CSIA 310 DISC 3

profileBYSTANDER
CSIA310_Week_3_Discussion.docx.pdf

Discussion 3:

The process of incident response involves the development of a strategy in response to

the occurrence of a security on the network or in a system which. “The process includes

formulating a security policy and identifying the goals of the incident response, creating an

incident response team, analyzing threats, establishing methods for detecting a breach, and

preparing to combat threats and mitigate damages in the event of a security breach” (EC-

Council). Computer forensics is the legal process of gathering, analyzation and presenting

evidence in a court of law and organizations often include it as part of the incident response

plans to track the perpetrators of an incident. When investigating security issues or attacks on

the organization, it is important to properly analyze what was attacked and how, analyze the

environment to determine what types of forensic evidence should be collected after the

attack(s) and where that evidence can be collected from.

To help meet the security requirements of a contract, Sifers-Grayson hired a consulting

firm whose Red Team conducted a penetration test and presented us with a report.

In the first attack, the Red Team managed to gain access to the R&D servers located in

the Engineering Center. This was done using an unsecure and unprotected network connection

to hack into the enterprise network after which they proceeded to exfiltrate files from the

servers and also managed gain access to the source code and design documents for the AX10

Drone System. The attack technique used was Data Exfiltration that is often exercised by

cybercriminals to steal sensitive company information. The unprotected network could be one

that was set up for visitors or customers to use the network to work or simply not well secured

and unscrupulous individuals or cybercriminals cruise around looking for unprotected

connections to exploit. “other risks are hackers snooping on data sent over your network and

using your network to access your computer's files and system information” (Poland). When the

organization fails to protect their network, unintended users and attackers can easily conduct

illegal activities, monitor and capture their web traffic and perform data exfiltration to steal

important files and information. When looking for forensic evidence, it is important to analyze

the network’s firewall logs to see which IPs were connected just before or during the

exfiltration. Check web history for connections in that time period, shimcache and .Pf files

which are excellent artifacts for such forensic investigations. Evidence can be collected from the

RAM as well which will contain the remote IP addresses and port numbers as well that were

used in network connections which can prove to be critical in investigating computer intrusions,

data exfiltration and the destination of the organization’s exfiltrated data.

The Red Team then reported that it managed to steal the password for 20% of the

employee logins by using keylogging software that was installed on USB keys that were left back

on a lunch table at the employee lounge in the headquarters building. This vector is called

Keystroke Logging which is often referred to as Keylogging which is the action of covertly logging

This study source was downloaded by 100000766134782 from CourseHero.com on 05-23-2022 08:58:35 GMT -05:00

https://www.coursehero.com/file/79442913/CSIA310-Week-3-Discussiondocx/

or recording the keys that are struck on the keyboard and the person typing is unaware that

their keystrokes are being monitored. Data can be retrieved by the person remotely operating

the keylogging program as in this case, the Red Team was able to capture the passwords of

employees while they unsuspectingly typed them out. “Data captured by keyloggers can be

sent back to attackers via email or uploading log data to predefined websites, databases, or

FTP servers. If the keylogger comes bundled within a large attack, actors might simply

remotely log into a machine to download keystroke data” (Swinhoe). In this case, the USB

keys belonging to the employees need to be collected as evidence. The keylogging software

would have to taken off the USB when plugged in to a safe system. The keylogger software will

show up among a list of programs or has an initiator program listed which then opens the

keylogger. Review each one and make a list of suspicious or unrecognized programs and

uncheck them so that they don’t run automatically upon startup. “Reboot your computer in

Safe mode. Open your Computer or Computer Properties window and search for the program.

When the keylogger program is found, delete it and shut down your computer” (Murray).

The Red Team then continued its efforts to penetrate the enterprise and used a stolen

login to install malware over the network on the workstation connected to a PROM burner in

the R&D DevOps. This malware then made its way onto a PROM that was then installed in an

AX10-a test vehicle undergoing flight trials at the Sifers-Grayson test range. The malware

“phoned home” to the Red Team over a cellular connection to the R&D center. The Red Team

took control of the test vehicle and flew it from the test range to a safe landing in the parking lot

at Sifers-Grayson headquarters. This was a malware attack. “A malware attack is when

cybercriminals create malicious software that’s installed on someone else’s device without their

knowledge to gain access to personal information or to damage the device, usually for financial

gain” (van der Kleut). As evidence, the workstation that was initially infected with the malware

needs to be collected as evidence. The next step would be to document information regarding

the malware that was installed on the workstation as to when it was installed and how it made

its way on to the AX10-a test vehicle.

Thus, to summarize, the recently conducted penetration test by the consulting team’s Red Team

has helped point out the various vulnerabilities and the various attacks that can be carried out

against Sifers-Grayson. After the penetration tests were conducted Sifers-Grayson executives

were also provided with a diagrammed report showing the analysis of the threat environment

and potential weaknesses within the organization’s security posture thus giving an on what

security improvements need to be made in order to prevent any such attacks occurring in the

future. The incident response and the gathering of evidence can prove to be extremely

important in such cases. To review, as in the first attack the Red Team gained access to the R&D

servers located in the Engineering Center using an unsecure and unprotected network

connection to hack into the enterprise network after which they proceeded to exfiltrate files

from the servers. The network firewall logs and web history as well as the RAM can be used to

This study source was downloaded by 100000766134782 from CourseHero.com on 05-23-2022 08:58:35 GMT -05:00

https://www.coursehero.com/file/79442913/CSIA310-Week-3-Discussiondocx/

gain evidence of the attack and are excellent artifacts for such forensic investigations. Regarding

the keylogging attack, employee training can prove to be beneficial in ensuring employees do

not leave their USB keys or any devices that can compromise passwords or important

information, unattended. The USB keys need to be collected as evidence, analyzed and have the

covert keylogging software deleted off them. Regarding the malware attack, the affected

workstations need to gathered as evidence, taken off the system and analyzed. In the attack

involving the theft of login credentials which helped launch the malware attacks,

This study source was downloaded by 100000766134782 from CourseHero.com on 05-23-2022 08:58:35 GMT -05:00

https://www.coursehero.com/file/79442913/CSIA310-Week-3-Discussiondocx/

Sources used:

EC-Council Certified Incident Handler (ECIH) Version 2 (2nd ed.). (n.d.). Retrieved September 6, 2020, from https://evantage.gilmoreglobal.com/#/books/978-1-63567-276- 3/cfi/303!/4/2@100:0.00

Poland, A. (2016, October 26). What Does It Mean When Internet Access Is Unsecure? Retrieved September 07, 2020, from https://smallbusiness.chron.com/mean-internet-access- unsecure-69147.html

Swinhoe, D. (2018, December 11). What is a keylogger? How attackers can monitor everything you type. Retrieved September 07, 2020, from https://www.csoonline.com/article/3326304/what-is-a-keylogger-how-attackers-can- monitor-everything-you-type.html

Murray, J. (2017, November 21). How to Rid a PC of a Keylogger. Retrieved September 07, 2020, from https://smallbusiness.chron.com/rid-pc-keylogger-66930.html

Van der Kleut, J. (2020, April 30). Malware attacks: What you need to know. Retrieved September 07, 2020, from https://us.norton.com/internetsecurity-malware-malware-101- how-do-i-get-malware-complex-attacks.html

This study source was downloaded by 100000766134782 from CourseHero.com on 05-23-2022 08:58:35 GMT -05:00

https://www.coursehero.com/file/79442913/CSIA310-Week-3-Discussiondocx/

Response 1:

Herbert Pagan,

Well-written and informative post! The attack by the consulting firm’s Red Team proved to be

beneficial in determining the various vulnerabilities present and showed how easy it is for

cybercriminals to exploit those vulnerabilities. I like how you mentioned that “the success of the

team and the company is based on the ability to identify the weaknesses available..” and

organizations ought to constantly work on identifying the various vulnerabilities and eliminating

them. You did a great job summarizing each attack and identifying the what type of evidence

and where it can be collected from. Regarding the attack involving the theft of login credentials

which helped launch a malware, the affected workstations would need to be gathered as

evidence analysis and taken off the network. Great point mentioning how the Red Team may

possibly have left a backdoor in order to facilitate more attacks in the future as well.

Great post. Good luck!

Anette Nash,

Great post and you’ve summarized the attacks and the evidence to be collected.

In the attack involving keylogging software on the USB keys left behind by

employees, this could have been prevented if the employees were careful in

protecting who can access their personal USB keys. This highlights the importance

employee training which can prove to be beneficial in the company not being

infiltrated as easily again and prevent such attacks in the future. This keylogging

software installed on the keys then allowed the Red Team gain access to

important information. Thus, it is important that the USB keys and as well as the

workstations that they were plugged into need to be quarantined for analysis of

forensic evidence.

Good luck!

Chris

This study source was downloaded by 100000766134782 from CourseHero.com on 05-23-2022 08:58:35 GMT -05:00

https://www.coursehero.com/file/79442913/CSIA310-Week-3-Discussiondocx/

Follow up:

Sokchindria Phoung

Sokchindria,

Thanks your response and feedback! I agree that that the test conducted by the Red Team sure helped reveal how easy it is for attackers to attack, penetrate and infiltrate pretty much every area of the organization, especially the part when they were able to take over the Test Drone and fly it. This shows how important it is for companies/organizations to constantly check and eliminate any vulnerabilities. I agree that the workstations or devices that came into contact with the malware would need to be checked for evidence and more importantly taken off the network to prevent other devices being affected as well.

Thanks for the feedback again. Good luck!

Chris

Cassandra,

You’ve provided some good suggestions to improve the plan such as collecting the

mobile devices that had accessed the company’s network considering the fact that

the network as a whole was breached leaving them susceptible to attacks. Great

point on how to track down the cybercriminals who sent the phishing emails by

gathering the sender information and the HTML of the infected videos.

Good luck!

This study source was downloaded by 100000766134782 from CourseHero.com on 05-23-2022 08:58:35 GMT -05:00

https://www.coursehero.com/file/79442913/CSIA310-Week-3-Discussiondocx/ Powered by TCPDF (www.tcpdf.org)