@mshardey
Last active September 20, 2024 17:33
Incident Handler's Journal: Documenting security incidents, analysis, and lessons learned.

Incident Handler's Journal

This journal documents my experience handling various security incidents, analysing suspicious activities, and reflecting on lessons learned. The entries below outline the incidents, tools used, and key takeaways.

Date: January 28, 2024 | Entry: #1
Description: Documenting a cybersecurity incident

This incident unfolded in two main stages:
  1. Detection and Analysis: Initially, the organisation identified the ransomware incident through certain indicators. Seeking expert guidance, they reached out to various organisations for technical support and analysis.
  2. Containment, Eradication, and Recovery: Subsequently, the organisation implemented measures to limit the incident's impact. As a precaution, they temporarily suspended their computer systems. Recognising the complexity of fully resolving the situation, they sought collaborative assistance from multiple organisations to address the incident comprehensively.
Tool(s) used: None.
The 5 W's
  • Who: An organised group of unethical hackers
  • What: A ransomware security incident
  • Where: At a health care company
  • When: Tuesday 9:00 a.m.
  • Why: The incident occurred due to unethical hackers successfully accessing the company's systems via a phishing attack. Subsequently, they initiated their ransomware on the company's systems, encrypting critical files. The attackers' motivation seems financial, as evidenced by their ransom note demanding a substantial sum in exchange for the decryption key.
Additional notes
  1. How could the health care company prevent an incident like this from occurring again?
  2. Should the company pay the ransom to retrieve the decryption key?
Date: January 29, 2024 | Entry: #2
Description: Analysing a packet capture file
Tool(s) used: During this task, I employed Wireshark, a network protocol analyser renowned for its intuitive graphical user interface. Wireshark's significance in the realm of cybersecurity lies in its capability to capture and scrutinise network traffic, empowering security analysts to detect and probe into potentially malicious activities effectively.
The 5 W's
  • Who: N/A
  • What: N/A
  • Where: N/A
  • When: N/A
  • Why: N/A
Additional notes: As someone with experience as an IT technician and web programmer, my interaction with Wireshark has been limited. However, diving into this exercise to analyse a packet capture file was a fresh and intriguing challenge for me. Initially, I found the interface to be quite daunting, but I quickly recognised its potential as a robust tool for gaining insight into network traffic dynamics.
Date: January 30, 2024 | Entry: #3
Description: Packet capture
Tool(s) used: During this task, I utilised tcpdump to capture and inspect network traffic.

Tcpdump serves as a command-line accessible network protocol analyser. Much like Wireshark, tcpdump holds significance in cybersecurity as it enables security analysts to capture, filter, and scrutinise network traffic, aiding in threat detection and analysis.

The 5 W's
  • Who: N/A
  • What: N/A
  • Where: N/A
  • When: N/A
  • Why: N/A
Additional notes: Although I'm familiar with the command-line interface from my experience as an IT technician and web programmer, capturing and filtering network traffic presented a new challenge for me. I encountered some difficulties along the way, particularly due to using incorrect commands, which led to getting stuck a couple of times. However, by diligently following the instructions and retracing my steps when necessary, I successfully navigated through this activity and effectively captured network traffic.

Date: January 31, 2024 | Entry: #4
Description: Investigate a suspicious file hash
Tool(s) used: In this task, I utilised VirusTotal, a versatile tool designed for investigating files and URLs to uncover potential malicious content like viruses, worms, and trojans. It's particularly beneficial for swiftly verifying if a given indicator, such as a website or file, has been flagged as malicious within the cybersecurity community. During this exercise, I employed VirusTotal to scrutinise a file hash, which had been flagged as malicious.

This incident unfolded during the Detection and Analysis phase, wherein I assumed the role of a security analyst at a Security Operations Center (SOC) tasked with investigating a suspicious file hash. Following the detection of the suspicious file by our security systems, I conducted thorough analysis and investigation to ascertain the legitimacy of the alert and determine whether it posed a genuine threat.

The 5 W's
  • Who: An unknown malicious actor
  • What: The incident involves an email containing a harmful file attachment, identified by its SHA-256 file hash: 54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b
  • Where: An employee's computer at a financial services company
  • When: At 1:20 p.m., an alert was sent to the organisation's SOC after the intrusion detection system detected the file
  • Why: An employee was able to download and execute a malicious file attachment via e-mail.
Additional notes: What measures can we implement to prevent such incidents from occurring again? Is it worth exploring enhancements to our security awareness training to encourage employees to exercise caution when interacting with online content?
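An added example, not part of the journal: a small Python triage script for the kind of alert described in this entry. It parses constructed IDS alert lines in a hypothetical key=value format, normalises the SHA-256 each one carries, checks it against a blocklist seeded with the hash quoted above, and recomputes the hash of the quarantined bytes so the analyst can confirm the alert refers to the file actually on disk. The alert format, host names and user names are assumptions.

```python
import hashlib
import re
from typing import Optional

# SHA-256 quoted in the journal entry, used here as the known-bad indicator.
KNOWN_MALICIOUS_SHA256 = {
    "54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b",
}

# Constructed IDS alert lines in a hypothetical key=value format (not a real product's).
SAMPLE_ALERTS = [
    "13:20 host=FIN-WKSTN-17 user=jdoe action=download "
    "sha256=54E6EA47EB04634D3E87FD7787E2136CCFBCC80ADE34F246A12CF93BAB527F6B",
    "13:25 host=FIN-WKSTN-03 user=asmith action=download sha256=" + "a" * 64,
    "13:30 host=FIN-WKSTN-09 user=bq action=download sha256=not-a-hash",
]

ALERT_RE = re.compile(
    r"^(?P<when>\d{2}:\d{2}) host=(?P<where>\S+) user=(?P<who>\S+) "
    r"action=\S+ sha256=(?P<hash>[0-9a-fA-F]{64})$"
)

def parse_alert(line: str) -> Optional[dict]:
    """Pull who/where/when and the hash out of one alert; None if malformed."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    alert = m.groupdict()
    alert["hash"] = alert["hash"].lower()  # normalise case before any lookup
    return alert

def triage(line: str, blocklist=KNOWN_MALICIOUS_SHA256) -> str:
    """Verdict for one alert line: known-malicious, unknown, or malformed."""
    alert = parse_alert(line)
    if alert is None:
        return "malformed"
    return "known-malicious" if alert["hash"] in blocklist else "unknown"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def confirm_quarantined_file(alert_hash: str, file_bytes: bytes) -> bool:
    """Recompute the hash of the quarantined bytes; it must match the alert's."""
    return sha256_hex(file_bytes) == alert_hash.lower()

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(f"{triage(line):16} {line[:45]}")
```

A "malformed" verdict is deliberately distinct from "unknown": an alert whose hash field cannot be parsed should be escalated for a manual look rather than silently treated as clean.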
Reflections / Notes
  1. Were there any specific activities that were challenging for you? Why or why not?
    Engaging in the tcpdump activity proved to be quite challenging for me. While I'm familiar with the command line from my experience as an IT technician and programmer, delving into the syntax of a tool like tcpdump presented a significant learning curve. Initially, I encountered frustration as I struggled to achieve the desired output. However, by revisiting the activity and pinpointing my errors, I was able to identify where I went wrong. This experience reinforced the importance of attentively reading instructions and methodically working through tasks step by step.
  2. Has your understanding of incident detection and response changed after taking this course?
    Upon completing this course, my comprehension of incident detection and response has significantly evolved. Initially, I possessed a rudimentary understanding of these concepts, stemming from my background as an IT technician and web developer. However, as I delved deeper into the course material, I gained a newfound appreciation for the intricacies involved in incident detection and response. Through studying the lifecycle of an incident, understanding the significance of comprehensive plans, streamlined processes, and the pivotal role of personnel, I have broadened my knowledge base. Overall, I am now equipped with a deeper understanding and enhanced expertise in incident detection and response strategies.
  3. Was there a specific tool or concept that you enjoyed the most? Why?
    Exploring network traffic analysis and utilising network protocol analyser tools was a fascinating journey for me, especially considering my background in IT. While it wasn't my first exposure to network traffic analysis, I found the experience both challenging and exhilarating. The ability to capture and analyse network traffic in real-time using specialised tools was particularly intriguing. This has sparked a desire to delve deeper into this topic, with aspirations of enhancing my proficiency in utilising network protocol analyser tools in the future.