Virtual. Internship. Really? (2)

crypt000
7 min read · Feb 10, 2021

The next task was about Digital Forensics, starting off with the scope of the incident:

It has been identified by the client that there has been a suspected social engineering attack that has compromised their O365 environment. Early indications have the point of entry stemming from a phishing attack targeting a member of staff within the risk and compliance team. From this initial point of entry, it was advised that multiple executive level users were then targeted in a second wave attack in which another phishing email was sent from the compromised account to these users. For the purpose of this analysis, we will be examining the initial compromised account and network device, as well as examining and analysing any subsequent account and device compromises that have arisen from the second wave phishing emails targeting executive level users.

Plan of Action — Identification and Approach

i. Logging — We will be requesting the following logs from the resident IT personnel.

• Microsoft Office 365 Security Audit Logs

• Relevant Office 365 Exchange Audit Logs

• Azure Sign-in Logs

• Azure Audit Logs

• Firewall Logs

Explanation for requesting logs — Logs are an integral part of an incident response collection. Through examination and analysis, forensic personnel can identify events such as the initial point of entry and any mailbox change activity (rule creation, mail deletion). Beyond event analysis, logging gives examiners the ability to trace the events back using information such as source IP address and geolocation attributes.

NB — Endpoint and Server logs are considered under physical device collection covered in the next point.

ii. Network and Endpoint Devices — We will request to forensically image a number of relevant devices that will allow thorough examination of endpoint activity including host logging, malware analysis and internet activity.

• Forensic image of workstation of staff member in which credentials were entered.

• Forensic images of workstations of all 6 executive level staff members as it is unclear if any credentials were entered or malicious websites visited.

• Forensic images of on-prem servers

Explanation for Network and Endpoint Devices — Although the compromise was said to have resulted from a phishing email, endpoint collection is critical as it contains key information such as the Windows event logs, which record all relevant event artefacts from actions on the system. This will allow examination and analysis to determine if any malicious software was installed along with the credential harvesting.

iii. Other informational assets and staff interviews — We will request the following information from the client IT and extended team.

• Office 365 PST export of the account in which credentials were entered

• Office 365 PST export of the accounts of 6 executive level staff members.

• Interview with the initial victim to determine what was entered, how it was entered, and any other relevant information relating to the incident

• Interviews with all 6 executive level staff members to determine whether malicious links or credentials were entered from the second wave phishing attack.

• Interviews with relevant IT staff who were first notified about the compromise to determine what was initially done.

Explanation for informational assets and staff interviews — Mailbox extractions are key in phishing email analysis as email chains can be rebuilt if required to recreate the conversation that took place between the threat actor and the victim. It allows the identification of the phishing email in a controlled environment to examine key information such as the sender and source IP from the email header.

Interviews are also key, as the information provided can assist in the analysis and allow examiners to get an understanding of the current network infrastructure to determine the severity and extent of the data breach.

The email to the client should be like this:

We have just been informed by our client that there has been a suspected Office 365 breach by way of a spear phishing attack within the risk and compliance department of the organisation. It has been advised by IT that a member of staff has entered credentials to a falsified Microsoft website. Subsequently, further phishing emails were sent from this user to the mail-distribution list of the executive management committee office. This mail-distribution list consists of 6 people, that is, the CEO, COO, CFO, CIO and two Personal Assistants. It is unclear at this point if any of the recipients of the second attack entered credentials.

To assist in the matter, the client has briefly run through the Infrastructure with me. In the office, each user has a single designated workstation running Windows 10 OS, with a single server operating Active Directory, as well as being the primary Domain Controller. There is a single Qotom appliance running a pfSense software firewall which manages all network traffic for the company as there are no web or application proxies running in the environment. They are running primarily a cloud setup with Office 365 being the primary storage for all mail and loose document data using SharePoint sites.

As a first step in the overall incident response, we need to derive a plan of action. This will outline who we can talk to, what information assets are to be forensically imaged/examined and what types of network logging that potentially could be relevant for collection and why (as we need to explain this to the client). Both network and end-point logs should be considered.

The task is to pull together the plan of action document outlined above and send it to the client along with a covering email which summarises the proposed steps to be taken and what possible analysis could be conducted on the collected data. (Wow, it takes forever.) Here is the mail:

Yesterday a spear phishing attack occurred. In order to respond to this incident, we are taking immediate action as the Incident Response Team. The team will conduct a Forensic Investigation. As a part of the incident response process, the team will examine the Logs, Servers, Applications, Security tools and Mails after Prioritizing the Assets of the Enterprise.

Also, the team will conduct a Security Incident Questionnaire. The questions will be as follows:

What is the nature of the problem?

What is the root cause?

How was the problem detected?

What is the security posture of the affected IT infrastructure?

What groups were affected?

Did the secondary attacks happen?

Which individuals are aware of the incident?

Who will conduct the examination of the affected IT infrastructure?

The logs to be examined are the Microsoft Exchange mailbox logs (as the attack was made by mail), network logs, host logs and firewall logs.

The infrastructures to be examined are Windows 10 OS Server, pfSense Software Firewall, mail server.

The people to contact are the Incident Response Team members, the CIO and Senior Management: the CEO, CFO, COO and two Personal Assistants.

After this Preparation phase, the team will conduct a threat analysis, investigate the problem thoroughly and then perform a post investigation review.

We assure you that we will take action immediately and follow the procedures under the guidance of the NIST framework. In order to prevent future attacks, our company takes certain security countermeasures.

For your information,

The IR Team

— — — — — — — — —

There were several failed login attempts, and I examined the Excel log data:

Dear Client,

As the team examined the log file, we found the login failures. We examined the IP addresses and looked them up with a whois tool. The suspicious IP addresses are 168.XXX.XXX.4 and 193.XXX.XX.57, and they belong to Nigeria Communications. From these IP addresses, a great many requests and login attempts were made. The team is handling the situation now.

Best regards,

CIO.
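As an added example (not from the original post or the internship material), here is one way to do the failed-login triage described above over a sign-in export: count failures per source IP, flag IPs that exceed a threshold or sit outside the country staff normally sign in from, and highlight any flagged IP that also produced a successful sign-in, which is the stronger compromise indicator. The CSV columns, the threshold, the expected country and the sample rows (documentation-range IPs) are all constructed for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real client data). Column names are an
# assumption for this example; a real Azure sign-in export has more fields.
SAMPLE_SIGNIN_CSV = """timestamp,user,source_ip,status,country
2021-02-01T08:01:10Z,r.compliance@example.invalid,203.0.113.25,Success,AU
2021-02-01T09:15:02Z,r.compliance@example.invalid,198.51.100.4,Failure,NG
2021-02-01T09:15:09Z,r.compliance@example.invalid,198.51.100.4,Failure,NG
2021-02-01T09:15:21Z,r.compliance@example.invalid,198.51.100.4,Failure,NG
2021-02-01T09:15:44Z,r.compliance@example.invalid,198.51.100.4,Success,NG
2021-02-01T09:20:00Z,ceo@example.invalid,198.51.100.57,Failure,NG
2021-02-01T09:20:05Z,ceo@example.invalid,198.51.100.57,Failure,NG
2021-02-01T10:00:00Z,cfo@example.invalid,203.0.113.25,Failure,AU
"""

FAILURE_THRESHOLD = 3        # failed sign-ins from one IP before it is flagged
EXPECTED_COUNTRIES = {"AU"}  # where the client's staff normally sign in from


def triage_signins(csv_text, threshold=FAILURE_THRESHOLD, expected=EXPECTED_COUNTRIES):
    """Return the flagged source IPs together with the reasons for flagging them."""
    failures = defaultdict(int)   # source IP -> number of failed sign-ins
    successes = defaultdict(set)  # source IP -> accounts that signed in successfully
    countries = {}                # source IP -> country (from whois/geolocation data)
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = row["source_ip"]
        countries[ip] = row["country"]
        if row["status"] == "Failure":
            failures[ip] += 1
        else:
            successes[ip].add(row["user"])

    findings = []
    for ip in sorted(countries):
        reasons = []
        if failures[ip] >= threshold:
            reasons.append(f"{failures[ip]} failed sign-ins")
        if countries[ip] not in expected:
            reasons.append(f"unexpected country {countries[ip]}")
        # A success from an already-suspicious IP is the strongest signal: the
        # guessed or phished credentials worked for that account.
        if reasons and successes[ip]:
            accounts = ", ".join(sorted(successes[ip]))
            reasons.append(f"successful sign-in for {accounts} (possible compromise)")
        if reasons:
            findings.append({"ip": ip, "failures": failures[ip],
                             "country": countries[ip], "reasons": reasons})
    return findings
```

On the sample, the IP with three failures followed by a success is reported as a possible compromise of that account, while the in-country IP with a single failure is not reported at all.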

— — — — — — — — —

Then a Post-Incident report needed to be written:

Following on from our incident analysis, we will provide a report in MS Word format that will give the client an executive overview of what has occurred, as well as possible recommendations and opportunities to improve.

The following information should be noted:

  • The client currently has little to no cyber security measures in place to prevent a cyber-attack at both the host and network level, i.e. IPS/IDS or spam filters.
  • The client has allocated no resources currently to develop a cyber-mitigation and strategy plan.
  • The client has a number of third party service providers who also have no cyber security strategies or implementations.
  • The client has little to no authentication / authorization controls.
  • Recommendations to consider include:
      • 3rd party risk
      • Safety and employee awareness
      • Cyber hygiene
      • Incident response improvements
      • Monitoring and information management

The recommendations should align with our current cyber resilience framework which is based on the NIST Model, and how these recommendations can assist the client in meeting the standards set out by NIST.

The structure of the report should be a half page executive summary, followed by the recommendations, observations and opportunities to improve. This should equate to no more than three PowerPoint slides in total. Please keep your slides clear and concise and submit them below.

Shane Bell’s email address is returned from this form. He wants to hear from you (mmmmkay?)

Hi all,

As the incident that we faced last week showed us, the enterprise is not secure. There is no Protection or Prevention against future attacks. We recommend the implementation of the NIST Framework. It has guidelines for enterprise security.

NIST Framework has functions like Identify, Protect, Detect, Respond and Recovery. All these functions help enterprises manage the Cybersecurity risks by organizing information, addressing threats, learning from previous activities and enabling risk management decisions. After an incident happens, you will also need to test your system security frequently.

All in all, I recommend that you hire a professional who completely understands the NIST Framework and can implement its functions in the workplace.

Best regards,

CIO

All in all, this one was very wordy, including strict procedures.
