Steps after Confirming the Attack
As the security analyst for Blue Moon Financial (BMF), my plan for a network intrusion comprises ten steps, beginning with identification of the incident and ending with the resumption of the company’s normal operations. The first step is incident identification: alerts from the monitoring systems and sensors are checked, and the findings are brought to the attention of BMF. The second step is incident investigation, aimed at understanding the scope of the damage caused to the company and the approach used by the attackers. The third step is the collection of evidence and other data related to the incident, and the fourth is reporting the results to BMF management to ensure oversight and awareness. The fifth step is containment, which stops the malicious software and the attackers from operating within the environment. The sixth step is repairing the malfunctions and fixing the weaknesses in security management that allowed the incident to occur. The seventh step is the remediation of compromised accounts and of the affected computers and networks, with the aim of restoring them to normal operation. The eighth is validation that the remediation worked and that the strengthened security controls have fully resolved the condition. The ninth is reporting the conclusion of the incident to BMF management. The last step is the resumption of normal IT operations (Donaldson, Siegel, Williams, & Aslam, 2015).
Persons Involved in the Response
The individuals who may take part in the incident examination include a help desk person, a system administrator, the personnel responsible for intrusion detection monitoring, a manager, a firewall administrator, and a business department representative. A security staff member and an outside party may also be involved in the process (Donaldson et al., 2015).
How to Compensate for the Team’s Inexperience
As the senior security analyst, I will compensate for my team’s inexperience by organizing in-house training on system security. To achieve this, I will ensure that my department, through BMF management, can bring in qualified external experts in the relevant areas of computer and systems security. These experts will educate my team while helping to handle the incident response itself. Beyond transferring knowledge to my team, the external experts will also enhance the productivity of Blue Moon Financial (Chang & Gurbaxani, 2012).
Type of Resources Needed for Response Management
The resources needed for this kind of response are digital forensic tools and software for conducting the investigation. Human resources are also required, such as digital forensic experts and a network of computer technology investigators. The forensic workstations must also support the operating system platforms the evidence may come from, including DOS, older and current releases of Windows such as Windows XP, Linux, and Macintosh (Nelson, Phillips, & Steuart, 2015).
Protection Measures to Be Considered
A number of measures need to be considered in this incident response. First is mapping the company’s security chain in order to identify any weak links that could expose the financial firm to attack. Second, a written compliance work plan ought to be developed to help identify the highest risks of a possible cyber-attack. This plan must address the procedures for handling a cyber-attack, including related compliance matters such as policies, training, codes of conduct, and the specific incident response procedures. Third is preparing the legally required disclosures that support the evaluation of cyber-safety risks, so that the risks are suitably disclosed to investors. The next measure is coordination with the CPO and CIO and with the other departments within the financial firm, chiefly the Information Technology Department, the Legal Department, Human Resources, and the Business Unit Department (“Cyber Attacks”, n.d.).
Another preventive measure is the implementation of a firm-wide data management program, which involves mitigating risks and ensuring the safety of clients’ data. It also involves restricting employees’ access to the kinds of information their jobs require. The following measure is a review of the policies governing employees’ access to data and information. Also to be considered is investment in computer security, in addition to protective measures that use the most up-to-date approaches: read-only views of documents and materials where applicable, hosting the company’s database on a server separate from the web application server, applying current security patches, securing all passwords, and designing the network security architecture with strict input validation. Additional measures include network scans to evaluate network activity and the checking of contractors’ (third-party) activities and procedures, whether they access the computer system directly or remotely (“Cyber Attacks”, n.d.; Cárdenas, Amin, Lin, Huang, Huang, & Sastry, 2011).
Communication and Coordination Plan
Who to Call and When
Both the technical and the business teams are called after an incident occurs. The technical team discusses the incident and its progress from the technical viewpoint, while the business team is called upon so that the progress of the incident can be communicated from a non-technical perspective (Ahmad, Hadgkiss, & Ruighaver, 2012).
Identifying Priorities and Assigning of Resources
In the context of communication and coordination, priorities can be set according to the level of access users have to the firm’s data and information: high-level users are given the highest priority, followed by middle-level users, with low-level users given the lowest priority. A system administrator is an example of a high-level user, while secretaries are low-level users.
Communication with Incident Responders during the Response
I will communicate with the responders according to the level of the users involved. For high-level users such as system administrators and information security officers, I will use the relevant technical terms of information security and computing, because they understand the technical concepts behind cyber-attacks. With low-level users, I will use simple terms related to their responsibilities.
Communication with Management during the Response
I will communicate the problem to management by summarizing all the responses in easy-to-understand language, since they are not IT experts. This summary is best delivered as a written report that makes clear whether or not an attack has taken place and how it affects the firm’s operations. I will communicate all the data to senior management after all responders have given their findings and responses on the issue.
Determining Further Information About the Source of the Attack
Type of Attack
One approach to characterizing the type of attack is the time taken to detect and resolve it. Published breach studies report that a malicious cyber-crime takes around 170 days on average to detect, while an attack by a malicious insider can take up to 259 days on average to detect, with an average clean-up time of up to 45 days. Another indicator is the total cost of detecting the attack and cleaning it up from the system; according to these studies, malicious code, denial of service and malicious insiders are the most costly types of attack (Armin, Thompson, Ariu, Giacinto, Roli, & Kijewski, 2015). These figures are industry averages that help set expectations for the investigation; the actual type of attack is confirmed from the evidence collected.
Where the Attack Might have Originated from - Attribution
In this case, digital forensic techniques such as fingerprinting and the DNA approach are used to identify the person(s) responsible for the attack. In addition, the cloud traceback model can be used to detect attacks such as denial of service by means of a back-propagation neural network (Thapliyal, Bijalwan, Garg, & Pilli, 2013; Joshi & Joshi, 2012). Because source addresses and tool fingerprints can be spoofed or relayed through intermediate hosts, any attribution should be recorded together with the evidence it rests on and the level of confidence placed in it.
The Extent of the Attack
The extent of an attack can be estimated from the magnitude of the losses it caused: the larger the loss, the greater the extent of the attack. The process involves determining the relationships among the relevant variables and the strength of those relationships, and the calculation of the loss involves data analysis and interpretation using statistical software. The sophistication of the attack can also be determined by analyzing the malicious attachments that were used as droppers (Shackelford & Russell, 2014; Narula & Jindal, 2015; Thonnard, Bilge, O’Gorman, Kiernan, & Lee, 2012).
Determining Whether It Is a Single Attack or Part of a Complex Series of Incidents
The TRIAGE data analysis framework can be used to carry out an in-depth analysis of a cyber-attack, whether it is a complex series of attacks or a single attack, by analyzing the characteristics and dynamics of the attacks as well as their effects. In addition, the average cost of resolving a complex series of attacks may exceed one million dollars, although the figure can at times be misleading. Nevertheless, the same cost measure can also be used to characterize a single attack on the company’s network (Thonnard et al., 2012; Infosec, 2013).
The other method involves unsupervised network intrusion detection systems that do not rely on signatures. Such a system applies a series of algorithmic steps to detect an anomalous time slot in the traffic and then pinpoints the intrusions within it, including denial of service attacks, probes, propagating worms, buffer overflows, and unauthorized access, among others. Insiders, who are mainly employees, can also be checked against the server that stores their individual details in terms of their user account histories (Casas, Mazel, & Owezarski, 2012).
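As an added illustration of signature-free detection over time slots (example code written for this page, not from Casas, Mazel & Owezarski or any product), the following Python script constructs a synthetic flow log with a SYN flood in one minute and a port scan in another, computes a small feature vector per one-minute slot, and flags slots whose features lie more than K robust standard deviations (median absolute deviation) from the median of all slots. The slot width, the threshold K, the feature set, and the traffic parameters are assumptions chosen for the example.

```python
"""Signature-free anomaly detection over fixed time slots (added example)."""
from collections import defaultdict
import random
import statistics

SLOT_SECONDS = 60   # slot width (assumed)
K = 5.0             # robust z-score threshold (assumed)
# Minimum spread per feature, so a feature that never varies in normal
# traffic (e.g. always the same five service ports) cannot divide by zero
# or flag a trivial one-unit difference.
FLOOR = {"flows": 1.0, "src_ips": 1.0, "dst_ports": 1.0, "syn_only_ratio": 0.02}


def make_flows(seed=7, slots=60, flood_slot=8, scan_slot=41):
    """Constructed flow log: normal office traffic in every slot, plus a
    spoofed SYN flood in flood_slot and a vertical port scan in scan_slot."""
    rnd = random.Random(seed)
    flows = []
    for slot in range(slots):
        base = slot * SLOT_SECONDS
        for _ in range(rnd.randint(180, 220)):
            flows.append(dict(
                ts=base + rnd.uniform(0, SLOT_SECONDS),
                src=f"10.1.{rnd.randint(0, 3)}.{rnd.randint(1, 60)}",
                dst=f"10.9.0.{rnd.randint(1, 5)}",
                dport=rnd.choice((53, 80, 443, 445, 3306)),
                syn_only=rnd.random() < 0.05,   # handshake never completed
            ))
    base = flood_slot * SLOT_SECONDS
    for _ in range(5000):   # SYN flood: many spoofed sources, one target port
        flows.append(dict(ts=base + rnd.uniform(0, SLOT_SECONDS),
                          src=f"198.51.100.{rnd.randint(1, 254)}",
                          dst="10.9.0.1", dport=443, syn_only=True))
    base = scan_slot * SLOT_SECONDS
    for port in range(1, 1001):   # port scan: one source, one host, 1000 ports
        flows.append(dict(ts=base + port * (SLOT_SECONDS / 1001.0),
                          src="10.1.2.200", dst="10.9.0.3",
                          dport=port, syn_only=True))
    return flows


def slot_features(flows, slot_seconds=SLOT_SECONDS):
    """Aggregate flows into slots and compute one feature vector per slot."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[int(f["ts"] // slot_seconds)].append(f)
    feats = {}
    for slot, fl in sorted(buckets.items()):
        feats[slot] = {
            "flows": len(fl),
            "src_ips": len({f["src"] for f in fl}),
            "dst_ports": len({f["dport"] for f in fl}),
            "syn_only_ratio": sum(1 for f in fl if f["syn_only"]) / len(fl),
        }
    return feats


def detect_anomalous_slots(feats, k=K):
    """Return {slot: [(feature, robust_z), ...]} for every slot in which some
    feature deviates more than k robust sigmas from the median over all slots.
    Median and MAD are taken over the slots themselves, so no baseline or
    signature is needed; 1.4826 rescales the MAD to a normal-distribution sigma."""
    flagged = defaultdict(list)
    for name, floor in FLOOR.items():
        values = {s: v[name] for s, v in feats.items()}
        med = statistics.median(values.values())
        mad = statistics.median(abs(x - med) for x in values.values())
        scale = max(1.4826 * mad, floor)
        for slot, x in values.items():
            z = (x - med) / scale
            if abs(z) > k:
                flagged[slot].append((name, round(z, 1)))
    return dict(flagged)


if __name__ == "__main__":
    result = detect_anomalous_slots(slot_features(make_flows()))
    for slot, reasons in sorted(result.items()):
        print(f"slot {slot:3d} anomalous: {reasons}")
```

Run as a script, it reports the flood slot (flow count, distinct source count and SYN-only ratio all far above the median) and the scan slot (distinct destination ports), while the ordinary minutes stay silent. The features that drive the flag tell the analyst which kind of intrusion to look for in that slot, which is the step from "anomalous time slot" to "pinpointed attack" described above.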
Handling Potential Evidence
Chain of Custody and Preservation
The evidence gathered has to be stored safely for future reference. The chain of custody and preservation of potential evidence therefore require that the evidence be stored and managed without any modification, with every handover and every access documented. This includes documenting collected evidence that cannot be recovered, evidence that has been backed up, and evidence recognized as missing. Evidence preservation thus becomes the most significant consideration (Ali, 2012).
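As an added example of how the chain of custody can be enforced technically (code written for this page, not from Ali (2012) or any forensic suite), the following Python module hashes each evidence item with SHA-256 at acquisition and keeps an append-only custody log in which each record’s hash covers the previous record; verify() re-hashes the evidence bytes and walks the log, so a modified image, an edited entry or a removed handover is reported instead of going unnoticed. The item identifier, actors, timestamps and evidence bytes are constructed for the example; in practice the bytes would be a write-blocked disk image and each handover would be countersigned by the releasing and receiving parties.

```python
"""Hash-chained chain-of-custody log for digital evidence (added example)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS = "0" * 64   # previous-hash value for the first custody record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyRecord:
    seq: int               # position in the log, starting at 0
    action: str            # acquired / transferred / analysed / stored
    actor: str             # person or team now holding the evidence
    timestamp: str         # ISO 8601 UTC, supplied by the caller
    evidence_sha256: str   # hash of the evidence taken at acquisition
    prev_record_hash: str  # record_hash of the previous record
    record_hash: str = ""  # SHA-256 over all other fields, set on append

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "record_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class EvidenceItem:
    """One acquired artifact (e.g. a disk image) plus its custody log."""

    def __init__(self, item_id: str, description: str, data: bytes,
                 acquired_by: str, timestamp: str):
        self.item_id = item_id
        self.description = description
        self.data = data                       # the preserved bytes
        self.acquisition_hash = sha256_hex(data)
        self.log: list[CustodyRecord] = []
        self.record("acquired", acquired_by, timestamp)

    def record(self, action: str, actor: str, timestamp: str) -> CustodyRecord:
        """Append a custody event; the new record is chained to the last one."""
        prev = self.log[-1].record_hash if self.log else GENESIS
        rec = CustodyRecord(len(self.log), action, actor, timestamp,
                            self.acquisition_hash, prev)
        rec.record_hash = rec.compute_hash()
        self.log.append(rec)
        return rec

    def verify(self) -> list[str]:
        """Return a list of problems; an empty list means the evidence bytes
        and every custody record are exactly as originally written."""
        problems = []
        if sha256_hex(self.data) != self.acquisition_hash:
            problems.append("evidence bytes no longer match acquisition hash")
        prev = GENESIS
        for i, rec in enumerate(self.log):
            if rec.seq != i:
                problems.append(f"record {i}: sequence gap (record removed or reordered)")
            if rec.prev_record_hash != prev:
                problems.append(f"record {i}: previous-hash mismatch")
            if rec.evidence_sha256 != self.acquisition_hash:
                problems.append(f"record {i}: refers to a different evidence hash")
            if rec.record_hash != rec.compute_hash():
                problems.append(f"record {i}: record contents altered")
            prev = rec.record_hash
        return problems


def demo() -> tuple[list[str], list[str], list[str]]:
    """Build a small log, then show that tampering is detected. Returns the
    verify() results for the intact item, an altered image, and an edited log."""
    # Constructed evidence: a few bytes standing in for a disk image.
    image = b"NTFS\x00constructed-sample-image-bytes"
    item = EvidenceItem("EV-001", "laptop disk image (constructed)", image,
                        "analyst A", "2025-01-10T09:00:00Z")
    item.record("transferred", "forensic lab", "2025-01-10T11:30:00Z")
    item.record("analysed", "forensic lab", "2025-01-11T15:00:00Z")
    intact = item.verify()

    item.data = image + b"\x00"            # someone touches the image
    altered_image = item.verify()
    item.data = image                      # restore, then edit a record
    item.log[1].actor = "unknown courier"  # back-dated change of custody
    edited_log = item.verify()
    return intact, altered_image, edited_log


if __name__ == "__main__":
    for label, result in zip(("intact", "altered image", "edited log"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The acquisition hash is repeated in every record so that a record cannot be silently re-pointed at a different artifact, and the chained record hashes mean that deleting a handover from the middle of the log breaks both the sequence numbers and the previous-hash link of the record that follows it.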
Analysis and Reporting
The evidence collected is examined and the results analyzed using a legally defensible approach. The main purpose of the analysis is to discover the scope of the attack in relation to the loss incurred. The results of the analysis are then reported to management. Reporting thus becomes the concluding stage, which may include a description of the actions taken and the tools used (Guo, Jin, & Shang, 2012).
To gather the correct evidence and perform a proper analysis for accurate results before reporting, the digital forensic investigation model is the most suitable. Apart from analysis and reporting, the phases of the model comprise evidence acquisition or collection, data/information recovery, and documentation of the steps involved, depending on the specific model used. It should be noted that strictly following every stage of the digital forensic investigation increases the degree of accuracy of the evidence gathered (Agarwal, 2011).