
COMP9038: Incident Response & Forensics

Assignment 1

Student: Lai Gianmario R00156214

This assignment evaluates your understanding of the Incident Response process and the Incident
Response handbooks.

Tasks

Attack timeline

• what steps should the attacker perform to get access to all ProjectMaker files on ACME’s servers?

To rebuild the steps the attacker should have followed, I used the attack lifecycle scheme shown in the picture below [1]:

Initial Recon: Kevin gathered OSINT (Open Source Intelligence) and found that ACME is a client of ProjectMaker; from LinkedIn he then gathered the list of employees and some of their email addresses.

Initial Compromise: Kevin most probably used spear-phishing or another internet-based attack, together with social engineering, to compromise Alice's laptop, planting a trojan or penetration tools (e.g. mimikatz) and stealing her credentials.

Establish Foothold: At this point Kevin, with Alice's credentials, can access the server via VPN.

[1] https://www.fireeye.com/blog/executive-perspective/2014/04/zero-day-attacks-are-not-the-same-as-zero-day-vulnerabilities.html
Escalate Privilege: Kevin only needs to save the specially crafted ProjectMaker document in Alice's folder on the server; because of the bug, this allows him to escalate privileges.

Internal Recon, Lateral Movement, Maintain Presence: Kevin escalates privileges to admin and can move through the server to download and delete all the ProjectMaker files of all the users, as discovered later by Charlie.

Complete Mission: Kevin deletes all the projects from the server and sends an email to Charlie requesting a Bitcoin ransom for the ProjectMaker files.

Incident Response

What external contacts should Ernest have

• consider that Ernest’s team is dedicated to ACME

• the contacts should be generic IR contacts as well as specific to ACME

Contacts:

• Management, line manager on duty (ACME)
• Remediation team leader
• PR/Comms (ACME); law enforcement, for the ransom email
• Legal, for the ransom email received and the customer data possibly exposed

Present a timeline of the Incident Response


• use the IR stages suggested by the SANS handbook

• keep in mind the questions to be asked about the incident (e.g. goal of the attack, scope of the
attack)

1. Preparation

In line with incident preparation, the company has its policy for the use of ProjectMaker:

i) no ProjectMaker files on user laptops (due to IP): only remote work, so the ProjectMaker option to disable downloading is enabled
ii) due to the IP value of ProjectMaker files, they are backed up to an additional server
iii) NetFlow is used to monitor internal and external network activity
iv) an Incident Response Team (CIRT) is kept on retainer; Ernest is the team leader and contact.

2. Detection & Analysis


How were the attack type, scope, damage and source determined by the CIRT?

The CIRT is engaged when Charlie, the IT admin, contacts Ernest, the CIRT team lead, who after a first analysis determines that this is a security incident and then proceeds to the next stage of the incident response: detection and analysis.

The CIRT analysts analyse NetFlow, ProjectMaker logs, server logs, Alice's laptop and the VPN logs. They find the spear-phishing email (the attack vector) and the malware/trojan/RAT on Alice's laptop (I can suppose it was most probably a PDF or Office document that, when opened, executed malicious code on Alice's PC). The attacker's access is identified as having used Alice's credentials (impersonation). The CIRT suspects something is not right in the software and contacts the software vendor. Once the access has been determined, the actual spread of the incident needs to be assessed: has it already infected another server, user or network segment? Is the attacker still on the network? Has he left any backdoor? The attacker downloaded all the projects to his own server, so the related network activity should be findable. The backup server was not touched by the attack. The attack motivation seems purely money related. In collaboration with Officepainters, the developer of the software, it will be discovered that Steve (developer) had been contacted before about a vulnerability by a bug hunter who wanted money in exchange for revealing it, but was turned down. Following the 5 H:

• Who? Kevin: the attacker is the bug hunter who was turned down
• What? Deleted all the ProjectMaker projects from the server and asked for money to restore them; the attacker sent an email with a ransom request
• Where? Remote access with Alice's VPN credentials to the ACME company server
• Why? Revenge because he was turned down, and money
• How? After accessing the server, exploited a vulnerability in the ProjectMaker software to escalate privileges, become admin and complete the mission by deleting all the files from the server

3. Containment

According to the company's containment policy plan, the scope of this step is to contain the attack. The company could prepare a honeyserver, in case the attacker tries to connect again, for example looking for the backup server in order to delete the backup copy as well. This works as short-term containment and gives the CIRT time to take a copy or system backup of the compromised server and laptop for further research. When the team is sure that long-term containment and shutting down the system will affect neither further analysis nor production, the server can be isolated together with its network segment, before the next step of wiping all the compromised systems. Containment is also the response strategy for the incident: in this step the CIRT, together with management, decides whether it is necessary to engage third parties such as law enforcement, or whether the incident can be closed internally with administrative sanctions. In our case, as a ransom has been requested, it is necessary to involve the legal team and law enforcement.
4. Eradication & Recovery

In this phase every system involved, in this case Alice's laptop and the server, plus the network equipment, needs to be thoroughly investigated to remove anything possibly related to the attack, and deeply cleaned by reimaging the system hard drive. "This phase is also the point where defences should be improved after learning what caused the incident and ensure that the system cannot be compromised again (e.g. installing patches to fix vulnerabilities that were exploited by the attacker, etc)."
5. Lessons Learned

Collect all the documentation and the steps taken during the incident, together with the experience gained by the security team, and create a summary, a lessons-learned brief. This is one of the most important steps to prevent, and be ready for, the same or a similar attack in the future.

What we can learn from this attack, and how to prevent a similar event:

The attacker was able to find open source information about both the company and the employees. Even if this is impossible to avoid, and a marketing company in particular must share a lot of information for business and marketing purposes, it is worth checking from time to time how and what data are exposed.

The attacker used a common social engineering attack vector, probably a spear-phishing email with a crafted PDF or Office document that executed malicious code when opened. This type of attack is more common nowadays; upgrading equipment to analyse email for possible threats and equipping endpoints with endpoint protection software can help to stop it, but as historical data on cyber-attacks shows, growing awareness and educating employees to recognise and report suspect emails is the best countermeasure.

The attacker was able to log in to the file server remotely via VPN, which means a lack of two-factor authentication on the VPN. There may also have been a lack of policy or of an IDS/IPS system (or even a SOC, where possible or affordable) that could have raised an alert when the login happened outside usual working hours, or for the uncommon amount of data downloaded by a single account. Keeping a log of network communication is a good policy, but NetFlow alone, without a follow-up or a monitoring SOC, is not enough.

It is always recommended to have the latest patches for any software; in this case the patch had not been released and was not even available. The software company should be more aware and implement a better policy about bugs, especially vulnerabilities like this one, and also inform its clients in time through dedicated channels.

The attacker, even if skilled, could not find the backup server; in this case the company policy and the security of the backup server were good, reducing the operational time to recover from an attack.
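The follow-up that the lessons-learned section says was missing, as an added example (not part of the assignment or of ACME's tooling): a small Python check over VPN/NetFlow-style records that flags the two signals named above, logins outside working hours and an uncommon amount of data pulled by one account. The record layout, the office hours (08:00 to 19:00) and the sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed VPN/NetFlow-style records (not from the assignment):
# timestamp, VPN account, bytes served by the file server to that client.
SAMPLE_FLOWS = """\
2019-03-04T09:12:00,bob,15200000
2019-03-04T10:40:00,alice,8400000
2019-03-04T14:05:00,dave,22000000
2019-03-05T02:17:00,alice,310000000
2019-03-05T02:31:00,alice,540000000
2019-03-05T03:02:00,alice,290000000
"""

# Assumed office hours for ACME: 08:00 to 19:00.
WORK_START, WORK_END = 8, 19

def parse_flows(text):
    """Turn the CSV-like records into (datetime, account, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, account, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts), account, int(nbytes)))
    return flows

def off_hours_logins(flows):
    """Accounts seen active outside working hours, with the timestamp."""
    return [(acct, ts.isoformat()) for ts, acct, _ in flows
            if not WORK_START <= ts.hour < WORK_END]

def volume_outliers(flows, factor=5.0):
    """Accounts whose total download exceeds `factor` times the median
    per-account total; a crude baseline for an 'uncommon amount of data'."""
    totals = defaultdict(int)
    for _, acct, nbytes in flows:
        totals[acct] += nbytes
    median = sorted(totals.values())[len(totals) // 2]
    return sorted(acct for acct, total in totals.items() if total > factor * median)

def triage(text):
    """Run both checks; an empty result means nothing needs follow-up."""
    flows = parse_flows(text)
    return {"off_hours": off_hours_logins(flows),
            "volume_outliers": volume_outliers(flows)}
```

On the sample, `triage(SAMPLE_FLOWS)` reports Alice's three night-time sessions and her account as the single volume outlier, which is the alert the text says NetFlow alone never produced.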
