Cyber Incident Response for Blue Moon Financial

You are a senior security analyst for Blue Moon Financial (BMF), a large financial services firm that has detected a potential network intrusion in the middle of the night. A technician has called you at home, woken you from a deep sleep, and described suspicious behavior on the network. There has been a recent rash of network intrusion attacks at other financial services firms, and your organization has detected an elevated amount of port scanning and other reconnaissance activity.

Senior management at BMF recognizes that cyber threats could seriously impact the sustainability of the company and has committed budget for technical resources and training, although at a level most would consider modest. The challenge you face as the senior security analyst is that once a technician is trained to a sufficient level, they are hired away by another organization. As a result, your current security team is inexperienced and you are the only person with significant incident response experience. You have recently begun developing an incident response plan, but it is still in the early stages.

You log into the network from home to check the logs and your intrusion detection system, and you quickly determine that your organization is under an active attack.

1. Describe your plan for responding to the network intrusion incident. 3-4 pages. Items you will want to cover include:

a. What your first steps are now that you have confirmed the attack
b. Who should be involved in the response
c. How you will compensate for your team's inexperience
d. What type of resources are necessary
e. What protection measures need to be considered

2. Communication and coordination plan. 3-4 pages. Items to cover include:

Who you call, and when
How you identify priorities and assign resources
How you will communicate with incident responders during the response
How and when you will communicate with management during the response

3. Describe how you will gather further information about the source of the attack. 2-3 pages. Items to cover include:

The type of attack
Where it may have originated (attribution)
The extent of the attack
Whether this is a single attack or part of a complex series of incidents
Other considerations

4. Discuss how you will handle potential evidence. 2-3 pages. Items to cover include:

Chain of custody and preservation
Analysis and reporting
Other items

The paper also needs a table of contents (TOC) and an abstract.

Grading criteria:

The description of the plan for responding to the network intrusion is thoroughly developed and logically presented.

The communication and coordination plan is presented in considerable detail, with appropriate methods of communication and a clear statement of what information needs to be exchanged.

The description of the investigative steps used to determine who is involved and what methods they employed is thoroughly developed and logically presented.

The description of evidence handling, analysis, and reporting is thoroughly developed and logically presented.