Breach Incident Response Essay - Initech Cyber Consulting.

cenario Initech was breached and the board of directors voted to bring in their internal Initech Cyber Consulting, LLP division to assist. Given the high profile nature of the breach and, nearly catastrophic losses, there have been many subsequent attempts at the company. Initech has tasked their top consultants, led by Bill Lumbergh (CISSP) and Peter Gibbons (CEH, SEC+, NET+, A+) to contain and perform an analysis on the breach.

Little did the company realise that the breach was not the work of skilled hackers but a parting gift from a disgruntled former employee on his way out. The top consultants have been hard at work containing the breach. However their own work ethics and mess left behind may be the downfall of the company. You have been asked to write a Breach Breach Incident Response report.

Please read all information & instructions carefully. Please ensure that you retain a duplicate of your assignment. We are required to send samples of student work to the external examiners for moderation purposes. It will also safeguard in the unlikely event of your work going astray. The following learning outcomes will be assessed:

 Knowledge

1. Incident response planning, and, preparation for cyber breach response, including the legal and professional requirements involved.
2. Evidence collection requirements and methods for securing content in a forensically sound manner. This includes the ability to acquire, analyse and report collected information
3. Breach types, consequence and surrounding legal implications on both the organization and practitioner. Skills
4. Plan and manage an effective response to a breach, including containment strategies and management of risk.
5. Respond and learn from a breach to develop and evaluate both proactive and reactive policies and procedures.
6. Investigate a breach, including methods for containment, risk, notification, evaluation and response. 

Background Information on Initech Company

A breach incident will be taken and response Technical Report will be created based on practical work (scenario). Walkthrough will be used on virtual machine as a breach investigator. Breach is a first and foremost Virtual Machine in multi-part series, it will be arranged with constant IP address and configuration will be done for host-only adaptor to this particular subnet. 

The main objective of the project will be provided. The Background of the Initech Company will then be investigated and the findings will be provided. Analysis will be provided. Suitable recommendations will be made finally.

INITECH Co., Ltd., is a financial IT and the security company, this helps in providing the information safety solutions. This mainly develops in the systems like e-banking and this offers e-banking services, there are services such as service preparation and consulting, development, control and monitoring, and maintenance; and operates data centers that provide various supplementary services for enterprises. The company also offers IT professional services, such as security system. The system has the following scenario.

Scenario Initech got through and the board of directors chosen to bring in their internal Initech Cyber Consulting, LLP division to assist. Given the high profile nature of the breach and, nearly catastrophic losses, there have been many following attempts at a company. Initech has tasked their foremost top consultants, this is led by the head, Bill Lumbergh, and Peter Gibbons to contain and perform an analysis of the breach (The Balance, 2018). 

Then the company realizes that the breach was not the work of skilled hackers but a parting gift from a disgruntled former employee on his way out. The top consultants are hard at work for containing the breach. However, their work ethics and the mess left behind may be a downfall of the company (Digital-forensics.sans.org, 2018).

Installed an Oracle Virtual Box and opened the Virtual Box is given below. After install the Ubuntu in Virtual box was running shown in figure (Baggili, 2011).

In Virtual Box after installed the Ubuntu operating system, the Ubuntu desktop is opened.

Check the IP address in Ubuntu Virtual Box,

Go to settings -> select Network settings, Network window will open. There is IP address which is with v4 taken as IP address is given below.

On the desktop Right click -> select terminal,

The window will open, then type ifconfig. Check it and there is something wrong.

Click on machine>>settings>>network window gets opened. Adapter1>> NAT is choosen

Analysis of the Breach

NAT is changed to Bridged Adapter

Network setting>>method is set to DHCP

DNS server address is set right in the option below.

IP address is changed and is shown below

Ping command is used and is shown below

In windows, go to Run

Now in command prompt, ping command is used. The screenshot is provided below

IP address of Virtual box is now connected with windows and is shown below  

There are certain tools which are analysed that they are used to investigate the breach. The tools are listed below and the explanation are provided in the analysis part.

1. Nmap
2. Tomcat
3. Ngrep
4. SSL
5. Keystore
6. Tcpdump
7. Tshark

Analysis is done for the project and the tools are analyzed. The tools are analyzed that they are used in the field of breach in Digital forensics. They are listed below with brief description. 

Nmap

With a basic functionalities of networking user can learn how to not only execute a port scanner (Goel, 2010). Nmap is the port scanner and most populist in world-wide that is a hosted security tools. Nmap is an online scanner for port can to scan your network servers and devices from an external perspectives of external of user firewall.

This helps in utilizing the framework that works. Nmap will keep running on a Windows framework, it works better and is quicker under Linux. Likewise having background with Linux based frameworks is an awesome method to access a wide choice of security apparatuses.

Steps for using Nmap in Linux

Step-1: Operating system Installation

Step-2: Ubuntu Installation

Step-3: Nmap Installation from source

Initially we need to find Nmap scan with following categories results.

Then we implemented some python code for execute Nmap scanner as follows (Stark State College - North Canton, Ohio, 2018).

Tomcat

The Java servlet or web server from the project of the Apache software is called as Tomcat. The webpages in replied to requests from a user when a web browser. It will been standard but it is often utilized behind cultural web servers such as Apache software with the cultural server providing static pages and it can providing a dynamic servlet and requests.

The following steps are used in Tomcat web server (Jahankhani, 2010).

• Install Java
• Unzip Tomcat
• Download Eclipse
• Say Eclipse about Tomcat
• Test the server
• Adjust Eclipse preferences

Ngrep

Ngrep is a basic packet sniffing and it can supports the basic packet sniffing filter condition that means to tell constraining what Ngrep looks and shows a simple as something such as”ngrephostfoo.bar.com”. The following some examples of similar invocations of Ngrep to do depends upon basic packet sniffing. The Ngrep is used to attach the specified Ethernet adaptor and recently UNIX implementations this can advised Ngrep to attach all interface at once in local and every output interfaces that may or may not be live.

Tools Used for the Investigation

Some examples of Ngrep as follows.

• Ngrep-d port 25

The Simple Mail Transfer Protocol monitor the processing of crossing source or destination port 25 (Lillard, 2010).

• Ngrep-d any ‘error’ port syslog

Ngrep controls any network depends on syslog traffic for the situation of the word ‘error’.

Ngrep-wi –d any ‘user|pass’ port 25

The File Transfer Protocol controls every traffic crossing source and destination port 21.

Now we seen a Ngrep user requests…

SSL

SSL stands for Secure Socket Layer and it is a standard security method for publishing an encrypted link between a web browser and a web server. These links are combined that each and every information passed between the web browsers and web server remain integral and private. It is an industry standard and is utilized by many websites in the security of their transactions in online with the customers. 

To be capable to implement a SSL links a web server wants a SSL certificate. When user select to enable SSL on your web server user can be prompted to finish a number of tasks about the identity of user website and user-company. User web server then implements 2 cryptographic keys such as private key and public key (Blackstone, n.d.).

The difficulties of the SSL protocol remain not visible to customers. Depends their browsers produce them with a key indicator to know them. They are recently secured by a SSL encrypted session. The lock symbol in the bottom right hand edge, clicking on the lock symbol shows user SSL certificate and the information about it. Every SSL certificates are provided to nor companies legally accountable unique.

Keystore

Java key tool is a key that also certificate management tool and it is utilized for control Java keystores and it can be included with Java. The Java keystore container for authentication certificates and public key certificates. It is often utilized by Java based applications for authentication, encryption and HTTP servers.

The entries are secured by a keystores password. It contains implementing and updating Java Keystores because they will be utilized with user Java applications (Nelson, Phillips and Steuart, n.d.).

Tcpdump

Tcpdump is a network travels for traffic in data packets and every data packet include the data that it wants to travel surround the network. This data is included in a TCP ( Transmission Control Protocol ) header. The TCP header can include the source and destination address and also it can contains the protocol identifiers and state information. The remain of the packet includes the information that been sent. The routing read the data in the packets and send them to the wright destination is responsible by devices. Tcpdump also a packet sniffing tool that utilized by admin of network to sniff and calculate traffic on a network (OpenLearn, 2018).

Nmap Tool

The pair of reasons for sniffing traffic on a network will be to validate links between to calculate the traffic and hosts that is used for traversing the network. Here, various tools available. They are Snort, Ethereal, Etherape and etc.

Tshark

Tshark is called as network protocol analyzer. It lets user shot packet information from a network and read the packets from a last saved shot file, nor printing a decoded form of packets to the organized results for writing the packets to a data (Niccs.us-cert.gov, 2018). Once the shell connects to it, this is then upgraded to the session named meterpreter.

Portpoof

Finally, the system is now much protected by portpoof. The file contains the background information or the data and the scripts are writable. 

There will be process for completing eliminate for the breaches security is an incredible task. But some important steps to be followed for avoiding breaches.

It is suggested to follow the below recommendation steps.

1. An employee leaves, that the employer account will be disable. When an employee is terminated by the company, immediately company will disable the leaving employee account even that the employee sendoff below agreeable terms or not(Weerasinghe, 2010).
2. Default passwords will be changed, because the company has more devices and the software applications are endangered by the default username and passwords is not possible, this will be easily attacked by the attackers. So the company employees have to follow password policy properly and will change the default passwords for security purpose.
3. Network scans will be do properly and regularly because there is inventory of baseline operational is invalid, then it allows to know rogue applications is install in network by the administrator. The regular network scan is done by the use programs like Net view with Microsoft command(InterWorks, 2018).
4. The traffic in outbound network will be monitor, because there is suspicions raise then the connections of outbound and traffic deviates from the normal operation of baseline. But the truth is sensitive information has stolen and also spamming, the most applications of firewall is to monitor the traffic of outbound(SearchSecurity, 2018).
5. To implement a plan for security purpose, there is no matter size of the organization small or big. When the company is in danger condition, then the security plan will give solutions for that problem. It is much more important in all organization.

Conclusion 

A breach incident is chosen and Technical Report is created based on practical work (scenario). Walkthrough is used on virtual machine as a breach investigator. The Breach is a first and foremost Virtual Machine in multi-part series, it is arranged with constant IP address and configuration is done for host-only adaptor to this particular subnet. The Background of the Initech Company is investigated and the findings are provided. Suitable recommendations are made finally. Analysis and report are also made. 

References

Baggili, I. (2011). Digital forensics and cyber crime. New York: Springer.

Blackstone, W. (n.d.). Commentaries on the laws of England. [S.l.]: Forgotten Books.

Digital-forensics.sans.org. (2018). SANS Digital Forensics and Incident Response Blog | How to Make a Difference in the Digital Forensics and Incident Response Community | SANS Institute. [online] Available at: https://digital-forensics.sans.org/blog/2011/12/06/how-to-make-a-difference-in-the-digital-forensics-and-incident-response-community [Accessed 20 Feb. 2018].

Goel, S. (2010). Digital forensics and cyber crime. Berlin: Springer.

InterWorks. (2018). What Is Digital Forensics?. [online] Available at: https://www.interworks.com/blog/bstephens/2016/02/05/what-digital-forensics [Accessed 20 Feb. 2018].

Jahankhani, H. (2010). Handbook of electronic security and digital forensics. New Jersey: World Scientific.

Lillard, T. (2010). Digital forensics for network, internet, and cloud computing. Amsterdam [u.a.]: Syngress/Elsevier.

Nelson, B., Phillips, A. and Steuart, C. (n.d.). Guide to computer forensics and investigations.

Niccs.us-cert.gov. (2018). Digital Forensics | National Initiative for Cybersecurity Careers and Studies. [online] Available at: https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework/digital-forensics [Accessed 20 Feb. 2018].

OpenLearn. (2018). Digital forensics. [online] Available at: https://www.open.edu/openlearn/science-maths-technology/digital-forensics/content-section-4.3 [Accessed 20 Feb. 2018].

SearchSecurity. (2018). What is computer forensics (cyber forensics)? - Definition from WhatIs.com. [online] Available at: https://searchsecurity.techtarget.com/definition/computer-forensics [Accessed 20 Feb. 2018].

Stark State College - North Canton, Ohio. (2018). Cyber Security and Computer Forensics Technology | Stark State College - North Canton, Ohio. [online] Available at: https://www.starkstate.edu/academics/programs/cyber-security-and-computer-forensics-technology/ [Accessed 20 Feb. 2018].

The Balance. (2018). Just What Do Digital Forensics Experts Do and What Can They Earn?. [online] Available at: https://www.thebalance.com/digital-forensics-job-and-salary-information-974469 [Accessed 20 Feb. 2018].

Weerasinghe, D. (2010). Information Security and Digital Forensics. Berlin, Heidelberg: Springer-Verlag Berlin Heidelberg