Final Project
Nikolas Seropian
Author Note
This paper was prepared for Incident Response, taught by Aaron Jones
FINAL PROJECT 2
What is the first thing that comes to mind when you hear the word robbery? Chances are
you might think of your favorite heist movie or video game based around a large-scale bank
robbery, a bunch of guys in ski masks drilling open a vault, or even an old western stick-up.
According to the FBI’s 2018 statistics, there were a bit over 3,000 bank robberies that year, which
may sound like a large number, but it is nothing compared to the new forms of online robbery,
which led to at least 351,937 complaints reported to the FBI in the same year. While
some of these complaints were about non-payment/non-delivery and extortion, data breaches
are the biggest threat to a company. In order to stay protected from a data breach, a company
must be able to prepare before an attack, react properly when one happens and successfully deal
There are many benefits that can come from running or working in a business,
such as bringing innovation to the world, helping people with everyday problems and being
rewarded for your success with monetary profits. Things could be going entirely well for a
company as its numbers of customers and investors grow along with its popularity, and you may not
expect everything to suddenly spiral so far out of control that your business just about loses
everything it has worked for and earned since its founding. According to the
Oxford dictionary, the term ‘calm before the storm’ is defined as “a period of unusual
tranquility or stability that seems likely to presage difficult times.” This may not sound like the
situation a well-running business is in, but in fact it is always the case, as any company
that holds any amount of private or valuable information has a target on it that many individuals or
groups will seek after, and taking advantage of this time before a storm finally arrives can be
There are many ways a company can take precautions against future threats. Some tactics
can be as simple as using password generators or setting up software to help detect unusual activity.
One of the first steps in an attack is spear phishing, a technique where malicious files are sent to
recipients in seemingly relevant emails. Ensuring that only verified accounts and files are used
and downloaded at work is a good way to prevent this. Protecting passwords to keep accounts
from being hacked into is also important, for example by using password managers and making
sure work passwords are different from those that employees use on private accounts.
Setting up a crisis management plan is also essential in preparing for the worst. Getting
help from another company that specializes in network security can also pay off, as some offer anti-malware
software and some also provide helpful tips, such as trends in attacks, to help your company
know how to react to the more common threats with ease. Having a firewall set up to keep malicious
files from getting in, on top of anti-malware software, can help to prevent and scan for potential
threats, and with a proper crisis management plan the company can be ready to act on any incident that
occurs.
Responding to an Intrusion
Even after everything is set in place, things aren’t quite over yet. Despite having tools to
prevent intrusions, there is never any guarantee a break-in won’t occur. A company must still
always be prepared for the worst no matter how much effort goes into preventing it. In the event
of an intrusion, a company has a lot of work to do based on its crisis management plan, and it must also
have plans for business continuity, disaster recovery and computer forensics in place to ensure
that the company can continue to function during an incident, recover from it quickly
afterward, and gather enough evidence to present in court after the incident has ended.
The first step in dealing with an intrusion is finding out that one is happening and seeing
how much damage is being dealt. There are many signs to look for to see what an intruder may
be doing, such as backdoors that may have been installed into a network, tools used
to extract password hashes, and batch scripts that may be used for gathering large amounts of information.
It is also important to look for any newly archived files, as this could be a sign that an intruder is
about to successfully extract information. By allowing employees to look for any signs of intrusion
and to report tickets that can be organized (which can be done with the help of
software from other companies), a company can have a much easier time not only noticing an
intrusion, but also pinpointing what type of intrusion it is and what may be at risk. While it may seem
dangerous to wait long before acting against an intrusion, taking the time to gather data can help a
company create a battle plan based specifically on the current threat while also allowing the
gathering of presentable data for the final stage in dealing with an intrusion.
Gathering Evidence
As mentioned, computer forensics is vital in dealing with the aftermath of an incident.
But in order to properly prepare, actions must be taken during an intrusion to make sure evidence
is gathered in a way that can be presented in court. While there are many facets of an operating
system to check for evidence, the most beneficial areas to check are NTFS and file system
analysis, Windows prefetch, event logs, scheduled tasks, the registry, memory forensics as well
Gathering data from all these sources yourself can yield a lot of data that can be used
later, but on top of this, you can start a live data capture to gather even more potentially helpful
data. In order to perform a live data capture, a script that can perform it is needed. The company
can either write a script itself, at the cost of high maintenance, or pay for software
online that creates scripts which require no maintenance from the company unless the company
decides to make tweaks to the scripts itself. Information collected in a live data capture
includes data such as general system info, a list of programs and tasks set to automatically run, and
Setting up an incident report using these strategies will help a company learn what went
wrong and how to prevent the issue from happening again in the future, as well as providing
enough presentable evidence to use against the perpetrator in a court of law. By using these
steps along with all the others, your company will be prepared not only to lessen the likelihood
of a breach, but also to respond and act accordingly to deal with the incident during and after
its occurrence, which should help to protect the company and keep it running no matter the
challenges it faces.
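The live data capture and the signs of intrusion described in the two sections above, as an added example script that is not part of the paper and not any vendor's product; the output folder, the directories searched for new archives and the 24-hour look-back window are assumptions. It collects the categories the paper names (general system info, auto-run programs and scheduled tasks, prefetch, event logs and newly created archive files) and hashes the results so the capture can later be shown to be unaltered.

```powershell
# Added example of a live data capture (triage) script; not the paper's own script.
# Output folder, searched paths and the 24-hour window are assumptions. Run from an
# elevated PowerShell on the host under investigation; it only reads system state.
param([string]$OutDir = "C:\IR\capture_$(Get-Date -Format yyyyMMdd_HHmmss)")
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$since = (Get-Date).AddDays(-1)   # look-back window for logs and new files

# 1. General system info, running processes and established connections
Get-ComputerInfo | Out-File "$OutDir\systeminfo.txt"
Get-Process | Select-Object Id, ProcessName, Path |
    Export-Csv "$OutDir\processes.csv" -NoTypeInformation
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Export-Csv "$OutDir\connections.csv" -NoTypeInformation

# 2. Programs set to run automatically (registry Run keys) and scheduled tasks
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (Test-Path $key) { Get-ItemProperty $key | Out-File "$OutDir\autoruns.txt" -Append }
}
Get-ScheduledTask | Where-Object State -ne 'Disabled' |
    Select-Object TaskName, TaskPath,
        @{n='Action'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }} |
    Export-Csv "$OutDir\scheduled_tasks.csv" -NoTypeInformation

# 3. Prefetch: which executables ran recently, and when
Get-ChildItem 'C:\Windows\Prefetch' -Filter *.pf -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object Name, LastWriteTime |
    Export-Csv "$OutDir\prefetch.csv" -NoTypeInformation

# 4. Security and System event logs from the look-back window
Get-WinEvent -FilterHashtable @{LogName='Security','System'; StartTime=$since} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id, ProviderName, Message |
    Export-Csv "$OutDir\events.csv" -NoTypeInformation

# 5. Newly created archives: data being staged for extraction often shows up here
$archiveTypes = '*.zip', '*.rar', '*.7z', '*.tar', '*.gz'
Get-ChildItem -Path 'C:\Users', 'C:\Windows\Temp' -Recurse -Include $archiveTypes -ErrorAction SilentlyContinue |
    Where-Object CreationTime -gt $since |
    Select-Object FullName, Length, CreationTime, LastWriteTime |
    Export-Csv "$OutDir\new_archives.csv" -NoTypeInformation
# 6. Hash every collected file so the capture can later be shown to be unaltered
$collected = Get-ChildItem -Path $OutDir -File
$collected | Get-FileHash -Algorithm SHA256 |
    Export-Csv "$OutDir\manifest_sha256.csv" -NoTypeInformation
```

Copy the output folder and its manifest to write-once media before any other analysis so the hashes can be re-checked later.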
Wargame
Now that all the information needed to protect a business has been laid out above, an example will be
given of how to respond to an incident. In this example, an employee who works at Chase bank
decided to use the same password for his personal account as he does for his work account. Due
to reasons unrelated to the company, his personal password was found and then used
successfully to access his work account, giving the perpetrator access to information such as his
boss’s email address. A new email account was created with the boss’s name tied to a Google account.
Despite it not being the email the boss uses at work, multiple employees downloaded the file
attached to the email, which seemed to be a harmless letter about some event no one would want to
go to, and gave it no second thought until finding out the next day that the
email did not belong to the boss. The main problem is that the files were downloaded onto
There are already a couple of things that could have prevented this issue, such as two-step
authentication or forcing employees either to use different passwords from their personal ones or
to use password managers, to prevent the first account from ever being hacked into. The situation could
also have been avoided if the employees that opened the files hadn’t ignored the warnings given
by their firewall or anti-malware just because they thought the email was from their boss. But as
the malicious files have already been downloaded, the first step of preventing an intrusion has
While we already know what happened, the first step would be to organize any tickets
sent in by employees, which helps show that most complaints stem from an email with a file attached to
it, so that the cause can be pinpointed. From here, the next step is to look for signs of a
breach. You can also get guidance from any incident reporting services you are subscribed to at
this point. As for the employees, they should be looking for signs of a breach in the form of
backdoors, password hash tools or new scripts on their systems. It is also important that they
look for any archived files. Using this information, it might be found that only credit card
information is being targeted, so instead of shutting everything down, only the servers that
hold that information should be shut down or protected while other services, such as
online accounts, are allowed to function normally so that business can still continue to some extent. By letting
At this point, evidence should start being gathered and, if they haven’t been
alerted already, the authorities should be informed of the breach you have confirmed. As you
continue to keep track of the attacker and attempt to prevent any further breaches, run live
data captures on infected devices and investigate the important operating system facets. After the
breach ends, either because the attacker is no longer able to steal any more information or because the
authorities have found them, the evidence gathered can then be used against them in
court. From this point, you can start the recovery process of getting the company back to
the state it was in before and, hopefully, use the information gathered to see where the network’s
defenses were breached, so as to further protect those areas from any further attacks.
References
FBI. (2019, March 28). Bank Crime Statistics 2018. Retrieved from https://www.fbi.gov/file-repository/bank-crime-statistics-2018.pdf/view
FBI. (2019, April 22). FBI Releases the Internet Crime Complaint Center 2018 Internet Crime Report. Retrieved from https://www.fbi.gov/news/pressrel/press-releases/fbi-releases-the-internet-crime-complaint-center-2018-internet-crime-report
Mandiant. (n.d.). APT1: Exposing One of China’s Cyber Espionage Units. Retrieved from https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
FireEye. (n.d.). Cyber Security Consultancy Services: FireEye Mandiant. Retrieved from https://www.fireeye.com/services.html
Luttgens, J. T. (2014). Incident response and computer forensics. New York, NY: McGraw Hill.