5-2 Discussion Mindset Incident Response Procedures, Forensics, and Forensic Analysis

School: Southern New Hampshire University

Course: 620
Subject: Information Systems
Date: Apr 3, 2024
Type: pdf
Pages: 2

discuss what next steps you should take as a defender.

As a defender, discovering a successful remote login from North Korea after a security audit is alarming and represents a critical security incident that must be addressed immediately. The first step is to verify the authenticity of the login: confirm that the log entries reflect genuine unauthorized access and are not false positives. Once the threat is confirmed as a true positive, the next step is to isolate or disable the login credentials used to access the system (Microsoft, 2023). This revokes access from the IP address in North Korea; the purpose is to stop the attack from escalating and to block the hacker's access to the network.

Once the account is disabled and access is revoked, an investigation can begin to gather evidence on how the security incident occurred and how the unauthorized user gained access to the system. The evidence gathered about the intrusion includes file logs, network traffic logs, system images, and similar artifacts, which together show the extent and duration of the intrusion. This evidence will allow me to see what files and applications on the network the intruder accessed, modified, transferred, or deleted. For example, the get-event command can be used to retrieve the log history for a remote login; this data would include the connection time, the user's IP address, and the remote username. Next, I would review the system logs and audit trails, as well as the security controls, to determine the attack vector and which vulnerabilities the hacker exploited. It is important that I identify the root cause of the attack to prevent future attacks of a similar nature. My next step would be to inform all relevant stakeholders within the organization of the security incident, such as the IT security team, management, and the legal team.
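The evidence-gathering step described above (pulling connection time, source IP and username for each remote login, then working out how long the access lasted) and the geo-restriction measure the post goes on to recommend can both be shown on a small set of logon records. The script below is an added example, not code from the discussion post or its references. It assumes the Security-log events have already been exported to CSV (for instance with Get-WinEvent and Export-Csv); the records, the IP-to-country table and the allowed-country list are all constructed for illustration, and the documentation-range addresses mapped to "KP" are placeholders, not real indicators. A real investigation would replace the GEOIP table with a GeoIP database lookup.

```python
import csv
import io
from datetime import datetime

# Constructed sample export of Windows Security-log logon events (not real data).
# Columns mirror the fields a defender would pull with Get-WinEvent and Export-Csv:
# event 4624 = successful logon, event 4625 = failed logon,
# LogonType 10 = RemoteInteractive (RDP), LogonType 2 = local console.
SAMPLE_CSV = """TimeCreated,EventID,LogonType,TargetUserName,IpAddress
2024-03-25T02:14:07,4624,10,svc_backup,203.0.113.9
2024-03-25T09:02:41,4624,10,jdoe,192.0.2.15
2024-03-26T03:48:19,4624,10,svc_backup,203.0.113.9
2024-03-26T17:30:00,4624,2,jdoe,-
2024-03-26T18:01:12,4625,10,svc_backup,203.0.113.9
"""

# Constructed stand-in for a GeoIP database (assumption: use a real lookup in practice).
# 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges, mapped here purely for illustration.
GEOIP = {"203.0.113.9": "KP", "192.0.2.15": "US"}

# Countries where the organization operates or has authorized users (assumption).
ALLOWED_COUNTRIES = {"US"}


def parse_remote_logons(csv_text):
    """Extract (time, username, source IP) for successful RDP logons only."""
    logons = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"] == "4624" and row["LogonType"] == "10":
            logons.append((datetime.fromisoformat(row["TimeCreated"]),
                           row["TargetUserName"], row["IpAddress"]))
    return logons


def logon_windows(logons):
    """Per (user, ip): first seen, last seen, count and span, i.e. the length of the access."""
    windows = {}
    for when, user, ip in logons:
        w = windows.setdefault((user, ip), {"first": when, "last": when, "count": 0})
        w["first"] = min(w["first"], when)
        w["last"] = max(w["last"], when)
        w["count"] += 1
    for w in windows.values():
        w["span"] = w["last"] - w["first"]
    return windows


def flag_by_geo(logons, geoip=GEOIP, allowed=ALLOWED_COUNTRIES):
    """Return logons whose source country is outside the allow-list.

    An IP missing from the lookup is treated as unknown and flagged too, so a
    gap in the GeoIP data never silently passes a logon as allowed."""
    flagged = []
    for when, user, ip in logons:
        country = geoip.get(ip, "UNKNOWN")
        if country not in allowed:
            flagged.append({"time": when, "user": user, "ip": ip, "country": country})
    return flagged


def triage(csv_text):
    """Run the evidence steps in order and return a summary a defender could act on."""
    logons = parse_remote_logons(csv_text)
    flagged = flag_by_geo(logons)
    # Accounts seen logging in from a disallowed country are candidates for disabling.
    accounts_to_disable = sorted({f["user"] for f in flagged})
    return {
        "remote_logons": len(logons),
        "flagged": flagged,
        "windows": logon_windows(logons),
        "accounts_to_disable": accounts_to_disable,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_CSV)
    for f in result["flagged"]:
        print(f"FLAGGED {f['time']:%Y-%m-%d %H:%M:%S} user={f['user']} "
              f"ip={f['ip']} country={f['country']}")
    for (user, ip), w in result["windows"].items():
        print(f"{user}@{ip}: {w['count']} logon(s), first {w['first']}, "
              f"last {w['last']}, span {w['span']}")
    print("accounts to disable:", result["accounts_to_disable"])
```

On the constructed sample the script flags both svc_backup logons from the "KP"-mapped address, reports that the access spanned roughly a day between first and last logon, and lists svc_backup as the account to disable; the console logon and the failed attempt are excluded because only successful RDP logons (4624, type 10) count as remote access.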
These stakeholders will play a crucial role in resolving the incident, updating the incident response plan, and fixing vulnerabilities to match the current cybersecurity climate (Windows OS Hub, 2024). I will coordinate response efforts and minimize the incident's impact through secure, clear, and timely communication. Next, I would collaborate with the relevant stakeholders to implement security measures that protect the organization and improve its security posture. These measures could include patching vulnerabilities, updating access controls, improving monitoring and detection, implementing multifactor authentication, providing employees with security awareness training, and implementing geo-restriction. By using geo-blocking, the organization can improve its security by blocking access from regions where it does not operate or have authorized users. This helps to reduce the risk of another successful unauthorized remote login to the network from outside the country, especially from countries with high levels of cyber threat or from adversaries. Once the incident is fully resolved, with the help of the incident response team, I would conduct an impact assessment to evaluate the effectiveness of the response process and identify areas for improvement (Pryimenko, 2023). The results of the impact assessment will be used to update incident response plans and procedures based on the lessons learned.

References:
Microsoft. (2023, April 23). ATA suspicious activity guide. Microsoft Learn. Retrieved March 28, 2024, from https://learn.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide

Pryimenko, L. (2023, June 28). Unauthorized access: Top 8 practices for detecting and responding. Ekran System. Retrieved March 26, 2024, from https://www.ekransystem.com/en/blog/detecting-and-responding-to-unauthorized-access

Windows OS Hub. (2024, March 15). Tracking and analyzing remote desktop connection logs in Windows. Windows OS Hub. Retrieved March 26, 2024, from https://woshub.com/rdp-connection-logs-forensics-windows/