Part of our Spooky Security Showdown Series
October is Cybersecurity Awareness Month, and to celebrate, we are presenting a realistic incident response challenge! We’ve crafted a simulated scenario for a fictional company, CyberSecure Inc., that has fallen victim to a cyber-attack. Your mission, should you choose to accept it, involves analyzing the provided log file, identifying the malicious activities, and proposing a comprehensive incident response plan.
Scenario:
CyberSecure Inc., a rising FinTech company, started its day with several employees reporting an inability to access critical financial databases. The IT department soon discovered a ransom note demanding cryptocurrency in exchange for a decryption key. Preliminary investigations suggest a ransomware attack that originated from a phishing email.
Resources:
- Log File: A server log file capturing system events on the day of the incident.
[2023-10-19 07:45:00] INFO: System startup complete.
[2023-10-19 07:50:23] INFO: User 'admin' logged in from IP 192.168.1.10.
[2023-10-19 07:53:37] INFO: Database routine maintenance started.
[2023-10-19 08:12:34] INFO: Database maintenance completed successfully.
[2023-10-19 08:45:23] INFO: User 'jdoe' logged in from IP 192.168.1.15.
[2023-10-19 09:30:45] WARN: Failed login attempt from IP 203.0.113.5.
[2023-10-19 09:30:46] WARN: Failed login attempt from IP 203.0.113.5.
[2023-10-19 09:30:47] WARN: Failed login attempt from IP 203.0.113.5.
[2023-10-19 09:30:48] INFO: User 'admin' logged in from IP 203.0.113.5.
[2023-10-19 09:31:52] INFO: User 'admin' initiated file write operation on /financial_data/.
[2023-10-19 09:32:15] INFO: High volume of file write operations detected on /financial_data/.
[2023-10-19 09:32:20] WARN: File modification detected: /financial_data/quarterly_report.q1 encrypted.
[2023-10-19 09:32:21] WARN: File modification detected: /financial_data/annual_report.2022 encrypted.
[2023-10-19 09:32:22] WARN: File modification detected: /financial_data/client_data.csv encrypted.
[2023-10-19 09:32:30] INFO: User 'admin' initiated network connection to external IP 198.51.100.2.
[2023-10-19 09:33:00] INFO: Database backup initiated by User 'admin'.
[2023-10-19 09:45:00] INFO: Database backup completed successfully.
[2023-10-19 10:00:15] INFO: User 'mkim' logged in from IP 192.168.1.20.
[2023-10-19 10:20:00] ERROR: Ransomware detection alert triggered on /financial_data/.
[2023-10-19 10:20:05] INFO: User 'admin' logged out from IP 203.0.113.5.
[2023-10-19 10:25:00] INFO: IT Admin alerted via email to ransomware detection.
[2023-10-19 10:30:00] INFO: User 'sysadmin' logged in from IP 192.168.1.10.
[2023-10-19 10:35:00] INFO: Network traffic analysis initiated by User 'sysadmin'.
[2023-10-19 10:40:00] WARN: Unusual outbound traffic detected to IP 198.51.100.2.
Challenge Tasks:
- Incident Analysis:
  - Analyze the provided log file to identify ALL suspicious activities.
  - Determine the likely attack vector and the extent of the compromise.
  - Identify any external IP addresses involved in the incident.
- Incident Response Plan:
  - Propose immediate steps to contain the incident.
  - Outline a plan to eradicate the threat and recover affected systems.
  - Suggest measures to prevent such incidents in the future.
Submission Guidelines:
- Submit your analysis and response plan as a reply to this thread by October 31, 2023, 11:59 PM.
- Each submission should include a BRIEF Incident Analysis and Response Plan.
Evaluation Criteria:
- Accuracy of the incident analysis.
- Effectiveness and comprehensiveness of the incident response plan.
Prizes:
- The top incident analysis will get an Amazon gift card ($25 or £20).
- The top incident response plan will get an Amazon gift card ($25 or £20).
- A random poster who put in the effort will also get an Amazon gift card ($25 or £20).
We look forward to witnessing your cybersecurity expertise in action! If you have any questions, feel free to ask in this thread. Good luck!