Cyber Incident Response for Blue Moon Financial - Term Paper Example

Cyber Incident Response for Blue Moon Financial al Affiliation Cyber Incident Response for Blue Moon Financial As a senior security analyst for Blue Moon Financial (BMF) Company, I have detected a potential network intrusion at the middle of the night through a technician who called me to explain the suspicious act. Recently, there has been a rash of network intrusion attacks at other firms that has put them at risk of losing important information and large amounts of money. My company has also experienced an elevated amount of port scanning and other types of reconnaissance activities showing that the network intrusion attacks have become rampant and require urgent solutions to ensure that we are not affected in a manner that will lead to the loss of information and funds to the attackers. The company has been faced with several challenges with respect to addressing the network intrusion attacks and cyber security issues because it is ill equipped to deal with such issues. This paper discusses how I will deal with the active network intrusion attack in the company under various sub-topics. Responding to the Network Intrusion Incident In light of the active network intrusion incident, it important that emergency steps are taken immediately to ensure that further damage is not caused to the company. First steps The first steps to take in the current scenario are to identify the nature of attack. I am the only person who is qualified and well trained to deal with such issues. Therefore, before informing anyone else about it, I will first find out the type of the attack targeted towards the company. This will be the first step towards stopping the attack because further steps cannot be initiated if the type of attack is not known well. Secondly, I will localize the source. This means that I have to use firewall and IDS logs to try to find out where the attack is coming from to be able to know whether the attack is coming from a compromised host or from the outside world. This is also essential in ensuring that the attack can be stopped as soon as possible (Sharma, et.al, 2015). After this, the next step that I will take entails blocking the attack. Once it source and the nature of attack is clarified, I will take the necessary actions towards blocking it (Youssef, & Emam, 2011). These actions will include pulling the machines that have been attacked from the network, block the access to the network from that IP address if the attack is coming from outside. Depending on the type of the attack, I may have to use ISP if the attack is a DDoS attack. I will also backup the evidence of the attack by keeping the logs generated to ensure that I have a detailed account of the attack. I will also find other compromised machines and use appropriate tools to root out any other machines that have been attacked. The last aspect is to ensure that I do not recycle the attack by reconnecting machines that have been compromised until they are cleaned. The people to involve in the response To respond effectively to the attack, there are several important persons that should be involved in it. This group is known as the incident response team. The team must be inter-departmental containing the upper management, human resource management representatives, technical staff from the security department, and persons outside the organization, for instance security agencies that include the FBI. However, because the attack has happened at the middle of the night, the most important persons to respond to the attack will be security people and technicians. Nevertheless, all these persons are important because they will help to stop the attack in a quick manner (Alqahtani, 2013). Compensating for the team’s inexperience The team’s inexperience is a troubling issue when addressing the current attack because they do not have sufficient information on dealing with such attacks. To compensate for their inexperience, I will deploy the team depending on the areas where they are knowledgeable. Attempts to secure the networks of the organization must be done after a thorough investigation of the step that should be permitted and those that should not. Therefore, using the team in areas of their expertise will help combined with strict instructions. I will also compensate for this by bringing in experienced technicians from security organs or trusted companies by seeking approval from management (Youssef, & Emam, 2011). Resources necessary to respond to the network intrusion The resources required to effectively respond to the network intrusion are several. First, human resource is important because it will provide a variety of suggestions and labor to quickly respond to the intrusion. Secondly, safe computer machines will be required to help in blocking the attack. As it stands out, all machines at the organization could be infected and it is not proper to use any of them until they are ascertained. Therefore, new computers will new software will be required to log in to the organization’s systems and respond to the attack. An intrusion prevention system will also be needed to block the attack (Sharma, et.al, 2015). Protection measures to be considered The protection measures to be considered in the active network intrusion attack will include taking knowledge of the network infrastructure and series affected, deploying emergency action plans and installing tools and scripts that will implement these plans rapidly. However, I will need to do an inventory of the organizations networked systems, code the system into the available matrix and map it to the available contingency plans that will protect the backbone, firewalls, servers, routers and wireless IPs (Youssef & Emam, 2011). Communication and Coordination Plan Communication and coordination are important factors in responding to active network intrusion attacks. Effective communication and coordination mechanisms are essential to ensure that effective measures are taken to respond to the intrusion attack to prevent further damage to the organization. Therefore, the communication and coordination plans must be well thought-out and planned to ensure that the plans work as they should and yield the results intended for the deployment of those initiatives without delay/ People to call and when to call The response to a network intrusion attack requires effective teamwork to block it immediately meaning that various people have to be included in the response measures. First, I will call all the information security technicians available. Even though they do not enough experience and training, they offer direct help in such a scenario. I will also call the human resource representative and the top management of the organization. All these people will be called immediately the attack has been noticed because they have a key role to play in ensuring that the attack is stopped. After having urgent discussions with them, I will call FBI representatives and highly qualified technicians from reputable organizations to help block and stop the attack. These are the second group of the people to call after crunch discussions with the first group because they offer more but sensitive help in the network intrusion response measures. After the intrusion has been blocked, other employees and management executives will be called, preferably during the day for investigations and interviews regarding the attack to be able to take further steps to ensure that it is effectively handled and that proper measures are taken to address key areas of concern on the network intrusion attack response program (Alqahtani, 2013). Identifying priorities and assigning resources For communication and coordination to effectively help towards the response of network intrusion attack, priorities must be set to enable resources to be assigned to different persons and initiatives. The identification of priorities will be done in different ways. First, as the only person with significant incident response experience, I have to identify key priorities because there is no one else who can be able to make such priorities at the company especially with regard to network intrusion issues. Therefore, I will analyze the situation first and come up with priorities, for instance who to call, which machines to use, which technician to assign a particular role and also the resource to use for the response actions (Sharma, et.al, 2015). Secondly, I will call for a meeting with the persons identified, such as the human resource manager and the top management executives to help in establishing other priorities, for instance the resources that are required, the amount of the resources, quality, experience and what the organization can do to avail those resources at the required time. Assigning resources will be done based on needs analysis and consultation. With respect to needs analysis, together with the team, I will have to decide the current needs and the quality and amount of the resources needed. This is to ensure that there is no wastage of resources and time that should be used in the response actions. Consultations will also form a basis for allocating resources because the team is important in the response plan, and will help to analyze areas that I may not, thereby helping to allocate resources to the right areas where they are needed (Bolzoni, Etalle & Hartel, 2009). Communicating with incident responders during the response Communication and coordination only work best when the method of communication is suitable to the plan implemented. This response calls for different communication methods. First, I will use cell and office phones to call and communicate with the team that should help in the plan. This will ensure that we tackle the distance between the team judging by the fact that most of them are at home sleeping. However, I will have to secure the phones because they might have been targeted by the attack. I will also use word of mouth as a method of communication once we are at the office. Microphones with sound receptors in the office will also be used especially when we have to coordinate within the team, but in different sections at the organization. The most important aspect here is to ensure that all the communication gadgets are secured from the attack because they could also be targeted to prevent successful blockage (Youssef, & Emam, 2011). How and when to communicate with management during the response I will communicate with the management constantly during the response because I have to coordinate with them regarding the required resources and update them on the progress of the response plan. Therefore, I will communicate with them through the phone and by word of mouth constantly throughout the response period. Determination of Further Information about the Source of the Attack Intrusion detection refers to a variety of techniques implemented to detect attacks in the form of malicious and unauthorized activity. To ensure that further information about the source of the attack, I will use different techniques that are classified into misuse-based, anomaly-based and specification based techniques. Because the network intrusion attack against the company has not been established yet, all the techniques will be significant in ensuring that all information about the attack is known. The misuse-based approach relies on pre-specified attack signature and execution methods that match the signature that are flagged as abnormal. The anomaly-based technique employs machine-learning algorithm that discovers the normal patterns and any deviation from the normal patterns that are detected as malicious. The specification-based approach operates similarly to anomaly-based technique but detects deviations from system behaviors marked as legitimate. The difference between the two is that specification-based approach needs user guidance in the development of valid programs set as specification. The implementation of the three techniques will ensure that the loopholes in one of them are covered by the others and that all information about the attack is brought out (Bolzoni, Etalle & Hartel, 2009). With the development and improvement of network technologies and applications, network attacks are increasing at a high rate. The application of the intrusion detection system (IDS) is essential in detecting different forms of attacks and secures the networks. It is important to analyze the pre-intrusion activities to determine more information about the attack. These activities will including scanning of ports to find a way that the attacker used to get into the system. Attackers use port scans to probe the system and identify the ports that are open or find a vulnerable computer on the internet for them to use in launching an attack. Therefore, scanning the ports will give some information about the attack (Alqahtani, 2013). Secondly, the organization can investigate on IP spoofing to identify potential loopholes in the system because attackers use it to change information located in the headers of a packet to forge the source of the IP address. This can help in finding information about the attack. The identification of the attacks provides useful information regarding the local traffic that has been captured. I will use signature-based intrusion to search a database of signatures for the intrusion events. The event that will be monitored here will be matched against attack signatures to provide information about the attack. This method operates in the same way as a virus scanner and searches for the attack or signature of the specific intrusion attack. However, this could be challenging because it depends on regular signature updates to ensure that the variations of the hacker technique are recorded. Together with the management and the human resources, we will investigate whether there is an employee, past employee or organizational enemies/ competitors that might want to bring the company down and investigate whether they are capable of launching the attack. All these techniques will help towards finding more information about the type of the attack, the source/ attribution, the extent of the attack and the number of attacks on the organization (Sommer & Paxson, 2010). Handling Potential Evidence Acquiring, storing and handling evidence is an important aspect as one of the key features of network intrusion response plan. When an organization wants to take further action against an attacker, it must present evidence, for instance in a court of law to ensure that the organization can prove that the attack actually happened. Therefore, it is important that the evidence be handled and stored properly and safely for further use. Chain of custody and preservation After the evidence is retrieved, it will be taken and stored at the legal department of the organization with the help of information security personnel in the firm. This will ensure that the custody and preservation of the evidence is handled securely and that no chances of losing it exist. The evidence will be important for the organization when it is required for review or legal proceedings against the attacker. Therefore, it is important that the legal department handles it and prepares for any legal proceeding that might ensue with respect to the network intrusion attack (Youssef, & Emam, 2011). Analysis and reporting The evidence must be analyzed before even the reporting is done. The idea behind preserving the evidence is to use the evidence to make the organization better through such activities as closing the gaps and loopholes that can be used by attackers in future. It will also be done to provide a rationale for taking action against the attackers who initiated the network intrusion attack that will important in warning other attackers who could have the same thought of attacking the company (Sekar, Guang, Verma & Shanbhag, 1999). Therefore, the analysis has to be done in terms of both information technology and legal bases. In terms of the information technology approach, the evidence will be analyzed for purposes of showing how the attacker launched the intrusion and how it affected the company. This will help in the future protection of the company’s network system from attackers. With respect to the legal approach, the organization will definitely initiate legal proceedings against the attacker once the source is known and the evidence is established and stored. The legal team will analyze the evidence from the legal perspective investigating whether the evidence is sufficient to be considered a valid piece of evidence in a court of law. Therefore, the legal team will be responsible for the analysis of the evidence based on the legal approach. Both an information security expert and a legal expert who represent the company will do the reporting of the evidence. The reporting will be done to the board of governors and the executive of the firm. The report could also be made public if the executive and board of governors make the decision of it (Alqahtani, 2013). Conclusion Blue Moon Financial (BMF) Company has had a strong network system that has protected against network intrusion attacks that other financial organizations have faced. However, the company also became a victim of the attack showing that the system had been breached. In this circumstance, it is important that the company undertake an effective network intrusion response plan to ensure that the attack does not affect the company negatively and that the attackers are brought to justice. However, the most important aspect will be to use the evidence to build a stronger network system and also train the inexperienced staff, hire more trained staff and pay them well so that the company can be able to respond to such issues effectively. References Alqahtani, M. (2013). Assessing Network Intrusion Detection System performance: forensic implications (Doctoral dissertation, Auckland University of Technology). Bolzoni, D., Etalle, S., & Hartel, P. H. (2009). Panacea: Automating attack classification for anomaly-based network intrusion detection systems. In Recent Advances in Intrusion Detection (pp. 1-20). Springer Berlin Heidelberg. Deokate, G., Deshmukh, M., Khatwani, P., & Tiwari, A. (2015). International Journal Site. Journal Publication, 4(1). Sekar, R., Guang, Y., Verma, S., & Shanbhag, T. (1999). A high-performance network intrusion detection system. In Proceedings of the 6th ACM Conference on Computer and Communications Security (pp. 8-17). ACM. Sharma, A., Kansal, A., Sharma, D., Sharma, P., Sharma, R., Kaur, H., & Lal, D. K. (2015). International Journal Site. Journal Publication, 4(1). Sommer, R., & Paxson, V. (2010). Outside the closed world: On using machine learning for network intrusion detection. In Security and Privacy (SP), 2010 IEEE Symposium on (pp. 305-316). IEEE. Youssef, A., & Emam, A. (2011). Network intrusion detection using data mining and network behaviour analysis. International Journal of Computer Science & Information Technology, 3(6), 87-98. Read More