28.4.13 Lab - Incident Handling

This document discusses two scenarios involving security incidents and outlines the stages of incident response handling. The first scenario involves a worm infection at a small investment firm. The second scenario involves unauthorized access to payroll records at a large hospital. For each scenario, questions are to be determined for each stage of the incident response process: preparation, detection and analysis, containment/eradication/recovery, and post-incident activity. Effective incident response requires proper planning, rapid identification of incidents, containment to limit damage, and use of lessons learned.

Uploaded by

Broe Mello

Lab - Incident Handling

Objectives
Apply your knowledge of security incident handling procedures to formulate questions about given incident
scenarios.

Background / Scenario
Computer security incident response has become a vital part of any organization. The process for handling a
security incident can be complicated and involve many different groups. An organization must have standards
for responding to incidents in the form of policies, procedures, and checklists. To properly respond to a
security incident, the security analyst must be trained to understand what to do and must also follow all of the
guidelines outlined by the organization. There are many resources available to help organizations create and
maintain a computer incident response handling policy. The NIST Special Publication 800-61r2 is specifically
cited in the Understanding Cisco Cybersecurity Operations Fundamentals (200-201 CBROPS) exam topics.

Instructions

Scenario 1: Worm and Distributed Denial of Service (DDoS) Agent Infestation


Study the following scenario. Discuss and determine the incident response handling questions that should
be asked at each stage of the incident response process. Consider the details of the organization and the
CSIRC when formulating your questions.
This scenario is about a small, family-owned investment firm. The organization has only one location and fewer
than 100 employees. On a Tuesday morning, a new worm is released; it spreads itself through removable
media, and it can copy itself to open Windows shares. When the worm infects a host, it installs a DDoS agent.
It was several hours after the worm started to spread before antivirus signatures became available. The
organization had already incurred widespread infections.
The investment firm has hired a small team of security experts who often use the diamond model of security
incident handling.
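As an added illustration for the detection and containment stages of this scenario (not part of the Cisco lab), the following Python script flags hosts that sweep many distinct peers on TCP/445, which is the open-share propagation path this worm uses, from constructed flow records. The threshold, the addresses and the date are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
FANOUT_THRESHOLD = 20      # distinct SMB peers per window; an assumed tuning value
WINDOW = timedelta(minutes=5)


def build_sample_flows():
    """Constructed flow records (timestamp, src_ip, dst_ip, dst_port); not real data."""
    t0 = datetime(2024, 5, 7, 9, 0)   # constructed date; the lab only says Tuesday morning
    flows = []
    # Normal use: workstation .15 keeps talking to the single file server .5.
    for i in range(30):
        flows.append((t0 + timedelta(seconds=10 * i), "10.0.1.15", "10.0.1.5", SMB_PORT))
    # Worm-like use: .21 sweeps 40 different peers on TCP/445 in under three minutes.
    for i in range(40):
        flows.append((t0 + timedelta(seconds=4 * i), "10.0.1.21", f"10.0.1.{100 + i}", SMB_PORT))
    # A non-SMB flow from the same host; the SMB fan-out check deliberately ignores it.
    flows.append((t0 + timedelta(minutes=3), "10.0.1.21", "203.0.113.9", 6667))
    return sorted(flows)


def smb_fanout_sources(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src_ip: max_distinct_peers} for every source that reached at least
    `threshold` distinct hosts on TCP/445 within any sliding window of `window`."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == SMB_PORT:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged


if __name__ == "__main__":
    for src, peers in smb_fanout_sources(build_sample_flows()).items():
        print(f"isolate {src}: {peers} distinct SMB peers inside {WINDOW}")
```

Flagged sources are candidates for network isolation while signatures are still unavailable; the DDoS agent's own traffic would need a separate check.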
Preparation:

Type your answers here.

Detection and Analysis:


Type your answers here.

 2018 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 3 www.netacad.com

Containment, Eradication, and Recovery:


Type your answers here.

Post-Incident Activity:

Type your answers here.

Scenario 2: Unauthorized Access to Payroll Records


Study the following scenario. Discuss and determine the incident response handling questions that should be
asked at each stage of the incident response process. Consider the details of the organization and the CSIRC
when formulating your questions.
This scenario is about a mid-sized hospital with multiple satellite offices and medical services. The
organization has dozens of locations employing more than 5000 employees. Because of the size of the
organization, they have adopted a CSIRC model with distributed incident response teams. They also have a
coordinating team that watches over the security operations team and helps them to communicate with each
other.
On a Wednesday evening, the organization’s physical security team receives a call from a payroll
administrator who saw an unknown person leave her office, run down the hallway, and exit the building. The
administrator had left her workstation unlocked and unattended for only a few minutes. The payroll program is
still logged in and on the main menu, as it was when she left it, but the administrator notices that the mouse
appears to have been moved. The incident response team has been asked to acquire evidence related to the
incident and to determine what actions were performed.
The security teams practice the kill chain model and they understand how to use the VERIS database. For an
extra layer of protection, they have partially outsourced staffing to an MSSP for 24/7 monitoring.
Preparation: As most security professionals will say, if you can take care of the incident at its source,
the process becomes much easier. The incident handlers practice the kill chain model and
understand how to use the VERIS database. For an extra layer of protection, they have partially
outsourced staffing to a managed security service provider (MSSP) for 24/7 monitoring with CCTV
surveillance.
Every organization needs a security incident response team to protect its critical assets and data. The
first step in incident response is identifying the incident, which means retrieving critical information
about the event as quickly as possible. This can be a challenging task, especially when the
information originates from multiple sources, with different security protocols and methodologies.
VERIS provides a centralized infrastructure that can help organizations approach this challenge more
effectively.
Detection and Analysis: On a Wednesday evening, the organization's physical security team receives
a call from a payroll administrator who saw an unknown person leave her office, run down the
hallway, and exit the building. She had left her workstation unlocked and unattended for only a few
minutes.
The physical security team has been asked to acquire evidence related to the incident and to
determine what actions were performed. These actions include attempting to log into the system,
viewing and modifying any potentially suspicious files, executing commands in the background, and
collecting evidence from the mouse cursor locations where no activity was detected during normal
use. The attack must have taken place between 7:00 p.m. and 7:30 p.m., as the stolen device's battery
was dead when it was discovered at 8:00 p.m. However, traces of activity were found only a few
minutes earlier in the system log, at 6:55 p.m. At 6:55 p.m., an SSH connection from an IP address
inside the company network made a request for an immediate shell on our production server, as far
as we can tell.
Type your answers here.
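An added example for the Detection and Analysis stage, not part of the lab or the answers above: it merges the physical-security call, the workstation's session log and the production server's sshd log into one timeline, then pulls out the SSH logins from the internal network that fall inside the unattended window. Hostnames, addresses, timestamps and the log line formats are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed evidence from three sources; hostnames, IPs and exact times are assumptions.
WORKSTATION_EVENTS = [   # simplified workstation session log (constructed)
    ("2024-05-08 18:40:02", "PAYROLL-WS01: console logon payroll_admin"),
    ("2024-05-08 18:52:30", "PAYROLL-WS01: user idle, screen NOT locked"),
    ("2024-05-08 18:57:11", "PAYROLL-WS01: input activity resumed"),
]
SSHD_LINES = [   # syslog-style sshd lines from the production server (constructed)
    "May  8 18:55:03 prod-app sshd[4121]: Accepted publickey for payroll_admin from 10.20.5.17 port 51422 ssh2",
    "May  8 18:55:05 prod-app sshd[4121]: pam_unix(sshd:session): session opened for user payroll_admin",
    "May  8 19:30:44 prod-app sshd[4388]: Accepted password for backup from 10.20.9.4 port 40012 ssh2",
]
SECURITY_CALL = ("2024-05-08 19:02:00", "call: payroll admin reports unknown person leaving her office")

SSHD_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (.*)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_sshd(lines, year):
    """Turn sshd syslog lines into (datetime, message); syslog omits the year, so it is supplied."""
    parsed = []
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            parsed.append((ts, f"sshd@{m.group(2)}: {m.group(3)}"))
    return parsed

def build_timeline(workstation_events, sshd_lines, call, year=2024):
    """Merge all sources into one chronologically sorted timeline."""
    events = [(datetime.strptime(t, TS_FMT), msg) for t, msg in workstation_events]
    events += parse_sshd(sshd_lines, year)
    events.append((datetime.strptime(call[0], TS_FMT), call[1]))
    return sorted(events)

def unattended_window(timeline):
    """From the last 'screen NOT locked' idle marker until the physical-security call."""
    start = max(ts for ts, msg in timeline if "screen NOT locked" in msg)
    end = max(ts for ts, msg in timeline if msg.startswith("call:"))
    return start, end

def internal_ssh_logins_in_window(timeline, internal_prefix="10.20."):
    """Accepted SSH logins from the internal range that fall inside the unattended window."""
    start, end = unattended_window(timeline)
    return [(ts, msg) for ts, msg in timeline
            if start <= ts <= end and "Accepted" in msg and f"from {internal_prefix}" in msg]
```

The later backup login at 19:30 is kept on the timeline but stays outside the window, which is the kind of negative result the analysis stage should also record.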

Containment, Eradication, and Recovery: The incident team should have already started doing the
reconnaissance. They would have had someone in place to take pictures of the broken glass, track signals
on the ground, and keep an eye out for accelerometers. They would have been gathering information
before they received the call: the name of the staff member who saw the incident happen, background
information about that staff member, and a discussion of the situation prior to when it happened.
The goal of an incident response team is to provide an incident response solution to the organization.
In this case, it would be much easier for them if they had an extra set of eyes looking at the problem
every day, but there simply isn't enough money to outsource full-time staffing responsibilities this
way.
Type your answers here.

Post-Incident Activity: Incident handling is a proactive security measure designed to minimize the
damage caused by an attack, while also allowing you to learn from the incident. Learn how incident
handling can help your organization become more secure.

Type your answers here.

End of document

 2018 - 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 3 www.netacad.com

You might also like