Your individual project for this unit has you responding to management as the IT Team Lead concerning the malware scenario below.
Scenario: LMJ-Ad corporate management has been informed by the network administrative team that there was a malware attack and infection overnight at the system level, now spreading to the network enterprise level, requiring the incident response team to take immediate action. The infection came from a malware attachment on a phishing email and was reported by a user with a priority trouble ticket. Initial interviews suggest the incident may have come from an internal employee.
Provide the following for your investigative report:
General Incident Information
Cover Page (Page 1 – not counted in total page count):
Date: Incident POC Name
Time: Incident POC Phone
Time Zone: Incident POC Email
Section 1.0 (Page 1): Date, time, and time zone for first detection
Example: Threat identified 8/6/20; 11:34am; ET
Section 2.0 Impacted Personnel (Page 1): List names and contact information for all persons involved in detection and initial investigation
Example: Mr. John Doe; Incident Response Lead; 555-555-5656; Mrs. Jane Doe; Network Engineer; 556-557-5678
Section 3.0 Incident Detection Specifics (Page 1; 2 paragraphs): How was the incident detected?
Example: IDS/IPS/HIDS/NIDS alerts; Violation of user behavior baseline; security event threat detection; suspicious network traffic patterns; ransomware, or malware alerts from anti-virus/malware software
Section 4.0 Threat Identification (Page 2; 2 paragraphs): What do you think the threat is?
Example: Classification of threat is based on type of behavior analyzed either live or via logs, and recovered digital forensics data
Section 5.0 Infected Resources (Page 3-4; 2-3 paragraphs): List of systems and network components involved both at the system and network levels: System 1, 2, 3; Network component A, etc., and infections found
Example: Lenovo 20L5000; Serial #; IP Address x; infection
Section 6.0 Digital Evidence (Page 4-5; 2-3 paragraphs): Where can supporting evidence be found?
Example: Location of log file, log file types, time stamps, screen shots, IDS reports
Section 7.0 Tools and Procedures (Page 5-6; 2-3 paragraphs): Describe the tools and procedures used for acquiring the media (ex., disk-to-disk, disk to image, sparse copy), thus creating the forensic image of the media for examination.
Provide a name for assignment: For example Pat_Jones_ITDI-372_Unit2.docx.