Description
Statement
The company Invent SL, which has offices in Australia, Italy and Spain, has suffered a security incident in each one of them.
Headquarters in Australia
On the one hand, at the headquarters in Australia, the leakage of sensitive information from several of its employees (email addresses and passwords) has been detected. The affected set indicates that they received a suspicious email campaign with HTML attachments similar to the Office 365 portal during the last days. This company does not have two-factor authentication (2FA), so an attacker could access corporate mail and other types of public applications on the Internet hosted by Microsoft. Since there are more than 10,000 employees in the company, it is not possible to reset and block all accounts for reasons of business continuity, so it is necessary to locate only those affected.
Headquarters in Italy
On the other hand, in Italy there has been an unauthorized access to one of its accounting servers. This access has been detected through a periodic review by the IT team. In this case, the team plans to hire an external provider to take charge of this incident.
Headquarters in Spain
Finally, at the headquarters in Spain, an attack was detected on one of the servers of its textile factory. All files on the server have been encrypted with the extension ".NM4". These computers were patched against MS17-010.
Since we are part of the incident response team of the company, our mission is to discover what has happened in each of the situations that arise.
For this, the IT team has provided us with the following evidence:
- Australia: navigation proxy traffic logs in the date range in which the incident occurred.
- Italy: not applicable; it will be handled by an external provider.
- Spain: status of open ports in the system and part of the ransom message.
It is requested
Before analyzing the evidence:
- What type of threat has impacted the Australian headquarters? (0.5p)
- What type of threat has impacted the headquarters of Madrid? (0.25p)
- What risk exists for an entity when a leak of information occurs as described in the incident in Australia? (0.75p)
About the incident in Italy:
- Should the computer be disconnected from the network for analysis? (0.2p)
- What hardware part of the server should be cloned / dumped before turning off the computer? (0.1p)
- By what known command would the cloning of the hard disk be performed? Write an example of execution. (0.2p)
- What should be calculated after cloning the disk to verify its integrity? (0.1p)
- Briefly describe the chain of custody that must be followed for the transfer of evidence to the external provider (max 15 lines). (0.4p)
Analyze the evidence provided for the Australian headquarters:
- Generate a script to parse the traffic capture provided, so that it shows the final result on the command line. (2p)
- What user email addresses have been affected? A manual analysis can be carried out if the previous section has not been achieved. (1.5p)
Analyze the evidence provided for the Madrid headquarters:
- How does this type of threat work? (max 5 lines) (1p)
- Could the data be recovered today? (0.25p)
- What has been the input vector used by this threat? (Use the evidence spain.jpg) (0.75p)
- Implement countermeasures for the Australian headquarters so that this type of incident does not happen again. (1p)
- Implement countermeasures for the Madrid headquarters in order to avoid repeating this type of incident. (1p)
- It is not necessary to overcomplicate things (it is simpler than you think).
- Not everything is in the course material; you have to look for some concepts in other sources (work done by any analyst).
- The URLs contained in the ransom message from Spain (spain_recover_files_message.png) are not relevant and therefore it is not advisable to access them, since it poses a risk to the student's computer.
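The Italy questions above (clone the disk with a known command, compute a hash to verify the copy, keep a chain-of-custody record) as one POSIX shell script. This is an added example, not part of the assignment or of the posted answer: the device path, case id and examiner name are placeholders, and the demo images a constructed 1 MiB file rather than a real disk.

```shell
#!/bin/sh
# Added example, not part of the assignment or the posted answer: image a disk
# with dd, hash source and image, and write an acquisition record for the
# chain-of-custody file. Device path, case id and examiner are placeholders;
# the demo at the bottom images a constructed 1 MiB file, not a real disk.
set -eu

# SHA-256 of a file as a bare hex digest: coreutils sha256sum on Linux,
# shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# make_sample_device FILE: constructed stand-in for /dev/sdX (1 MiB of random
# bytes) so the script can be exercised without touching real hardware.
make_sample_device() {
    head -c 1048576 /dev/urandom > "$1"
}

# acquire_image SOURCE IMAGE LOGFILE [BLOCKSIZE]
# Bit-for-bit copy with dd. conv=noerror,sync keeps reading past unreadable
# sectors and zero-fills them instead of aborting; because sync also pads a
# short final block, BLOCKSIZE must divide the device size exactly or the image
# hash will not match the device hash (512 always divides; larger is faster).
# dd's records-in/out summary is kept in the log. Prints the image hash and
# returns 1 if the source and image hashes differ.
acquire_image() {
    src=$1; img=$2; log=$3; bs=${4:-512}
    {
        echo "=== acquisition $(date -u +%Y-%m-%dT%H:%M:%SZ) ==="
        echo "case=${CASE_ID:-CASE-ID-PLACEHOLDER}"
        echo "examiner=${EXAMINER:-EXAMINER-PLACEHOLDER}"
        echo "source=$src image=$img bs=$bs"
    } >> "$log"
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>> "$log"
    h_src=$(sha256_of "$src")
    h_img=$(sha256_of "$img")
    echo "sha256_source=$h_src" >> "$log"
    echo "sha256_image=$h_img" >> "$log"
    echo "$h_img"
    [ "$h_src" = "$h_img" ]
}

# verify_image IMAGE HASH: re-hash the image at each custody handover and
# compare with the hash recorded at acquisition.
verify_image() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Demo on a constructed device: ./acquire.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_sample_device "$work/sdb.raw"
    hash=$(acquire_image "$work/sdb.raw" "$work/sdb.dd" "$work/custody.log")
    echo "image hash: $hash"
    verify_image "$work/sdb.dd" "$hash" && echo "integrity OK"
    cat "$work/custody.log"
fi
```

On a real case the source would be the block device (for example `/dev/sdb`, attached through a write blocker) and the image would go to a separate evidence drive; the hash written at acquisition is what the external provider re-computes with `verify_image` when the evidence is handed over, and every handover (date, who released, who received, hash checked) is appended to the same log.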
Explanation & Answer
Attached.
Running head: FORENSIC ANALYSIS
Forensic Analysis
Forensic Analysis of Security Incident
Introduction
The number of devices connected to the internet has steadily increased over recent years, hence the number of security breaches has increased too. The issue of security breaches has become a hot and disturbing topic. It is essential for companies to know how they should respond to and deal with the consequences of a cyber security breach. All firms should have a complete incident response plan which entails an incident detection and response plan altogether, since we are living in a disruptive digital era. Therefore, having an effective security plan leads to an effective response to malicious attacks. After the incident, computer forensics comes in to help in the investigation and analysis of the security breaches (Teymourlouei, 2016). The main aim of computer forensics is to conduct a structured investigation while at the same time maintaining files of evidence to help find out exactly what happened and who was responsible. For our case, Invent SL experienced a security incident in three of its offices, which are Australia, Spain, and Italy. As an incident response team, we have been provided with evidence by the company’s IT team concerning the various attacks which were conducted. Concerning the attack in Australia, we have been provided with navigation proxy logs which we will use to conduct the forensic analysis; they also provided us with evidence from the Italy attack and that of Spain. We will use various techniques and proprietary forensic applications to examine the evidence provided. Below is an overview of the various threats which impacted the various headquarters.
The type of threat which impacted the Australian headquarters
The threat which the Australian headquarters is facing is the data leakage threat, since there has been a leakage of the company’s sensitive information. The leakage of the employees’ sensitive information will lead to a significant reputational downfall of the company and its financial gains. The loss or leakage of sensitive information can even impact the company’s long-term stability. The data loss will even cost the company millions of dollars. The threat of data leakage which faced the company is due to a malicious email which the employees received. The leakage of this essential information may be due to both internal and external data breaches, either intentionally through the stealing of sensitive information by intruders, sabotage by inside attackers, or through accidental disclosure of the sensitive information, which facilitated the leakage of the employees’ email addresses which resulted in them receiving the email. It is a challenge for big companies like Invent SL to protect against data leakage in this time of big data. Data has become one of the essential components for any business; hence managing and analyzing the large amount of information owned by these companies gives the companies a business advantage in terms of competition. The advantages include business intelligence and personalized business product delivery. The increase in the need to analyze the available data also increases the chance of data leakage or breach happening within the company due to incidences of cloud file sharing, web pages, the use of removable storage devices and vulnerabilities in the company's database system (Teymourlouei, 2016).
There is a big challenge in detecting the cause of the leakage because it may have been
caused by use...
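The Australia analysis the assignment asks for, a command-line parser over the proxy logs that lists the affected users, as an added example that is neither the assignment's evidence nor the posted answer. The log format, usernames and hostnames below are constructed for the example, and the allowlist of legitimate Microsoft sign-in hosts is an assumption; a user who fetched an Office 365 lookalike page is reported as exposed, and one who then POSTed to it is reported as having submitted credentials.

```shell
#!/bin/sh
# Added example, not the assignment's evidence or the posted answer: a
# command-line triage of proxy logs that lists which users reached the
# phishing pages and which went on to submit credentials. Log format, users
# and hostnames below are constructed; the allowlist of legitimate Microsoft
# sign-in hosts is an assumption for this example.
set -eu

# Constructed sample log. Fields: date time user src_ip method url status bytes
SAMPLE_LOG='2020-03-10 09:12:01 alice 10.0.1.15 GET https://outlook.office365.com/owa/ 200 5120
2020-03-10 09:13:44 alice 10.0.1.15 GET https://login.microsoftonline.com/common/oauth2/authorize 200 2048
2020-03-10 09:15:02 bob 10.0.1.22 GET https://mail-update-example.invalid/Office365_Verify.html 200 9100
2020-03-10 09:15:30 bob 10.0.1.22 POST https://mail-update-example.invalid/office365/login.php 302 512
2020-03-10 09:20:11 carol 10.0.1.31 GET https://secure-docs-example.invalid/o365_invoice.html 200 8800
2020-03-10 09:21:03 carol 10.0.1.31 POST https://secure-docs-example.invalid/o365/auth.php 200 640
2020-03-10 09:25:19 dave 10.0.1.40 GET https://secure-docs-example.invalid/o365_invoice.html 200 8800
2020-03-10 09:30:00 erin 10.0.1.52 POST https://login.microsoftonline.com/common/login 302 1024'

# Hosts where an Office 365 credential POST is expected and therefore benign
# (assumed allowlist for this example).
ALLOWED_HOSTS="login.microsoftonline.com login.live.com outlook.office365.com"

# triage_proxy_log < log  ->  "user<TAB>level", sorted by user
#   credentials_submitted : POST to a login-looking path on a non-Microsoft host
#   lure_viewed           : only fetched such a page (exposed, no submission seen)
triage_proxy_log() {
    awk -v allow="$ALLOWED_HOSTS" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 6 {
        user = $3; method = $5; url = $6
        # host = URL without scheme, path and port
        host = url; sub(/^[a-z]+:\/\//, "", host); sub(/\/.*/, "", host); sub(/:.*/, "", host)
        path = substr(url, index(url, host) + length(host))
        if (host in ok) next                                   # real Microsoft sign-in
        if (tolower(path) !~ /(office|o365|microsoft|outlook|login|auth)/) next
        if (method == "POST") level[user] = "credentials_submitted"
        else if (!(user in level)) level[user] = "lure_viewed"
    }
    END { for (u in level) print u "\t" level[u] }' | sort
}

# compromised_users < log  ->  one user per line; these are the accounts to
# reset first, since the assignment rules out resetting all 10,000.
compromised_users() {
    triage_proxy_log | awk -F'\t' '$2 == "credentials_submitted" { print $1 }'
}

# Demo on the constructed sample: ./triage.sh demo
# On real evidence run: triage_proxy_log < proxy.log
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | triage_proxy_log
fi
```

The script keeps two tiers on purpose: `lure_viewed` users (dave in the sample) need a warning and a check of their mailbox rules, while `credentials_submitted` users (bob and carol) are the ones whose passwords must be reset and whose sessions must be revoked; alice and erin only touched the allowlisted Microsoft hosts and are not listed at all. Real proxy logs will need the field positions and the keyword pattern adjusted to the actual format and to the lure hostnames seen in the evidence.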