My Portfolio

Frederick J Lewis


1. Detecting Phishing Attempts

Alert Analysis & Response Summary

Ticket ID: A-2703
Alert Type: Phishing Attempt with Malware Download
Severity: Medium

Incident Overview:
An employee inadvertently triggered a security alert by interacting with a phishing email, leading to the download and activation of a malicious file. The email, purportedly from “Def Communications,” featured numerous red flags, including mismatched sender details and noticeable grammatical errors. It contained a password-protected executable file, “bfsvc.exe,” known to be malicious based on previous analyses.

Key Details:

  • Sender: Def Communications <76tguy6hh6tgftrt7tg.su>
  • Received: July 20, 2022
  • Target: HR Department, Inergy
  • Content: The email claimed to enclose a resume and cover letter for an engineering role, enticing the recipient to open the attached executable using a provided password.

Action Taken:
Upon recognizing the severity and potential implications of the alert, I escalated the issue to a level-two SOC analyst for deeper investigation and immediate response actions.

Outcome:
This incident highlights the critical need for ongoing vigilance and rapid response capabilities in cybersecurity operations to mitigate threats effectively.

View the alert ticket here


2. Completing a Controls and Compliance Checklist

Controls and Compliance Checklist Summary

Overview: This comprehensive checklist evaluates the current cybersecurity practices and compliance with various standards including PCI DSS, GDPR, and SOC. It identifies significant gaps in security controls and compliance procedures and provides targeted recommendations for improvements.

Key Findings:

  • Access Controls: Lack of least privilege enforcement and separation of duties poses risks of unauthorized data access and potential fraud.
  • Disaster Recovery: Absence of disaster recovery plans jeopardizes business continuity.
  • Data Protection: Inadequate password policies and absence of encryption expose sensitive data to security breaches.
  • Monitoring Systems: Insufficient intrusion detection systems and manual monitoring of legacy systems increase the vulnerability to cyber attacks.

Recommendations for Improvement:

  1. Implement Least Privilege: Restrict access based on user roles to minimize risks.
  2. Develop and Test Disaster Recovery Plans: Regularly simulate different disaster scenarios to ensure effectiveness.
  3. Strengthen Password Policies and Systems: Enforce complex password requirements and implement robust password management systems.
  4. Enhance Intrusion Detection and Data Backup Procedures: Update IDS and ensure regular, secure backups to facilitate quick data recovery.
  5. Expand Encryption Use: Apply encryption to all sensitive data at rest and in transit.

Compliance Enhancements:

  • PCI DSS: Strengthen controls around access to customer credit card information.
  • GDPR: Improve mechanisms for timely notifications to EU customers in the event of data breaches.
  • SOC Compliance: Establish comprehensive user access policies and maintain confidentiality and privacy of sensitive data.

This checklist underscores the need for continuous improvement in cybersecurity practices to protect against evolving threats and ensure compliance with regulatory standards.

View the Checklist Here

3. Cybersecurity Incident Report

Cybersecurity Incident Report: Network Traffic Analysis Summary

Incident Overview: During routine monitoring, an issue was identified where requests to the domain “yummyrecipesforme.com” via the UDP protocol failed due to the destination port being unreachable. The port in question, port 53, is primarily used for DNS services, suggesting a potential disruption in these services.

Key Incident Details:

  • Time of Incident: 1:24 p.m.
  • Symptoms: Several customers reported inability to access the client company’s website.
  • Initial Findings: Network analysis indicated that port 53 (DNS service) was unreachable, with ICMP error messages reporting “udp port 53 unreachable” in response to each DNS query.
  • Possible Causes: The issue could stem from a DDoS attack that flooded the port with excessive requests. Alternatively, it might be due to network or firewall misconfiguration, DNS server issues, or ISP/upstream provider filtering.

Response Actions:

  • Network Security Response: The network security team utilized tcpdump to analyze traffic and confirmed the disruption at port 53.
  • Ongoing Investigations: Efforts are ongoing to pinpoint the root cause. Current steps include reviewing firewall configurations for potential blocks on port 53 and consulting with the system administrator to check for signs of cyber attacks.
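The triage step described above, as an added example that is not part of the original report: a small parser over constructed tcpdump lines (documentation-range IPs, not the report's capture) that counts, per resolver, how many DNS queries went out, how many were answered, and how many came back as ICMP “udp port 53 unreachable”.

```python
import re

# Constructed tcpdump lines modelled on the incident; addresses are from
# documentation ranges and are not taken from the report's own capture.
SAMPLE_CAPTURE = """\
13:24:32.192571 IP 192.51.100.15.52444 > 203.0.113.2.domain: 35084+ A? yummyrecipesforme.com. (38)
13:24:36.098564 IP 203.0.113.2 > 192.51.100.15: ICMP 203.0.113.2 udp port 53 unreachable, length 254
13:26:32.192571 IP 192.51.100.15.52444 > 203.0.113.2.domain: 35099+ A? yummyrecipesforme.com. (38)
13:27:15.934126 IP 203.0.113.2 > 192.51.100.15: ICMP 203.0.113.2 udp port 53 unreachable, length 254
13:28:50.117532 IP 192.51.100.15.52445 > 203.0.113.9.domain: 35100+ A? example.net. (29)
13:28:50.120001 IP 203.0.113.9.domain > 192.51.100.15.52445: 35100 1/0/0 A 198.51.100.22 (45)
"""

# Outgoing DNS query: "<src>.<port> > <resolver>.domain: <id>+ A? <name> ("
QUERY_RE = re.compile(r"^\S+ IP \S+?\.\d+ > (\S+?)\.domain: (\d+)\+ A\? (\S+) \(")
# ICMP port unreachable emitted by the host that refused the datagram
UNREACH_RE = re.compile(r"^\S+ IP (\S+) > \S+: ICMP \S+ udp port (\d+) unreachable")
# Normal DNS answer coming back from the resolver's port 53
ANSWER_RE = re.compile(r"^\S+ IP (\S+?)\.domain > \S+?\.\d+: (\d+) \d+/\d+/\d+")


def triage_dns(capture):
    """Return {resolver: (counts, verdict)} for every resolver seen in the capture."""
    stats = {}
    fresh = lambda: {"queries": 0, "answered": 0, "unreachable": 0}
    for line in capture.splitlines():
        if m := QUERY_RE.match(line):
            stats.setdefault(m.group(1), fresh())["queries"] += 1
        elif m := UNREACH_RE.match(line):
            if m.group(2) == "53":  # only count refusals of the DNS port
                stats.setdefault(m.group(1), fresh())["unreachable"] += 1
        elif m := ANSWER_RE.match(line):
            stats.setdefault(m.group(1), fresh())["answered"] += 1
    result = {}
    for resolver, s in stats.items():
        if s["queries"] and s["unreachable"] >= s["queries"]:
            verdict = "DNS down: every query to udp/53 returned port unreachable"
        elif s["unreachable"]:
            verdict = "degraded: some queries to udp/53 returned port unreachable"
        else:
            verdict = "healthy"
        result[resolver] = (s, verdict)
    return result


if __name__ == "__main__":
    for resolver, (counts, verdict) in triage_dns(SAMPLE_CAPTURE).items():
        print(resolver, counts, verdict)
```

A “DNS down” verdict for one resolver and “healthy” for another points at that server or the path to it (firewall, upstream filtering) rather than at the clients, which is the distinction the ongoing investigation is trying to make.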

Conclusion: This incident highlights the critical importance of robust DNS service management and the need for timely intervention when disruptions occur. The team’s responsive action aims to restore normal service operations and strengthen system defenses against potential future disruptions.

View the Report Here

4. Assigning and Modifying File Permissions in Linux

Project Summary: Managing File Permissions in Linux

Project Overview: This project demonstrates the examination and management of file permissions within the /home/researcher2/projects directory, assigned to the user ‘researcher2’. It provides a practical insight into handling permissions for different user groups in a Linux environment.

Key Elements of File Permissions:

  • File Type Indicator: The first character of the permission string denotes the file type: d for directories, - for regular files, and l for symbolic links, among others.
  • Permission Structure: Permissions are broken down into three sets of three characters each, indicating the rights of the owner, group, and others, respectively:
    • Owner (researcher2): Full read (r), write (w), and execute (x) permissions, allowing complete management of the directory and its contents.
    • Group (research_team): Read (r) and execute (x) permissions, enabling viewing and navigation within the directory without modification rights.
    • Others: Same as the group, with read and execute permissions only.

Tasks Performed:

  • Examination of File and Directory Details: Analyzed the permissions assigned to files and directories within the specified path.
  • Modification of Permissions: Procedures to change permissions for both visible and hidden files were outlined, ensuring appropriate access control based on user roles and security requirements.

Conclusion: This project highlights the fundamental aspects of Linux file permissions management, showcasing the ability to tailor file access in a multi-user environment effectively. The skills demonstrated here are essential for maintaining security and operational efficiency in systems administration.

View the Documentation Here

5. Incident Handler’s Journal

Cybersecurity Incident Handler’s Journal Summary

Journal Overview: This document encapsulates a series of detailed entries from an incident handler’s journal, documenting critical cybersecurity incidents over a series of days. Each entry follows a structured approach to incident documentation, using the 5 W’s method to outline the essential details of each event.

Key Incidents Documented:

  1. Ransomware Attack on Healthcare Company (Date: 4/11/24)
    • Incident: A group of hackers deployed ransomware to encrypt essential files at a healthcare company, seeking monetary gain via ransom.
    • Tools Used: None
    • Analysis: Incident resulted from a phishing scheme. Questions were raised about the feasibility of paying the ransom and preventive measures.
  2. Phishing Attempt Leading to Trojan Installation (Date: 4/12/24)
    • Incident: An email disguised as a resume was sent to HR, containing a malicious executable.
    • Tools Used: VirusTotal
    • Analysis: The file was confirmed as malware by multiple security services. The incident was escalated for further handling.
  3. Unauthorized Data Access Via App Vulnerability (Date: 4/13/24)
    • Incident: An external attacker exploited a web application vulnerability, accessing personal and financial information of approximately 50,000 customers.
    • Tools Used: None specified
    • Analysis: The incident was discovered through sequential access to customer orders. Measures were recommended, including routine vulnerability scans and improved access controls.

Journaling Approach: Each entry methodically captures and analyzes the incident details, offering insights into the initial response, the tools used for analysis, and the subsequent actions taken to manage and mitigate the threat.

Conclusion: The journal serves as a crucial tool in documenting and reflecting on the response to cybersecurity incidents, aiding in better preparation and response strategies for future threats.

View the Journal Here

6. Applying Filters to SQL Queries

Project Summary: Enhancing Security Framework Using SQL Queries

Project Overview: This project showcases the application of SQL filtering techniques to enhance the security framework within our system. My role involved safeguarding the integrity of our network, scrutinizing potential security threats, and ensuring that software on employee workstations is consistently updated. Below are examples of how I used SQL to manage security-related tasks effectively.

Key SQL Implementations:

  1. After-Hours Failed Login Attempts:
    • Objective: Identify failed login attempts outside regular office hours (post-6 PM).
    • SQL Approach: Used a WHERE clause combined with AND to filter log_in_attempts for entries after 6 PM that were unsuccessful.
  2. Login Attempts on Specific Dates:
    • Objective: Investigate unusual login activities on May 8 and May 9, 2022.
    • SQL Approach: Applied a WHERE clause with OR to capture login attempts on these specific dates.
  3. Login Attempts Outside of Mexico:
    • Objective: Review login attempts originating from outside Mexico.
    • SQL Approach: Implemented a WHERE clause with NOT and LIKE operators to exclude logins from Mexico, accounting for different country code representations.
  4. Employees in Marketing and East Building:
    • Objective: Identify employees in the Marketing department located in the East building for system updates.
    • SQL Approach: Used WHERE with AND and LIKE operators to filter employees by department and office location.
  5. Employees in Finance or Sales:
    • Objective: Target system updates for employees in the Finance and Sales departments.
    • SQL Approach: Employed WHERE with OR to isolate employees in these specific departments.
  6. Employees Not in IT:
    • Objective: Implement security enhancements for non-IT department workstations.
    • SQL Approach: Utilized a WHERE clause with NOT to filter out IT department employees.
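The six filters above, as an added example that is not part of the original project: the queries run against an in-memory SQLite database with constructed rows. The table and column names (log_in_attempts with login_date, login_time, country, success; employees with department, office) are assumptions, not the project's own schema.

```python
import sqlite3

# Constructed sample rows; schema is an assumption, not the project's own.
LOGIN_ATTEMPTS = [
    # event_id, username, login_date, login_time, country, ip_address, success
    (1, "amora", "2022-05-08", "19:12:00", "MEX", "192.168.10.5", 0),
    (2, "bfink", "2022-05-09", "08:30:00", "USA", "192.168.10.6", 1),
    (3, "cjacks", "2022-05-10", "22:45:00", "CAN", "192.168.10.7", 0),
    (4, "dwells", "2022-05-10", "17:59:00", "MEXICO", "192.168.10.8", 0),
]
EMPLOYEES = [
    # employee_id, device_id, username, department, office
    (1001, "a320b137c219", "amora", "Marketing", "East-170"),
    (1002, "a320b137c220", "bfink", "Finance", "West-201"),
    (1003, "a320b137c221", "cjacks", "IT", "East-215"),
    (1004, "a320b137c222", "dwells", "Sales", "North-101"),
]

def build_db():
    """Create the two tables in memory and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE log_in_attempts(event_id INT, username TEXT, login_date TEXT, "
               "login_time TEXT, country TEXT, ip_address TEXT, success INT)")
    db.execute("CREATE TABLE employees(employee_id INT, device_id TEXT, username TEXT, "
               "department TEXT, office TEXT)")
    db.executemany("INSERT INTO log_in_attempts VALUES (?,?,?,?,?,?,?)", LOGIN_ATTEMPTS)
    db.executemany("INSERT INTO employees VALUES (?,?,?,?,?)", EMPLOYEES)
    return db

QUERIES = {
    # 1. failed attempts after 6 PM (zero-padded HH:MM:SS compares correctly as text)
    "after_hours_failed": "SELECT username FROM log_in_attempts WHERE login_time > '18:00:00' AND success = 0",
    # 2. every attempt on the two dates under investigation
    "specific_dates": "SELECT username FROM log_in_attempts WHERE login_date = '2022-05-08' OR login_date = '2022-05-09'",
    # 3. attempts from outside Mexico; the wildcard covers both 'MEX' and 'MEXICO'
    "outside_mexico": "SELECT username FROM log_in_attempts WHERE NOT country LIKE 'MEX%'",
    # 4. Marketing staff whose office code starts with 'East'
    "marketing_east": "SELECT username FROM employees WHERE department = 'Marketing' AND office LIKE 'East%'",
    # 5. Finance or Sales staff
    "finance_or_sales": "SELECT username FROM employees WHERE department = 'Finance' OR department = 'Sales'",
    # 6. everyone outside the IT department
    "not_it": "SELECT username FROM employees WHERE NOT department = 'IT'",
}

def run_query(name):
    """Run one named filter and return the matching usernames, sorted."""
    db = build_db()
    rows = db.execute(QUERIES[name]).fetchall()
    db.close()
    return sorted(r[0] for r in rows)
```

Calling run_query("outside_mexico") shows why the wildcard matters: an exact match on 'MEX' would wrongly keep the 'MEXICO' row.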

Summary: Through strategic use of SQL queries, I effectively managed and isolated specific data sets relevant to our security assessments and updates. The application of AND, OR, NOT, and LIKE operators, along with the use of wildcards, allowed for precise targeting and manipulation of data, enhancing our overall security measures.

View the Entire Project Here

7. Final Incident Report

Project Summary: Incident Response and Management

Overview: In early 2024, I led the response to a significant security breach that compromised the personal and financial information of approximately 45,000 customers. The incident, resulting from a vulnerability in our e-commerce platform, was thoroughly investigated and effectively contained by March 17, 2024.

Key Responsibilities:

  • Incident Detection and Response: I played a pivotal role in identifying the breach quickly and organizing a systematic response. This included coordinating with the IT security team to initiate an immediate investigation.
  • Investigation and Analysis: My efforts were crucial in discovering a forced browsing vulnerability that allowed unauthorized access to customer data. I oversaw the detailed analysis of server logs, which confirmed the method of data extraction.
  • Communication and Remediation: I collaborated with the public relations department to ensure transparent communication with affected customers. We also offered free identity protection services to mitigate the impact on those affected.
  • Preventive Measures: Post-incident, I championed the implementation of routine vulnerability scans and penetration tests. I also improved our access control mechanisms by establishing an allowlist system and enhancing authentication protocols.

Impact and Outcome: The swift and decisive actions taken helped minimize the financial impact to an estimated $120,000, considering direct costs and potential revenue loss. The incident underscored the importance of robust security measures and proactive incident management within our organization.

View the Report Here


Copyright © 2024 Frederick J. Lewis