Incident Response Practice Questions

Unit 4 - Incident Response Model & Host Forensics

Last Update Unknown

Incident Response Model Practice Questions

Case 1

The case: Your organisation receives a call from a federal law enforcement agency, informing you that they have information indicating a data breach occurred involving your environment.

Evidence: The agency provides a number of specific details, including

  • the date and time when sensitive data was transferred out of your network,
  • the IP address of the destination, and
  • the nature of the content.

Challenge:

  • Does this information match the characteristics of a good lead?
  • Explain why or why not. What else might you ask for?
  • How can you turn this information into an actionable lead?

The correct answer is:
It is a good start. Good leads are relevant, detailed, and actionable.

  1. If the notice actually included the time of the incident, the destination address, and the type of content, it may provide enough information to begin examining your environment for additional information.
  2. Most external notifications will not have sufficient information to identify the originating computer. Often lacking in specificity, external leads may be less actionable than other, internally generated leads.
  3. To begin generating actionable leads, you will need to match the provided information against logging and monitoring that may be in place.
    1. Were any outgoing communications established with the destination IP address?
    2. What other traffic crossed the network boundary around the time of the event?

Case 2

The case: Inspired by Mr. X's successful exploits at the Arctic Nuclear Fusion Research Facility, L0ne Sh4rk decides to try the same strategy against a target of his own: Bob's Dry Cleaners! The local franchise destroyed one of his favorite suits last year and he has decided it is payback time. Plus, they have a lot of credit card numbers.

Meanwhile... Unfortunately for L0ne Sh4rk, Bob's Dry Cleaners is on the alert, having been attacked by unhappy customers before. Security staff notice a sudden burst of failed login attempts to their SSH server in the DMZ (10.30.30.20), beginning at 18:56:50 on April 27, 2011. They decide to investigate.

Challenge: You are the forensic investigator. Your mission is to:

  • Evaluate whether the failed login attempts were indicative of a deliberate attack. If so, identify the source and the target(s).
  • Determine whether any systems were compromised. If so, describe the extent of the compromise.

Bob's Dry Cleaners keeps credit card numbers and personal contact information for their Platinum Dry Cleaning customers (many of whom are executives). They need to make sure that this credit card data remains secure. If you find evidence of a compromise, provide an analysis of the risk that confidential information was stolen. Be sure to carefully justify your conclusions.

Network: Bob's Dry Cleaners network consists of three segments:

  • Internal network: 192.168.30.0/24
  • DMZ: 10.30.30.0/24
  • The “Internet”: 172.30.1.0/24 [Note that for the purposes of this case study, we are treating the 172.30.1.0/24 subnet as “the Internet.” In real life, this is a reserved non-routable IP address space.]

Evidence: Security staff at Bob's Dry Cleaners collect operating system logs from servers and workstations, as well as firewall logs. These are automatically sent over the network from each system to a central log collection server running rsyslogd (192.168.30.30). Security staff have provided you with log files from the time period in question. These log files include:

  • auth.log—System authentication and privileged command logs from Linux servers
  • workstations.log—Logs from Windows workstations
  • firewall.log—Cisco ASA firewall logs

Security staff also provide you with a list of important systems on the internal network:

  Hostname      Description                     IP address(es)
  ant-fw        Cisco ASA firewall              192.168.30.10, 10.30.30.10, 172.30.1.253
  baboon-srv    Server running SSH, NTP, DNS    10.30.30.20
  cheetah-srv   Server running rsyslogd         192.168.30.30
  dog-ws        Workstation                     192.168.30.101
  elephant-ws   Workstation                     192.168.30.102
  fox-ws        Workstation                     192.168.30.100
  yak-srv       Server                          192.168.30.90

The correct answer is:
Davidoff, S., & Ham, J. (2012). Network forensics: tracking hackers through cyberspace (1st edition). Prentice Hall. (https://napier.primo.exlibrisgroup.com/permalink/44NAP_INST/n96pef/alma9923574230102111)

8.5 Case Study: L0ne Sh4rk's Revenge

Analysis: First Steps

  1. Let's begin by examining the logs relating to the failed login attempts.
  2. Since this is a Linux server, let's browse for corresponding logs in the auth.log evidence file.
  3. From these records, search for evidence of malicious attempts to log in to the SSH server on baboon-srv. (A SIEM such as Splunk can be used to search and visualise the failed login attempts.)
  4. If the malicious attempts show a regular pattern, that is a strong indication of a brute-force password-guessing attack; confirm which accounts were targeted, then confirm whether the attack succeeded.
  5. Activity following compromise: take a closer look at the event logs for the time frame after the first successful login to the compromised account.
  6. Now let's take a look at our firewall logs and see if we can find evidence of any other activity relating to baboon-srv (10.30.30.20) during the time frame of interest.
  7. If attacking activity is identified, search the firewall logs for the internal victim (192.168.30.101).
  8. Take a look at the workstation logs associated with The Internal Victim.
  9. Confirm whether the internal victim was compromised, how, and which user account was compromised.
  10. Take a look at the workstation logs again to see if we can find evidence of any other activity relating to the compromised account.
  11. Let's examine the firewall logs again to see if The Internal Victim (192.168.30.101) made any other connections of interest.
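Steps 2 to 4 above (find the failed SSH logins in auth.log, decide whether they form a brute-force pattern, list the targeted accounts, and check whether a success followed) can be automated over the rsyslog-forwarded records. The Python below is an added example written for this page, not code from the case study or from the book it is taken from. The log lines are constructed to imitate the case's auth.log format (hostname baboon-srv and the 2011 date come from the case; the source address 172.30.1.77, the usernames, PIDs and ports are made up), and the detection threshold of five failures inside sixty seconds is an assumed tuning value, not one the case states.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the style of the case's auth.log. Only the hostname and
# the date come from the case; source address, users, PIDs and ports are invented.
SAMPLE_AUTH_LOG = """\
Apr 27 18:56:50 baboon-srv sshd[2201]: Failed password for invalid user admin from 172.30.1.77 port 40001 ssh2
Apr 27 18:56:51 baboon-srv sshd[2203]: Failed password for invalid user oracle from 172.30.1.77 port 40002 ssh2
Apr 27 18:56:52 baboon-srv sshd[2205]: Failed password for root from 172.30.1.77 port 40003 ssh2
Apr 27 18:56:53 baboon-srv sshd[2207]: Failed password for root from 172.30.1.77 port 40004 ssh2
Apr 27 18:56:54 baboon-srv sshd[2209]: Failed password for backup from 172.30.1.77 port 40005 ssh2
Apr 27 18:57:01 baboon-srv sshd[2211]: Accepted password for backup from 172.30.1.77 port 40006 ssh2
Apr 27 19:02:10 baboon-srv sshd[2300]: Failed password for alice from 192.168.30.100 port 51000 ssh2
Apr 27 19:02:20 baboon-srv sshd[2302]: Accepted password for alice from 192.168.30.100 port 51001 ssh2
"""

# Matches the OpenSSH "Failed/Accepted password" records; "invalid user" marks
# guesses against accounts that do not exist on the server.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_log(text, year=2011):
    """Parse sshd password events. Traditional syslog timestamps carry no year,
    so the year is supplied by the caller (2011 for this case)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd/sudo/cron records are not relevant here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def find_bruteforce_sources(events, threshold=5, window_seconds=60):
    """Return {source_ip: sorted targeted users} for every source that produced
    at least `threshold` failures inside any `window_seconds` window.
    Threshold and window are assumed tuning values, not from the case."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]].append(e)
    flagged = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - threshold + 1):
            span = (evs[i + threshold - 1]["ts"] - evs[i]["ts"]).total_seconds()
            if span <= window_seconds:
                flagged[src] = sorted({e["user"] for e in evs})
                break
    return flagged


def first_success_after_failures(events, src):
    """First accepted login from `src` that follows a failure from the same
    source: the point at which a guessing campaign may have succeeded and
    the moment step 5 (post-compromise activity) should start from."""
    seen_failure = False
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["src"] != src:
            continue
        if e["result"] == "Failed":
            seen_failure = True
        elif seen_failure:
            return e
    return None


def analyse(text):
    """Tie the pieces together: flagged sources, the accounts they targeted,
    and the account and time of the first success (None if the attack failed)."""
    events = parse_auth_log(text)
    report = {}
    for src, users in find_bruteforce_sources(events).items():
        hit = first_success_after_failures(events, src)
        report[src] = {
            "targeted_users": users,
            "compromised_user": hit["user"] if hit else None,
            "first_success": hit["ts"].isoformat() if hit else None,
        }
    return report


if __name__ == "__main__":
    for src, info in analyse(SAMPLE_AUTH_LOG).items():
        print(src, info)
```

The internal workstation in the sample (one failure followed by a success) is deliberately not flagged: a single mistyped password is normal, and the window-based rule is what separates it from the rapid, multi-account run coming from the "Internet" range. In a real investigation the same output gives the destination address and time window to carry into the firewall-log search in step 6.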