A template for an incident handler's journal template. Entries were created as part of exercises for coursework on the Coursera Google Cybersecurity Professional certificate track.

• Date and Time: [Insert Date and Time]
• Incident ID: [Insert Unique Identifier]
• Description: [Brief description of the incident]

• Attach relevant files, logs, screenshots, or other evidence here.

• Provide recommendations for mitigation, prevention, or further investigation.

• List any follow-up tasks or actions required.

Included below are my answers and analysis for the course in the form of entries using the incident handler template to conduct mock analysis work.

• Date and Time: 08/01/2023, Tuesday morning, 9:00 AM.
• Incident ID: 01
• Description: An incident occurred for a small U.S. health care organization where employee workstations were infected with ransomware as part of a sophisticated cyberattack done by an organized group of unethical hackers. The incident investigation is within the Detection and Analysis and Containment, Eradication, & Recovery of the NIST Incident Response Lifecycle.
• Tools used : NA

• Additional notes: In the event of an incident similar to this one occurs, the following precautions need to be considered
  • How can the organization prevent an incident like this from happening again?
  • Should the company pay the ransom to retrieve the decryption key?
  • Are there any tactics or controls in place to help the organization deal with mitigating and recovering from Ransomware attacks? (e.g. restoring systems from previous backups)

• Date and Time: 08/04/2023 1:20 PM
• Incident ID: 02
• Description: This incident investigation stage is within the Detection and Analysis phase of the NIST Incident Response lifecycle. A suspicious file downloaded on an employee’s computer is investigated and analyzed to capture details and find indicators of compromise (IoCs) within the file which is called “bfsvc.exe". The file is retrieved and converted into a SHA256 hash for malware analysis.
• Tools used :
  • VirusTotal tool to analyze SHA256 file hash of the malicious file
  • MalwareBazaar from abuse.ch to check malware sample and crowdsourced information on hash file.

• Additional notes:

• A timeline of the events leading up to this alert:

  • 1:11 p.m.: An employee receives an email containing a file attachment.
  • 1:13 p.m.: The employee successfully downloads and opens the file.
  • 1:15 p.m.: Multiple unauthorized executable files are created on the employee's computer.
  • 1:20 p.m.: An intrusion detection system detects the executable files and sends out an alert to the SOC.

Email content:

From: Def Communications <76tguyhh6tgftrt7tg.su> <114[.]114[.]114[.]114> Sent: Wednesday, July 20, 2022 09:30:14 AM To: <hr@inergy[.]com> <176[.]157[.]125[.]93>

Subject: Re: Infrastructure Egnieer role ⚠️ WARNING typos present in subject

Dear HR at Ingergy, ⚠️ WARNING typo present in company name

I am writing for to express my interest in the engineer role posted from the website.

There is attached my resume and cover letter. For privacy, the file is password protected. Use the password paradise10789 to open. ⚠️ WARNING file is password protected and the password is given.

Thank you,

Clyde West

Attachment: filename="bfsvc.exe" ⚠️ WARNING (payload is an executable file)

The suspicious file’s filename: bfsvc.exe

The suspicious file’s SHA256 hash value: 54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b

Steps to resolution:

• Update the alert ticket status from open to investigating
• Review the phishing Playbook and flowchart in place
• Determine if the link(s) or attachment(s) in the email are malicious
• A summary of the findings are written based on the type of danger the links or attachments may be capable of.
• Escalated the status of the ticket based on danger posed by email attachment.

VirusTotal and MalwareBazaar both score this file with negative community scores which means the file is indeed malicious. The executable is reported to be a type of Trojan malware and is referenced in the links below.

Links for reference:

• Flagpro: The new malware used by BlackTech | NTTセキュリティテクニカルブログ (security.ntt)
• Flagpro, Software S0696 | MITRE ATT&CK®
• BlackTech, Palmerworm, Group G0098 | MITRE ATT&CK®

File Analysis results

• VirusTotal - File - 54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b
• MalwareBazaar | SHA256 54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b (BlackTech) (abuse.ch)

• Date and Time: December 28, 2022, at 7:20 p.m., PT,
• Incident ID: 03
• Description: An organization experienced a security incident in which an individual was able to gain unauthorized access to customer PII and financial information by using forced browsing to exploit a vulnerability in the organization’s e-commerce web application. The incident investigation is within the Containment, eradication, and recovery, and Post-incident phases of the NIST Incident Response Lifecycle.
• Tools used :
  • Web application logs and web server access logs associated with the incident for investigation.
  • Incident final report for reference

Additional notes:

Response and remediation:

The organization collaborated with the public relations department to disclose the data breach to its customers. Additionally, the organization offered free identity protection services to customers affected by the incident. After the security team reviewed the associated web server logs, the cause of the attack was very clear. There was a single log source showing an exceptionally high volume of sequentially listed customer orders.

Recommendations: To prevent future recurrences, taking the following actions are recommended:

• Perform routine vulnerability scans and penetration testing.
• Implement the following access control mechanisms:

  •   Implement allowlisting to allow access to a specified set of URLs and automatically block all requests outside of this URL range.
    

  •  Ensure that only authenticated users are authorized access to content.
    

• Date and Time: December 28, 2022, at 7:20 p.m., PT
• Incident ID: 04
• Description: The possibility of security issues with an organization’s mail server are investigated and an analysis is conducted for any failed SSH logins for the root account on the mail server. The incident investigation occurred within the Detection and Analysis phase of the NIST Incident Response Lifecycle.
• Tools used :
  • Splunk Cloud SIEM tool
  • ZIP file containing relevant information in the time range and relevant to the incident: financial transactions, access, and authentication data log

Additional notes:

Network hosts from which each event originated

mailsv - Buttercup Games' mail server. Examine events generated from this host. www1 - One of Buttercup Games' web applications. www2 - One of Buttercup Games' web applications. www3 - One of Buttercup Games' web applications. vendor_sales - Information about Buttercup Games' retail sales.

Source file and log file where the events were exported to for analysis

• tutorialdata.zip: ./mailsv/secure.log

Steps

• Narrow the search results for events from the mail server, mailsv
• Under SELECTED FIELDS, click or enter host and mailsv. The complete search term added to the search bar is now: index=main host=mailsv . The search results have narrowed to over 9000 events that are generated by the mail server.
• Search for a failed login for root
• Enter index=main host=mailsv fail* root into the search bar. This search expands on the search from the previous task and searches for the keyword fail*. The wildcard tells Splunk to expand the search term to find other terms that contain the word fail such as failure, failed, etc. Lastly, the keyword root searches for any event that contains the term root. The search results show about 346 failed loggin attempt events for the root account on the mail server
• Look for any anomalous behavior

Around the same times, sessions for the root account are being opened using the sudo su command by the following users: nsharpe, djohnson, and myuan to switch to the root user. The owners of these accounts will need to be notified and interviewed asap for the actions found with in the logs for the following that shows sudo commands being invoked to determine if the accounts were compromised from a malicious hacker or for possible foulplay.

Thu Mar 06 2023 01:39:51 mailsv1 sudo: djohnson ; TTY=pts/0 ; PWD=/home/djohnson ; USER=root ; COMMAND=/bin/su

Were there any specific activities that were challenging for you? Why or why not? The most challenging activities for me was in incident entry #4 with getting access to my Splunk Cloud instance so I can set up the test environment. I also had some difficulties with providing too much information at times for all my incident journal entries and making sure I kept my log entries short but informative and with resource insights.

Has your understanding of incident detection and response changed since taking this course? It has grown to be much more greater understanding with getting to do the hands-on challenges provided within the course to test what I have learned. It made me challenge myself and got me out of my comfort zone in a good way to show the work a cybersecurity professional does and get experience

Was there a specific tool or concept that you enjoyed the most? Why?

I really loved and enjoyed using the VirusTotal and MalwareBazaar tools to investigate a suspicious email attachment to determine if it was malicious or not. It really sparked alot of interest in me as I found threat hunting to be just like being a cyber detective looking for clues within a case and to leave no stone unturned in making a final decision of if there is a possible threat.

It felt to me like a treasure hunt but with the twist of keeping organization systems as well myself safe from malicious attempts to attack or disrupt computer systems and networks. I was always fascinated with malware analysis in general and learning how malware can be used to attack and compromise systems and to find ways to stop them.