Fxt2 Task 2

Submitted By krodri
Words 2798
Pages 12
-Describe the nature of the event:
A sophisticated intrusion was detected in the company's financial records. It combined several stealthy tactics and left the company in a predicament it never would have imagined. A financial auditor, performing routine daily tasks, identified an error in the company's financial figures: several paychecks with modified amounts had been issued to a single individual. When the auditor attempted to notify the appropriate personnel by email, the messages were sniffed and modified, and fictitious exchanges took place between the auditor and the attacker. Through these exchanges the attacker gained further access to financial records and made more modifications, reducing the salaries of the president and others and adding those deductions to the attacker's own paycheck. IT personnel determined that an internal system had been carrying out a man-in-the-middle attack by spoofing an internal Internet Protocol address, so that all traffic destined for one host was silently redirected to another. The root cause was a lack of access controls, central reporting systems, authentication controls, and host-based intrusion prevention systems. These controls and systems would have prevented, or at a minimum detected, this type of attack and could have saved the company many hours of labor costs.
-Identify who needs to be notified based on the type and severity of the incident:
In incidents such as this, management must be notified and kept abreast of the situation at every step, as they will ultimately be held responsible if fault is found on their end. The Computer Emergency Response Team or the Emergency Management Team should be notified; they are experienced with similar situations and know the processes and procedures required to identify the cause, carry out remediation, and build a lessons-learned report. A company should have a Forensics Investigator (FI) on hand or a way to reach one. An FI can review the systems involved in the attack, whether sources or destinations, take a bit-by-bit image of each, label the items, ensure the chain of custody is documented correctly, and record the MD5 or SHA hashes needed to prove the evidence has not been tampered with. This is pivotal if the suspect is taken to court: if evidence is not handled correctly it may be ruled inadmissible and the suspect could go free.
The Damage Assessment Team should be notified to assess the usability of the equipment and network, since the suspect could have planted logic bombs or done more damage than was originally identified. The Recovery Coordination Team ensures that internal notifications are completed and that activities and communications are taking place between the appropriate parties. The Corporate Communications Team is needed to ensure the right message reaches the company's key stakeholders. The Site Restoration Team may be needed because equipment will be confiscated for the duration of the investigation: the FI will likely seize hardware in order to perform forensic analysis on the systems involved, so additional equipment may be required. The System Restoration Team ensures that operating systems, software applications and databases are restored, monitors those operations at an alternate site if one is required, and oversees the acquisition, installation and testing of replacements. The Technical Support Team assists in restoring data communications, operating systems, applications and configurations. The Human Resources Support Team, which includes legal counsel, must be involved in case the company seeks to take the suspect to court. Lastly, external law enforcement agencies may be required to assist with the investigation and prosecution.
-Outline how the incident could be contained:
The most effective way to contain an incident is to have planned for it in the first place. This sometimes means thinking outside the box and planning for what seems unimaginable. A well-documented Emergency Response Plan (ERP) limits the time an attacker has and the damage inflicted on the affected systems, and an ERP will already have established the policies and procedures for containing the incident. A Crisis Management (CM) Team puts its efforts into reacting to critical situations, which in this case means responding to the event and dealing with the systems it affected. Traditional CM covers response, tangible and intangible situations, and recovery from an event; CM members now place more emphasis on other aspects, including recovery management. CM involves two activities: first, facing the situation, and second, dealing with the impacts of the crisis so that damage is lessened. An effective Incident Management Plan also seeks to manage the containment activities of a crisis. The technical steps for containing the current crisis would include the following. Upon first identification of the event, a trouble ticket should have been created in the central management system; this would have ensured tracking and documentation and could have prevented the email interception that followed. Once a crime was identified, a host-based firewall rule should have been created to isolate the suspect's computer from communicating with any other system, the suspect's accounts should have been locked, and PKI digital signatures should have been deployed so that the continued theft and modification of emails was stopped. Isolation rules could also have been implemented on the switch the attacker was connected through. Together these efforts would have contained the suspect and prevented further compromise and damage.
-Discuss how the factor that caused the incident could be removed:
Initially, a host-based security system with a host-based firewall would have blocked workstation-to-workstation communication, which would have prevented the adversary from compromising the internal workstation used for snooping. Additionally, encrypting traffic between hosts, for example with FIPS 140-2 compliant encryption, would have prevented the suspect from intercepting the clear-text information they used to identify and then modify traffic. Secondly, strong authentication on the human resources server would have prevented the adversary from gaining access to it. Additionally, proper access controls and role-based access would have limited the damage: at best, the suspect would have been able to commit only limited damage. Implementing VLAN-centric firewalls or an Intrusion Prevention System would have prevented the spoofing attack. Firewalls can stop systems outside their networks from impersonating internal addresses, and Intrusion Prevention Systems can also detect spoofing attacks, so long as someone is monitoring those events, in which case the suspect would have been caught. PKI encryption and digital signatures on email would have prevented the suspect from monitoring and modifying inbound and outbound messages.
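The detection side of the spoofing discussion above, as an added example that is not part of the original essay: a small Python script that reads ARP replies observed on the server VLAN and raises an alert when an IP address is claimed by a MAC other than the one pinned for it, or when a second MAC starts claiming an address that was previously answered by only one. The log format, the addresses and the KNOWN_HOSTS pinning table are all constructed for the example.

```python
"""Flag ARP-based IP spoofing from a log of observed ARP replies.

Added example; constructed data, not the essay's or any vendor's code.
Each log line is "HH:MM:SS sender_mac sender_ip" as a monitoring sensor
on the VLAN might record it.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the HR server (10.10.5.10) is normally answered by
# MAC ...:01; a second host (...:77) later starts claiming its address.
SAMPLE_ARP_REPLIES = """\
09:00:01 00:11:22:33:44:01 10.10.5.10
09:00:02 00:11:22:33:44:02 10.10.5.11
09:00:05 00:11:22:33:44:01 10.10.5.10
09:01:10 00:11:22:33:44:77 10.10.5.10
09:01:11 00:11:22:33:44:77 10.10.5.10
09:02:00 00:11:22:33:44:02 10.10.5.11
09:03:00 00:11:22:33:44:99 10.10.5.11
"""

# Hypothetical authoritative IP-to-MAC pins for critical hosts.  In practice
# this comes from the asset inventory or DHCP reservations.
KNOWN_HOSTS = {"10.10.5.10": "00:11:22:33:44:01"}


@dataclass(frozen=True)
class Alert:
    time: str
    ip: str
    mac: str
    reason: str


def parse_arp_log(text):
    """Yield (timestamp, mac, ip) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, mac, ip = parts
        yield ts, mac.lower(), ip


def detect_spoofing(text, known_hosts=KNOWN_HOSTS):
    """Return one Alert per (ip, mac) pair that contradicts the pins or
    the mapping learned earlier in the same log."""
    seen = defaultdict(set)   # ip -> MACs that have claimed it so far
    alerted = set()           # (ip, mac) pairs already reported
    alerts = []
    for ts, mac, ip in parse_arp_log(text):
        expected = known_hosts.get(ip)
        reason = None
        if expected is not None and mac != expected:
            reason = f"claims pinned host {ip} but expected MAC is {expected}"
        elif seen[ip] and mac not in seen[ip]:
            reason = f"{ip} now claimed by a second MAC; earlier seen from {sorted(seen[ip])}"
        seen[ip].add(mac)
        if reason and (ip, mac) not in alerted:
            alerted.add((ip, mac))
            alerts.append(Alert(ts, ip, mac, reason))
    return alerts


if __name__ == "__main__":
    for a in detect_spoofing(SAMPLE_ARP_REPLIES):
        print(f"{a.time} ALERT {a.ip} <- {a.mac}: {a.reason}")
```

Pinning the server's address is what turns this from a heuristic into a hard rule: the learned-mapping check alone would also fire on a legitimate NIC replacement, so an analyst should treat the "second MAC" alerts as leads to confirm against the inventory, and the pinned-host alerts as immediate isolation candidates.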
-Describe how the system could be restored to normal business practice:
A good restoration plan requires funding and management support. The recovery plan is essentially an insurance policy for the business, and it requires dedication and maintenance to ensure it is ready when the time comes. The company could also have set up a project team to exercise incidents similar to the one they were forced to deal with, so that the processes and procedures required to restore normal operations would already have been established. Restoration is a critical part of every recovery strategy; however, many aspects of the restoration program can only be identified once the overall impact of the event has been determined. There are, however, preparations that could have been made in advance which would greatly reduce the time and impact of the event. To assist with this, the right personnel would need to be available to assess the damage. With a good recovery assessment, decisions could be made on whether personnel should be relocated or work at an alternate duty location. If the confiscated equipment is expensive and cannot be replaced quickly, salvage should be considered. Essentially, this is a plug-the-hole-in-the-boat mentality: taking what is available and making it work until the right equipment can be purchased, delivered, tested and implemented. Additionally, the company could have contracted, for a small retainer fee, with a restoration company that specializes in restoring operations after disasters. The company could have restored the data that was on the server had they had an effective backup plan that included replicated backups to an alternate site. This would have enabled the company, once they had salvaged parts together or purchased new equipment, to pull the data from the restoration site and load it onto the new systems.
During restoration, multiple teams have key roles to play. The Crisis Management Team may be asked to take part in the restoration process, which may include external personnel. The Damage Assessment Team, during its preliminary assessment, would have provided a best estimate of how long recovery would take. The Recovery Coordination Team would also have been called in to coordinate all communications between users and technical personnel, and would have been responsible for coordinating all recovery activities. Lastly, the Site Restoration Team would have been part of the recovery process, as it would have determined whether any of the systems were salvageable. Finally, a lessons-learned procedure should have been in place so that, immediately after the event, the puzzle pieces could be put back together. This procedure retraces exactly what happened, which systems were affected, what the damage was, and how to prevent a similar incident in the future.
-Explain how the system could be verified as operational:
Declaring the network operational again requires operational testing to ensure that all aspects of the system work as they normally do. Furthermore, the additional security measures must already have been put in place so that similar events do not recur. Anti-virus scans must be run to determine whether the suspect planted any additional malicious software on the company network, and all data associated with the financial records must be reviewed to ensure nothing else was modified. Once the data has been verified as good and the systems have been confirmed free of malware and of unsuspected infiltration points, a vulnerability assessment should be conducted to ensure that no gaping holes remain in the systems. Additionally, an external agency could be contracted to perform a penetration test on the network to identify vulnerabilities the vulnerability scanner could not pick up. Once the assessments and penetration tests have been completed, along with the data integrity processes and procedures, operations on the network should be tested. If all goes well, the system and network can be declared operational once again.
-Identify areas that were not addressed by the IT staff's response to the incident:
Multiple areas were not addressed in the IT staff's response to the incident. The IT staff's incident response essentially consisted of quick fixes and did not look at the underlying faults that should have been part of the response. Additional security controls could have been implemented to ensure similar events did not recur. These include a ticketing system through which personnel who identify abnormal activity can report it; based on the nature and specifics reported, an incident response plan could then have been initiated to quickly track down the root cause of the incident and take whatever actions were necessary to limit the damage. Additional processes and procedures could be added to the response plan to ensure that the appropriate teams and management are included in the response and recovery. Role-based access controls could have been implemented to ensure that only authorized personnel with appropriate credentials are able to access the server; this would have limited the suspect's ability to log into the server without proper credentials. Implementing an IDS in front of the server's VLAN in promiscuous mode would have enabled the company's security team to detect, in near real time, any attempted intrusions into the system as well as the spoofing. Additionally, a host-based IPS together with a host-based firewall would have been able to prevent the intrusion. A firewall in front of the VLAN would have prevented systems on other VLANs from spoofing addresses and pretending to be on the same network as the central system, and ACL rules could have blocked the system the suspect used from reaching the server. Mail security should also have been included in the response plan, covering the encryption and digital signing of emails.
Lastly, creating a baseline of all traffic into and out of the server would have enabled the security team to identify a new system accessing the server. No First Responder's Evidence Disk (FRED) was initiated, nor were forensics personnel notified.
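One way to implement the traffic baseline just described, as an added example that is not part of the original essay: learn which source hosts talk to the server, and on which ports, from a clean window of flow records, then report any later flow from a source not in the baseline or from a known source on a port it never used before. The flow-record format, the server address and all sample records are constructed for the example.

```python
"""Baseline-and-deviation check for connections to a single server.

Added example; constructed data, not the essay's or any vendor's code.
Each record is "YYYY-MM-DD HH:MM src_ip dst_ip dst_port" as a flow
collector or firewall log might emit it.
"""
from collections import defaultdict

# Hypothetical address of the HR/payroll server being baselined.
HR_SERVER = "10.10.5.10"

# Constructed clean window: two payroll workstations over HTTPS, one admin host over SSH.
BASELINE_WINDOW = """\
2023-01-02 08:05 10.10.7.21 10.10.5.10 443
2023-01-02 08:07 10.10.7.22 10.10.5.10 443
2023-01-03 09:15 10.10.7.21 10.10.5.10 443
2023-01-03 17:40 10.10.9.5 10.10.5.10 22
2023-01-04 08:02 10.10.7.22 10.10.5.10 443
"""

# Constructed later window: an unknown host appears, and a known host
# starts talking to the database port.
CURRENT_WINDOW = """\
2023-01-10 08:04 10.10.7.21 10.10.5.10 443
2023-01-10 11:32 10.10.3.140 10.10.5.10 443
2023-01-10 11:35 10.10.3.140 10.10.5.10 1433
2023-01-10 12:01 10.10.7.22 10.10.5.10 1433
"""


def parse_flows(text, server=HR_SERVER):
    """Yield (timestamp, src_ip, dst_port) for records destined to the server."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        date, time, src, dst, port = parts
        if dst == server:
            yield f"{date} {time}", src, int(port)


def build_baseline(text):
    """Map each source IP to the set of server ports it used in the clean window."""
    baseline = defaultdict(set)
    for _, src, port in parse_flows(text):
        baseline[src].add(port)
    return dict(baseline)


def find_deviations(baseline, text):
    """Return (timestamp, kind, src_ip, dst_port) for the first sighting of
    each new source, and of each new port used by a known source."""
    findings = []
    reported = set()
    for ts, src, port in parse_flows(text):
        if src not in baseline:
            kind, key = "new-source", ("new-source", src)
        elif port not in baseline[src]:
            kind, key = "new-port", ("new-port", src, port)
        else:
            continue
        if key in reported:
            continue
        reported.add(key)
        findings.append((ts, kind, src, port))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOW)
    for ts, kind, src, port in find_deviations(base, CURRENT_WINDOW):
        print(f"{ts} {kind}: {src} -> {HR_SERVER}:{port}")
```

The baseline window has to be taken from a period known to be clean, otherwise the attacker's own traffic becomes "normal"; in the scenario the audit finding would fix the earliest date the window may end. Scaling this up means feeding it from the switch's SPAN port or the firewall's flow export rather than a text file, but the decision logic stays the same.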
-Outline the other attacks mentioned in the scenario that were not noticed by the organization. Describe the nature of the attacks not noticed by the organization:
The initial hacks were not identified by the IT staff, which ultimately led to the compromise and modification of accounts and paychecks; nor were the changes to the employee's base salary or to the president's records identified in near real time. Only once an audit was conducted was the "error" identified. Had this been an external intruder, the suspect would have been long gone and might have gotten away freely. Also, the suspect's movement throughout the system, which allowed them to identify where the data was stored, was neither detected nor prevented. Lastly, the act of social engineering, in which the suspect communicated with the auditor and tricked them into believing the suspect was authenticated and required additional access to the system, went undetected and unprevented.
-Describe how these additional attacks can be prevented in the future:
The initial hacks could have been detected and prevented had the IT staff been trained in detecting intrusions and had network-based IDS and host-based IPS been implemented. File integrity monitoring of the internal files could be initiated so that any modified or changed files are identified and reported to a central location. Audits should be conducted more often, which would ensure that an "error" does not persist for days or months without being detected; had audits been done more frequently, the suspect would have been detected much sooner. A social engineering detection and awareness program should be made available and mandated; had personnel been trained in the aspects of social engineering, the auditor might have recognized that they were a target. Finally, proper authentication before granting additional access should be required, whether face-to-face authentication or additional identifiers that could be asked for to verify the user is who they say they are.
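The file integrity monitoring proposed here and the evidence hashing the forensics investigator performs (described under who needs to be notified) rest on the same mechanism: a hash manifest taken at a known-good point and re-checked later. As an added example that is not part of the original essay, the Python below builds a SHA-256 manifest over a directory, stores it as JSON, and reports modified, added and missing files against it. The payroll directory, its file names and the tampering are all constructed inside the demo function.

```python
"""Hash-manifest file integrity check (FIM / evidence verification).

Added example; constructed data, not the essay's or any product's code.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def compare_manifests(baseline, current):
    """Classify every difference between a stored manifest and a fresh one."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed scenario: baseline a payroll directory, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "payroll"
        root.mkdir()
        (root / "salaries.csv").write_text("employee,base_salary\nE100,52000\n")
        (root / "config.ini").write_text("[db]\nhost=hr-db\n")
        manifest_path = Path(d) / "baseline.json"
        save_manifest(build_manifest(root), manifest_path)

        # Simulated tampering: a salary is raised, a file removed, a file planted.
        (root / "salaries.csv").write_text("employee,base_salary\nE100,99000\n")
        (root / "config.ini").unlink()
        (root / "rogue.dll").write_bytes(b"\x00")

        return compare_manifests(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For FIM the manifest must be stored somewhere the monitored host cannot rewrite (the central reporting location the essay calls for), since an attacker who can change the files can also change a manifest kept beside them. For evidence, the same manifest, recorded on the chain-of-custody form at imaging time, is what lets the investigator show in court that the image examined is the image taken.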
-Recommend a recovery procedure to restore the computer systems back to their original state prior to such attacks:
A well-defined strategy that establishes policy, guidance, processes and procedures would help expedite restoring the computer systems to their original state, along with having the proper teams in place to ensure all key aspects of recovery and emergency response are carried out. Planning would ease the recovery process by having simulated and exercised similar events, so that the steps of recovery could be fine-tuned and the recovery process made seamless. Clear objectives for each team are required so that no personnel step outside their bounds and into others', which could convolute data and duplicate effort. Personnel should also know their roles and responsibilities to ensure the authorized steps are accomplished accurately and on time. Vulnerability scanning and anti-virus protection must be carried out to ensure that all vulnerabilities are identified and remediated, which would help restore the systems to their original state. Finally, ensuring that data replication was occurring from the main server to an offsite server would allow the team, through logging and forensics, to identify when the compromise originally occurred. Having this information would have allowed the staff to restore data from the backups up to the point at which the compromise occurred. This would ensure that not all data was lost or held in evidence and would bring the systems back to their original state.
