SafeMax_Security_Assignment.

The document outlines a cybersecurity incident response plan for a mid-sized e-commerce company, detailing potential attack scenarios and strategies for containment, log analysis, and tool selection. It emphasizes the importance of understanding attacker behavior, assessing the impact of incidents, and communicating with customers. Recommendations include enabling automatic updates, implementing two-factor authentication, and conducting routine security tests.

Uploaded by

fekano8808

SafeMax Security Assignment.

Hello Team,
If I were a cybersecurity analyst at a mid-sized e-commerce company and
faced the scenarios described in the assignment, then before implementing the
incident response plan it would also be important to think the way the attacker
thinks. This includes reconstructing how he would have carried out the attack.

As per our scenario, I think the attacker may have carried out the attack as
follows:

1. While performing reconnaissance, the attacker could have discovered outdated
software versions running on a server (using Wappalyzer or builtwith.com).
Further research on those versions would have revealed the vulnerabilities
associated with that software.

2. If an exploit was available for that vulnerability, he might have used it,
which would have given him further information about the target or even initial
access.

3. Also, as mentioned, "multiple failed login attempts from a single IP address"
confirms that he used a brute-force attack to get access to the server.

4. Later he waited for non-business hours, when no one would be monitoring or in
the office, to exfiltrate the sensitive data.

5. Using this sensitive data, which might be the credit card details of the
organization's customers, he later carried out fraudulent transactions, also known
as carding.



Incident Response Plan.
Containment Strategy:
This phase deals with limiting the spread and impact of the incident by preventing
further damage.

Removing the Payment Gateway Server from the network and isolating it.
Ensuring that this Payment Gateway Server is not on the same network as the other
Payment Gateway Servers, which would otherwise allow the attacker to pivot to them.
Using firewalls to block the malicious IP from the whole network.
Rate-limiting authentication attempts to defeat brute-force attempts.
Patching the outdated software versions identified from the logs.
Monitoring network and process activity on the server, using tools like Wireshark,
to verify whether any backdoor is still active.
Running multiple Payment Gateway Servers ensures that if one goes down,
availability is not compromised.

Log Analysis:
Analyzing log entries helps to track the attacker's movements and to
understand how he might have carried out the attack.

Important log entries to prioritize for analysis are:


1. Deployed Web Server Logs:

/var/log/apache2/access.log
/var/log/nginx/access.log

2. Authentication Logs:

/var/log/auth.log

3. Analyzing the history command output.

4. Analyzing the w command output in Linux, which provides current active
sessions.

5. Analyzing the last command output in Linux, which provides historical data of
sessions.
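As an added example (not part of the assignment), a small Python script that scans auth.log lines for the brute-force pattern the scenario describes: many failed SSH logins from one IP, and whether a successful login from that same IP followed. The log lines are constructed samples; the host name pgw01, the IPs and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample /var/log/auth.log lines (host, IPs and times are assumptions).
SAMPLE_AUTH_LOG = """\
Mar 14 02:11:03 pgw01 sshd[2041]: Failed password for root from 203.0.113.45 port 51422 ssh2
Mar 14 02:11:05 pgw01 sshd[2041]: Failed password for root from 203.0.113.45 port 51423 ssh2
Mar 14 02:11:07 pgw01 sshd[2041]: Failed password for invalid user admin from 203.0.113.45 port 51424 ssh2
Mar 14 02:11:09 pgw01 sshd[2041]: Failed password for root from 203.0.113.45 port 51425 ssh2
Mar 14 02:11:12 pgw01 sshd[2041]: Failed password for root from 203.0.113.45 port 51426 ssh2
Mar 14 02:11:20 pgw01 sshd[2044]: Accepted password for root from 203.0.113.45 port 51430 ssh2
Mar 14 09:30:01 pgw01 sshd[3100]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Mar 14 09:30:40 pgw01 sshd[3102]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
"""

# sshd writes "Failed password for [invalid user ]<user> from <ip> port <n>"
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")


def find_bruteforce(log_text, threshold=5):
    """Return {ip: (failed_logins, success_after_failures)} for every source IP
    with at least `threshold` failed logins. success_after_failures is True when
    an accepted login from that IP appears after its failures, which is the
    strongest sign that the brute force actually worked."""
    failures = Counter()
    succeeded = defaultdict(bool)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] > 0:
            succeeded[m.group(2)] = True
    return {ip: (n, succeeded[ip]) for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for ip, (n, got_in) in find_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {n} failed logins, successful login afterwards: {got_in}")
```

An IP that shows up here is the one to block at the firewall and to cross-check against the access.log and the w/last output for the same time window.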

Three critical patterns or indicators to search for in the logs are:

Checking for unusual 401 Unauthorized or 403 Forbidden entries.
Using timestamps to filter login requests outside typical business hours.
Searching for malicious payloads in request parameters, such as SQL injection or OS
injection payloads.
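Added example, not from the assignment: a Python script that applies the three indicators above to Apache/nginx combined-format access.log lines, flagging bursts of 401/403 responses from one IP, requests outside business hours, and SQL/OS injection patterns in the decoded request parameters. The sample lines, the business hours (08:00 to 18:00) and the thresholds are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample combined-format access.log lines (IPs, paths and times are assumptions).
SAMPLE_ACCESS_LOG = """\
203.0.113.45 - - [14/Mar/2024:02:15:01 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.45 - - [14/Mar/2024:02:15:02 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.45 - - [14/Mar/2024:02:15:03 +0000] "POST /admin/login HTTP/1.1" 403 512 "-" "python-requests/2.31"
203.0.113.45 - - [14/Mar/2024:02:15:04 +0000] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.45 - - [14/Mar/2024:02:15:05 +0000] "GET /ping?host=127.0.0.1%3Bcat%20/etc/passwd HTTP/1.1" 500 128 "-" "python-requests/2.31"
198.51.100.7 - - [14/Mar/2024:10:02:11 +0000] "GET /products?id=42 HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, path and status code from the combined log format
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Deliberately small signature set: it illustrates the indicator, not a full WAF ruleset.
PAYLOAD_RE = re.compile(r"('\s*or\s+\d+=\d+|union\s+select|;\s*(cat|wget|curl|sh)\b|\.\./)", re.I)


def analyze(log_text, business_hours=(8, 18), auth_fail_threshold=3):
    """Return the three indicators from the text: per-IP 401/403 bursts,
    requests outside business hours, and suspicious request parameters."""
    auth_failures = Counter()
    off_hours, payloads = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that are not in combined format
        ip, ts, _method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if status in ("401", "403"):
            auth_failures[ip] += 1
        if not business_hours[0] <= when.hour < business_hours[1]:
            off_hours.append((ip, when.isoformat()))
        decoded = unquote_plus(path)      # payloads are normally URL-encoded
        if PAYLOAD_RE.search(decoded):
            payloads.append((ip, decoded))
    return {
        "auth_failure_bursts": {ip: n for ip, n in auth_failures.items() if n >= auth_fail_threshold},
        "off_hours_requests": off_hours,
        "suspicious_payloads": payloads,
    }
```

Decoding the path before matching matters: an encoded payload such as %27%20OR%201%3D1 would never match a plain-text signature otherwise.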

Tool Selection:
1. EDRs and XDRs:

EDR (Endpoint Detection and Response) and XDR (Extended Detection and
Response) tools give an in-depth analysis of the endpoints and servers.

They use AI and ML to identify malicious patterns beforehand.

Some EDRs and XDRs are capable of safeguarding endpoints and servers from
ransomware attacks as well.

These tools also provide important functions such as:

1. Remote Shell: Remote connection to the infected endpoint.

2. Isolate: Isolate the endpoint from the network to reduce the spread of the
attack.

2. WAFs (Web Application Firewalls):

WAFs allow analysts to analyze and protect the web endpoints from attackers.

3. SIEM Tools:

SIEM tools provide a centralized console to view and analyze logs from the
endpoints and servers.
Example: Splunk, Wazuh.

Impact Assessment:
This phase involves assessing the impact of the incident, such as the financial,
operational and reputational impact.

Financial Impact: Financial impact addresses the financial cost or losses incurred
from the incident. In our case, as unauthorized transactions were carried out by the
attacker, the financial impact is huge.

Operational Impact: Operational impact addresses whether availability is
compromised or regular business operations are hindered due to security
incidents such as ransomware attacks.

Reputational Impact: Reputational impact involves loss of customers or a bad image
in the market.

Customer Communication:
Customer communication is important as it helps convey the message that the
organization is responsible.

Informing customers helps them change their credentials, as the current credentials
are compromised.



Post-Incident Recommendations:

Ensure automatic updates are enabled:

Automatic updates help to update the software and components to the latest
available version.

Two-Factor Authentication:

Implement two-factor authentication mechanisms, which help in reducing
brute-force attempts and verify the authenticity of the user trying to log in.

Continuous Monitoring and Threat Hunting:

Implement EDRs and XDRs, if not already implemented, which help in detecting
malicious behaviour in real time.

Security Tests:
Conduct routine penetration testing to simulate attack vectors and patch
identified vulnerabilities proactively.

Documentation:
Document the entire process in detail and store it to grow the knowledge
base.
