Presenter: Osvaldo Hernández Morales

The organization prohibits the use of peer-to-peer file sharing services. The organization's network intrusion
detection sensors have signatures enabled that can detect the usage of several popular peer-to-peer file
sharing services. On a Monday evening, an intrusion detection analyst notices that several file sharing
alerts have occurred during the past three hours, all involving the same internal IP address.


1. Would the organization consider this activity to be an incident? If so, which of the
organization’s policies does this activity violate?

Yes, because it is considered a computer security incident; according to the FISMA guidance,
the attack vector is improper usage of the network.

2. What measures are in place to attempt to prevent this type of incident from occurring
or to limit its impact?

- Use packet sniffers and protocol analyzers to capture and analyze network traffic, like Wireshark,
which can be implemented at low cost on Linux.

- Use laptops for activities such as analyzing data, sniffing packets, and writing reports.

- The network perimeter should be configured to deny all activity that is not expressly permitted.
This includes securing all connection points, such as virtual private networks (VPNs) and dedicated
connections to other

- The users need to know how their actions could affect the organization (e.g. the use of
applications like BitTorrent and Popcorn Time).

Detection and Analysis

1. What precursors of the incident, if any, might the organization detect? Would any
precursors cause the organization to take action before the incident occurred?

A possible clue to what could be a peer-to-peer connection is the installation of commonly used
programs like Tor, Skype, BitTorrent, Popcorn Time, or an Internet Television Network. This could be
monitored by a program that sends an alert to an administrator when those applications are installed.

2. What indicators of the incident might the organization detect? Which indicators would cause someone
to think that an incident might have occurred?

- A network intrusion detection sensor that alerts when a peer-to-peer connection is opened.

- Users, system administrators, network administrators, security staff, and others from within the
organization may report signs of incidents.

3. How would the incident response team analyze and validate this incident? What personnel would be
involved in the analysis and validation process?

- It is necessary to include in the team technicians trained in computer networks and possibly a
network engineer who is able to identify the specific service that made the connection.

4. How would the team prioritize the handling of this incident? What factors should be used to
prioritize the handling of this incident (e.g. the apparent content of the files that are being shared)?

- Using the Information Impact Categories:
  - None: No information was exfiltrated, changed, deleted, or otherwise compromised
  - Privacy Breach: Sensitive personally identifiable information (PII) of taxpayers, employees,
    beneficiaries, etc. was accessed or exfiltrated
  - Proprietary Breach: Unclassified proprietary information, such as protected critical
    infrastructure information (PCII), was accessed or exfiltrated
  - Integrity Loss: Sensitive or proprietary information was changed or deleted

5. To which people and groups within the organization would the team report the incident?

- CIO
- Head of information security
- Legal department (if important documents were involved)

6. What additional tools might be needed to detect this particular incident?

Containment, Eradication, and Recovery

1. What strategy should the organization take to contain the incident? Why is this strategy
preferable to others?

- Time and resources needed to implement the strategy.

- Make a solution check to redirect the attacker to a sandbox with the same service.

- Verify the type of information that was shared, and determine if the peer-to-peer service is
closed or still open.

2. What could happen if the incident were not contained?

- More information can be disseminated.

3. What additional tools might be needed to respond to this particular incident?

- A tool like PeerGuardian is software designed to protect the user from the dangers of P2P
networks; its job is to filter the connections of dangerous users (e.g. spammers, scammers, etc.).

- It is important to configure a firewall to avoid intrusion problems. The Windows firewall is not a
very good option (although it is better than nothing); a good recommendation is COMODO Personal
Firewall or Kerio Firewall.

4. Which personnel would be involved in the containment, eradication, and/or recovery processes?

- Network technicians, those in charge of systems or computer security, and the people who use the
equipment to which the IP address corresponds.

5. What sources of evidence, if any, should the organization acquire? How would the evidence be
acquired? Where would it be stored? How long should it be retained?

- Total amount of labor spent working on the incident.

- Elapsed time from the beginning of the incident to incident discovery, to the initial impact
assessment, and to each stage of the incident handling process (e.g. containment, recovery).

- How long it took the incident response team to respond to the initial report of the incident.

- How long it took to report the incident to management and, if necessary, appropriate external
entities.

- Make a log of the incident with the local system registry or with the network devices.

- Check the services.

- Reviewing logs, forms, reports, and other incident documentation for adherence to established
incident response policies and procedures.
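The detection-and-analysis answers above rely on a sensor that fires per peer-to-peer connection, on the Information Impact Categories for prioritization, and on the elapsed-time figures listed as evidence. The following is an added example, not code from this exercise or from NIST, that puts those three pieces together: it correlates alerts from the same internal IP inside the scenario's three-hour window, assigns an impact category from a constructed inventory of what the host was sharing, and computes the timing metrics. The alert line format, the signature names, the IP addresses, the file tags and the numeric ordering of the impact categories are all assumptions made for the example.

```python
"""Correlate P2P file-sharing IDS alerts per internal host, classify information impact,
and compute incident-timing metrics. All input data below is constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed NIDS alert lines in a hypothetical format:
# "<ISO timestamp> <signature> <src ip> <dst ip>". Six alerts from one host, one from another.
SAMPLE_ALERTS = """\
2024-05-06T18:05:12 P2P-BITTORRENT-HANDSHAKE 10.20.30.40 203.0.113.7
2024-05-06T18:09:45 P2P-BITTORRENT-HANDSHAKE 10.20.30.40 198.51.100.22
2024-05-06T18:40:01 P2P-EMULE-SERVER-CONNECT 10.20.30.40 203.0.113.99
2024-05-06T19:15:30 P2P-BITTORRENT-DHT 10.20.30.40 192.0.2.88
2024-05-06T19:50:10 P2P-BITTORRENT-HANDSHAKE 10.20.30.40 203.0.113.7
2024-05-06T20:30:00 P2P-BITTORRENT-DHT 10.20.30.40 198.51.100.5
2024-05-06T19:00:00 P2P-BITTORRENT-HANDSHAKE 10.20.30.41 203.0.113.7
"""

WINDOW = timedelta(hours=3)   # the scenario's "past three hours"
THRESHOLD = 3                 # alerts from one host inside the window before it is escalated

# Information Impact Categories in the order the answer lists them. The numeric rank
# (higher = handled first) is an assumption of this example, not something the exercise states.
IMPACT_RANK = {"None": 0, "Privacy Breach": 1, "Proprietary Breach": 2, "Integrity Loss": 3}


def parse_alerts(text):
    """Parse alert lines into (timestamp, signature, src, dst) tuples, oldest first."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sig, src, dst = line.split()
        alerts.append((datetime.fromisoformat(ts), sig, src, dst))
    return sorted(alerts)


def find_repeat_offenders(alerts, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count per source IP. Returns {src: info} for every host that produced
    >= threshold alerts within `window`. info holds the first alert of that window, the moment
    the threshold was crossed (the detection time), and the signatures seen for the host."""
    by_src = defaultdict(list)
    for ts, sig, src, _dst in alerts:
        by_src[src].append((ts, sig))
    offenders = {}
    for src, events in by_src.items():
        times = [ts for ts, _ in events]
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop alerts that fell out of the window
                start += 1
            if end - start + 1 >= threshold and src not in offenders:
                offenders[src] = {
                    "first_alert": times[start],
                    "detected_at": t,
                    "alert_count": len(times),
                    "signatures": sorted({sig for _, sig in events}),
                }
    return offenders


def information_impact(shared_files):
    """Map what the host was sharing to the highest-ranked impact category.
    Each file is a constructed dict {"path": str, "sensitivity": "public"|"pii"|"pcii",
    "tampered": bool}; tampered means changed or deleted, i.e. Integrity Loss."""
    category = "None"
    for f in shared_files:
        if f["tampered"]:
            candidate = "Integrity Loss"
        elif f["sensitivity"] == "pcii":
            candidate = "Proprietary Breach"
        elif f["sensitivity"] == "pii":
            candidate = "Privacy Breach"
        else:
            candidate = "None"
        if IMPACT_RANK[candidate] > IMPACT_RANK[category]:
            category = candidate
    return category


def incident_metrics(first_alert, detected_at, reported_at, contained_at, recovered_at):
    """Elapsed times the evidence list asks for, in whole minutes: incident start to discovery,
    discovery to management report, and discovery to containment and recovery. Arguments may be
    datetimes or ISO 8601 strings."""
    def to_dt(x):
        return x if isinstance(x, datetime) else datetime.fromisoformat(x)
    first, found, reported, contained, recovered = map(
        to_dt, (first_alert, detected_at, reported_at, contained_at, recovered_at))
    def minutes(delta):
        return int(delta.total_seconds() // 60)
    return {
        "start_to_discovery": minutes(found - first),
        "discovery_to_report": minutes(reported - found),
        "discovery_to_containment": minutes(contained - found),
        "discovery_to_recovery": minutes(recovered - found),
    }


if __name__ == "__main__":
    for src, info in find_repeat_offenders(parse_alerts(SAMPLE_ALERTS)).items():
        print(src, info)
    # Constructed inventory of what the offending host was sharing.
    files = [{"path": "/share/holiday.mp4", "sensitivity": "public", "tampered": False},
             {"path": "/share/payroll_2023.xlsx", "sensitivity": "pii", "tampered": False}]
    print("impact:", information_impact(files))
```

The sliding window is what turns "several alerts from the same internal IP" into a single incident rather than six separate tickets; the host with one alert never crosses the threshold and stays out of the result. The impact category decides handling priority only after the shared content has been verified, which is why it is a separate step from detection.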

- Identifying which precursors and indicators of the incident were recorded to determine how
effectively the incident was logged and identified.

- Determining if the incident caused damage before it was detected.

Post-Incident Activity

1. Who would attend the lessons learned meeting regarding this incident?

2. What could be done to prevent similar incidents from occurring in the future?

3. What could be done to improve detection of similar incidents?

General Questions

1. How many incident response team members would participate in handling this incident?

2. Besides the incident response team, what groups within the organization would be involved in
handling this incident?

3. To which external parties would the team report the incident? When would each report occur? How
would each report be made? What information would you report or not report, and why?

4. What other communications with external parties may occur?

5. What tools and resources would the team use in handling this incident?

6. What aspects of the handling would have been different if the incident had occurred at a
different day and time (on-hours versus off-hours)?

7. What aspects of the handling would have been different if the incident had occurred at a
different physical location (onsite versus offsite)?

Scenario Questions

1. How would the handling of this incident differ if the computer performing peer-to-peer file
sharing also contains sensitive personally identifiable information?

2. What privacy considerations may impact the handling of this incident?