IRP Assignment

The document outlines an Incident Response Plan for two scenarios: an attack on a corporate VPN and an insider threat involving data theft and sabotage. Each scenario includes steps for identification, containment, eradication, recovery, and lessons learned, emphasizing the importance of security measures such as Multi-Factor Authentication and strict access controls. The plan aims to mitigate risks and enhance security protocols to prevent future incidents.

Uploaded by jobvera96

INCIDENT RESPONSE PLAN FOR THE TWO SCENARIOS

Scenario 1: Attack on a Corporate VPN

Incident Response Steps:

1. Identification:

● Analyze VPN, firewall, and authentication logs to confirm the attack timeline.
● Identify failed and successful login attempts and track the IP addresses involved.
● Capture logs of activities performed by the compromised account ([email protected]).
● Identify any unauthorized access attempts, privilege escalation, and connections to malicious IPs.
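An added example of the identification step (not part of the assignment): it parses constructed VPN authentication log lines (the line format, account names and IP addresses are assumed) and flags, per account and source IP, a burst of failed logins followed by a success, which is the brute-force-then-compromise pattern this scenario describes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN authentication log (not from the assignment). Assumed line
# format: "<ISO timestamp> <FAIL|SUCCESS> user=<account> src=<source IP>".
SAMPLE_LOG = """\
2024-03-01T02:10:01Z FAIL user=jdoe src=203.0.113.7
2024-03-01T02:10:03Z FAIL user=jdoe src=203.0.113.7
2024-03-01T02:10:05Z FAIL user=jdoe src=203.0.113.7
2024-03-01T02:10:07Z FAIL user=jdoe src=203.0.113.7
2024-03-01T02:10:09Z FAIL user=jdoe src=203.0.113.7
2024-03-01T02:10:12Z SUCCESS user=jdoe src=203.0.113.7
2024-03-01T08:30:00Z SUCCESS user=asmith src=198.51.100.20
2024-03-01T08:31:10Z FAIL user=asmith src=198.51.100.20
2024-03-01T08:31:30Z SUCCESS user=asmith src=198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|SUCCESS) user=(\S+) src=(\S+)$")

def parse_log(text):
    """Return (timestamp, result, user, ip) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_brute_force(events, threshold=5, window_seconds=300):
    """Flag (user, ip) pairs with >= threshold failures inside a sliding window.
    A SUCCESS after such a burst is recorded as the likely compromise time."""
    recent_fails = defaultdict(list)
    findings = {}
    for ts, result, user, ip in sorted(events):
        key = (user, ip)
        if result == "FAIL":
            recent_fails[key] = [t for t in recent_fails[key]
                                 if (ts - t).total_seconds() <= window_seconds] + [ts]
            if len(recent_fails[key]) >= threshold and key not in findings:
                findings[key] = {"first_fail": recent_fails[key][0], "compromised_at": None}
        elif key in findings and findings[key]["compromised_at"] is None:
            findings[key]["compromised_at"] = ts  # success after the burst
    return findings

if __name__ == "__main__":
    for (user, ip), info in find_brute_force(parse_log(SAMPLE_LOG)).items():
        print(f"{user} from {ip}: burst began {info['first_fail']}, success at {info['compromised_at']}")
```

The same threshold doubles as the account-lockout trigger named in the lessons learned; a single stray failure (asmith) does not fire.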

2. Containment:

● Immediately disable the compromised account ([email protected]) to prevent further access.
● Temporarily shut down VPN services to stop the ongoing brute-force attack.
● Implement geolocation-based access restrictions to limit VPN logins to known locations.
● Block outbound traffic to the known malicious IP address.
● Apply firewall rules to prevent lateral movement within the internal network.

3. Eradication:

● Reset passwords for all affected accounts and enforce stronger password policies.
● Patch vulnerabilities in the VPN service to mitigate future brute-force attempts.
● Enable Multi-Factor Authentication (MFA) to prevent unauthorized access.
● Conduct a full forensic analysis to determine if any additional accounts were compromised.

4. Recovery:

● Verify the integrity of all employee accounts before re-enabling VPN access.
● Ensure that all systems and authentication mechanisms are updated and secure.
● Implement enhanced logging and monitoring to detect future brute-force attempts.
● Notify and educate employees on VPN security best practices.

5. Lessons Learned:

● MFA is essential for securing VPN access.
● Strict access controls and network segmentation help prevent lateral movement.
● Improved password policies can mitigate brute-force attacks.
● Account lockout mechanisms should be enforced after multiple failed login attempts.

Scenario 2: Insider Threat - Data Theft and Sabotage

Incident Response Steps:

1. Identification:

● Investigate logs and network activity from David R.'s workstation over the past few months.
● Identify data exfiltration activities, including file transfers to external drives.
● Determine which logs were tampered with and analyze the extent of data theft.
● Verify the ransom note and assess if any systems were encrypted or deleted.

2. Containment:

● Immediately disconnect David R.'s workstation to prevent further data theft.
● Disable David R.'s account and revoke all access privileges.
● Segment the network to prevent further unauthorized access.
● Shut down affected systems to stop the execution of malicious scripts.
● Block unauthorized access attempts at the firewall level.

3. Eradication:

● Identify and remove any malicious scripts deployed by David R.
● Conduct malware analysis to determine if additional threats exist.
● Analyze and decrypt any ransomware if necessary.
● Implement stricter access controls to prevent similar incidents.

4. Recovery:

● Restore backups to recover deleted or encrypted data.
● Conduct a physical security audit to ensure all compromised systems are secured.
● Notify affected stakeholders and regulatory bodies about the data breach.
● Rebuild systems from clean backups to ensure data integrity.

5. Lessons Learned:

● Stronger access controls should be implemented for privileged users.
● Regular monitoring of system logs can help detect insider threats earlier.
● Network segmentation should limit employee access to only necessary resources.
● Employee security awareness training should emphasize the risks of insider
