Danny Ghazal

8/15/20
NTS405
Final

Scenario: Barry Inc. has been experiencing a large number of inquiries from customers stating that their accounts have been logged into from strange countries and from machines that do not belong to them. Barry Inc. launched an investigation into the issue; after a week they realized their servers had been compromised and customers' personally identifiable information had been stolen and is now sitting in pastebins all over the internet. The company no longer knows what to do: they are scared that more servers have been compromised and are unsure how to proceed. Barry Inc. plans to speak out to the public once they consult a third-party incident response company.

Strategy: The first step to solving this issue is to pick up the pieces and assess the damage. Barry Inc. should use forensics tools such as Mandiant Redline and Autopsy/The Sleuth Kit to try and see what has happened on the drives of the server. At the same time, the logs should be checked to see if any suspicious logins were made during the timeline of the incidents. Most of the time when a company is compromised it's because a company's employees' credentials were stolen, either through social engineering or brute-forcing. The main goal of doing this is to see where the attack came from and possibly by whom. This will allow us to close any security loopholes and work on mitigating the damages. Once this is done we will need to check the internet/dark web for pastebins to see what was stolen and decide the scope of the theft. After these steps are taken it's crucial to notify the public and inform everyone so people are aware of possible identity theft and don't find out later from a leak within the company. Although it won't be good publicity, it will save Barry Inc. from a disaster later on, because people will find out.
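The log check described above, as an added example that is not part of the original paper: the script reads a constructed, assumed login-log format and flags exactly the pattern the customers reported, accounts logging in from a country never seen before for that account, and two logins from different countries too close together to be the same person.

```python
"""Flag suspicious customer logins in an auth log (added example, not from the paper).
Assumed, constructed log format, one event per line:
  <ISO-8601 UTC time> user=<name> ip=<addr> country=<ISO code> device=<id> result=<success|fail>
Per account, in time order: (1) a successful login from a country never seen before,
(2) two successful logins from different countries less than MAX_TRAVEL_GAP apart."""
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) country=(?P<country>\S+) "
    r"device=(?P<device>\S+) result=(?P<result>success|fail)$")
MAX_TRAVEL_GAP = timedelta(hours=2)  # assumed threshold; tune to the real user base

def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec

def find_suspicious_logins(lines):
    """Return (user, iso_timestamp, reason) for successful logins that merit review."""
    records = sorted((r for r in map(parse_line, lines) if r and r["result"] == "success"),
                     key=lambda r: r["ts"])
    seen, last, findings = {}, {}, []   # seen: user->countries; last: user->(ts, country)
    for r in records:
        u, c = r["user"], r["country"]
        if u in seen and c not in seen[u]:
            findings.append((u, r["ts"].isoformat(), f"first login from {c}"))
        if u in last and last[u][1] != c and r["ts"] - last[u][0] < MAX_TRAVEL_GAP:
            findings.append((u, r["ts"].isoformat(),
                             f"{last[u][1]} -> {c} within {r['ts'] - last[u][0]}"))
        seen.setdefault(u, set()).add(c)
        last[u] = (r["ts"], c)
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real data
    "2020-08-10T08:00:00Z user=alice ip=198.51.100.7 country=US device=a1 result=success",
    "2020-08-10T08:40:00Z user=alice ip=203.0.113.9 country=RU device=z9 result=success",
    "2020-08-10T09:00:00Z user=bob ip=198.51.100.8 country=US device=b2 result=success",
    "2020-08-10T09:05:00Z user=bob ip=203.0.113.10 country=US device=b2 result=fail",
    "2020-08-11T09:00:00Z user=bob ip=198.51.100.8 country=US device=b2 result=success",
]

if __name__ == "__main__":
    for user, when, why in find_suspicious_logins(SAMPLE_LOG):
        print(user, when, why)
```

Failed logins are ignored on purpose, so a brute-force burst does not pollute the per-account country baseline; counting failures per IP would be a separate check.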

Recommended Tools:

Observation Tools- These tools will be used to log, manage logs, detect and monitor the network traffic.

● Splunk Enterprise- this tool will be used for log analysis and management. It is great because it does a good job of organizing logs and analyzing trends within logs.

● Suricata- this tool will be used as an IDS; it will detect threats as they come in and show alerts. The tool must be configured to show only the most important pieces of information, otherwise you will be overwhelmed with alerts, most of which could be false positives.

● ntop- this is a network analyzer and is very important for analyzing the things that go through the network. It is only a monitoring tool, but it will give a conclusive overview of the network, which is very valuable.

● OpenVAS- a vulnerability scanner that will give an overview of the attack surface of a specific network.

Evaluating What's Important- These tools will be used to keep an inventory of the system and evaluate which pieces in the network are the most important.

● OCS Inventory- this tool takes an inventory of the system and evaluates which pieces of inventory are the most important. This matters because when something happens it's important to know how critical the issue is.

● AlienVault OTX/AlienVault Labs- this tool isn't absolutely necessary but it could be helpful. It looks for new threats and attacks on a global level; indicators such as IP addresses with bad reputations and command and control servers are all flagged. After they are flagged, context for the threat is provided.

The Plan- This part of the process doesn't require any tools in particular. This step requires detailed documentation on what to do in the event of an incident. This is maybe the most important part of the whole process: it is the road map the company will need to follow in the case of an incident.

Data Capture and Incident Response- these tools will be used to investigate the issue after it has happened. They are for forensics purposes, so the company knows how to pick up the pieces after an online disaster.

● SANS SIFT/Autopsy Sleuth Kit- these tools capture data and perform forensic investigations on drives and within networks. They are capable of checking the integrity of data and the registry, and of creating an audit trail throughout the forensic process.

Conclusion:

For Barry Inc. to solve their issue they must implement all the tools I mentioned above, even if it's after the fact of the incident. After that, they must use the forensic investigation tools, SANS SIFT and Autopsy Sleuth Kit, to see what was compromised. Then Barry Inc. must patch the holes and send a notice to all the customers of the company and the public. Many companies that go through this offer identity theft protection services for free, such as LifeLock, to mitigate inconveniences to customers. This is a great option if Barry Inc. can afford it, and it will also show the general public that they care.


Source

https://cybersecurity.att.com/resource-center/ebook/insider-guide-to-incident-response/incident-response-tools
