6-2 Final Project Milestone Two: Courses of Action Table
Southern New Hampshire University
ISE-620-Q1513 Incident Detection & Response 23TW1
10/29/2023
Objective:
The help desk was notified after an increase in complaints about the banking portal came in around 10 a.m. on May 25. I decided to try to access the bank website from my desktop but was unable to. Instead, a message from the hackers was displayed. When the firewall logs were analyzed, the appliance's CPU and memory statistics were pegged at 95% utilization, and there were issues when trying to SSH into the appliance to gather log data. Once logs were able to be pulled, hundreds of pings were found from a single foreign IP address that is linked to nefarious cybercrime activities. At 1 p.m., the hacktivist attack stopped, and all functions of the system resumed as normal. The investigation revealed that the perimeter firewall and server logs showed the IP address connected to each server in the bank's public IP address range on May 10, 18, and 23. The bank's email messaging server connected with the hacker IP address more often than the other systems. Further analysis found several email social engineering attempts that were successful in allowing the hackers access as well as transferring funds.
Table columns, as grouped in the original: Attack Methods and Features (Attack Phase, Step, Attack Action(s): Describe Malicious Attack); Detection Location and Methods (Indicator(s) of Attack, Detection Point); Response Method (Defensive Countermeasure(s)); Response Objective (Defensive Phase).

Step 1
Attack Phase: Targeting
Attack Action(s): Identify an insecure public-facing target section.
Indicator(s) of Attack:
~ Firewall and server logs showed a spike in traffic from a foreign IP address, with hundreds of pings.
Detection Point:
~ Web server logs
~ Firewall logs
Defensive Countermeasure(s):
~ Catalog the suspicious IP address for further analysis.
~ Conduct targeted research into the IP address registration and DNS data.
Defensive Phase: Preparation

Step 2
Attack Phase: Reconnaissance
Attack Action(s): Gather as much information as possible, identifying the targets and determining where they are vulnerable.
Indicator(s) of Attack:
~ Multiple failed login attempts
~ Separate access days: May 10, 18, 23, and 25
~ Phishing emails directed at employees, designed to extract information and gain access
Detection Point:
~ IDPS alerts
~ Email spam filters
~ Email send/receive logs
Defensive Countermeasure(s):
~ Installation of antimalware software.
~ Installation of an intrusion prevention system (IPS) that blocks attacks and alerts on suspicious activity.
~ Close idle/unused ports and access points.
~ Reconfigure firewall rules, such as inbound/outbound rules, and blacklist suspicious IP addresses.
Defensive Phase: Identification

Step 3
Attack Phase: Weaponization
Attack Action(s): Generating malware and coupling it with an exploit into a deliverable payload for the attack.
Indicator(s) of Attack:
~ Reports of performance issues and unusual behavior from end users
~ Anti-virus detected malicious files and a trojan remote access tool installed
Detection Point:
~ Server logs
~ Anti-virus/malware detection logs
~ Event Viewer logs
~ End-user detection
Defensive Countermeasure(s):
~ Update the anti-virus/malware detection solutions and apply system patching.
~ System availability.
~ Detection of known malicious viruses/programs when cross-checked (i.e., trojan remote access tools, malware from a phishing email link, etc.).
Defensive Phase: Identification

Step 4
Attack Phase: Exploitation
Attack Action(s): An identified vulnerability is taken advantage of to benefit the attacker and victimize the recipient.
Indicator(s) of Attack:
~ Suspicious activities discovered, such as unfamiliar IP addresses, unusual usernames, and unfamiliar programs.
~ Recognition of websites connected with the multiple phishing emails/videos sent to employees with malicious intent.
Detection Point:
~ Endpoint anti-virus software detection
~ SIEM platform
~ IDPS
~ Firewall alerts
Defensive Countermeasure(s):
~ Install/update anti-virus/malware software and run patches.
~ Installation and update of IDPS.
~ Cybersecurity awareness training and education for all employees on phishing attacks such as this one and the other attack methods being used.
Defensive Phase: Identification
Step 5
Attack Phase: Installation
Attack Action(s): Installing malware onto victim servers and creating open, easy access points to transfer information back and forth, as well as gaining control of the system.
Indicator(s) of Attack:
~ Recurring system crashes
~ System performance issues
~ Unfamiliar processes running in Task Manager
Detection Point:
~ Windows log files, end-user detection, Event Viewer logs
~ Malware/anti-virus detection logs
Defensive Countermeasure(s):
~ Removal of all foreign and malicious programs/malware.
~ Apply patches and software updates, rolling back to the version in place before the attack if necessary.
~ Change and tighten login credentials; consider enforcing MFA in addition to passwords.
~ Close compromised ports/access points until the threats are cleared.
Defensive Phase: Identification

Step 6
Attack Phase: Command & Control (C2)
Attack Action(s): Clear and secure communication methods between the attack system and the compromised user(s) allow full control of and access to the internal workings without the knowledge of the user.
Indicator(s) of Attack:
~ Uptick in traffic patterns, including excessive bandwidth usage
~ Communication with well-known malicious domains associated with this kind of attack
~ Suspicious processes and programs running in the background of the system
~ Large amounts of data transfer found in the logs
Detection Point:
~ IDPS
~ System logs, firewall logs, server logs
~ Email sent/received history logs
~ Suspicious IP address connections
Defensive Countermeasure(s):
~ Utilize firewalls to monitor incoming and outgoing traffic.
~ Network deactivation of unused systems.
~ Employ a proxy server for different ports such as DNS, FTP, HTTP, etc.
~ Analyze and monitor logs in real time to watch bandwidth usage.
Defensive Phase: Containment

Step 7
Attack Phase: Actions on Objectives
Attack Action(s): Attacker(s) can now actively access all server information, move freely within the network to collect and access all sensitive information, corrupt data, and even destroy systems.
Indicator(s) of Attack:
~ Hackers gained unauthorized access to the network
~ Successfully created a denial-of-service attack that overloaded the system and caused end users to be unable to log in
~ Hackers were able to gain entry and access privileged user accounts to leverage against others
~ Hackers were able to achieve financial gain through employees transferring money into their accounts
Detection Point:
~ End users can no longer access the banking portal
~ Internal employees cannot access the system via hardwired connections
~ Portal lockout
Defensive Countermeasure(s):
~ Identify the attack source/location.
~ Disable/lock the system to prevent the attack from spreading from its point of entry.
~ Review all file movement and determine whether any files have been moved, altered, deleted, etc.
~ Implement the Incident Response Plan.
Defensive Phase: Eradication

Step 8
Attack Phase: Analysis
Attack Action(s): Post-incident response session for stakeholders to review the incident, analyze the documentation of the incident, determine what went correctly, and identify where there are still areas for improvement.
Defensive Countermeasure(s):
~ Review the efficacy of the Incident Response Plan.
~ Review all documentation taken at each step of the attack, containment, eradication, and recovery.
~ Formulate ways to improve, with a timeline so that actions can be taken as soon as possible.
Defensive Phase: Lessons Learned
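The log review described in the Objective and the detection points in Steps 1 and 6 (hundreds of pings from one foreign IP address, which public servers that address contacted on May 10, 18 and 23, with the mail server contacted most often, and large amounts of data transfer in the logs) can be expressed as a repeatable triage script. The following is an added example for illustration; it is not part of the original milestone document and not the output of the bank's appliance or any course tool. The log line format, the thresholds, and the IP addresses (RFC 5737 test ranges: 203.0.113.45 as the foreign source, 198.51.100.0/24 as the bank's public range) are all constructed assumptions. It goes slightly beyond the table by applying the per-source byte threshold of Step 6 to every source in the log rather than only to the known IP.

```python
"""Firewall-log triage for the indicators in the Objective and in table
Steps 1 and 6: a burst of ICMP echo requests ("hundreds of pings") from one
external source, which public hosts that source contacted and on which days,
and which source accounted for the largest volume of data transfer.

Added example for illustration; not from the original document. The log
format, thresholds and IP addresses are constructed (RFC 5737 test ranges),
not the bank's real appliance output.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed roles (assumption): 203.0.113.45 is the foreign source from the
# scenario; 198.51.100.0/24 stands in for the bank's public address range.
ATTACKER = "203.0.113.45"
MONITOR = "198.51.100.2"      # internal uptime monitor that legitimately pings
WEB, VPN, MAIL = "198.51.100.80", "198.51.100.43", "198.51.100.25"


def _line(ts, proto, src, dst, nbytes, dport=None):
    """Render one record in the constructed format:
    <ISO timestamp> proto=<P> src=<ip> dst=<ip> [dport=<n>] bytes=<n>"""
    port = f" dport={dport}" if dport is not None else ""
    return f"{ts} proto={proto} src={src} dst={dst}{port} bytes={nbytes}"


def build_sample_log():
    """Constructed log lines that mirror the scenario's findings."""
    lines = []
    # Earlier contact with each public host on May 10, 18 and 23, the mail
    # server most often (two web, one VPN and six SMTP connections per day).
    for day in (10, 18, 23):
        for dst, dport, n in ((WEB, 443, 2), (VPN, 443, 1), (MAIL, 25, 6)):
            for i in range(n):
                lines.append(_line(f"2023-05-{day}T14:{i:02d}:00", "TCP",
                                   ATTACKER, dst, 1500 + i, dport))
    # May 25, 10:00 to just before 13:00: 300 echo requests, one every 36 s.
    for i in range(300):
        sec = i * 36
        ts = f"2023-05-25T{10 + sec // 3600:02d}:{sec % 3600 // 60:02d}:{sec % 60:02d}"
        lines.append(_line(ts, "ICMP", ATTACKER, WEB, 84))
    # Benign traffic that a sensible threshold must not flag.
    for i in range(10):
        lines.append(_line(f"2023-05-25T08:{i * 5:02d}:00", "ICMP", MONITOR, WEB, 84))
    lines.append(_line("2023-05-25T09:30:12", "TCP", "192.0.2.10", WEB, 2048, 443))
    return lines


def parse_line(line):
    """Parse one constructed record into a dict with typed fields."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = int(value) if key in ("bytes", "dport") else value
    return rec


def ping_flood_sources(records, threshold=100):
    """Step 1 indicator: sources with more ICMP records than `threshold`."""
    counts = Counter(r["src"] for r in records if r["proto"] == "ICMP")
    return {src: n for src, n in counts.items() if n > threshold}


def contact_history(records, src):
    """Objective finding: for one source, every non-ICMP destination it
    reached, the distinct dates of contact, and the connection count."""
    hist = defaultdict(lambda: {"days": set(), "connections": 0})
    for r in records:
        if r["src"] == src and r["proto"] != "ICMP":
            hist[r["dst"]]["days"].add(r["ts"].date().isoformat())
            hist[r["dst"]]["connections"] += 1
    return {dst: {"days": sorted(v["days"]), "connections": v["connections"]}
            for dst, v in hist.items()}


def most_contacted_host(records, src):
    """The destination that `src` connected to most often, or None."""
    hist = contact_history(records, src)
    return max(hist, key=lambda dst: hist[dst]["connections"]) if hist else None


def heavy_transfer_sources(records, threshold_bytes):
    """Step 6 indicator: sources whose summed bytes exceed `threshold_bytes`."""
    totals = Counter()
    for r in records:
        totals[r["src"]] += r["bytes"]
    return {src: b for src, b in totals.items() if b > threshold_bytes}


if __name__ == "__main__":
    recs = [parse_line(line) for line in build_sample_log()]
    floods = ping_flood_sources(recs)
    print("ping-flood sources:", floods)
    for src in floods:
        print(f"{src} contact history:", contact_history(recs, src))
        print(f"{src} most contacted host:", most_contacted_host(recs, src))
    print("heavy transfer sources:", heavy_transfer_sources(recs, 50_000))
```

On the constructed log, the script flags 203.0.113.45 as the only ping-flood source, shows that it reached the web, VPN and mail hosts on exactly May 10, 18 and 23 with the mail server contacted three times as often as the others, and reports it as the only source above the byte threshold, while the internal monitor's occasional pings stay below both thresholds. In a real deployment the parser would be replaced with one for the appliance's actual export format and the thresholds tuned against a baseline of normal traffic.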