Blue Moon Financial Company’s Incident Response Essay

A plan for responding to the network intrusion incident

First steps after the attack are confirmed

The initial step would be containment. The senior security analyst will focus on containing the attack before it can overwhelm BMF resources and cause more damages. The senior security analyst will develop a specific remediation response for the attack. The immediate part of containment includes making critical decisions involving shutting down the system, disconnecting the network, and disabling some functions (Cichonski, Millar, Grance, & Scarfone, 2012).

The senior security analyst will have to determine the most appropriate containment strategy for the active attack. The following factors will be considered to identify a suitable strategy.

• Possible damage and resource theft.
• A focus on evidence protection.
• Service available for both internal and external BMF stakeholders, including customers (Internet connectivity).
• Partial or total containment (effectiveness).
• Duration for the solution to be found.

The senior security analyst will also consider sandboxing or redirecting the attacker to provide an opportunity for monitoring the attacker’s activities and gathering further evidence.

The senior security analyst will observe for any further damage once the attack has been contained.

The second step involves evidence collection and handling. Evidence will be gathered for two purposes – to resolve the issue and for later purposes for possible legal proceedings. This process will require all procedures and legal processes required to gather admissible evidence.

A log of collected evidence will include identifying information, details of personnel involved in evidence collection, time, date, and location of storage (McCarthy, Todd, & Klaben, 2012).

The senior security analyst should target a system of interest once the attack has been reported.

The third step will involve the identification of the attacking hosts. While information regarding the attacking host is vital, the team must focus on attack containment, eradication, and system recovery. Host identification is, however, a cumbersome process that could prove difficult and deter the team from attaining its main goal of minimizing the impacts of an active attack on BMF. Activities for host identification will include:

• Attacking host IP address validation.
• Research of the attacking host.
• Evaluating possible communication paths.
• Database assessment for a similar incident.

The final step involves eradication and recovery. Once the senior security analyst has contained the attack, the next important process is eradication to eliminate elements related to the attack. These procedures may involve the removal of malware, disabling attacked user accounts, and locating and fixing all vulnerable points that were attacked. The senior security analyst will also identify all the affected hosts of the BMF for remediation.

Personnel to be involved in the response

The following personnel will be involved in the response.

IT Desk Technician

• Notifies the senior security analyst and other qualified information security specialists.
• Assesses the incident, nature, and scope.
• Alerts other Incident Response Team members.
• Escalates the attack.
• Monitors progress, evidence collection, chain of custody, and safe preservation.
• Presents a summary of the incident and the response action.
• Assesses network for any denial of service and other possible attacks.
• Performs tracing procedures with sniffers, port monitors Transmission Control Protocol (TCP) and event logger.
• Assesses any potential firewall compromise.
• Contacts service providers for help in handling the attack.
• Responds by blocking traffic for any suspected case of attack.

BMF System Administrator

• Assesses status of all service packs and patches on all mission-critical systems.
• Provides backups for all vital computers.
• Reviews system logs for any suspicious activities.

BMF Senior Security Officer

• Assesses all business applications for potential attacks.
• Evaluates the audit log of mission-critical applications for possible breach.
• Coordinates with the IT Desk to get all relevant information related to the attack.
• Gathers vital information about the attack at the request of the BMF Chief Information Security Officer.

Compensating for the team’s inexperience

Given the BMF IT department inexperience of the response team, the senior security analyst will compensate for the inexperience.

• Conducts all the necessary security event log reviews and analyses for various business applications and systems to identify the active attack on the Internet.
• Monitors and provides all the details concerning cybersecurity attacks on the BMF network and database.
• The senior security analyst will also focus on external sources of data to review currently reported attacks on other financial institutions.
• Performs security incident triage – initial assessment, scope, urgency, and possible impacts on the BMF.
• Recommends on expeditious containment and remediation of the attack and do real-time security incident handling and tracking, which will include forensic evidence collection, tracking and correlating intrusion, attack analysis, and channels activities to the Incident Response Team.
• The senior security analyst will offer the required information to the IT Desk during the attack.
• The analyst will ask for external help if necessary.

Given these roles, the senior security analyst needs to have multidisciplinary and multitasking capabilities in operational risk and active attack security management. Collaboration with all members of the Incident Response Team will be highly critical during the initial stages of response.

The types of resources required

Multiple resources will be required during the attack.

• Contact information resources – for all Incident Response Team members, backup teams, law enforcement officers, and other related Incident Response Teams.
• On-call information of the team for issue escalation.
• Issue tracking system for assessing the current status.
• Smartphones for communication.
• Encryption software (FIPS-validated encryption algorithm) for both internal and external communication with the concerned authorities.
• Secure storage resources for collected evidence and other confidential information.

Incident Analysis Resources – Software and Hardware

• Digital forensic tools and other backup resources for evidence collection, preservation.
• Laptops for data analysis, sniffing, and report writing.
• Workstation, servers, and related network equipment for system restoration.
• Removable devices for evidence collection.
• Portable printers for log files.
• Protocol analyzer and packet sniffer resources.
• Evidence collection gadgets, including notebooks and evidence protection accessories.

Incident Analysis Resources

• Port lists prone to Trojan and frequently used ports.
• Documentation for BMF systems, applications, intrusion detection, protocols, and installed products.
• Network diagrams and database services.
• Cryptographic hashes for important files for enhanced attack analysis, review, and eradication.

Incident Mitigation Resources

• Access systems for OS, BMF applications required for back and recovery.

For a swift response, a jump kit with the most vital resources will be required instantly.

Protection Measures

• Prevent potential further damages and widespread of the attack.

Communication and Coordination Plan

Who to call, when

BMF has some inexperienced staff members; therefore, the senior security analyst will only call members of the response team with primary roles during the Incident Response.

• Chief Information Security Officer
• Security Manager – Information Technology Assistant
• Vice President of Finance and Administration
• IT Service Desk

Also, the following members of the team will offer supporting roles during the Incident Response.

• Security Analyst Assistant
• IT system Windows Systems Administrator
• IT Network Engineer
• Internal Audit

Management

The management team will be informed immediately because of its role in coordinating Incident Response among different stakeholders, including external ones, reducing the extent of the damage, and reporting to various external parties.

Information Assurance

The team members will be required during the critical stages of the incident the attack. They will provide valuable input during attack containment, eradication, and system recovery. For instance, they might work on network security systems and controls, such as firewalls.

IT Support

The attack will require immediate availability of IT support team members, including network and system administrators. They will use their technical expertise and the best comprehension of the technology to manage and prevent the attack from causing further damage. They will provide the most valuable decision on whether to disconnect the compromised computers from the network system.

Facility management and physical security

The attack could have taken place by compromising physical security, or it could have been executed from the BMF offices. Also, the Incident Response Team will require the physical security team to provide access to network and server rooms during incident management. For instance, breached systems or workstations will be physically accessed from restricted rooms or offices.

During the incident handling, it is also imperative to recognize other internal stakeholders who may utilize relevant information during incident handling. Moreover, their cooperation and roles based on skills, judgment, and capabilities would be vital.

Business Continuity Team

This group of stakeholders will get relevant information for business continuity purposes. The affected departments would wish to understand the incident, its impacts on business and business continuity processes. The attack on BMF will undermine business operations and resilience. The business continuity team must be informed about the attack, identified business impacts, risks, and the procedure for operational continuity. Also, the business continuity team has extensive experience in mitigating operational disruption when such incidents occur. Therefore, the team will be vital in planning specific responses to particular cases such as DoS.

Legal Department

Once the Incident Response Team has identified the legal ramification of the attack, it must notify the legal department immediately. The legal department will assist in specific areas related to evidence collection or possible criminal proceedings. In case of a memorandum of understanding or other legally recognized agreements, the legal department will be required to provide its view on liability limitations on the extent to which information may be shared.

The Human Resource Department

In case an employee is the main suspect in the attack, the human resource manager will have to determine the disciplinary actions and subsequent steps.

Media

The Incident Response Team should have information ready for media just in case they want information, and by extension, inform the public. In this case, only authorized personnel will be allowed to engage the external audience.

The senior security analyst understands the limitation of its team. In this case, the credibility and efficiency of the Incident Response Team will be driven by the technical expertise and capabilities of few available members. The system administrator, technical support, network administrator, and intrusion detection team will provide these skills and capabilities.

Collaboration, specifically on information sharing, will be a vital success factor for BMF during incident handling. The senior security analyst will handle various tasks, including providing support for the inexperienced personnel, liaising with executives, business continuity groups, and organizing for supplies of required resources, among others. Thus, the senior security analyst must be adept and demonstrate effective communication skills.

Identifying priorities and assigning resources

The major priorities during incident handling will involve developing the most effective framework in a manner that:

• Restricts further damage.
• Reduces costs and time associated with the recovery.
• Sustains confidence of BMF internal and external stakeholders.

Resources will be specifically allocated to achieve these primary priorities.

Communicating with incident responders during the response

Communication with the Incident Response Team will be swift and as accurate as possible. The communication shall be used to facilitate solution delivery. The rapid sharing of information will be driven by various channels, such as e-mails, telephone calls, Web site or Intranet, or in person.

Communicating with management during the response

Senior executives and business managers will require timely information on the affected systems and the appropriate response taken. They will also be informed about expected outcomes and potential time for the resumption of normal operations.

Determining Further Information about the Source of the Attack

Type of attack

The senior security analyst observed port scanning and other types of reconnaissance activities at the BMF network. Port scanning shows a thorough scanning of computer ports fully when information is exchanged through ports (Sanghvi & Dahiya, 2013). The scanning process allows attackers to identify open, vulnerable ports. Also, the attacker can disrupt available services while noting points of attack. The main goal is to gather data for analysis.

Further, through reconnaissance activity, the attacker would collect the necessary information to launch an attack on the BMF network (Sanghvi & Dahiya, 2013). There are possibilities of a distributed denial of service (DDoS) attacks on BMF services. In most cases, DDoS is not uncommon or surprising in the financial services sector (Ashford, 2016). It is the most common threat to most of these financial institutions, and, therefore, there are possibilities that the attacker used DDoS to attack BMF. DDoS attacks simply overwhelm the network and disrupt online banking services, such as Internet banking, ATMs, and other online platforms of the institution with massive data. The attack would overload the network and disable services by taking them offline (Ashford, 2016).

It is also suspected that the attacker could have used DDoS to distract the security system while an active malware infiltrates the network and gathers consumer data (Sikorski & Honig, 2012). Bots and malware are known to apply unwavering strategies, including mimicking real users’ behavior to sidestep normal security systems (Ashford, 2016). This situation causes serious implications for financial institutions in different parts of the world. Malware and bots are not easy to detect and may cause losses resulting in billions of dollars.

Possible origin of the attack

It is generally suspected that the attack could have originated from one of the rogue states. A wide range of diverse reasons, including excitement to demonstrate prowess, financial benefits, threats, or revenge, drive these attacks (Dimov, 2015). It is also imperative to recognize attacker communities are active in most parts of the globe (Dimov, 2015). Some data have shown that cyberattacks originated from about 199 countries or unique regions (Dimov, 2015). Some notable sources of attacks were China, the US, Turkey, Taiwan, and Russia. Other states that are suspects and cannot be left out are Iran, Pakistan, and India, among other small emerging economies.

Therefore, the senior security analyst will focus on specific hacker-active states by looking at various attack parameters.

At the same time, the senior security analyst should not rule out potential attackers by employees. Therefore, investigations should emanate from BMF.

The extent of the attack

This attack appears to be a multi-channel attack, and it can, therefore, cause massive damages to BMF. The funds are at huge risk, while consumer and commercial organizations’ data may be breached.

Also, BMF online banking and payment systems could have been exposed during the attack. Attackers could have seized and gained control of BMF ATM networks and perhaps initiated multiple transactions, including predetermined, complex transactions, to dispense cash to recipients waiting outside the ATMs.

Whether there is a single attack or if this is part of a complex series of incidents

The senior security analyst must look beyond a single attack because several ports were scanned, and multiple other types of reconnaissance activities were observed.

Given the number of ports scanned and other related activities, the attack explored and determined multiple points of weaknesses and observed how BMF would respond and mitigate the attack, and subsequently determined how fast it could act. Besides, there are possibilities that DDoS could have been used as a smokescreen or a method to divert the Incident Response Team while the attacker executes massive financial fraudulent transactions (Crosman, 2015).

Other considerations

While an external attack is possible, the Incident Response Team must also focus on potential sources of internal attacks. The team must assess motives driven by revenge, financial rewards, excitement, or threats from potential hackers.

It is also noted that most financial institutions have failed to recognized and develop DDoS mitigation strategies into their security response plans. BMF must treat such attacks as real and extremely dangerous threats.

BMF must assess potential data and financial losses and develop the most effective response plan for a massive attack.

It would also be vital to determine the number of days it would take to restore the system. In the case of BFM, it will take several days because most of the IT department members are inexperienced. The senior security analyst will perhaps ask for external assistance to deal with the attack swiftly.

Handling Potential Evidence

Chain of custody and preservation

The Incident Response Team will gather and share information. However, it must consider many security issues. BMF will interact with different types of external institutions during incident handling processes. Apart from the internal Incident Response Team, there might also be an external Incident Response Team, law enforcement authorities, customers, and Internet service providers.

BMF will ensure that its incident coordination approaches are flexible to accommodate other external parties. Still, it will not allow for interference with evidence to ensure that it is admissible in courts during legal proceedings. As such, it will observe the following rules.

• Only authorized individuals will handle specific information to protect sensitive data.
• Sensitive data may be eliminated from the incident information.
• Any pieces of information shared with external stakeholders must be protected.
• BMF will consider all legal issues related to handling and sharing of data.

BMF will preserve data for prosecution. If there are possibilities that there could be legal proceedings against the attacker, then BMF will retain all pieces of evidence until the legal process is concluded. It is difficult to prosecute such cases. Therefore, the legal process may take many years. Also, any pieces of evidence should be preserved for future purposes, even if they appear insignificant. For instance, if an attacker performed multiple port scanning and other types of reconnaissance activities to collect valuable information, such evidence should be preserved because the attacker can launch attacks that are more critical later by relying on the previously gathered evidence.

BMF will rely on its data retention policies to clarify how long it may keep data for reference. The duration should be, however, guided by the importance of data.

Analysis and reporting

Analysis and reporting will also contain learning and improvement based on outcomes of the incident response.

Once the Incident Response Team has gathered data, it will analyze for threat identification, damage, sources, and other related information. Besides, it will use the date to determine how threats evolve, new technologies, and lessons learned as post-incident activities. The analysis and report should contain the following parts.

• An overview of the incident and time of the attack.
• It should reflect how effectively the senior security analyst and the Incident Response Team responded to the incident.
• It must reflect all procedures followed and their adequacy.
• The report will have to clarify the vital information, resources, and expertise required immediately after detection and during incident handling.
• The report should also contain any actions used to mitigate further damage, inhibit the attack, and enhance recovery.
• The senior security analyst will have to report the need for enhanced training and retention of qualified, trained IT employees.
• The report will detail what BMF will have to do differently to mitigate future attacks.
• The report will detail information sharing within the organization, information sharing with other external stakeholders, challenges faced, and planned improvement strategies.
• BMF will demonstrate how well it is prepared to handle similar attacks in the future, developments in cyber protection and new knowledge acquisition.
• Key indicators to observe in the future.
• The report should also present resource allocation and expertise required to mitigate attacks, analyze and recover the system.

Other items

For several years, storing original hardware with vital information could be costly for BMF, especially if several pieces of hardware are affected.

BMF should collect all relevant data regarding the attack. The collected data would be useful in various capacities. Data on costs and total hours necessary to handle an incident will help the senior security analyst to justify additional funding and retention of qualified employees in the department.

Incidents should be investigated based on characteristics to determine possible failures and threats in the network while learning about changes in trends of attacks. The data collected will help BMF assess cyber threats and possible impacts and determine the best protection and further controls. It will also help the company to determine the effectiveness of the Incident Response Team. BMF shall collect and store incident data well and use it to assess response capabilities based on inexperienced staff. It will also be important to assess where critical resources are necessary to improve the capabilities of the Incident Response Team.

References

Ashford, W. (2016). DDoS is the most common cyber attack on financial institutions. Computer Weekly. Web.

Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology. United States: National Institute of Standards and Technology Special Publication. Web.

Crosman, P. (2015). Banks Lose Up to $100K/Hour to Shorter, More Intense DDoS Attacks. Web.

Dimov, D. (2015). The Most Hacker-Active Countries. Web.

McCarthy, N., Todd, M., & Klaben, J. (2012). The Computer Incident Response Planning Handbook: Executable Plans for Protecting Information at Risk. New York: McGraw-Hill Education. Web.

Sanghvi, H. P., & Dahiya, M. S. (2013). Cyber Reconnaissance: An Alarm before Cyber Attack. International Journal of Computer Applications, 63(6), 36-38. Web.

Sikorski, M., & Honig, A. (2012). Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. San Francisco, CA: No Starch Press. Web.