Develop the Intelligence Debriefing
Project 3, Step 9: SITREP #3
Team United Kingdom: Michael Arizieh, Julian Chandler, Justin Basagic, Ayman Gismalla Mohammed,
Oluwasegun “Saji” Ijiyemi
University of Maryland Global Campus
CMP 670 9047 Capstone in Cybersecurity (2231)
Prof. Thaddeus Janicki
Mar 9, 2023
Table of contents
Introduction
Security Incident Report - SITREP #3
Summary
Introduction
Ransomware is malware that prevents users from using their machines or recovering their information. After an attacker gains unauthorized access and introduces the malware into the victim's system, a ransomware attack typically encrypts or destroys crucial data. Even when the ransom is paid, the files are rarely unlocked and access is rarely restored. For these reasons, the most important files and data should always be kept in a current offline backup.
Security Incident Report - SITREP #3
In this report, our UK team discusses the early findings and lays out the steps our organization plans to take in light of the indicators noted here. Institutions of the Five Eyes (FVEY) Alliance can access US-CERT databases to share incident data and obtain more detailed information on this report. Our UK team also describes the indicators, such as file system alterations, the timing of the occurrence, services, IP addresses, and other actions, that affected parties could use to search their own networks for the ransomware.
Summary Questions:
· What actually happened? What do you know as fact?
An employee's laptop was left in public areas unattended, with the passwords taped to the computer and only visible when it was opened.
· What was said in the letter of resignation? Can this document be trusted as representing the true intentions of Ms. Grascholtz? Why or why not?
No. Even though the letter was password protected, there is no way to prove that Ms. Grascholtz typed it. The resignation letter seemed dubious, although there is no set pattern or flow for this kind of document.
The letter jumps abruptly from worries about a terrible sickness to complaints to management about being extorted and about her family being threatened with "germ warfare packages." According to online searches, the information in the letter is neither specific nor accurate. The ordering and convenience of the list of URLs visited for the actions carried out during the ransomware attack appear consistent with those actions.
· Several staff have commented that the USB devices found in Ms. Grascholtz's work area are of the same type and brand as the USB found inside the server cabinet. Is this significant? Why or why not?
It is impossible to determine the USB device's true origin. It does, however, cast a shadow of doubt over everyone who has access to the server cabinet. Given the precise knowledge of the devices the business uses, this may be an inside job.
· What is the significance of the list of passwords found taped to the laptop?
The fact that the list was visible indicates that several people had the credentials needed to use the device and access the network. As stated in the report, the account was created in accordance with policy, but without elevated rights. Because no supporting evidence was provided for its creation, this strengthens the idea that someone with admin rights created the account.
· What is the significance of a multipartition USB storage device?
This can indicate the purpose for which the USB device was intended. Although multiple partitions are not unusual in themselves, given the nature and seriousness of the circumstances, the partitioning appears designed to conceal information.
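An added forensic illustration, not part of the team's report: parsing the classic MBR partition table of a USB image to enumerate its partitions and flag unallocated regions large enough to hold concealed data. The MBR bytes below are constructed, not taken from the device in this case.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# Well-known MBR partition type identifiers (subset)
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x05: "Extended", 0x0F: "Extended (LBA)", 0x83: "Linux",
              0xEE: "GPT protective"}

@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.type_id, f"unknown (0x{self.type_id:02X})")

def parse_mbr(mbr: bytes) -> list[Partition]:
    """Parse the four primary entries at offset 446 of a 512-byte MBR."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        # entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, type_id, start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if type_id != 0:  # type 0 means an empty slot
            parts.append(Partition(i, status == 0x80, type_id, start, count))
    return parts

def find_gaps(parts: list[Partition], total_sectors: int) -> list[tuple[int, int]]:
    """Return (start_lba, length) of unallocated regions; sector 0 holds the MBR."""
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p.start_lba):
        if p.start_lba > cursor:
            gaps.append((cursor, p.start_lba - cursor))
        cursor = max(cursor, p.start_lba + p.sectors)
    if total_sectors > cursor:  # space after the last partition is a classic hiding spot
        gaps.append((cursor, total_sectors - cursor))
    return gaps

def _entry(boot: bool, type_id: int, start: int, count: int) -> bytes:
    return struct.pack("<B3xB3xII", 0x80 if boot else 0, type_id, start, count)

# Constructed sample: a 250 MiB stick (512000 sectors) with a FAT32 and a Linux partition
SAMPLE_MBR = (b"\x00" * 446 + _entry(True, 0x0C, 2048, 204800)
              + _entry(False, 0x83, 206848, 102400) + b"\x00" * 32 + b"\x55\xaa")
```

Regions reported by `find_gaps` beyond the usual 1 MiB alignment gap at the start should be imaged and examined, since a second hidden partition or raw data may reside there.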
· What conclusions can be drawn from your analysis of the browsing history?
It was a feeble effort to leave a digital trail. This trail was intended to be misleading, but failed in its attempt.
· Is there sufficient evidence to show a link between the Reveton malware and Ms. Grascholtz?
While there may be a fair amount of circumstantial evidence to suggest that Ms. Grascholtz was involved, there is no way to determine definitively that she had a hand in the attack(s).
· Is there evidence supporting the supposition that an insider other than Ms. Grascholtz may have been responsible for the Reveton malware's entry onto the organization's networks?
Yes, but determining that individual would require other methods of investigation and reporting.
· What other conclusions can be drawn from the information you have at hand?
It is reasonable to conclude that this attack was a planned, multi-faceted, and multi-actor inside job.
· What are the next steps that the CISO and staff should take to further this investigation into the Reveton malware?
I advise utilizing CCTV footage to compare network activity time stamps with employee movements within the facility. There is currently only one device under consideration, and the footage can be used to establish who was nearby, particularly those who had no need to be there.
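One way to carry out the correlation recommended above, as an added example rather than the team's own tooling: each network event on a device is matched against CCTV or badge sightings in that device's zone within a time window, and anyone present who is not on the zone's access list is flagged. All events, sightings, zone assignments and access lists below are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed network events: (timestamp, host, description)
NET_EVENTS = [
    ("2023-02-14T22:20:00", "LAPTOP-UK01", "new local account created"),
    ("2023-02-14T22:46:30", "LAPTOP-UK01", "USB mass storage device connected"),
]
# Constructed CCTV/badge sightings: (timestamp, person, zone)
SIGHTINGS = [
    ("2023-02-14T22:15:00", "A. Doe", "open office"),
    ("2023-02-14T22:35:12", "J. Smith", "server room"),
    ("2023-02-14T22:44:58", "A. Doe", "open office"),
    ("2023-02-14T22:47:10", "K. Lee", "open office"),
    ("2023-02-14T23:30:00", "J. Smith", "lobby"),
]
DEVICE_ZONE = {"LAPTOP-UK01": "open office"}          # where the device physically sits
AUTHORIZED = {"open office": {"A. Doe", "J. Smith"}}  # who has a need to be in each zone

def correlate(events, sightings, device_zone, authorized, window_minutes=10):
    """For each event, list people seen in the device's zone within +/- window,
    and the subset of them who are not authorized for that zone."""
    window = timedelta(minutes=window_minutes)
    parsed = [(datetime.fromisoformat(ts), who, zone) for ts, who, zone in sightings]
    results = []
    for ts, host, desc in events:
        t = datetime.fromisoformat(ts)
        zone = device_zone.get(host)
        present = sorted({who for st, who, z in parsed
                          if z == zone and abs(st - t) <= window})
        unexpected = sorted(set(present) - authorized.get(zone, set()))
        results.append((ts, desc, present, unexpected))
    return results

if __name__ == "__main__":
    for ts, desc, present, unexpected in correlate(NET_EVENTS, SIGHTINGS, DEVICE_ZONE, AUTHORIZED):
        print(f"{ts} {desc}: present={present} unexpected={unexpected}")
```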