– The alarms, scans and scenario is all the information you need.
Logs in the instructions is referring to the SIEM alarm.
A – Summary
B – submit the OSSIM vulnerability report. (attach complete report) as appendix.
c – Submit the systems and data compromised and answer the basic assessment questions in the incident response plan
I) A brief summary of the Vulnerability scan report, SIEM report and the nmap report.
II) Copy, paste and Answer the basic security assessment questions from page 11 of the IR in this format.:
Basic Assessment Questions: There are some things you will not have answer because most are fake attacks run around server with vulnerable web app.
• Has the information been confirmed to be correct and accurate?
• Who, what, when, where, why, and how?
• What information is available from the firewall, router, server, system, intrusion detection system (IDS), system logs, etc.?
• What type of data is involved, and what is its classification? Note that it is unknown or doesn’t exit
• Are there obscenities, child pornography, or confrontational data?
• Is there criminal activity? • Is the data protected by an encryption solution?
• What is the magnitude of the systems being impacted? • Is the event still in progress?
• Has preliminary containment been performed (i.e., disable account, reset password, remove remote access, isolate device in segregated segment)?
• What is the estimated value of the impacted data and systems?
D – Detail analysis of the two-scan reports and why it matters. The attacker may be listed as Allen vault which is the vulnerability scanner. Treat this as a real attack nonetheless
E – there are some reporting timeline on pages 13 -14 of the incident response plan that is important.
F – How do you fix this situation or remediate based on the industry standards e. g NIST or ISO. Specify what the standard
G – Recommendation – How do you avoid this scenario in the future based on industries best practice. (Please note that examples like social engineering and awareness and training has nothing to do with this scenario even though they are part of industries best practice).