Incident handler’s journal

Date: July 23, 2024
Entry: #1
Description: Documenting a cybersecurity incident

This incident unfolded in two phases:

Initial Detection and In-Depth Analysis: The situation describes the organization’s initial discovery of the ransomware attack. To further scrutinize the incident, the organization engaged multiple external experts for specialized technical guidance.

Containment Measures, Eradication Procedures, and Recovery Actions: The account elaborates on the various measures the organization implemented to limit the impact of the incident. As an immediate action, the company deactivated its computing infrastructure. Recognizing the complexity of fully eradicating the ransomware and recovering affected systems, the organization enlisted the support of multiple external agencies for specialized assistance.
Tool(s) used: None
The 5 W's
Who: An organized group of unethical hackers
What: A ransomware security incident
Where: At a health care company
When: Tuesday 9:00 a.m.
Why: The incident was precipitated by malicious actors who exploited the company’s systems through a phishing scheme. Upon securing access, these individuals deployed ransomware, leading to the encryption of vital files. The primary motive behind the attack seems to be financial gain, as evidenced by a ransom note demanding a substantial monetary payment in return for the decryption key.
Additional notes: How could the healthcare company prevent an incident like this from occurring again? Should the company pay the ransom to retrieve the decryption key?

Date: July 25, 2024
Entry: #2
Description: Analyzing a packet capture file
Tool(s) used: For this exercise, I utilized Wireshark to examine a packet capture file. Wireshark is a network protocol analyzer equipped with a graphical user interface. Wireshark is instrumental for cybersecurity analysts as it facilitates the capturing and analysis of network traffic. This capability is essential for the detection and investigation of unauthorized or malicious activities within a network.
The 5 W's: N/A
Additional notes: Initial Experience: This was my inaugural use of Wireshark, and I was eager to delve into the exercise of analyzing a packet capture file. Upon initial interaction, I found the interface to be quite intricate, underscoring its potency as a tool for dissecting network traffic.


Date: July 25, 2024
Entry: #3
Description: Capturing my first packet
Tool(s) used: In this exercise, I employed tcpdump, a command-line network protocol analyzer, to capture and scrutinize network traffic. Much like Wireshark, tcpdump serves as a valuable asset for cybersecurity professionals. It enables the capture, filtering, and in-depth analysis of network traffic, which is crucial for identifying and investigating potential security threats.
The 5 W's: N/A
Additional notes: Being relatively inexperienced with the command-line interface, capturing and filtering network traffic posed some difficulties for me. I encountered a few hurdles due to incorrect command usage. However, by meticulously adhering to the guidelines and revisiting certain steps, I successfully managed to capture the network traffic during this activity.

Date: July 27, 2024
Entry: #4
Description: Investigate a suspicious file hash
Tool(s) used: In this exercise, I utilized VirusTotal, a tool that specializes in analyzing files and URLs for potential threats like viruses, worms, and trojans. The tool is particularly useful for quickly assessing indicators of compromise, such as suspicious websites or files, based on data reported by the cybersecurity community. The activity focused on the Detection and Analysis phase of incident response, simulating my role as a security analyst in a Security Operations Center (SOC). I was tasked with investigating a file hash that had triggered a security alert. My responsibility was to conduct a more in-depth analysis to determine whether the alert indicated a genuine threat.
The 5 W's: An unidentified malicious actor sent an email with a harmful file attachment to an employee at a financial services company. The file had a SHA-256 hash of 54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b. The incident occurred on the employee's computer and triggered an alert at 1:20 p.m., which was sent to the organization's Security Operations Center (SOC) after the intrusion detection system identified the file. The incident happened because the employee downloaded and executed the malicious file attachment from the email.
Additional notes: How can this incident be prevented in the future?
Should we consider improving security awareness training so that employees are careful with what they click on?
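Hash-based triage of the kind described in this entry, written here as an added example and not part of the original journal: it validates the alerted SHA-256, checks it against a local block list, hashes an attachment's bytes the same way VirusTotal identifies files, and turns engine counts into a verdict. The block list contents, the attachment bytes and the engine counts are constructed, and the stats dictionary is only modelled on the shape of a VirusTotal report.

```python
import hashlib
import re

# SHA-256 quoted in this journal entry (the hash that triggered the alert).
ALERTED_HASH = "54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b"

# Constructed local IoC block list; in practice this comes from threat intel feeds.
KNOWN_BAD = {ALERTED_HASH}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_hash(value: str) -> str:
    """Lowercase and validate a SHA-256 hex digest; reject anything else."""
    h = value.strip().lower()
    if not SHA256_RE.match(h):
        raise ValueError(f"not a SHA-256 hex digest: {value!r}")
    return h


def sha256_of_bytes(data: bytes) -> str:
    """Hash file contents; this is the identifier used to look a file up."""
    return hashlib.sha256(data).hexdigest()


def verdict_from_stats(stats: dict, min_engines: int = 3) -> str:
    """Map engine counts (keys modelled on a VirusTotal-style report, assumed
    shape) to a triage verdict; min_engines avoids acting on a single false positive."""
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    if malicious >= min_engines:
        return "malicious"
    if malicious + suspicious > 0:
        return "suspicious"
    return "likely benign"


def triage(alert_hash: str, stats: dict) -> dict:
    """Combine block-list membership and engine verdict into one triage record."""
    h = normalize_hash(alert_hash)
    return {"hash": h, "on_blocklist": h in KNOWN_BAD, "verdict": verdict_from_stats(stats)}


if __name__ == "__main__":
    # Constructed attachment bytes: shows the hashing step, not the real sample.
    print(sha256_of_bytes(b"constructed sample attachment"))
    # Constructed engine counts for the alerted hash.
    print(triage(ALERTED_HASH.upper(), {"malicious": 58, "suspicious": 1, "undetected": 10}))
```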

Reflections/Notes:
Challenging Activities: The tcpdump activity was particularly challenging for me, primarily because I’m new to the command-line interface. The syntax was a steep learning curve, and initially, I felt frustrated due to incorrect outputs. However, after revisiting the activity and pinpointing my errors, I realized the importance of meticulously following instructions and taking my time to understand the process.
Evolution of Understanding: My grasp of incident detection and response has significantly deepened after completing this course. While I started with a rudimentary understanding, the course has illuminated the intricate complexities involved. I’ve gained insights into the lifecycle of an incident, the critical role of planning, processes, and personnel, as well as the tools commonly used in the field.
Favorite Tool or Concept: Network traffic analysis captivated me the most. Using network protocol analyzers for the first time was both a challenging and exhilarating experience. The ability to capture and scrutinize network traffic in real-time was fascinating. This has piqued my interest in the subject, and I aim to further hone my skills in using network protocol analyzers.
