ASSIGNMENT TWO REQUIREMENT (100 MARKS)

Using a tool of your choice, demonstrate forensics in digital incident response.


You can use the scenario provided in ANNEX A or use a hypothetical scenario
of your choice which fits the tool you want to demonstrate. NB: Ensure that the
scenario fits in the context of accounting and information systems environments,
which by default characterises the confluence of your programs of study.

At Wakanda Accounting Firm, forensics in digital incident response was demonstrated using
the Elastic Stack to detect the Crypto Lock ransomware attack.

Scenario: Wakanda Accounting Firm, a renowned firm that provides accounting services to a
wide range of clients, has become the victim of a ransomware attack on its accounting
systems. Critical financial data has been compromised, and normal business activities have
been disrupted as a result of the attack. After an employee clicked on a malicious link in a
phishing email, the ransomware gained access to the company's network and encrypted
accounting information.

We will assume that the organization has deployed an Elastic Stack environment for log
management and analysis in order to demonstrate the use of Elastic.

Step 1: Log Collection and Centralization

a) Configure log collection: ensure that the accounting system's logs are configured to
deliver events to the centralized Elastic Stack environment. This can be accomplished
by installing an agent or configuring log forwarding settings on the accounting
system. In this situation, Filebeat could have been installed on the impacted
accounting systems to collect logs pertaining to file alterations, system events, and
network traffic. Endpoint security solutions, such as Elastic Security Endpoint, may
also have been used to monitor and gather endpoint telemetry, such as process
and file activity.
b) Index log data: in the Elastic Stack environment, create an index to store the
accounting system's log data. Define proper mappings and settings to ensure efficient
storage and analysis of log events. After collection, the data must be ingested into
Elasticsearch for indexing and storage. Logstash can be used as a data ingestion pipeline
to standardize and enrich data before indexing it in Elasticsearch. The logs from
Filebeat were collected and indexed in Elasticsearch for further investigation.
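As an added illustration of Step 1 (this is example code written for this write-up, not part of the assignment or of any Elastic product), the block below defines an explicit index mapping for the accounting system's file events and normalizes raw agent lines into ECS-style documents ready for the Elasticsearch bulk API. The raw line format, the field names, the index name `logs-accounting-files`, the hostnames and the IP addresses are all constructed for this scenario.

```python
"""Added example (not part of the assignment): shaping accounting-system file
events for Elasticsearch. The raw line format, field names and index name are
constructed for this scenario."""
import json
from datetime import datetime, timezone

INDEX_NAME = "logs-accounting-files"  # assumed index name


def index_mapping() -> dict:
    """Explicit mapping for the index. IOC fields are typed keyword/ip so they
    match exactly and can be aggregated; free text stays in `message`."""
    return {
        "mappings": {
            "properties": {
                "@timestamp": {"type": "date"},
                "host": {"properties": {"name": {"type": "keyword"}}},
                "user": {"properties": {"name": {"type": "keyword"}}},
                "source": {"properties": {"ip": {"type": "ip"}}},
                "event": {"properties": {"action": {"type": "keyword"}}},
                "file": {"properties": {"path": {"type": "keyword"},
                                        "extension": {"type": "keyword"}}},
                "message": {"type": "text"},
            }
        }
    }


def normalize_event(raw: str) -> dict:
    """Parse one raw audit line into an ECS-style document. This is the
    'standardize and enrich' step the text assigns to Logstash.
    Constructed line format (no spaces inside values):
      <ISO-8601 time> host=<name> user=<name> src=<ip> action=<verb> path=<file>
    """
    ts, rest = raw.strip().split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    path = fields["path"]
    ext = path.rsplit(".", 1)[1].lower() if "." in path else ""
    return {
        "@timestamp": datetime.fromisoformat(ts).astimezone(timezone.utc).isoformat(),
        "host": {"name": fields["host"]},
        "user": {"name": fields["user"]},
        "source": {"ip": fields["src"]},
        "event": {"action": fields["action"]},
        "file": {"path": path, "extension": ext},
        "message": raw.strip(),
    }


def bulk_payload(docs, index=INDEX_NAME) -> str:
    """NDJSON body for POST /_bulk: one action line followed by one document
    line per event, terminated by a newline as the API requires."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


# Constructed sample lines: a normal edit, then a rename to a ransomware-style
# extension on the same workstation.
SAMPLE_LINES = [
    "2024-03-04T09:15:02+00:00 host=ACC-WS07 user=jdoe src=10.20.5.17 "
    "action=modify path=C:\\Ledger\\2024\\Q1_journal.xlsx",
    "2024-03-04T09:41:10+00:00 host=ACC-WS07 user=jdoe src=10.20.5.17 "
    "action=rename path=C:\\Ledger\\2024\\Q1_journal.xlsx.locked",
]

if __name__ == "__main__":
    print(json.dumps(index_mapping(), indent=2))
    print(bulk_payload([normalize_event(line) for line in SAMPLE_LINES]))
```

The mapping is created once with `PUT logs-accounting-files` carrying the body from `index_mapping()`; the point of typing `file.extension`, `user.name` and `source.ip` as `keyword`/`ip` rather than letting them be dynamically mapped as analyzed text is that later IOC searches and detection rules need exact matches and aggregations on those fields.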

Step 2: Investigation and Log Analysis


a) Log search and filtering: use the Elastic Stack's search capabilities to filter and
search for relevant log events. You can look for specific keywords, IP addresses,
usernames, or other indicators of compromise (IOCs).
b) Dashboards and visualizations: use Kibana, the Elastic Stack's visualization
component, to develop dashboards and visualizations that provide an overview of
the log data. Create bespoke visuals to detect patterns, anomalies, or suspicious
data breach activity.
c) Correlation and alerting: in the Elastic Stack, establish detection rules and alerts to
identify potential indicators of a data breach. Examples include anomalies in user
behavior, unwanted access attempts, or unusual data access patterns.
d) When hunting for threats, use Elasticsearch
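To make items a) and c) of Step 2 concrete, the block below (an added example written for this write-up, not code from the assignment or from Elastic) builds an IOC search as Elasticsearch query DSL and then evaluates the logic of a threshold-style detection rule, "many renames to one new extension by a single user on a single host in a short window", over constructed in-memory events. The ECS-style field names follow the layout assumed for this scenario, and the hostnames, usernames and the IP `198.51.100.23` are made up. The users the rule flags are the candidate accounts for the containment step.

```python
"""Added example (not part of the assignment): an IOC search as Elasticsearch
query DSL, and the logic of a threshold-style detection rule evaluated locally
over constructed events. Field names follow the ECS-style layout assumed for
this scenario; IPs and hostnames are made up."""
from collections import defaultdict
from datetime import datetime, timedelta


def ioc_search_query(ips=(), extensions=(), users=(), since="now-24h") -> dict:
    """Body for GET <index>/_search: any listed IOC inside the time window.
    `terms` on keyword/ip fields is exact matching, which is what you want for
    indicators (no analyzer, no partial hits)."""
    should = []
    if ips:
        should.append({"terms": {"source.ip": list(ips)}})
    if extensions:
        should.append({"terms": {"file.extension": list(extensions)}})
    if users:
        should.append({"terms": {"user.name": list(users)}})
    return {
        "query": {"bool": {
            "filter": [{"range": {"@timestamp": {"gte": since}}}],
            "should": should,
            "minimum_should_match": 1,
        }},
        "sort": [{"@timestamp": "asc"}],
    }


def mass_rename_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Threshold rule: a (host, user) pair that renames `threshold` or more files
    to the same new extension within `window` is flagged. Mirrors what a Kibana
    threshold rule grouped by host.name, user.name and file.extension would do,
    but runs here over an in-memory list so the logic can be checked."""
    by_key = defaultdict(list)
    for e in events:
        if e["event"]["action"] != "rename":
            continue
        key = (e["host"]["name"], e["user"]["name"], e["file"]["extension"])
        by_key[key].append(datetime.fromisoformat(e["@timestamp"]))
    alerts = []
    for (host, user, ext), times in by_key.items():
        times.sort()
        best = (0, 0, 0)  # (count, start index, end index) of the densest window
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        if best[0] >= threshold:
            alerts.append({"host": host, "user": user, "extension": ext,
                           "count": best[0],
                           "first_seen": times[best[1]].isoformat(),
                           "last_seen": times[best[2]].isoformat()})
    return alerts


def _evt(ts, host, user, action, path):
    """Build one ECS-style event (constructed sample data)."""
    ext = path.rsplit(".", 1)[1] if "." in path else ""
    return {"@timestamp": ts, "host": {"name": host}, "user": {"name": user},
            "event": {"action": action}, "file": {"path": path, "extension": ext}}


# Six renames to .locked within seconds on ACC-WS07 (ransomware behaviour) and
# two ordinary renames on ACC-WS02 that must not trigger.
SAMPLE_EVENTS = [
    _evt(f"2024-03-04T09:41:{10 + i:02d}+00:00", "ACC-WS07", "jdoe", "rename",
         f"C:\\Ledger\\2024\\file{i}.xlsx.locked") for i in range(6)
] + [
    _evt("2024-03-04T10:05:00+00:00", "ACC-WS02", "asmith", "rename",
         "C:\\Reports\\draft.docx"),
    _evt("2024-03-04T10:07:30+00:00", "ACC-WS02", "asmith", "rename",
         "C:\\Reports\\final.docx"),
]

if __name__ == "__main__":
    print(ioc_search_query(ips=["198.51.100.23"], extensions=["locked"]))
    for a in mass_rename_alerts(SAMPLE_EVENTS):
        print(a)
```

The `filter` clause does the time bounding without affecting scoring, while `minimum_should_match: 1` turns the IOC list into an OR. For the rule, grouping on host, user and extension keeps legitimate bulk renames by a script account separable from a workstation user's session, and the `first_seen`/`last_seen` fields give the analyst the time bracket to pivot on in Kibana.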

Step 3: Recovery and Containment


a) Determine compromised accounts: identify any user accounts that may have been
compromised based on log data analysis. Disable or lock those accounts temporarily to
prevent further unauthorized access.

c) Protect the system: take the required precautions to protect the compromised
accounting system. Patching vulnerabilities, updating access rules, and installing
new security measures may be required to reduce the risk of future breaches.

Step 4: Reporting and Documentation


Create a comprehensive report outlining the findings, analysis, and actions performed during
the incident response process. Include information regarding the incident, compromised
accounts, detected IOCs, and any remediation steps taken. Document the whole investigative
process to guarantee a clear chain of custody and compliance with legal and regulatory
standards.
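The chain-of-custody requirement in Step 4 is usually met by hashing every exported artefact at collection time and recording who collected it, from where and when, so the report can later show the evidence was not altered. The block below is an added example written for this write-up (not part of the assignment or of the Elastic Stack) that builds such an evidence manifest, assembles the report structure the step describes, and re-verifies the hashes. The incident id, analyst name, hostnames, IP and artefact contents are all constructed.

```python
"""Added example (not part of the assignment): an evidence manifest for the
incident report. Each exported artefact is hashed at collection time so the
report can show it was unchanged between collection and analysis. All names,
hosts and artefact contents are constructed."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_entry(name, data, collected_by, source_host, collected_at):
    """One chain-of-custody record: who took what from where, when, and its hash."""
    return {
        "artefact": name,
        "source_host": source_host,
        "collected_by": collected_by,
        "collected_at": collected_at.isoformat(),
        "size_bytes": len(data),
        "sha256": sha256_hex(data),
    }


def verify_manifest(manifest, artefacts):
    """Return the names of artefacts whose current hash no longer matches the
    manifest (an empty list means the evidence set is intact)."""
    return [m["artefact"] for m in manifest
            if sha256_hex(artefacts[m["artefact"]]) != m["sha256"]]


def build_report(incident_id, summary, iocs, compromised_accounts, actions, manifest):
    """Assemble the report structure described in Step 4 as JSON-ready data."""
    return {
        "incident_id": incident_id,
        "summary": summary,
        "indicators_of_compromise": iocs,
        "compromised_accounts": compromised_accounts,
        "remediation_actions": actions,
        "evidence": manifest,
    }


# Constructed artefacts standing in for an exported Filebeat log and a
# Kibana alert export.
ARTEFACTS = {
    "acc-ws07-filebeat.ndjson": b'{"event":{"action":"rename"},"file":{"extension":"locked"}}\n',
    "kibana-alerts.json": b'[{"rule":"mass rename to .locked","host":"ACC-WS07"}]',
}
COLLECTED_AT = datetime(2024, 3, 4, 11, 30, tzinfo=timezone.utc)
MANIFEST = [manifest_entry(name, data, "ir-analyst-1", "ACC-WS07", COLLECTED_AT)
            for name, data in ARTEFACTS.items()]

if __name__ == "__main__":
    report = build_report(
        "IR-2024-0001",  # placeholder incident id
        "Crypto Lock ransomware delivered via phishing link; ledger files encrypted.",
        {"file.extension": ["locked"], "source.ip": ["198.51.100.23"]},
        ["jdoe"],
        ["account jdoe disabled", "ACC-WS07 patched and access rules updated"],
        MANIFEST,
    )
    print(json.dumps(report, indent=2))
    print("tampered:", verify_manifest(MANIFEST, ARTEFACTS))
```

Run `verify_manifest` again whenever the artefacts change hands; a non-empty result names exactly which export can no longer be relied on in the report.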

In this scenario, the Elastic Stack provides log management, analysis, and visualization
that supports effective digital incident response in accounting and information
systems and helps to preserve system integrity and security.
