
FINAL PROJECT 1

Final Project

Nikolas Seropian

University of Advancing Technology

Author Note

This paper was prepared for Incident Response, taught by Aaron Jones

Virtual Bank Robbery

What is the first thing that comes to mind when you hear the word robbery? Chances are you might think of your favorite heist movie or video game based around a large-scale bank robbery, a bunch of guys in ski masks drilling open a vault, or even an old western stick-up. According to the FBI’s 2018 statistics, there were a bit over 3,000 bank robberies that year, which may sound like a large number, but it is nothing compared to the new forms of online robbery, which led to at least 351,937 complaints reported to the FBI in the same year. While some of these complaints concerned non-payment/non-delivery and extortion, data breaches are the biggest threat to a company. In order to stay protected from a data breach, a company must be able to prepare before an attack, react properly when one happens, and successfully deal with the aftermath of the situation.

Calm before the Storm

There are many benefits that can come from running or working in a business, such as bringing innovation to the world, helping people with everyday problems and being rewarded for your success with monetary profits. Things could be going entirely well for a company as its numbers of customers and investors grow along with its popularity, and you may not expect everything to suddenly spiral so far out of control that the business loses just about everything it has worked for and earned since its founding. According to the Oxford dictionary, the term ‘calm before the storm’ is defined as “a period of unusual tranquility or stability that seems likely to presage difficult times.” This may not sound like the situation a well-running business is in, but in fact this is always the case: any company that holds any amount of private or valuable information has a target on it that many individuals or groups will pursue, and taking advantage of the time before a storm finally arrives can be vital in defending against these potential threats.

There are many ways a company can take precautions against future threats. Some tactics can be as simple as using password generators or setting up software to help detect unusual activity. One of the first steps in an attack is spear phishing, a technique where malicious files are sent to recipients in seemingly relevant emails. Ensuring that only verified accounts and files are used and downloaded at work is a good way to prevent this. Protecting passwords to keep accounts from being hacked into is also important, for example by using password managers and making sure work passwords differ from those that employees might use on private accounts.

Setting up a crisis management plan is also essential in preparing for the worst. It also helps to get support from another company that specializes in network security: some offer anti-malware software, and some also provide helpful information such as trends in attacks so that your company knows how to react to the more common threats with ease. Having a firewall set up to prevent malicious files from getting in, on top of anti-malware software, can help to prevent and scan for potential threats, and with a proper crisis management plan the company can be ready to act on any incident that occurs.

Responding to an Intrusion
Even after everything is set in place, things aren’t quite over yet. Despite having tools to prevent intrusions, there is never any guarantee a break-in won’t occur. A company must still always be prepared for the worst no matter how much effort goes into preventing it. In the event of an intrusion, a company has a lot of work to do based on its crisis management plan, and it must also have plans for business continuity, disaster recovery and computer forensics in place to ensure that it can continue to function during an incident, recover from it quickly afterward, and gather enough evidence to present in court after the incident has ended.

The first step in dealing with an intrusion is finding out that one is happening and seeing how much damage is being dealt. There are many signs to look for to see what an intruder may be doing, such as backdoors that may have been installed into a network, tools used to extract password hashes, and batch scripts that may be used for gathering large amounts of information. It is also important to look for any newly archived files, as this could be a sign an intruder is about to extract information. By allowing employees to look for any signs of intrusion and to report tickets that can be organized (which can be done with the help of software from other companies), a company can have a much easier time not only noticing an intrusion, but pinpointing what type of intrusion it is and what may be at risk. While it may seem dangerous to wait long before acting against an intrusion, taking the time to gather data can help a company create a battle plan based specifically on the current threat while also allowing the gathering of presentable data for the final stage in dealing with an intrusion.

Gathering Evidence
As mentioned, computer forensics is vital in dealing with the aftermath of an incident. But in order to properly prepare, actions must be taken during an intrusion to make sure evidence is gathered in a way that can be presented in court. While there are many facets of an operating system to check for evidence, the most beneficial areas to check are NTFS and file system analysis, Windows prefetch, event logs, scheduled tasks, the registry and memory forensics, as well as any other artifacts of interactive sessions and alternative persistence mechanisms.

Gathering data from all these sources yourself can offer a lot of data that can be used later, but on top of this, you can start a live data capture to gather even more potentially helpful data. In order to perform a live data capture, a script that can perform it is needed. The company can either write a script itself, at the cost of high maintenance, or pay for software that creates the scripts and requires no maintenance from the company unless it decides to tweak the scripts itself. Information collected in a live data capture includes data such as general system info, the list of programs and tasks set to run automatically, and running processes, along with plenty of other valuable information.
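A minimal live data capture of the kind described above, added here as an example (it is not the paper's own script nor any vendor's product). It collects system info, autoruns, scheduled tasks and running processes, then seals the record with a SHA-256 hash so the capture can later be shown to be unaltered; it assumes the standard OS tools listed in COMMANDS are on PATH, and the case id and collector label are placeholders.

```python
import hashlib
import json
import platform
import subprocess
import sys
from datetime import datetime, timezone

# Collection commands per platform; assumption: these standard OS tools are on PATH.
COMMANDS = {
    "win32": {
        "processes": ["tasklist", "/v", "/fo", "csv"],
        "scheduled_tasks": ["schtasks", "/query", "/v", "/fo", "csv"],
        "autoruns": ["reg", "query", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"],
    },
    "posix": {
        "processes": ["ps", "-eo", "pid,ppid,user,lstart,args"],
        "scheduled_tasks": ["crontab", "-l"],
        "autoruns": ["ls", "-la", "/etc/cron.d", "/etc/init.d"],
    },
}

def run(cmd):
    """Run one collection command; a failing tool is recorded, never allowed to abort the capture."""
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
        return {"cmd": " ".join(cmd), "rc": out.returncode, "stdout": out.stdout, "stderr": out.stderr}
    except (OSError, subprocess.SubprocessError) as exc:
        return {"cmd": " ".join(cmd), "rc": None, "stdout": "", "stderr": repr(exc)}

def capture(case_id, collector):
    """Collect volatile host state and tag it with who collected it and when (chain of custody)."""
    cmds = COMMANDS["win32" if sys.platform == "win32" else "posix"]
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "system": {"host": platform.node(), "os": platform.system(), "release": platform.release(),
                   "version": platform.version(), "arch": platform.machine()},
        "artifacts": {name: run(cmd) for name, cmd in cmds.items()},
    }

def seal(record):
    """Serialise the record deterministically and return (text, sha256) for the evidence log."""
    text = json.dumps(record, sort_keys=True, indent=2)
    return text, hashlib.sha256(text.encode("utf-8")).hexdigest()

def verify(text, digest):
    """Re-hash a stored capture to prove it has not changed since it was sealed."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest() == digest
```

To use it on a host, call `seal(capture("CASE-0001", "ir-analyst"))`, write the returned text to a file and record the digest separately in the case notes.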

Setting up an incident report using these strategies will help a company learn what went wrong and how to prevent the issue from happening again in the future, as well as providing enough presentable evidence to use against the perpetrator in a court of law. By using these steps along with all the others, your company will be prepared not only to lessen the likelihood of a breach, but also to respond and act accordingly to deal with the incident during and after its occurrence, which should help to protect the company and keep it running no matter the challenges it faces.

Wargame
Now that all the information needed to protect a business is above, an example will be given of how to respond to an incident. In this example, an employee who works at Chase Bank decided to use the same password for his personal account as he does for his work account. For reasons unrelated to the company, his personal password was found and then used successfully to access his work account, giving the perpetrator access to information such as his boss’s email address. A new email account was created with the boss’s name tied to a Google account. Despite not being the email the boss uses at work, multiple employees downloaded the file attached to the email, which seemed to be a harmless letter about some event no one would want to go to, and gave it no second thought until finding out the next day that the email did not belong to the boss. The main problem is that the files were downloaded onto multiple work computers a day prior to this being found out.
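A mail-gateway check for the impersonation in this scenario, added as an example (not part of the original paper): a known employee's display name arriving from an address outside the company domain, with an attachment. The corporate domain, the staff directory and the two sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-bank.com"  # assumption: placeholder for the company's real mail domain
# Assumption: the staff directory the gateway can consult (constructed entries).
STAFF = {"jane doe": "jane.doe@example-bank.com", "sam lee": "sam.lee@example-bank.com"}

def attachments(msg):
    """Names of attached parts, which is what made the spoofed mail dangerous."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def assess(raw):
    """Return findings for one RFC 822 message; an empty list means no impersonation was seen."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    real_addr = STAFF.get(" ".join(name.lower().split()))
    if real_addr and addr != real_addr:
        findings.append(f"display name '{name}' belongs to staff but sender is {addr or '<none>'}")
    if findings and domain != CORPORATE_DOMAIN:
        findings.append(f"external domain {domain or '<none>'} is not {CORPORATE_DOMAIN}")
    files = attachments(msg)
    if findings and files:
        findings.append(f"impersonating sender delivered attachment(s): {files}")
    return findings

# Constructed sample resembling the scenario: the boss's name on a Google account, with a file attached.
SPOOFED = """\
From: Jane Doe <jane.doe.bank@gmail.com>
To: staff@example-bank.com
Subject: Letter about next month's event
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please read the attached letter.
--b1
Content-Type: application/msword; name="event_letter.doc"
Content-Disposition: attachment; filename="event_letter.doc"
Content-Transfer-Encoding: base64

c2FtcGxl
--b1--
"""
GENUINE = "From: Jane Doe <jane.doe@example-bank.com>\nSubject: Event\n\nSee you there.\n"
```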

There are already a couple of things that could have prevented this issue, such as two-step authentication or requiring employees to either use different passwords than their personal ones or use password managers, to prevent the first account from ever being hacked into. The situation could also have been avoided if the employees that opened the files had not ignored the warnings given by their firewall or anti-malware just because they thought the email was from their boss. But as the malicious files have already been downloaded, the first step of preventing an intrusion has already failed, and so action must be taken.

While we already know what happened, the first step would be to organize any tickets sent in by employees to see that most complaints stem from an email with a file attached, so that the cause can be pinpointed. From here, the next step is to look for signs of a breach. You can also get guidance from any incident reporting services you are subscribed to at this point. As for the employees, they should be looking for signs of a breach in the form of backdoors, password hash tools or new scripts on their systems. It is also important that they look for any archived files. Using this information, it might be found that only credit card information is being targeted, so instead of shutting everything down, only the servers that hold that information should be shut down or protected, while other services such as online accounts are allowed to function normally so that business can continue to some extent by letting customers use their accounts.
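A hunt for the "newly archived files" that both the Responding to an Intrusion section and this scenario say to look for, added as an example (not the paper's own tooling). It checks file headers as well as extensions, so an archive renamed to hide its type still shows up; the sample tree it builds is constructed data, and it uses modification time because creation time is not available on every file system.

```python
import os
import shutil
import tempfile
import time
import zipfile

ARCHIVE_EXT = {".zip", ".7z", ".rar", ".gz", ".tgz", ".tar", ".cab"}
MAGIC = {b"PK\x03\x04": "zip", b"7z\xbc\xaf\x27\x1c": "7z", b"Rar!\x1a\x07": "rar", b"\x1f\x8b": "gzip"}

def archive_kind(path):
    """Identify an archive by its leading bytes; None if no known signature matches."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return None
    return next((kind for sig, kind in MAGIC.items() if head.startswith(sig)), None)

def hunt(root, hours=24):
    """Archives (by extension or signature) under root written within `hours`; renamed ones sort first."""
    cutoff = time.time() - hours * 3600
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            if st.st_mtime < cutoff:
                continue  # older than the window, so not newly archived
            ext = os.path.splitext(name)[1].lower()
            kind = archive_kind(path)
            if ext in ARCHIVE_EXT or kind:
                hits.append({"name": name, "path": path, "bytes": st.st_size, "kind": kind,
                             "renamed": kind is not None and ext not in ARCHIVE_EXT})
    return sorted(hits, key=lambda h: (not h["renamed"], -h["bytes"]))

def build_sample_tree():
    """Constructed sample data: a real zip, the same zip renamed to .txt, a text file, a 3-day-old zip."""
    root = tempfile.mkdtemp(prefix="hunt_")
    real = os.path.join(root, "report.zip")
    with zipfile.ZipFile(real, "w") as zf:
        zf.writestr("export.csv", "constructed,sample,rows\n")
    shutil.copyfile(real, os.path.join(root, "notes.txt"))  # archive hiding behind a .txt name
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("nothing to see\n")
    old = os.path.join(root, "old.zip")
    shutil.copyfile(real, old)
    os.utime(old, (time.time() - 3 * 86400,) * 2)  # push its timestamps out of the 24h window
    return root
```

Run `hunt("/path/to/user/profiles")` on an affected workstation and review the renamed hits first; `hunt(build_sample_tree())` shows the expected output on the sample tree.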


At this point, evidence should start being gathered, and if they have not been alerted already, the authorities should be informed of the breach you have confirmed. As you continue to keep track of the attacker and attempt to prevent any further breaches, run live data captures on infected devices and investigate the important operating system facets. After the breach ends, either because the attacker is no longer able to steal any more information or because the authorities find them, the evidence gathered can then be used against them in court. From this point, you can start the recovery process of getting the company back to the state it was in before, and hopefully use the information gathered to see where the network’s defenses were breached in order to further protect those areas from any further attacks.

References

FBI. (2019, March 28). Bank Crime Statistics 2018. Retrieved from https://www.fbi.gov/file-repository/bank-crime-statistics-2018.pdf/view

FBI. (2019, April 22). FBI Releases the Internet Crime Complaint Center 2018 Internet Crime Report. Retrieved from https://www.fbi.gov/news/pressrel/press-releases/fbi-releases-the-internet-crime-complaint-center-2018-internet-crime-report

Mandiant. (n.d.). APT1: Exposing One of China’s Cyber Espionage Units. Retrieved from https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

FireEye. (n.d.). Cyber Security Consultancy Services: FireEye Mandiant. Retrieved from https://www.fireeye.com/services.html

Luttgens, J. T. (2014). Incident response and computer forensics. New York, NY: McGraw Hill.
