threats (Ma et al., 2022).
· Signature-based: this method matches activity to the signatures of well-known threats. One drawback is that it can only stop previously identified attacks and will not recognize new ones.
· Anomaly-based: this method monitors for abnormal behavior by comparing random samples of network activity against a baseline standard. It is more robust than signature-based monitoring, but it can sometimes produce false positives.
· Policy-based: this method is somewhat less common than signature-based or anomaly-based monitoring. It employs security policies defined by the enterprise and blocks activity that violates those policies. It requires an administrator to set up and configure the security policies.
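As an added example (not from the original report or the cited source), the following Python code runs the three detection methods just listed over constructed connection records, showing that the signature method catches only the known SQL-injection pattern, the anomaly check flags a novel large upload but also a legitimate backup of similar size, and the policy rule catches a forbidden Telnet session. The records, signatures, byte-count baseline, and policy rules are all constructed assumptions.

```python
"""Signature, anomaly and policy detection over constructed connection records."""
from statistics import mean, pstdev

# Constructed records: one per connection, with the first payload bytes as text.
EVENTS = [
    {"id": 1, "src": "10.0.0.5", "dst": "10.0.0.80", "dport": 80,
     "bytes": 800, "payload": "GET /item?id=1' OR 1=1-- HTTP/1.1"},   # known SQLi
    {"id": 2, "src": "10.0.0.5", "dst": "203.0.113.20", "dport": 443,
     "bytes": 250_000, "payload": "POST /upload HTTP/1.1"},           # novel exfil
    {"id": 3, "src": "10.0.0.9", "dst": "203.0.113.50", "dport": 443,
     "bytes": 300_000, "payload": "PUT /backup HTTP/1.1"},            # legit backup
    {"id": 4, "src": "10.0.0.5", "dst": "10.0.0.81", "dport": 23,
     "bytes": 500, "payload": "login: "},                             # telnet
]

# Constructed signatures of previously identified attacks.
SIGNATURES = {
    "sqli_tautology": "' OR 1=1",
    "webshell_probe": "cmd.exe /c",
}

# Constructed baseline: bytes per connection observed during normal operation.
BASELINE_BYTES = [1200, 1500, 900, 1300, 1100, 1400, 1000, 1250]

# Constructed enterprise policy: (rule name, predicate that is True on a violation).
POLICY_RULES = [
    ("no_telnet", lambda r: r["dport"] == 23),
    ("no_outbound_smb", lambda r: r["dport"] == 445 and not r["dst"].startswith("10.")),
]


def signature_alerts(event):
    """Match known patterns only; a new attack with no signature is missed."""
    return [name for name, pattern in SIGNATURES.items() if pattern in event["payload"]]


def anomaly_alerts(event, baseline=BASELINE_BYTES, z=3.0):
    """Flag byte counts more than z standard deviations above the baseline mean.

    Catches novel activity, but also large legitimate transfers (false positives).
    """
    threshold = mean(baseline) + z * pstdev(baseline)
    return ["volume_anomaly"] if event["bytes"] > threshold else []


def policy_alerts(event):
    """Flag whatever the enterprise policy forbids, regardless of novelty."""
    return [name for name, violates in POLICY_RULES if violates(event)]


def detect(event):
    """Run all three methods on one record; each returns the alert names it raised."""
    return {
        "signature": signature_alerts(event),
        "anomaly": anomaly_alerts(event),
        "policy": policy_alerts(event),
    }


def summarize(events=EVENTS):
    """Map event id -> list of methods that raised at least one alert."""
    return {e["id"]: [m for m, hits in detect(e).items() if hits] for e in events}


if __name__ == "__main__":
    for event in EVENTS:
        print(event["id"], detect(event))
```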
Figure 5 IPS and IDS configuration (Ma et al., 2022)
System Security Risk Vulnerability
Authentication and credential attacks include threats to usernames, passwords, bank account information, social security numbers, and other keys (Abdalla, 2018). The different threats to authentication and credentials are password or personal information attacks through social engineering techniques such as phishing, credential stuffing, sniffing, guesswork, or man-in-the-middle attacks (Abdalla, 2018).
Social engineering techniques involve illegitimate links carrying genuine-looking information. For example, users could be asked to provide their credentials (credit card information) to purchase online from a fake website, with adverse consequences. Moreover, social engineering uses messages or emails that redirect to malicious sites once the user clicks the relevant link. Smishing, phishing, and spoofing are techniques to gain access to email from a seemingly trustworthy source by disrupting the system with a malware attack (Aldawood & Skinner, 2018).
PKI (Public Key Infrastructure) and digital signatures encrypt or protect data from being decoded by hackers (Danquah & Kwabena-Adade, 2020). Examples are SSL (Secure Sockets Layer) certificates and multifactor authentication. The cryptographic methods use symmetric or asymmetric algorithms within a PKI. Digital certificates incorporate both private and public keys to enhance security and privacy with end-to-end encryption (Abdalla, 2018).
Suppose John works in a high-risk environment and shares organizational information with various clients in a day. He uses PKI to send messages, and the clients use their private keys to maintain the confidentiality of the information. Protecting private messages or data reduces the risk of intended threats or attacks on the environment. Also, integrated approaches during digital collaboration require multifactor authentication by the business partners (Danquah & Kwabena-Adade, 2020).
Further, PKIs could be used to provide network access, authenticate transactions, and preserve sensitive information by using specific signature-based mechanisms so that transactions cannot be processed without acknowledging a valid user (Danquah & Kwabena-Adade, 2020). For instance, people receive an OTP (One-Time Password) on their registered mobile number to ensure the safety of ATM transactions.
Leapfrogging across networks is the rapid adoption of technologies by middle- or low-income nations to gain opportunistic advantages (Woon, 2020). When hackers steal sensitive information in the initial stages, the process is known as a leapfrogging attack. Also, leapfrogging in multiple networks means replacing traditional strategies with the trends in every place, which can result in economic vulnerabilities, technological threats (low-skilled users and policymakers), and opportunities for hackers to disrupt the integrated infrastructure (Woon, 2020).
Leapfrogging occurs when nations bypass traditional stages of development, either jumping directly to the latest technologies (stage-skipping) or exploring an alternative path of technological development involving emerging technologies with new benefits and new opportunities (path-creating). This leapfrogging of PC-based internet access has been hailed in many quarters as an important means of rapidly and inexpensively reducing the gap in internet access between developed and developing nations, thereby reducing the need for policy interventions to address this persistent digital divide (Woon, 2020).
Vertical and Horizontal Privilege Escalation
Cybersecurity is divided into five phases, where escalation is the fourth stage before the final mission. During escalation, the hackers obtain the targeted information and data to corrupt channels, systems, and mail servers with ransomware activities. We have identified the social engineering threats (phishing or spoofing).
First, we would report it to the anti-phishing department, disconnect the device from the channels to prevent identity theft, change the password, and provide the information to the stakeholders to reduce the impact of the cybercrime (Aldawood & Skinner, 2018). The countermeasures against social engineering threats are spam filters, multifactor authentication, and up-to-date software with automated scans for viruses (Abdalla, 2018). Also, VPNs (Virtual Private Networks) provide a secured environment between the users and the communication channels through encryption (Osawa, 2017).
In the escalation phase of a cyberattack, the attacker seeks to identify and gain the level of privilege necessary to achieve their objectives, using the access channels and credentials acquired in the previous phases. Escalation attacks can be separated into two broad categories: horizontal privilege escalation and vertical privilege escalation. Often confused with each other, these terms differ as follows (Osawa, 2017).
Horizontal privilege escalation involves gaining access to the rights of another account, human or machine, with similar privileges. This action is referred to as account takeover. Typically, this would involve lower-level accounts (i.e., standard users), which may lack proper protection. With each new horizontal account compromised, an attacker broadens their sphere of access with similar privileges (Osawa, 2017).
Vertical privilege escalation, also known as a privilege elevation attack, involves an increase in privileges or privileged access beyond what a user, application, or other asset already has. This entails moving from a low level of privileged access to a higher level. Achieving vertical privilege escalation may require the attacker to perform a number of intermediary steps (Osawa, 2017).
Forensic Analysis Report: The culmination of your investigative efforts, this report will document the eDiscovery process, your findings, and how they are connected to the countries involved. The Forensic Analysis Report comprises the following materials developed by you and your teammates throughout the project:
Figure 6 Chain of Custody Form

Case Number: 2346238934 | Offense: Cyber Attack
Submitting Officer (Name/ID#): Joe Friday
Victim: New Zealand
Suspect: Anonymous
Date/Time Seized: Oct 08 2018 | Location of Seizure: New Zealand

Description of Evidence
| Item # | Quantity | Description of Item (Model, Serial #, Condition, Marks, Scratches) |
| 100 | 1 | USB flash drive, serial No. 2992387, SanDisk |
| 101 | 1 | Laptop Packard - serial number |
| 102 | 1 | IMAC Tablet |
| 103 | 1 | Computer |
| 104 | 1 | External Hard Drive |
| 105 | 1 | Apple iPhone 1, Model #ZB3234L, Serial Number 7B1A8NVP.136GB |

Chain of Custody
| Item # | Date/Time | Released by (Signature & ID#) | Received by (Signature & ID#) | Comments/Location |
| 1 | 10/08/2018 | Joe Friday | Five Eyes Alliance | New Zealand central forensic Library |

EVIDENCE CHAIN-OF-CUSTODY TRACKING FORM (Continued)

Chain of Custody
| Item # | Date/Time | Released by (Signature & ID#) | Received by (Signature & ID#) | Comments/Location |

Final Disposal Authority

Authorization for Disposal: Item(s) #: 5 on this document pertaining to (suspect): Roger Stone is (are) no longer needed as evidence and is/are authorized for disposal by (check appropriate disposal method): [ ] Return to Owner [X] Auction/Destroy/Divert. Name & ID# of Authorizing Officer: 1234. Signature: Joe Friday. Date: 4272022.

Witness to Destruction of Evidence: Item(s) #: __________ on this document were destroyed by Evidence Custodian ___________________________ ID#: ______ in my presence on (date) __________________________. Name & ID# of Witness to destruction: ________________________ Signature: _______________________ Date: ___________

Release to Lawful Owner: Item(s) #: __________ on this document was/were released by Evidence Custodian ________________________ ID#: _________ to Name _____________________________ Address: ________________________________ City: ____________________ State: _______ Zip Code: ______ Telephone Number: (_____) ___________________. Under penalty of law, I certify that I am the lawful owner of the above item(s). Signature: _______________________________ Date: __________________________ Copy of Government-issued photo identification is attached. [ ] Yes [ ] No

This Evidence Chain-of-Custody form is to be retained as a permanent record by the Anywhere Police Department.
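A chain-of-custody form like the one above can be audited mechanically for internal consistency before it is relied on in court. The Python below is an added example, not part of the report: it transcribes the form's visible fields into constructed records and checks that every item number referenced by a custody or disposal entry exists on the evidence list, that the suspect named on the disposal authorization matches the form, and that each hand-off begins with whoever last received the item; these checks are an assumed practice, not a procedure the report itself describes.

```python
# Added example, not part of the report. It transcribes the form above into
# constructed records and audits them; the checks (referenced item numbers must
# exist, suspect names must agree, each hand-off must start with the previous
# receiver) are an assumed practice, not a procedure the report describes.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class EvidenceForm:
    case_number: str
    suspect: str
    items: Dict[int, str]               # item number -> description
    custody: List[Tuple[int, str, str, str, str]]  # (item, date, released_by, received_by, location)
    disposal_items: List[int]           # item numbers on the disposal authorization
    disposal_suspect: str

def audit(form: EvidenceForm) -> List[str]:
    """Return findings as strings; an empty list means the form is consistent."""
    findings = []
    for n in sorted({e[0] for e in form.custody} - set(form.items)):
        findings.append(f"custody entry refers to unknown item {n}")
    for n in form.disposal_items:
        if n not in form.items:
            findings.append(f"disposal authorization refers to unknown item {n}")
    if form.disposal_suspect != form.suspect:
        findings.append(f"disposal names suspect {form.disposal_suspect!r}, "
                        f"form names {form.suspect!r}")
    holder: Dict[int, str] = {}         # item number -> current custodian
    for item, _date, released_by, received_by, _loc in form.custody:
        if item in holder and holder[item] != released_by:
            findings.append(f"item {item}: released by {released_by!r} "
                            f"but last received by {holder[item]!r}")
        holder[item] = received_by
    for n in form.items:
        if n not in holder:
            findings.append(f"item {n} has no custody entry")
    return findings

# Constructed transcription of the form's visible fields.
FORM = EvidenceForm(
    case_number="2346238934", suspect="Anonymous",
    items={100: "USB flash drive, SanDisk", 101: "Laptop Packard", 102: "IMAC Tablet",
           103: "Computer", 104: "External Hard Drive", 105: "Apple iPhone"},
    custody=[(1, "10/08/2018", "Joe Friday", "Five Eyes Alliance",
              "New Zealand central forensic Library")],
    disposal_items=[5], disposal_suspect="Roger Stone",
)

if __name__ == "__main__":
    print("\n".join(audit(FORM)) or "form is consistent")
```

Run against the form as transcribed, the audit reports the custody entry for item 1 and the disposal of item 5 (neither is on the 100-105 evidence list), the suspect mismatch, and six items with no custody entry.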
ENVIRONMENT REVIEW AND ANALYSIS
The Global Economic Summit’s international environment is a complicated aggregation of numerous security methods, understandings, and regulations that need a full explanation. Each of the Five Eyes countries has an individual and collective interest in keeping all assets and information secure. However, each country’s approach will be slightly different. A complete understanding of the environment can only be obtained by acknowledging the junction between international law and cyberspace.
The main point of contention regarding the legal issues of offensive and defensive cyber warfare is how it interacts with current regulations developed in quite different situations. To put it another way, “how do we apply old laws of war to new cyber-circumstances, staying faithful to enduring principles, while accounting for changing times and technologies?” (Koh, 2012).
The challenge of reassessing international interactions in an increasingly cyber-enabled world presents a once-in-a-lifetime opportunity to assess existing guidance and determine whether it should continue to govern international relationships or be replaced to reflect modern challenges more directly. “At least one country has questioned whether existing bodies of international law apply to the cutting-edge issues presented by the internet. Some have also said that existing international law is not up to the task, and that we need entirely new treaties to impose a unique set of rules on cyberspace. But the United States has made clear our view that established principles of international law do apply in cyberspace” (Koh, 2012). New Zealand forensic law includes the business of providing accurate, timely, and thorough information to all levels of decision-makers in the criminal justice system. Increasing disruptive activities by cyber threat actors prompted New Zealand’s second Cyber Security Strategy, Action Plan, and National Plan to address cybercrime in November 2015. “New Zealand’s Cyber Security Strategy 2015 has four goals: Cyber Resilience, Cyber Capability, Addressing Cybercrime and International Cooperation” (Connect Smart, 2015).
Cybersecurity attack vectors are changing at a quick pace. As cybersecurity professionals learn how to neutralize one sort of attack vector, fraudsters switch to another as soon as the specialists become comfortable. Cybercriminals shifted to using Trojans to steal data as New Zealand tightened security technology and processes to resist malware, while adware surged in volume.
Most of these attacks rely on social engineering techniques or low-tech delivery payloads accessed through the Dark Web. New Zealand’s national infrastructure depends upon cyberspace, which means that preventing unwanted access by securing its networks, systems, programs, and data from attack is vital. New Zealand’s geographical isolation does not protect it from criminal hostility and offensive intent in cyberspace (New Zealand Foreign Affairs & Trade, n.d.). The cyber threats facing the country are:
· Cyber espionage and intellectual property theft for political, economic, and commercial advantage.
· Cyber terrorism or state-sponsored offensive action, like the disruption of services or damage to New Zealand critical infrastructure systems.
· Cybercrime and cyber-enabled crime, such as scams involving online trading, dating sites, and fake investments, and the theft of personal financial or identity data.
· Cyber vandalism or issue-motivated “hacktivism,” such as websites being defaced, or their services interrupted for political purposes.
New Zealand engages internationally in cyberspace because of its trans-boundary nature. The focus is on detecting problems, building understanding and awareness, developing norms and “rules of the road,” and identifying supportive measures. Discussing cybersecurity with the United Nations, in regional forums, and at multi-stakeholder discussions like the Internet Governance Forum, and sharing threat information and best practices with international partners, is also vital, as it helps New Zealand assess cyber threats and put in place systems to address them (New Zealand Foreign Affairs & Trade, n.d.).
Conclusion
In practice, a digital forensic environment review and analysis involves a thorough forensic analysis of the laws and regulations of the international community. One needs to assess procedures for the acquisition, preservation, analysis, and transfer of data at rest or in transit. With improvements in information technology and the evolving cyberspace, the threat environment continues to become highly sophisticated, with hackers acquiring and fine-tuning their attack techniques. Globally, cyberattacks are increasing rapidly (Kshetri, 2016).
Massive data breaches are occurring with alarming frequency (Kshetri, 2016). Today, there is an evident skills gap which serves as a significant challenge for law enforcement agencies, forensics teams, and prosecutors in international relations and cross-border enforcement. When conducting an environmental analysis, it is important to consider the regulatory and legal aspects of securing the upcoming Global Economic Summit from inevitable cyber-related threats (Kshetri, 2016).
There are globally agreed cybersecurity norms. However, nations should have robust cybersecurity mechanisms in the event that one nation decides to contravene the norms. Each nation’s defensive posture should include measures to secure its communications and IT infrastructure from cyberattacks. The ever-expanding risk of cybercrime has become a threat not only to national security but also to the economy. If breached, our cell phones, pipelines, electric grid, and servers can be exploited by hackers and criminals. It is important to define measures that create accountability when a hostile state chooses to ignore globally agreed norms (Kshetri, 2016).
References
Abdalla, I. (2018). Social Engineering Threat and Defense: A Literature Survey. Journal of Information Security, 9, 257-264. https://doi.org/10.4236/jis.2018.94018
Aldawood, H., & Skinner, G. (2018). Contemporary Cyber Security Social Engineering Solutions, Measures, Policies, Tools and Applications: A Critical Appraisal. 26th International Conference on Systems Engineering, Sydney, 8-20 December, 1-6.
Barker, C., Dawson, J., Godec, S., Petrie, C., Porteous, H., & Purser, P. (2017). Oversight of Intelligence Agencies: A Comparison of the ‘Five Eyes’ Nations. Parliament of Canada. https://lop.parl.ca/sites/PublicWebsite/default/en_CA/ResearchPublications/22035249
Connect Smart. (2015, December). National Plan to Address Cybercrime 2015 (PDF). https://www.connectsmart.govt.nz/assets/Uploads/nz-cyber-security-cybercrimeplan-december-2015.pdf
Danquah, P., & Kwabena-Adade, H. (2020). Public Key Infrastructure: An Enhanced Validation Framework. Journal of Information Security, 11, 241-260. https://doi.org/10.4236/jis.2020.114016
Knapp, E. D., & Langill, J. (2015). Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems (2nd ed.). Syngress.
Huang, H., Wang, L., Wu, Y., & Choo, K.-K. R. (2020). Blockchains for Network Security: Principles, Technologies and Applications. The Institution of Engineering and Technology.
Harrington, J. L. (2005). Network Security: A Practical Approach. Morgan Kaufmann.
Vacca, J. R. (2014). Cyber Security and IT Infrastructure Protection. Syngress.
Klare, M. T. (2019). Cyber Battles, Nuclear Outcomes? Dangerous New Pathways to Escalation. Arms Control Today, 49(9), 6–13.
Koh, H. H. (2012, September 18). International Law in Cyberspace. https://2009-2017.state.gov/s/l/releases/remarks/197924.htm
Liang, G. (2012). Network Protocols. Nova Science Publishers, Inc.
Lord, N. (2020, December 1). A Definition of Indicators of Compromise. https://digitalguardian.com/blog/what-are-indicators-compromise
Maiwald, E. (2001). Network Security: A Beginner’s Guide. McGraw-Hill Professional.
Ma, Z., Li, J., Song, Y., Wu, X., & Chen, C. (2022). Network Intrusion Detection Method Based on FCWGAN and BiLSTM. Computational Intelligence & Neuroscience, 1–17. https://doi.org/10.1155/2022/6591140
Musa, S. M. (2018). Network Security and Cryptography. Mercury Learning & Information.
New Zealand Foreign Affairs & Trade. (n.d.). Cyberspace is Essential to New Zealand’s Economic Growth, Productivity and Security. https://www.mfat.govt.nz/en/peace-rights-and-security/international-security/cybersecurity-issues/
NIST. (2013, April 12). The Biological Evidence Preservation Handbook: Best Practices for Evidence Handlers. https://www.nist.gov/system/files/documents/forensics/NIST-IR-7928.pdf
Osawa, J. (2017). The Escalation of State Sponsored Cyberattack and National Cyber Security Affairs: Is Strategic Cyber Deterrence the Key to Solving the Problem? Asia-Pacific Review, 24(2), 113–131. https://doi.org/10.1080/13439006.2017.1406703
Snedaker, S. (2014). Business Continuity and Disaster Recovery Planning for IT Professionals (2nd ed.). Syngress.
Talbott-Jensen, E. (2018). The Tallinn Manual 2.0: Highlights and Insights. https://www.law.georgetown.edu/international-law-journal/wp-content/uploads/sites/21/2018/05/48-3-The-Tallinn-Manual-2.0.pdf
UlHaq, S. E., & Parveen, S. (2017). Implementation of Network Architecture, Its Security and Performance Analysis of Vlan. International Journal of Advanced Research in Computer Science, 8(7), 555–560. https://doi.org/10.26483/ijarcs.v8i7.3247
Verma, P. (2015). Wireshark Network Security. Packt Publishing.
Woon, F. (2020). Technology Leapfrogging: A Pathway to Sustainable Development. https://www.melbournemicrofinance.com/new-blog/2020/15/9/technology-leapfrogging