Incident Investigation
Background

As cybercrimes have become more sophisticated over the years, organizations have needed better solutions to prevent and manage threats, which eventually led to full-time incident response teams. Part of the incident response effort is to understand and assess exactly what was done during an attack or compromise. Systems need to be scrutinized with a variety of forensic tools and in-depth investigation so that the organization can understand the depth of a compromise and the impact it may have on information assets.

Based on the scenario described (just before the guided exercise):

a. Create an incident response report using concepts from the guided exercise and the previous labs. The report should be no more than 3 pages and should include:

   i. Executive Summary (for non-technical decision-makers). Answer specifics such as:
      a. What was the attacker's IP address?
      b. How did the attacker know which accounts to try?
      c. Was root compromised?
      d. How do we get more information on the File Manager app?

   ii. Detection and Analysis (of the incident and events). Identify what, how, who, where, and when. Provide evidence (screenshots).

   iii. Recovery. Provide recommendations:
      a. How can they prevent this in the future?
      b. Should they notify customers and/or stakeholders?
      Create a clear and concise timeline of the major events.

   iv. Lessons Learned (from the company's perspective)
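To ground the Detection and Analysis questions above (attacker IP, accounts tried, whether root was compromised, timeline) in evidence, the following added example, which is not part of the lab handout, parses sshd authentication log lines and derives those answers from the failed and accepted login events. It assumes a syslog-style sshd log; the log lines, hostname, usernames and IP addresses below are constructed placeholders, not values from the lab scenario.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (not from the lab scenario); the host,
# usernames and IP addresses are placeholders chosen for illustration.
SAMPLE_AUTH_LOG = """\
Mar 14 02:11:03 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 14 02:11:05 web01 sshd[2213]: Failed password for invalid user oracle from 198.51.100.23 port 51024 ssh2
Mar 14 02:11:09 web01 sshd[2215]: Failed password for jsmith from 198.51.100.23 port 51030 ssh2
Mar 14 02:11:12 web01 sshd[2217]: Failed password for root from 198.51.100.23 port 51033 ssh2
Mar 14 02:11:40 web01 sshd[2219]: Accepted password for jsmith from 198.51.100.23 port 51041 ssh2
Mar 14 02:13:02 web01 sshd[2240]: Accepted password for jsmith from 203.0.113.7 port 40011 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted password for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_auth_log(text):
    """Return one dict (ts, result, user, ip) per sshd password-auth line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def summarize(events, fail_threshold=3):
    """Answer the report's detection questions from the parsed events."""
    failures = Counter(e["ip"] for e in events if e["result"] == "Failed")
    # A source with repeated failures is treated as the suspect attacker IP.
    suspects = {ip for ip, n in failures.items() if n >= fail_threshold}
    tried = defaultdict(list)  # usernames each suspect tried, in order seen
    for e in events:
        if e["ip"] in suspects and e["user"] not in tried[e["ip"]]:
            tried[e["ip"]].append(e["user"])
    hits = [e for e in events if e["result"] == "Accepted" and e["ip"] in suspects]
    timeline = [f'{e["ts"]} {e["result"]} {e["user"]} from {e["ip"]}'
                for e in events if e["ip"] in suspects]
    return {"suspects": sorted(suspects), "accounts_tried": dict(tried),
            "compromised_accounts": sorted({e["user"] for e in hits}),
            "root_compromised": any(e["user"] == "root" for e in hits),
            "timeline": timeline}

if __name__ == "__main__":
    for key, value in summarize(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(key, value)
```

The list in accounts_tried is what you compare against publicly visible names (website, directory listings, mail headers) when answering how the attacker knew which accounts to try; the timeline entries are the raw material for the report's event timeline.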