CSIA 310 DISC 3
Discussion 3:
The process of incident response involves the development of a strategy in response to
the occurrence of a security on the network or in a system which. “The process includes
formulating a security policy and identifying the goals of the incident response, creating an
incident response team, analyzing threats, establishing methods for detecting a breach, and
preparing to combat threats and mitigate damages in the event of a security breach” (EC-
Council). Computer forensics is the legal process of gathering, analyzation and presenting
evidence in a court of law and organizations often include it as part of the incident response
plans to track the perpetrators of an incident. When investigating security issues or attacks on
the organization, it is important to properly analyze what was attacked and how, analyze the
environment to determine what types of forensic evidence should be collected after the
attack(s) and where that evidence can be collected from.
To help meet the security requirements of a contract, Sifers-Grayson hired a consulting
firm whose Red Team conducted a penetration test and presented us with a report.
In the first attack, the Red Team managed to gain access to the R&D servers located in
the Engineering Center. This was done using an unsecure and unprotected network connection
to hack into the enterprise network after which they proceeded to exfiltrate files from the
servers and also managed gain access to the source code and design documents for the AX10
Drone System. The attack technique used was Data Exfiltration that is often exercised by
cybercriminals to steal sensitive company information. The unprotected network could be one
that was set up for visitors or customers to use the network to work or simply not well secured
and unscrupulous individuals or cybercriminals cruise around looking for unprotected
connections to exploit. “other risks are hackers snooping on data sent over your network and
using your network to access your computer's files and system information” (Poland). When the
organization fails to protect their network, unintended users and attackers can easily conduct
illegal activities, monitor and capture their web traffic and perform data exfiltration to steal
important files and information. When looking for forensic evidence, it is important to analyze
the network’s firewall logs to see which IPs were connected just before or during the
exfiltration. Check web history for connections in that time period, shimcache and .Pf files
which are excellent artifacts for such forensic investigations. Evidence can be collected from the
RAM as well which will contain the remote IP addresses and port numbers as well that were
used in network connections which can prove to be critical in investigating computer intrusions,
data exfiltration and the destination of the organization’s exfiltrated data.
The Red Team then reported that it managed to steal the password for 20% of the
employee logins by using keylogging software that was installed on USB keys that were left back
on a lunch table at the employee lounge in the headquarters building. This vector is called
Keystroke Logging which is often referred to as Keylogging which is the action of covertly logging
This study source was downloaded by 100000766134782 from CourseHero.com on 05-23-2022 08:58:35 GMT -05:00
https://www.coursehero.com/file/79442913/CSIA310-Week-3-Discussiondocx/
or recording the keys that are struck on the keyboard and the person typing is unaware that
their keystrokes are being monitored. Data can be retrieved by the person remotely operating
the keylogging program as in this case, the Red Team was able to capture the passwords of
employees while they unsuspectingly typed them out. “Data captured by keyloggers can be
sent back to attackers via email or uploading log data to predefined websites, databases, or
FTP servers. If the keylogger comes bundled within a large attack, actors might simply
remotely log into a machine to download keystroke data” (Swinhoe). In this case, the USB
keys belonging to the employees need to be collected as evidence. The keylogging software
would have to taken off the USB when plugged in to a safe system. The keylogger software will
show up among a list of programs or has an initiator program listed which then opens the
keylogger. Review each one and make a list of suspicious or unrecognized programs and
uncheck them so that they don’t run automatically upon startup. “Reboot your computer in
Safe mode. Open your Computer or Computer Properties window and search for the program.
When the keylogger program is found, delete it and shut down your computer” (Murray).
The Red Team then continued its efforts to penetrate the enterprise and used a stolen
login to install malware over the network on the workstation connected to a PROM burner in
the R&D DevOps. This malware then made its way onto a PROM that was then installed in an
AX10-a test vehicle undergoing flight trials at the Sifers-Grayson test range. The malware
“phoned home” to the Red Team over a cellular connection to the R&D center. The Red Team
took control of the test vehicle and flew it from the test range to a safe landing in the parking lot
at Sifers-Grayson headquarters. This was a malware attack. “A malware attack is when
cybercriminals create malicious software that’s installed on someone else’s device without their
knowledge to gain access to personal information or to damage the device, usually for financial
gain” (van der Kleut). As evidence, the workstation that was initially infected with the malware
needs to be collected as evidence. The next step would be to document information regarding
the malware that was installed on the workstation as to when it was installed and how it made
its way on to the AX10-a test vehicle.
Thus, to summarize, the recently conducted penetration test by the consulting team’s Red Team
has helped point out the various vulnerabilities and the various attacks that can be carried out
against Sifers-Grayson. After the penetration tests were conducted Sifers-Grayson executives
were also provided with a diagrammed report showing the analysis of the threat environment
and potential weaknesses within the organization’s security posture thus giving an on what
security improvements need to be made in order to prevent any such attacks occurring in the
future. The incident response and the gathering of evidence can prove to be extremely
important in such cases. To review, as in the first attack the Red Team gained access to the R&D
servers located in the Engineering Center using an unsecure and unprotected network
connection to hack into the enterprise network after which they proceeded to exfiltrate files
from the servers. The network firewall logs and web history as well as the RAM can be used to
This study source was downloaded by 100000766134782 from CourseHero.com on 05-23-2022 08:58:35 GMT -05:00
https://www.coursehero.com/file/79442913/CSIA310-Week-3-Discussiondocx/
gain evidence of the attack and are excellent artifacts for such forensic investigations. Regarding
the keylogging attack, employee training can prove to be beneficial in ensuring employees do
not leave their USB keys or any devices that can compromise passwords or important
information, unattended. The USB keys need to be collected as evidence, analyzed and have the
covert keylogging software deleted off them. Regarding the malware attack, the affected
workstations need to gathered as evidence, taken off the system and analyzed. In the attack
involving the theft of login credentials which helped launch the malware attacks,
This study source was downloaded by 100000766134782 from CourseHero.com on 05-23-2022 08:58:35 GMT -05:00
https://www.coursehero.com/file/79442913/CSIA310-Week-3-Discussiondocx/
Sources used:
EC-Council Certified Incident Handler (ECIH) Version 2 (2nd ed.). (n.d.). Retrieved September 6, 2020, from https://evantage.gilmoreglobal.com/#/books/978-1-63567-276- 3/cfi/303!/4/2@100:0.00
Poland, A. (2016, October 26). What Does It Mean When Internet Access Is Unsecure? Retrieved September 07, 2020, from https://smallbusiness.chron.com/mean-internet-access- unsecure-69147.html
Swinhoe, D. (2018, December 11). What is a keylogger? How attackers can monitor everything you type. Retrieved September 07, 2020, from https://www.csoonline.com/article/3326304/what-is-a-keylogger-how-attackers-can- monitor-everything-you-type.html
Murray, J. (2017, November 21). How to Rid a PC of a Keylogger. Retrieved September 07, 2020, from https://smallbusiness.chron.com/rid-pc-keylogger-66930.html
Van der Kleut, J. (2020, April 30). Malware attacks: What you need to know. Retrieved September 07, 2020, from https://us.norton.com/internetsecurity-malware-malware-101- how-do-i-get-malware-complex-attacks.html
This study source was downloaded by 100000766134782 from CourseHero.com on 05-23-2022 08:58:35 GMT -05:00
https://www.coursehero.com/file/79442913/CSIA310-Week-3-Discussiondocx/
Response 1:
Herbert Pagan,
Well-written and informative post! The attack by the consulting firm’s Red Team proved to be
beneficial in determining the various vulnerabilities present and showed how easy it is for
cybercriminals to exploit those vulnerabilities. I like how you mentioned that “the success of the
team and the company is based on the ability to identify the weaknesses available..” and
organizations ought to constantly work on identifying the various vulnerabilities and eliminating
them. You did a great job summarizing each attack and identifying the what type of evidence
and where it can be collected from. Regarding the attack involving the theft of login credentials
which helped launch a malware, the affected workstations would need to be gathered as
evidence analysis and taken off the network. Great point mentioning how the Red Team may
possibly have left a backdoor in order to facilitate more attacks in the future as well.
Great post. Good luck!
Anette Nash,
Great post and you’ve summarized the attacks and the evidence to be collected.
In the attack involving keylogging software on the USB keys left behind by
employees, this could have been prevented if the employees were careful in
protecting who can access their personal USB keys. This highlights the importance
employee training which can prove to be beneficial in the company not being
infiltrated as easily again and prevent such attacks in the future. This keylogging
software installed on the keys then allowed the Red Team gain access to
important information. Thus, it is important that the USB keys and as well as the
workstations that they were plugged into need to be quarantined for analysis of
forensic evidence.
Good luck!
Chris
This study source was downloaded by 100000766134782 from CourseHero.com on 05-23-2022 08:58:35 GMT -05:00
https://www.coursehero.com/file/79442913/CSIA310-Week-3-Discussiondocx/
Follow up:
Sokchindria Phoung
Sokchindria,
Thanks your response and feedback! I agree that that the test conducted by the Red Team sure helped reveal how easy it is for attackers to attack, penetrate and infiltrate pretty much every area of the organization, especially the part when they were able to take over the Test Drone and fly it. This shows how important it is for companies/organizations to constantly check and eliminate any vulnerabilities. I agree that the workstations or devices that came into contact with the malware would need to be checked for evidence and more importantly taken off the network to prevent other devices being affected as well.
Thanks for the feedback again. Good luck!
Chris
Cassandra,
You’ve provided some good suggestions to improve the plan such as collecting the
mobile devices that had accessed the company’s network considering the fact that
the network as a whole was breached leaving them susceptible to attacks. Great
point on how to track down the cybercriminals who sent the phishing emails by
gathering the sender information and the HTML of the infected videos.
Good luck!
This study source was downloaded by 100000766134782 from CourseHero.com on 05-23-2022 08:58:35 GMT -05:00
https://www.coursehero.com/file/79442913/CSIA310-Week-3-Discussiondocx/ Powered by TCPDF (www.tcpdf.org)