Incident Scenario - Final

INCIDENT SCENARIOS
IT GOVERNANCE
MAY 31, 2018

ESCOM-IPN
GONZÁLEZ HERNÁNDEZ FAVIO EMMANUEL
INCIDENT SCENARIOS
Contents
SCENARIO 1 ......................................................................................................................................... 2
ERRADICATION – SOLUTIONS.......................................................................................................... 3
POST INCIDENT ................................................................................................................................ 3
SCENARIO 2 ......................................................................................................................................... 4
Analysis............................................................................................................................................ 4
Scenario 3: Stolen Documents ............................................................................................................ 6
Scenario ........................................................................................................................................... 6
Analysis............................................................................................................................................ 6
Scenario 6: Unauthorized Access to Payroll Records .......................................................................... 8
Analysis............................................................................................................................................ 8
Erradication - Solutions ................................................................................................................... 9
Post incident.................................................................................................................................. 10
Scenario 7: Disappearing Host .......................................................................................................... 10
Analysis.......................................................................................................................................... 10
Post-Incident ................................................................................................................................. 12
General Questions:........................................................................................................................ 12
Scenario 8: Telecommuting Compromise ......................................................................................... 13
Analysis.......................................................................................................................................... 13
Detection and Analisys .................................................................................................................. 14
Post Incident.................................................................................................................................. 16
Scenario 9: Anonymus Threat ........................................................................................................... 18
Analysis.......................................................................................................................................... 18
Detection and Analysis .................................................................................................................. 18
Post Incident.................................................................................................................................. 19
General Questions ......................................................................................................................... 20
pg. 1
INCIDENT SCENARIOS
SCENARIO 1
Case: Altered DB.
Analysis
Would the organization consider this activity to be an incident?
Yes, an attack is considered an incident
If so, which of the organization’s policies does this activity violate?
If there are sensible information the privacy policies would be violated
What measures are in place to attempt to prevent this type of incident from
occurring or to limit its impact?
Simulating an attack to find vulnerabilities or defects in the system,
employing white hat hackers.
What precursors of the incident, if any, might the organization detect? Would any
precursors cause the organization to take action before the incident occurred?
The IDPMs, can implement an alarm, and the team of IT department can
take measures to reduce the impact.
What indicators of the incident might the organization detect? Which indicators
would cause someone to think that an incident might have occurred?
Traffic Data in the network
Integrity of files
What additional tools might be needed to detect this particular incident?
Use different DB systems or implement a security protocol in the IT
department
How would the incident response team analyze and validate this incident? What
personnel would be involved in the analysis and validation process?
Using security tools certified by the international organizations and validate
incident severity to get better results.
To which people and groups within the organization would the team report the
incident?
For the IT department and project managers.
How would the team prioritize the handling of this incident?
With the impact level that it had, for example, if the system continuing
functioning, or the information isn’t necessary to the system functions.
pg. 2
INCIDENT SCENARIOS
ERRADICATION – SOLUTIONS
What strategy should the organization take to contain the incident? Why is this
strategy preferable to others? And Why?
Using the back-up of the DB, while the original DB is being analyzed,
monitor the event of the system without advice the personnel and in this way
the attacker can be identified
What could happen if the incident were not contained? Did it got
contained/controled?
Can exist a information theft, or continuing the modifies to the DB
Which personnel would be involved in the containment, eradication, and/or recovery
processes?
The response team, or the DB management team, or in an extreme case,
some ethical hackers team
What sources of evidence, if any, should the organization acquire? How would the
evidence be acquired? Where would it be stored? How long should it be retained?
Everything that could had been reported: date, personnel, network flow, if an
extra event has happened, if a data by the attacker was forgotten or put in
the host, and should stay as a report in a document, for a future need
POST INCIDENT
Who would attend the lessons learned meeting regarding this incident?
All the personnel involucrate: managers, DB managers, response team,
executives, ethical hackers team
What could be done to prevent similar incidents from occurring in the future?
Count with a response process and the correct documentation of the
incident, if it happened; and make a simulation, to check if the vulnerability
was closed or controlled
What could be done to improve detection of similar incidents?
Implement software, like firewalls or antivirus, and increment the system
vigilance
What is the future strategy to take?
keep monitored the BD, and implements software to make safely the host
pg. 3
INCIDENT SCENARIOS
SCENARIO 2
What is a worm?
A worm is a program with the capacity of reproduce itself, this program can
travel across the network using bash or shell commands.
Scenario
One week ago, three computers were infected by a worm, it arrives by e-mail
with dangerous links or even attached files.
Analysis
Would the organization consider this activity to be an incident? If so, which of the
organization’s policies does this activity violate?
Yes it is and it would violate the policy in which it talks about not opening e-
mails in the computers of the company
-Have an effective antivirus and that is updating to date.

-Have the Windows firewall activated or the firewall that incorporates our
security application.
-Perform a safe and prudent navigation, trying to avoid pages with dubious
reputation.
-Avoid running files that we do not trust 100%, this includes the attachments
that we receive by email.
-Avoid installing illegal applications or key generators because there are
some legal consequences.
The personnel who violates security policies, previous computer attacks and
knowledge of computer attacks even outside the company.
Unusual behavior, slowdown and errors in system processes.
Run routine tests, hire personnel in charge of an immediate response only to
cyber attack.
pg. 4
INCIDENT SCENARIOS

By Protecting secret and confidential information, other information, such as
scientific data, about property or the managerial scope, information from
their environment.
And last, but not least, protecting hardware against attack. This includes
protecting against the loss or modification of system files and against
physical damage to the hardware. Damage to the systems can result in a
cost of activity time.
ERRADICATION – SOLUTIONS
Keeping up to date with operating systems and all other software patches and
updates will help reduce the risk due to newly discovered vulnerabilities,
because it’s the only way to prevent a future attack.
What could happen if the incident were not contained? Did it got contained/controled
?
The computer equipment would be practically useless and the information
would be lost.
processes?
Operational and IT staff
Recovery of lost information and system tests, by recovered files, databases,
etc./It can be stored in an indicent file of the organization and it should be
retained at least one year.
pg. 5
INCIDENT SCENARIOS
Scenario 3: Stolen Documents

Scenario
Last week a supervisor discovers that an employee has recently downloaded
thousands of pages of confidential Company billing and financial information, and e-
mailed it to her personal e-mail address. Upon further investigation, the supervisor
discovers that the employee has asked other employees to also send Company
documents to her personal e-mail address.
Analysis
Yes, it is and it would violate the privacy policy of information security and
even the privacy agreement
What measures are in place to attempt to prevent this type of incident from occurring
or to limit its impact?
Secure the electronics
Do not visit forbidden pages
Do constant psychological tests
Processes identical to ours in other companies
leakage
Low performance by staff
What indicators of the incident might the organization detect? Which indicators would
cause someone to think that an incident might have occurred?
Unusual behavior, low performance by personnel, smooth information leaks
Psychological examinations to the personnel
Analyze where the leakage of information comes from, once detected, if it is
by the staff, apply the corresponding sanction, if it is external, check the
system.
pg. 6
INCIDENT SCENARIOS
incident?
To all staff to avoid recidivism and also operating staff, even subcontracted
personnel.
The staff should review the information that was taken and determine whether
the information was already publically available or whether it contains
Company confidential or trade secret information.
ERRADICATION - SOLUTIONS
The Company should involve its internal IT Security department or an
outside IT security/forensic specialist to assess and remedy the data breach
?
Which personnel would be involved in the containment, eradication, and/or
recovery processes?
We could lose the trust of our customers, the personnel that can be involved, could
be all the personnel, but specially, subcontrated personnel and operating personnel.
What sources of evidence, if any, should the organization acquire? How would
the evidence be acquired? Where would it be stored? How long should it be
retained?
Leakage of information, evidence can be acquired by tracking the source of the
information leak and the evidence should be recorded for life, so that it remains in
the file of the person who leaked it.
POST INCIDENT
Operational, IT and management personnel, high management staff
The common case of information leaks is ‘Whistleblowing’, some
recomendations are:
Listen to the Whistleblower, Do Not Overpromise and Conduct a Fair
Investigation
pg. 7
INCIDENT SCENARIOS

The Company should probe the extent of the personal transfers, transfers
from others, and whether the employee has disclosed the documents to third
parties.
Analyze similar behaviors and activate prevention alerts every time that this
is repeated
Scenario 6: Unauthorized Access to Payroll Records

On a Wednesday evening, the organization’s physical security team receives a call
from a payroll administrator who saw an unknown person leave her office, run
down the hallway, and exit the building. The administrator had left her workstation
unlocked and unattended for only a few minutes. The payroll program is still logged
in and on the main menu, as it was when she left it, but the administrator notices
that the mouse appears to have been moved. The incident response team has
been asked to acquire evidence related to the incident and to determine what
actions were performed.
Analysis
Yes, this activity is an incident, the information issues are always a security
problem, in this case, the info of the employees are personal info, so, there
is a big security problem
access control and security cameras
yes, having a control on the door of the building, having an excellent control
of access the organization can prevent this happening
the mouse evidence shows us that something happen, the question is, what
happen?
pg. 8
INCIDENT SCENARIOS

the additional tools may be a software and hardware to control access and
security cameras, to have evidence if there is an intruder
the analysis will content the impact level, calculated using a framework, to
know which will be the priority of the issue
incident?
if the impact is high, the issue will be showed to the high range of the
organization, if we have low impacto only to the supervisor of the area, and
the administrator involved
seen the impact level, and comparing with the other security issues, if this is not t
he only one
Erradication - Solutions
The strategy may be the recognition of the impact level to make it priority or
not, after that recognize the people involved, and the data involved, to take
legal action
if that happen we must see how much it will afect the organization to make a
strategy to to minimize damage as much as possible
Which personnel would be involved in the containment, eradication, and/or
recovery processes?
The risk control team, and the departament involved
the evidence will keep save only if it is useful to an investigation or legal
action, if is useless it must be deleted
pg. 9
INCIDENT SCENARIOS
Post incident
People that handle information of the organization
Make conscience of the impact of the bad handeling of info, also restructure
the security protocols
Having more security personal, and having a better access control
Beef up the access control, make conscience of the culture of blocking
computers if you are not there, and register if any employee is using a
device that is not of him
Scenario 7: Disappearing Host

On a Thursday afternoon, a network intrusion detection sensor records vulnerability
scanning activity directed at internal hosts that is being generated by an internal IP
address. Because the intrusion detection analyst is unaware of any authorized,
scheduled vulnerability scanning activity, she reports the activity to the incident
response team. When the team begins the analysis, it discovers that the activity has
stopped and that there is no longer a host using the IP address.
Analysis
Yes, because that activity was not scheduled.
Have a plan before notifying the incident team in order to gain time and detect
the activity on time.
The IDPSs or SIEMs.
No, because these precursors act when the activity is occurring.
pg. 10
INCIDENT SCENARIOS
Unusual behavior, network flows, Information on new vulnerabilities and
exploits
Create an incident response policy, Select people with appropriate skills for
the incident response team, Host Security, using Incident Databases.
The activity coming from the host is not being done by anyone authorized.
Person in charge of the monitoring of system anomalies and vulnerabilities
incident?
To those in charge of monitoring the activity and the area
Depending on the information that could be affected in the equipment or
equipment, information Impact of the Incident.
What strategy should the organization take to contain the incident? Why is
this strategy preferable to others? And Why?
?
There could be information leakage, even a spread
processes?
Network managers
Secure storage facility, removable media.
180 days.
pg. 11
INCIDENT SCENARIOS
Post-Incident
Those in charge of each area of the organization, in order to facilitate the
process, they would be in charge of transmitting.
Have a meeting talking about the summary of the problem, the process to
recover the DNS server functionality and problems during the process of
recovery and eradication.
The organization needs to be cleverer and think beyond what is actually being
implemented. Having a intelligent monitoring control and security of critical
infrastructure systems using technologies such as artificial intelligence,
machine learning, pattern detection can leave the organization one step
further of detection of incidents.
Stays updated, otherwise the strategy must be updated.
Which other vectors are considered to be taken as a major risk?
Improper usage of information.
General Questions:
How many people and organizations got involved in this incident? All the
organization is affected by the attack, the hosts are very important to the org
To which external parties would the team report the incident? When would
each report occur? How would each report be made? What information would
you report or not report, and why? The info that we must report may be only
shared if is necessary, also, only to the people whose interests were involved
What other communications with external parties may occur?
just the necessaries ones
What tools and resources would the team use in handling this incident?
software to control and register the IPs that accesses to system
What aspects of the handling would have been different if the incident had occurred
at a different day and time (on-hours versus off-hours)?
It only means that the attack is from someone that knows a lot of the company
pg. 12
INCIDENT SCENARIOS
It means that the attack is from someone that have abilities to hack, maybe someone
paid by the competence
Scenario 8: Telecommuting Compromise

On a Saturday night, network intrusion detection software records an inbound
connection originating from a watchlist IP address. The intrusion detection analyst
determines that the connection is being made to the organization’s VPN server and
contacts the incident response team. The team reviews the intrusion detection,
firewall, and VPN server logs and identifies the user ID that was authenticated for
the session and the name of the user associated with the user ID.
Analysis
Yes, due to the fact that the IP adress belongs to a known attacker (beacuse it was
already in the watchlist) so it has to be an attack which is considered as an incident.
User Awareness and Training: Users should be made aware of policies and
procedures regarding appropriate use of networks, systems, and applications.
Applicable lessons learned from previous incidents should also be shared
with users so they can see how their actions could affect the organization.
Improving user awareness regarding incidents should reduce the frequency
of incidents. IT staff should be trained so that they can maintain their
networks, systems, and applications in accordance with the organization’s
security standards.
Network Security. The network perimeter should be configured to deny all
activity that is not expressly permitted. This includes securing all connection
points, such as virtual private networks (VPNs) and dedicated connections to
other organizations.
Host Security. All hosts should be hardened appropriately using standard
configurations. In addition to keeping each host properly patched, hosts
should be configured to follow the principle of least privilege—granting users
only the privileges necessary for performing their authorized tasks. Hosts
should have auditing enabled and should log significant security-related
events. The security of hosts and their configurations should be continuously
monitored.
pg. 13
INCIDENT SCENARIOS
Detection and Analisys

The IP adress detected by the incident response team was already in the
watchlist, so it has to exist a record associated with that IP, and the record can
be use to take action before the attacker acts.
One of the indicators could posible be people from within the organization,
specifically people who works with the owner od the ID who gave the
authentication to the IP of the attacker. It was posible for someone to notice some
strange behavior and on the other hand maybe a Network flows which is a
particular communication session occurring between hosts. And the last one
could be Operating system, service and application logs that allows you to
monitor what accounts were accessed and what actions were performed.
IDPS products, which use attack signatures to identify malicious activity; the
signatures must be kept up to date so that the newest attacks can be detected,
also, IDPS software often produces alerts that indicate malicious activity is
occurring.
The incident response team has already one ID user related to the incident, so,
by verifying the actions executed by this user, it will be very likely to check if the
authentication to the attacker was gave it or not. And the personnel involved in
this process should be the incident response team and the user associated with
the ID user.
incident?
 CIO
 Local information security officer
 Server owner
 Human resources
It involves various departments because the one who gave the authentication
was an employee, even when the IP address was on the watchlist and it could
be more, depending of what was the last attack realized by the attacker related.
pg. 14
INCIDENT SCENARIOS
The attack hasn’t ocurrered yet, so it depends of the record that the team has
related to the attacker, probably is looking for something related to that.
The best way to act in this incident would be redirect the attacker to a sandbox
(a form of containment) so that they can monitor the attacker’s activity to gather
additional evidence. This could be posible because the attack was detected in
time, before the attacker acts.
The possibilities are a lot, but the most probable cases are
Identity impersonation
Modification and deletion of information
or, as mentioned, something similar to the previous attack related to the attacker.
processes?
The incident response team
The server owner
The local information security officer
The sources of evidence could be:

Indicators related to the incident
Other incidents related to this incident
Actions taken by all incident handlers on this incident
And if it is possible that the attacker will be prosecuted, evidence may need to be
retained until all legal actions have been completed. Furthermore, evidence that
seems insignificant now may become more important in the future. For example,
if an attacker is able to use knowledge gathered in one attack to perform a more
pg. 15
INCIDENT SCENARIOS
severe attack later, evidence from the first attack may be key to explaining how
the second attack was accomplished, as happened in this case.
Post Incident
Employees who have access to server authentication and those who control
them.
The use of IDPS products, which use attack signatures to identify malicious
activity.
The future strategy must be based in the information obtained from the actions
that were taken (redirecting the attacker to a sandbox).
General Questions:
How many people and organitazions got involved in this incident?
The persons involved in this incident were the attacker the ID user owner, the
inciden response team,
To which external parties would the team report the incident? When would each
report occur? How would each report be made? What information would you report
or not report, and why?
The information obtained from the first attack and the attempt of attack , the
incident response team should report the incident to the US-CERT (United
States Computer Emergency Readiness Team) beacuse in this way the US-
CERT analyzes the information to identify trends and indicators of attacks
related to the IP address from the watchlist.
The use of IDPS systems and the redirecting the attacker to a sandbox.
Probably the attacker would have acted against the company before being
stoped, because the alert would not have been detected in time by the teams
involved.
pg. 16
INCIDENT SCENARIOS
Specific Questions
What should the team’s next step be (e.g., calling the user at home, disabling the
user ID, disconnecting the VPN session)? Why should this step be performed first?
What step should be performed second?
First, the user should be questioned about the intentions of the attack,
because in this way they will be able to act with greater security and reinforce
the points that are necessary to avoid the attack at all costs, and the next step
shoul be disabling the user ID, so the user Will no be able to do that again,
and if it is necessary to dismiss the employee.
How would the handling of this incident differ if the external IP address belonged to
an open proxy?
The handling of this incident should be considered as an action to take
immediately, since basically anyone can access through the open proxy, and
would incur many more people and departments than were previously taken
into account. It would not be necessary to resort to the record first, because
the first action should be to close that access before anything happens.
How would the handling of this incident differ if the ID had been used to initiate VPN
connections from several external IP addresses without the knowledge of the user?
The network intrusion detection software still records an inbound connection
originating from a watchlist IP address, even when the user had no knowledge
of what was happening, so the actions should be the same because the alert
would have reached to the intrusion detection analyst
Suppose that the user installed antivirus software and determined that the Trojan
horse had included a keystroke logger. How would this affect the handling of the
incident? How would this affect the handling of the incident if the user were a system
administrator? How would this affect the handling of the incident if the user were a
high-ranking executive in the organization?
Probably confidential information would be exposed through the capture of
what is entered through the keyboard, so the first action to take, before those
mentioned above, would be the uninstallation of the antivirus and the
disinfection of the computer of any element that puts the process that is going
to be taken against the attacker at risk, since it could detect what are the
measures that are taken to counteract him and evade them.
pg. 17
INCIDENT SCENARIOS
Scenario 9: Anonymus Threat

On a Thursday afternoon, the organization’s physical security team receives a call
from an IT manager, reporting that two of her employees just received anonymous
threats against the organization’s systems. Based on an investigation, the physical
security team believes that the threats should be taken seriously and notifies the
appropriate internal teams, including the incident response team, of the threats.
Case: The attack of the website of the company
Analysis
Yes, it should be considered as an incident, because there is a threat
involved, which means it will be a possible attack.
The principal solution to limit its impact is to have backups of servers where
the website is hosted and to keep a constant monitoring in purpose to verified
if there isn’t a damaged.
Detection and Analysis

The threats, since someone who wants to damage the company first wants to
tell them so they know about their action (even anonymously)
For this particular case, the company would realize very quickly, either
because they check it themselves or through customer reports.
For physical security, have someone to constantly review the page and for logically
or digitally, it could be the same but using software.
The team could first try to identify if the cause of the problem works for the
same company, knowing that, the solution that can be given to the problem is
different.
pg. 18
INCIDENT SCENARIOS
incident?
First I think that they should fix the problem and try to raise the page again,
once it is achieved, it will be possible to notify the managers of it, since time
is of the essence to solve these problems.
As answered in the question above, the main thing is the management of the
problem in time limit, it must be fast and efficient, in order to have the problem
the shortest time.
It is known that computer crimes exist and will exist forever, since it is a way
of expressing oneself and having less risk of being trapped, the only thing that
can be done is having a team specially dedicated to recover the page when it
is damaged.
?
The main thing is to know about the page that is damaged, since it is not the
same one that is pure information to another that is finance.
processes?
In the three processes should be web developers, since they are those who
know the source code of the page.
They could hire a system to record the screens of the server and in this way
to know what type of errors are displayed and thus discard many possibilities.
Post Incident
All, since it is something that affects all the advertising of the company, in
addition to its privacy management.
pg. 19
INCIDENT SCENARIOS
We can avoid it with more security and with copies of servers, so you should
throw many and not just one if you want to damage the website.
First, these types of attacks must be viewed in a certain way, and that is an
inversely proportional relationship, to more attacks, less exposed are left as
you learn from each of them.
Have a recording system of server screens to keep records of those that may
end up being evidence of the crime.
Which other vectors are considered to be taken as a major risk?
I think that something greater could be the loss of classified information.
General Questions
How many people and organizations got involved in this incident?
Senior management, the IT manager, database providers (with restricted
information), and finally, users that were involved in oder to raising awareness
about information management and training them in this topic.
To which external parties would the team report the incident? When would each
report occur? How would each report be made? What information would you report
or not report, and why? Which measures did you take for this report?
It would be reported in the event of theft of secret and confidential information.
It would be reported to the cyber police. In another situation, it is preferable
not to report this information, as disclosure may put a greater risk to the
already threatened company. Someone with access to the third party's
information could become aware of our issues, because we do not control the
access protocols of the external parties.
What other communications with external parties may occur?
They can be continuously asked for information about the security
mechanisms used by the software (in the case of suppliers). Otherwise,
communication with third parties will be restricted.
The access verification resource will be used, by means of scripts, to identify
access patterns to the company data, and if necessary to identify deviations
from it.
pg. 20
INCIDENT SCENARIOS
Since it is an anonymous threat, the actions in this case would have been the
same since it is about preventing an incident and minimizing the risk of
unauthorized access.
at a different physical location (onsite versus offsite)?
In this case it was assumed that the threat was external, but if the anonymous
threat had been detected inside the company, then actions to review access
and communication logs would have been necessary with higher priority. It
should be relatively easy to identify the origin of such an anonymous threat if
it occurred indoors. In the case of the threat that occurs from outside, it is
necessary to investigate the incident, identify the sources of threat, and if
necessary, proceed legally to mitigate it.
pg. 21

Incident Scenario - Final

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Incident Scenario - Final

Uploaded by

Copyright:

Available Formats

INCIDENT SCENARIOS

MAY 31, 2018

-Have an effective antivirus and that is updating to date.

How would the team prioritize the handling of this incident?

Scenario 3: Stolen Documents

What could be done to improve detection of similar incidents?

Scenario 6: Unauthorized Access to Payroll Records

What additional tools might be needed to detect this particular incident?

Scenario 7: Disappearing Host

Scenario 8: Telecommuting Compromise

Detection and Analisys

The sources of evidence could be:

Scenario 9: Anonymus Threat

Detection and Analysis

You might also like