Incident Handler's Journal

Created during Google's Cybersecurity Course based on fictional information

Tools/Skills: Documentation, Playbooks, Wireshark, Splunk, Chronicle, VirusTotal, Linux CLI, Incident Response, Post-Incident Analysis, Logs, tcpdump

Based on 8 fictional scenarios, I was asked to write a journal entry in the format depicted below, including a description of the event, any tools that were used, basic information as to the W's (who, what, where, when, why), and any additional notes on thoughts or questions to consider.

Entry 1: Phishing Email -> Ransomware

Date: Sept 7, 2023
Entry: 1

Description

A small healthcare company experienced a ransomware attack after a phishing email link was clicked. All files were encrypted and the clinic had to shut down.

This occurred during the containment, eradication and recovery stage.

Tool(s) used

None.

The 5 W's

Capture the 5 W's of an incident.

  • Who: An organized group of unethical hackers known to target organizations in healthcare and transportation industries

  • What: Ransomware security incident - encrypted all files

  • When: Tuesday morning at about 9:00am

  • Where: A small U.S. health clinic (primary care)

  • Why: Several employees clicked on a link from a phishing campaign

Additional notes

  1. Should the company pay the ransom?

  2. Is the data backed up?

  3. How long until systems can get up and running again?

  4. What are the consequences of this: financial, reputational, health of patients, etc.?

  5. Who's in charge of ensuring patient care at this time? Are we keeping them informed?

  6. How did the malware spread from a computer to get access to all of the business’ files?

  7. Would it have mattered if only one person opened the email? Did the number of people who clicked on it matter?

  8. What was in the phishing email that made it believable? Is there a way to better filter out these emails? Is there a training that could help employees better identify phishing emails? Are there any additional controls in place so that even if a phishing email link is clicked, it won’t do as much damage?

Entry 2: Email with Malicious File Hash

Date: September 7, 2023
Entry: 2

Description

Investigate a suspicious file hash of a document an employee received via email.

An employee received an email with a password protected file. The password was included in the email. The employee opened the file and entered the password. A malicious payload was then executed on their computer. The payload was verified as malicious through checking its hash with known malicious hashed files on VirusTotal.

57 vendors on VirusTotal flagged this file hash as malicious. It is listed as a trojan. This malware could potentially be creating a backdoor into the system. This is a high priority incident that should be escalated.

This occurred during the detection and analysis phase.

Tool(s) used

VirusTotal - to explore any concerns with a file hash.

The 5 W's

Capture the 5 W's of an incident.

  • Who: An employee opened an email from a possible threat actor

  • What: An email with a password-protected spreadsheet, with the password in the email body, was opened; the spreadsheet contained a malicious payload (SHA-256 file hash: 54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b)

  • When: 1:13PM the file was opened; 1:15PM unauthorized executable files are created on employee’s computer

  • Where: An employee’s computer at a Financial Services Company

  • Why: Motive - TBD; It happened because an employee opened the attachment from the email.

Additional notes

  1. What is the best course of action to take once the file is identified as malicious? What is the response laid out in the incident response plan/playbook?

  2. If we delete the files and the malware, will that take care of the problem completely?

  3. How can we make it easier for employees to check links/documents before opening them in the future?

  4. Could a script be written to automatically check the hash of attached files before forwarding emails on?
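Worked example for note 4 above (added here; this is not code from the course or from the journal's author): a script that parses a raw email, computes the SHA-256 of each attachment, compares it against a local blocklist, and also flags the pattern from this entry, an archive attachment with its password given in the message body. The blocklist, the sample attachment bytes and the sample message are all constructed for the demonstration; a real deployment would look the digest up in VirusTotal or a threat-intelligence feed instead of a hard-coded set.

```python
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# SHA-256 from entry 2, used here only as an entry in a local blocklist.
KNOWN_BAD_SHA256 = {
    "54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b",
}

# Constructed attachment bytes for the demonstration (not a real file).
SAMPLE_ATTACHMENT = b"PK\x03\x04 constructed placeholder archive body"

# Archive types that commonly arrive password-protected to defeat gateway scanning.
ARCHIVE_EXTENSIONS = (".zip", ".7z", ".rar")
PASSWORD_HINT = re.compile(r"\bpassword\b", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the form used for a VirusTotal hash lookup."""
    return hashlib.sha256(data).hexdigest()


def build_sample_eml() -> bytes:
    """Construct a sample message resembling the entry: archive attached, password in body."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "hr@example.invalid"
    msg["Subject"] = "Q3 figures"
    msg.set_content("Please review the attached spreadsheet. The password is: Summer2023")
    msg.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                       subtype="zip", filename="figures.zip")
    return msg.as_bytes()


def scan_message(raw_eml: bytes, blocklist: set) -> dict:
    """Hash every attachment, check each digest against the blocklist, and flag
    the password-in-body plus archive-attachment pattern. Returns a verdict dict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    attachments = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        name = part.get_filename() or ""
        digest = sha256_hex(payload)
        attachments.append({
            "filename": name,
            "sha256": digest,
            "known_bad": digest in blocklist,
            "archive": name.lower().endswith(ARCHIVE_EXTENSIONS),
        })
    password_in_body = bool(PASSWORD_HINT.search(body_text))
    return {
        "attachments": attachments,
        "known_bad": any(a["known_bad"] for a in attachments),
        "password_protected_archive_pattern":
            password_in_body and any(a["archive"] for a in attachments),
    }


if __name__ == "__main__":
    verdict = scan_message(build_sample_eml(), KNOWN_BAD_SHA256)
    for a in verdict["attachments"]:
        print(a["filename"], a["sha256"], "KNOWN BAD" if a["known_bad"] else "not in blocklist")
    print("password-protected archive pattern:", verdict["password_protected_archive_pattern"])
```

The second signal matters because a password-protected archive cannot be opened by the mail gateway's scanner, so its hash is the only thing that can be checked before a user opens it; when the hash is unknown, the pattern itself is the reason to hold the message for review.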

Entry 3: Email with Malicious File Hash - Next Steps

Date: September 7, 2023
Entry: 3

Description

After identifying a suspicious file hash from a phishing email as malicious, a phishing playbook is followed for next steps. Ultimately, since the link was malicious and opened, the alert was escalated. See here for details.

This occurred during the detection and analysis phase.

Tool(s) used

Phishing Playbook

VirusTotal - to explore any concerns with a file hash.

The 5 W's

Capture the 5 W's of an incident.

  • Who: The email was sent by the email address 76tguyhh6tgftrt7tg.su and IP address 114.114.114.114 with the name “Def Communications” in the header and “Clyde West” in the signature.

  • What: This is a verified phishing attempt (see entry 2) with a malicious download attached.

  • When: Wednesday, July 20, 2022 at 9:30:14am

  • Where: An employee’s computer at a Financial Services Company. The email was received by hr@inergy.com (IP: 176.157.125.93).

  • Why: Motive - TBD; It happened because an employee opened the attachment from the email.

Additional notes

  1. Are there any steps in the phishing playbook that I think should be recommended to be updated?

Entry 4: Ransomware/PII, Summary of Longer Report

Date: August 9, 2023
Entry: 4

Description

After an incident involving PII occurred, I was asked to summarize the information based on a longer report.

The organization received a ransom-note email stating that PII had been stolen. The first email was disregarded as spam; when an employee received a second email, they sent it to the cybersecurity team, which confirmed that the claim of stolen PII was true. The data was stolen through a forced browsing attack, in which the attackers changed the URL of a purchase page to access other customers' receipts containing PII. In the end, the ransom was not paid, customers were informed with help from the PR team, and the web vulnerabilities were fixed.

This incident covers the detection and analysis, containment, eradication and recovery, and post-incident activity phases.

Tool(s) used

Web Application Access Logs

Web Server Logs

The 5 W's

Capture the 5 W's of an incident.

  • Who: An unknown ransom attacker

  • What: Customers' PII was stolen and threatened with release unless a ransom was paid. 50,000 customers affected. $100,000 financial loss.

  • When: The first ransom email was sent Dec 22; the second was sent Dec 28

  • Where: The attack happened through a website vulnerability

  • Why: The attack happened because the URL could be changed and no authorization gates were in place

Additional notes

  1. Are there any other URL-based vulnerabilities in the website?

  2. Is it easy for customers to access the company-provided identity protection?

  3. Can something be done so that employees forward potential data breach information sooner?

  4. Can/should anything else be done to improve the company’s reputation?

  5. What is the financial loss from this incident?

  6. Is it possible that anyone else took advantage of this vulnerability but didn’t announce it?
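Worked example for this entry (added here; not code from the course, the report, or the fictional company): the forced browsing bug as a receipt-lookup function with no authorization gate, the hardened version that checks the receipt belongs to the authenticated customer, and a check over web access logs that surfaces a client touching many distinct receipt IDs, which speaks to note 6 above. The receipt store, the log lines, the `/purchase/receipt?id=` URL shape and the threshold of 5 distinct IDs are all constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed receipt store: receipt id -> owning customer and the PII on the receipt.
RECEIPTS = {
    1001: {"customer_id": "c-alice", "total": "19.99", "card_last4": "4242"},
    1002: {"customer_id": "c-bob", "total": "250.00", "card_last4": "1111"},
    1003: {"customer_id": "c-alice", "total": "5.49", "card_last4": "4242"},
}


class Forbidden(Exception):
    pass


def get_receipt_vulnerable(receipt_id: int) -> dict:
    """The forced browsing bug: any id placed in the URL is served, owner unchecked."""
    return RECEIPTS[receipt_id]


def get_receipt(receipt_id: int, current_user: str) -> dict:
    """Hardened: the receipt must belong to the authenticated customer."""
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None or receipt["customer_id"] != current_user:
        # One response for "missing" and "not yours" so ids cannot be confirmed by probing.
        raise Forbidden(f"receipt {receipt_id} is not accessible to {current_user}")
    return receipt


# Constructed web access log lines (combined log format, sample data only).
ACCESS_LOG = """\
203.0.113.9 - - [22/Dec/2022:10:01:02 +0000] "GET /purchase/receipt?id=1001 HTTP/1.1" 200 812
203.0.113.9 - - [22/Dec/2022:10:01:03 +0000] "GET /purchase/receipt?id=1002 HTTP/1.1" 200 799
203.0.113.9 - - [22/Dec/2022:10:01:04 +0000] "GET /purchase/receipt?id=1003 HTTP/1.1" 200 805
203.0.113.9 - - [22/Dec/2022:10:01:05 +0000] "GET /purchase/receipt?id=1004 HTTP/1.1" 200 790
203.0.113.9 - - [22/Dec/2022:10:01:06 +0000] "GET /purchase/receipt?id=1005 HTTP/1.1" 200 811
203.0.113.9 - - [22/Dec/2022:10:01:07 +0000] "GET /purchase/receipt?id=1006 HTTP/1.1" 200 802
198.51.100.4 - - [22/Dec/2022:10:05:00 +0000] "GET /purchase/receipt?id=1003 HTTP/1.1" 200 790
198.51.100.4 - - [22/Dec/2022:10:05:30 +0000] "GET /purchase/receipt?id=1003 HTTP/1.1" 200 790
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /purchase/receipt\?id=(\d+) ')


def find_enumerators(log_text: str, threshold: int = 5) -> dict:
    """Map client IP -> sorted distinct receipt ids, for clients that requested
    more than `threshold` distinct ids. A customer normally views only their own few
    receipts; a long run of distinct ids from one address is the enumeration signature."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    print("vulnerable lookup as bob's id from any session:", get_receipt_vulnerable(1002))
    try:
        get_receipt(1002, "c-alice")
    except Forbidden as exc:
        print("hardened lookup refused:", exc)
    print("enumerating clients:", find_enumerators(ACCESS_LOG))
```

The log check only works if the receipt URL carries the id as a query parameter or path segment that the access log records; the status code is also useful, since a run of 200 responses for many ids from one address confirms the data was actually served, whereas a run of 403s after the fix shows the authorization gate is doing its job.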

Entry 5: Phishing Email, Chronicle

Date: Sept 7, 2023
Entry: 5

Description

An alert of a possible phishing email from an employee was received.

A Chronicle search of the domain name in the email's body showed signs that the email was malicious. The domain resolves to the IP 40.100.174.34, which Chronicle has labeled as high severity with high confidence.

This incident occurred in the detection and analysis phase.

Tool(s) used

Chronicle - to explore any security concerns associated with a web address.

The 5 W's

Capture the 5 W's of an incident.

  • Who: signin.office365x24.com

  • What: Employees clicked on a malicious link in a phishing email

  • When: January 31, 2023 between 2:40pm and 2:52pm

  • Where: Financial Services Company; 6 people accessed this domain (Ashton Davidson, Bruce Monroe, Coral Alvarez, Emil Palmer, Jude Reyes, and Roger Spence)

  • Why: 5 employees clicked on a link in a phishing email

Additional notes

  1. What about this phishing email was convincing enough that employees clicked on a link?

  2. What controls can be put in place to minimize the chance of this happening in the future?

  3. Is there something in the protocol about informing other employees of a found phishing email to reduce the likelihood of someone else clicking on it?

  4. Can we easily remove any other emails like this from someone's inbox if they've already been received? Is it legal to do this? If it's possible and legal, but not easy, can we write a script to make it easier in the future?

Entry 6: Packet Capture Analysis, Wireshark

Date: Sept 7, 2023
Entry: 6

Description

Analyzing a packet capture file.

I was asked to analyze a packet capture file, including traffic to/from a specific IP address, a specific Ethernet MAC address, DNS traffic on UDP port 53, and traffic on TCP port 80. In the end, nothing was wrong with the traffic, and it was identified as not a concern.

This incident occurred during the detection and analysis phase.

Tool(s) used

Wireshark - to analyze network traffic

The 5 W's

Capture the 5 W's of an incident.

  • Who: N/A

  • What: N/A

  • When: N/A

  • Where: N/A

  • Why: N/A

Additional notes

Entry 7: Packet Capture Analysis, Linux CLI, tcpdump

Date: Sept 7, 2023
Entry: 7

Description

Capture a packet.

I identified network interfaces available to capture traffic with ifconfig, used tcpdump to filter live network traffic, captured network traffic with tcpdump, and filtered the captured network traffic.

This incident occurred in the detection and analysis phase.

Tool(s) used

Linux CLI; tcpdump - to capture and analyze network traffic

The 5 W's

Capture the 5 W's of an incident.

  • Who: N/A

  • What: N/A

  • When: N/A

  • Where: N/A

  • Why: N/A

Additional notes

Entry 8: SSH logins, Splunk

Date: Sept 8, 2023
Entry: 8

Description

A Splunk query over more than 100,000 events. I needed to identify whether there were any possible security issues with the mail server by specifically looking at failed SSH logins (over 300) for the root account at a fictional e-commerce store, Buttercup Games.

There are no signs of a present security issue, but the data suggests the mail server could be vulnerable to a brute-force attack: a few IP addresses each had more than 5 failed logins. This suggests there is no security control in place limiting the number of failed logins allowed. If that is the case, the configuration should be updated to reduce the possibility of a brute-force attack in the future.

This incident occurred in the detection and analysis phase.

Tool(s) used

Splunk to query data.

The 5 W's

Capture the 5 W's of an incident.

  • Who: N/A

  • What: Possible security issues with the mail server

  • When: Feb 27 - March 6, 2023

  • Where: E-Commerce Store Buttercup Games

  • Why:

Additional notes

  1. What controls are in place to prevent a brute force password attack?
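Worked example for this entry (added here; not code from the course or from Splunk's tutorial data): the same question the Splunk query answered, a count of failed root SSH logins per source IP with a threshold of 5, applied to constructed sshd log lines in syslog format. The host name, the IP addresses and the log lines are all sample data made up for the demonstration; the threshold is the one this entry uses.

```python
import re
from collections import Counter

# Constructed sshd log lines (syslog style, sample data only; not the course dataset).
SAMPLE_SSH_LOG = """\
Feb 27 10:12:01 mailsv1 sshd[2021]: Failed password for root from 203.0.113.7 port 51234 ssh2
Feb 27 10:12:03 mailsv1 sshd[2021]: Failed password for root from 203.0.113.7 port 51236 ssh2
Feb 27 10:12:05 mailsv1 sshd[2021]: Failed password for root from 203.0.113.7 port 51238 ssh2
Feb 27 10:12:07 mailsv1 sshd[2021]: Failed password for root from 203.0.113.7 port 51240 ssh2
Feb 27 10:12:09 mailsv1 sshd[2021]: Failed password for root from 203.0.113.7 port 51242 ssh2
Feb 27 10:12:11 mailsv1 sshd[2021]: Failed password for root from 203.0.113.7 port 51244 ssh2
Feb 27 10:12:13 mailsv1 sshd[2021]: Failed password for root from 203.0.113.7 port 51246 ssh2
Feb 27 10:14:00 mailsv1 sshd[2030]: Failed password for root from 198.51.100.2 port 40000 ssh2
Feb 27 10:14:01 mailsv1 sshd[2030]: Failed password for root from 198.51.100.2 port 40001 ssh2
Feb 27 10:15:00 mailsv1 sshd[2040]: Accepted password for alice from 192.0.2.10 port 50000 ssh2
Feb 27 10:16:00 mailsv1 sshd[2041]: Failed password for invalid user admin from 198.51.100.2 port 40002 ssh2
"""

# Matches failed-password events; "invalid user" is optional so guesses at
# non-existent accounts are captured with the username they tried.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_ip(log_text: str, user: str = "root") -> Counter:
    """Count failed SSH logins per source IP for one account (the 'stats count by
    source IP' step of the Splunk search, done in Python)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m and m.group(1) == user:
            counts[m.group(2)] += 1
    return counts


def brute_force_candidates(log_text: str, threshold: int = 5, user: str = "root") -> dict:
    """Source IPs with more than `threshold` failed logins for `user`. With a lockout
    or rate limit in place, no address should be able to exceed the threshold."""
    return {ip: n for ip, n in failed_logins_by_ip(log_text, user).items() if n > threshold}


if __name__ == "__main__":
    for ip, n in failed_logins_by_ip(SAMPLE_SSH_LOG).most_common():
        print(f"{ip:16} {n} failed root logins")
    print("brute-force candidates:", brute_force_candidates(SAMPLE_SSH_LOG))
```

In the sample, 203.0.113.7 exceeds the threshold while 198.51.100.2 does not; the "invalid user admin" line is a failed login but not for root, so it is counted only when the function is asked about "admin". That distinction is the same one the Splunk search had to make when it narrowed 100,000 events to the 300-odd failed root logins.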
