Evaluating Incident Response Operations
Assessment Code and Task
VUN1: Task 2 Incident and Network Security Artifacts
C845 Task 2
Incident and Network Security Artifacts
The provided artifacts are excerpts and summaries adapted from realistic incident and network data. The artifacts are representative but not exhaustive. You are required to analyze and infer from the available information.
1. Incident Summary and Timeline
Incident: On June 24, 2025, an HR employee opened a malicious PDF attachment from a phishing email, resulting in the installation of a GhostX remote access Trojan (RAT). The IDS detected unusual outbound traffic, triggering containment procedures.
| Time Stamp | Event Description |
|---|---|
| 06/24/2025 – 09:12 | HR user receives phishing email with "Updated Benefits Plan" PDF |
| 06/24/2025 – 09:14 | Attachment opened; malware installed silently |
| 06/24/2025 – 09:52 | Unusual outbound traffic detected by IDS |
| 06/24/2025 – 10:07 | Affected machine isolated from network |
| 06/24/2025 – 11:25 | Malware identified as GhostX RAT |
| 06/24/2025 – 13:45 | Endpoint restored from backup; AV scans initiated on HR subnet |
| 06/25/2025 – 08:30 | Antivirus definitions updated across all endpoints |
| 06/25/2025 – 10:00 | Internal review initiated to evaluate incident handling |
2. Current Incident Response Procedure (Summary)
1. Detection: All alerts monitored through a centralized IDS
2. Notification: On-call IT staff alerted via SMS and email
3. Containment: Affected machine isolated by disabling the network port
4. Eradication: AV and antimalware tools deployed to remove known threats
5. Recovery: Systems restored from the most recent backups
6. Post-Incident Review: Debrief scheduled only if the threat affects multiple departments
3. Network Architecture Diagram (Simplified)
4. Firewall Rule Set (Excerpt)
| Rule # | Source | Destination | Port/Service | Action |
|---|---|---|---|---|
| 100 | Any | Web server | 443 (HTTPS) | Allow |
| 101 | Any | Email server | 25 (SMTP) | Allow |
| 102 | Any | Internal networks | Any | Allow |
| 103 | Internal | External | Any | Allow |
| 104 | Any | Firewall console | 8080 | Allow |
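A small audit script over the rule excerpt above, added here as an example and not part of the task artifacts. It transcribes the five rows into data and applies three generic checks a reviewer would run on any rule base: an Allow rule with both source and service set to Any, a management destination reachable from any source, and an Allow rule that permits every service. The destination name used to recognise the management plane ("Firewall console") is taken from the table; the check logic itself is a starting point, not the assessment's rubric.

```python
"""Audit of the firewall rule excerpt for over-permissive entries.

Added example, not part of the task artifacts. The rule data below is
transcribed from the five-row excerpt on the page; the audit checks are
a generic reviewer's starting point, not the assessment's answer key.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    source: str
    destination: str
    service: str
    action: str


# Transcribed from the "Firewall Rule Set (Excerpt)" table.
RULES = [
    Rule(100, "Any", "Web server", "443 (HTTPS)", "Allow"),
    Rule(101, "Any", "Email server", "25 (SMTP)", "Allow"),
    Rule(102, "Any", "Internal networks", "Any", "Allow"),
    Rule(103, "Internal", "External", "Any", "Allow"),
    Rule(104, "Any", "Firewall console", "8080", "Allow"),
]

# Destinations that are management planes and should never be reachable
# from an unrestricted source. Assumption: the name matches the table text.
MANAGEMENT_DESTINATIONS = {"Firewall console"}


def audit_rule(rule: Rule) -> list[str]:
    """Return human-readable findings for one rule (empty list if clean).

    Only Allow rules are examined; a Deny rule cannot widen exposure.
    """
    findings: list[str] = []
    if rule.action.lower() != "allow":
        return findings
    src_any = rule.source.lower() == "any"
    svc_any = rule.service.lower() == "any"
    if src_any and svc_any:
        findings.append("any source to any service: no ingress filtering")
    elif src_any and rule.destination in MANAGEMENT_DESTINATIONS:
        findings.append("management interface reachable from any source")
    elif svc_any:
        findings.append("all services permitted: no egress filtering")
    return findings


def audit(rules: list[Rule]) -> dict[int, list[str]]:
    """Map rule number -> findings, omitting rules with no findings."""
    results: dict[int, list[str]] = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            results[rule.number] = findings
    return results


if __name__ == "__main__":
    for number, findings in sorted(audit(RULES).items()):
        for finding in findings:
            print(f"rule {number}: {finding}")
```

Run against the excerpt, the script reports rules 102, 103 and 104 and leaves 100 and 101 alone. Rule 103 is the one that matters for the timeline: the 09:50 outbound connection from 10.1.1.45 to 45.33.122.88 flagged by the IDS is internal-to-external traffic on an arbitrary port, which this rule permits.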
5. IDS Alert Log (Excerpt)
| Time Stamp | Alert Type | Source IP | Destination IP | Description |
|---|---|---|---|---|
| 06/24/2025 – 09:50 | Outbound C2 Traffic | 10.1.1.45 | 45.33.122.88 | Possible GhostX RAT traffic |
| 06/24/2025 – 10:14 | Port Scan Attempt | 162.155.10.102 | 10.1.2.4 | External host scanning internal subnet |
| 06/24/2025 – 10:45 | Unauthorized Access | 10.1.1.45 | 10.1.2.10 | Lateral movement via SMB |
| 06/25/2025 – 08:02 | Suspicious DNS Query | 10.1.1.45 | 8.8.8.8 | Query to known malicious domain |
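The check an analyst would run first on this log is to line the alerts up against the containment timeline: a host that was isolated at 10:07 and restored from backup at 13:45 should not appear as a source after those times. The script below, added as an example and not part of the task artifacts, parses the four alert rows (transcribed into pipe-delimited lines), then labels each alert by the response phase it falls after. Treating 10.1.1.45 as the HR endpoint is an assumption drawn from its role as the source of the first C2 alert; the page does not name the host.

```python
"""Correlate IDS alerts with the containment and recovery timeline.

Added example, not part of the task artifacts. The alert lines and the
isolation/restore timestamps are transcribed from the page; the
correlation logic is a generic analyst check, not the assessment's
answer key.
"""
from datetime import datetime

# Transcribed from the "IDS Alert Log (Excerpt)" table, one alert per line.
IDS_LOG = """\
06/24/2025 09:50 | Outbound C2 Traffic | 10.1.1.45 | 45.33.122.88 | Possible GhostX RAT traffic
06/24/2025 10:14 | Port Scan Attempt | 162.155.10.102 | 10.1.2.4 | External host scanning internal subnet
06/24/2025 10:45 | Unauthorized Access | 10.1.1.45 | 10.1.2.10 | Lateral movement via SMB
06/25/2025 08:02 | Suspicious DNS Query | 10.1.1.45 | 8.8.8.8 | Query to known malicious domain
"""

# From the incident timeline: isolated at 10:07, restored from backup at 13:45.
ISOLATED_AT = datetime(2025, 6, 24, 10, 7)
RESTORED_AT = datetime(2025, 6, 24, 13, 45)

# Assumption: the source of the first C2 alert is the HR endpoint.
HR_HOST = "10.1.1.45"

TIME_FORMAT = "%m/%d/%Y %H:%M"


def parse_alerts(text: str) -> list[dict]:
    """Parse pipe-delimited alert lines into dicts, skipping blank lines."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, src, dst, desc = (field.strip() for field in line.split("|"))
        alerts.append({
            "time": datetime.strptime(ts, TIME_FORMAT),
            "type": kind,
            "src": src,
            "dst": dst,
            "desc": desc,
        })
    return alerts


def post_containment_activity(alerts: list[dict], host: str,
                              isolated_at: datetime) -> list[dict]:
    """Alerts in which the supposedly isolated host is still the source."""
    return [a for a in alerts if a["src"] == host and a["time"] > isolated_at]


def classify(alert: dict, isolated_at: datetime, restored_at: datetime) -> str:
    """Label an alert by which response phase it calls into question."""
    if alert["time"] <= isolated_at:
        return "pre-containment"
    if alert["time"] <= restored_at:
        return "containment gap"          # host active after isolation
    return "eradication/recovery gap"     # host active after restore from backup


if __name__ == "__main__":
    parsed = parse_alerts(IDS_LOG)
    for alert in post_containment_activity(parsed, HR_HOST, ISOLATED_AT):
        label = classify(alert, ISOLATED_AT, RESTORED_AT)
        print(f"{alert['time']:%m/%d %H:%M} {alert['type']:<22} -> {label}")
```

Two of the four alerts survive the filter: the 10:45 SMB lateral movement from 10.1.1.45 falls between isolation and restore, and the 08:02 DNS query the next day falls after the restore from backup. Both are the kind of evidence a post-incident review would want explained before closing the ticket, which is a reason to question the procedure's rule that a debrief is held only when multiple departments are affected.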