@mshardey
Last active September 20, 2024 00:19
Incident Report Analysis: Leveraging NIST CSF for effective cybersecurity risk management.

Applied the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) to investigate a network incident. The resulting incident report provides actionable insights, aligned with NIST CSF's best practices for identifying, protecting, detecting, responding to, and recovering from cybersecurity threats.

Incident Report Analysis

Summary

The company encountered a security incident when every network service abruptly stopped working. The cybersecurity team's investigation found that the outage was caused by a distributed denial of service (DDoS) attack that flooded the network with ICMP packets. The team responded quickly, blocked the attack and shut down all non-essential network services so that critical network functions could be restored first.

Identify

An unidentified individual or group directed an ICMP flood attack at the company, disrupting the entire internal network. All essential network assets had to be protected and restored to return the network to normal operation.

Protect

The cybersecurity team added a new firewall rule to limit the rate of incoming ICMP packets. They also deployed an intrusion detection/prevention system (IDS/IPS) configured to inspect ICMP traffic and block packets with suspicious characteristics.

Detect

The team enabled source IP address verification on the firewall, which checks incoming ICMP packets for spoofed source addresses. They also deployed network monitoring software to identify abnormal traffic patterns.

Respond

For future incidents, the team plans to isolate compromised systems to contain further network disruption, with priority on restoring any critical systems and services that were affected. They will then review network logs for unusual or suspicious activity, and will report all incidents to upper management and, where required, to the relevant legal authorities.

Recover

After an ICMP flood DDoS attack, network services must be restored to their normal operating state. As a preventive measure, the firewall can be configured to block external ICMP floods in advance. During recovery, all non-critical network services are stopped to reduce internal network congestion, critical network services are brought back online first, and once the ICMP flood has subsided the non-critical systems and services can safely be reactivated.
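As an added illustration of the Protect and Detect measures above (example code written for this page, not part of the original gist), the following Python script parses constructed firewall log lines, flags any source that exceeds a per-source ICMP echo-request threshold within a one-second sliding window, reports the peak aggregate rate across all sources, and applies a source IP verification check that marks packets arriving on the external interface with an internal or non-routable source address as spoofed. The log line format, the interface name eth0, the internal range 192.0.2.0/24, the thresholds and the sample traffic are all assumptions.

```python
"""Rate-based ICMP flood detection over constructed firewall log lines.

Added example for this page; it is not code from the gist. The log line
format, interface name, internal address range and thresholds are assumed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed firewall log format, e.g.
# 2024-09-20T00:00:00 fw0 proto=ICMP type=8 src=203.0.113.5 dst=192.0.2.10 in=eth0
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) proto=(?P<proto>\S+) type=(?P<type>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) in=(?P<iface>\S+)$"
)

EXTERNAL_IFACE = "eth0"                                  # assumed internet-facing interface
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed internal range
# Source ranges that should never arrive from the internet. Listed explicitly
# because ipaddress.is_private would also flag the RFC 5737 documentation
# ranges that this sample uses as stand-ins for public addresses.
NON_ROUTABLE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_spoofed_source(src, iface):
    """Source IP verification: a packet entering on the external interface
    that claims an internal or non-routable source address is spoofed."""
    if iface != EXTERNAL_IFACE:
        return False
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_NETS + NON_ROUTABLE_NETS)


def analyse(lines, per_source_threshold=20, window_seconds=1.0):
    """Count ICMP echo requests (type 8) per source and overall within a
    sliding window; collect flooding sources, spoofed sources and peak rate."""
    records = [r for r in map(parse_line, lines)
               if r and r["proto"] == "ICMP" and r["type"] == "8"]
    records.sort(key=lambda r: r["ts"])          # logs may not arrive in order
    per_source = defaultdict(deque)
    overall = deque()
    flood_sources, spoofed_sources, peak = set(), set(), 0
    for r in records:
        ts = r["ts"]
        if is_spoofed_source(r["src"], r["iface"]):
            spoofed_sources.add(r["src"])
        bucket = per_source[r["src"]]
        bucket.append(ts)
        while (ts - bucket[0]).total_seconds() > window_seconds:
            bucket.popleft()
        if len(bucket) > per_source_threshold:
            flood_sources.add(r["src"])
        # Aggregate rate: a distributed flood can keep every source under the
        # per-source threshold while the total still saturates the link.
        overall.append(ts)
        while (ts - overall[0]).total_seconds() > window_seconds:
            overall.popleft()
        peak = max(peak, len(overall))
    return {"echo_requests": len(records), "flood_sources": flood_sources,
            "spoofed_sources": spoofed_sources, "peak_per_window": peak}


def build_sample_logs():
    """Constructed sample log lines (not real traffic)."""
    base = datetime(2024, 9, 20, 0, 0, 0)
    fmt = "{} fw0 proto=ICMP type=8 src={} dst=192.0.2.10 in=eth0"
    lines = []
    # 30 echo requests in under a second from one external host: a flood
    for i in range(30):
        lines.append(fmt.format((base + timedelta(milliseconds=30 * i)).isoformat(), "203.0.113.5"))
    # 5 echo requests spread over 8 seconds: an ordinary ping
    for i in range(5):
        lines.append(fmt.format((base + timedelta(seconds=2 * i)).isoformat(), "198.51.100.7"))
    # 3 echo requests with an RFC 1918 source arriving on the external interface: spoofed
    for i in range(3):
        lines.append(fmt.format((base + timedelta(seconds=1 + i)).isoformat(), "10.0.0.9"))
    # a non-ICMP line the detector must ignore
    lines.append(f"{base.isoformat()} fw0 proto=TCP type=- src=203.0.113.5 dst=192.0.2.10 in=eth0")
    return lines


if __name__ == "__main__":
    print(analyse(build_sample_logs()))
```

Running the script reports the single flooding source, the spoofed RFC 1918 source and a peak of 32 echo requests in one window. The aggregate counter is the part a per-source firewall rule alone does not give you: in a distributed flood each source can stay below the threshold while the total still exhausts the link, so monitoring should alert on the overall rate as well as on individual sources.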
Reflections/Notes: