PBL3 Problem Statement

CIS4124 INFORMATION SECURITY MANAGEMENT 2022
Problem Statement: Incident Response
Introduction
You are the understaffed security team for EdgeCoin PLC, a web-based financial
organisation located in North West England.
EdgeCoin PLC offers an “EdgeWallet” account based on its own proprietary
cryptocurrency. Services include UK-based account transfers, exchange with other
cryptocurrencies and acceptance of international wires from the established banking industry.
The board of directors of EdgeCoin PLC has stated that it aims to offer maximum
security for customers and to minimise and disrupt the facilitation of fraudulent
payments or currency trading through its systems. As such, there has recently been an
announcement that EdgeCoin PLC will start to use a customer’s mobile telephone as a
second authentication factor (2FA).
Network Topology
The following diagram shows the logical distribution of services for the company. The
company employs approximately 100 staff in all functions, located at its head office in
West Lancashire. This location has a small data centre to support development and head
office functions. The head office network has a perimeter firewall.
Development work is conducted remotely by employees who connect to the head office
through the company VPN. Developers have admin rights on their computers for their
work. Developer PCs have AntiVirus (AV) and a Host Intrusion Detection System (HIDS)
installed.
The production system is hosted remotely in a data centre. Clients access their accounts
at this data centre through a browser interface or mobile app. EdgeCoin’s in-house team
is responsible for overall security, though some aspects are sub-contracted to specialist
3rd-party suppliers.
Functions managed by a 3rd party are:
- DDoS Mitigation Service (e.g. Prolexic), which blocks attack traffic and allows through legitimate traffic
- Cloud Email Service
- External Network Connections (Internet, WAN)
- Firewalls
- Remote Access
- IDS/IPS
Functions managed within the team:
- Email Security Gateway
- Internet Browsing Proxy
- DNS Firewall (Infoblox)
- Desktop AV with HIPS
- Remote forensics capability, including the ability to pull processes from filesystem/memory
- Malware Sandboxing
- Central logging in a Big Data solution
You also participate in CiSP and a number of Threat Intelligence sharing communities,
where network and host Indicators of Compromise (IOCs) are shared and questions can be
asked anonymously of the community.
Background
Most incidents to date have been:
- Malware spam emails, using EdgeCoin PLC branding, being sent to customers.
- Members of staff highlighting fake parcel-delivery malware emails.
- One instance of a very low-level DoS-type attempt; however, the DDoS mitigation service was not activated because changes were being made for the 2FA solution.
- The standard daily noise of port scanning.
Scenario
The scenario for this case consists of a series of events to which you need to respond.
There is a company incident response procedure, which you need to be aware of before
the first event. At the end, your team will need to perform a post-mortem to discuss the
effectiveness of your actions.
Resources
There are a number of resources available to you:
EdgeCoin Incident Response Procedure (Notes): found in Week 7 of the module area.
CYFOR Secure, Cyber Security 2022 (Incident Response):
https://cyforsecure.co.uk/services/our-detection-response-services/cyber-incident-response/?gclid=EAIaIQobChMItprGr7SU-gIVUO7tCh3PiQR2EAAYASAAEgKpBvD_BwE
Ahmed, Y., Taufiq, A., & Md Arafatur, R. (2021). A Cyber Kill Chain Approach for
Detecting Advanced Persistent Threats. Computers, Materials & Continua, 67(2), 2497-2513.
http://www.open-access.bcu.ac.uk/12795/
NIST Computer Security Resource Center:
https://csrc.nist.gov/glossary/term/incident_response_plan
NCSC: Incident management. How to effectively detect, respond to and resolve cyber
incidents (2022):
https://www.ncsc.gov.uk/collection/incident-management/cyber-incident-response-processes
ISACA Journal: Cybersecurity Incident Response Exercise Guidance. Author: Larry G.
Wlosinski, CISA, CRISC, CISM, CDPSE, CAP, CBCP, CCSP, CDP, CIPM, CISSP, ITIL v3, PMP.
Date published: 18 January 2022:
https://www.isaca.org/resources/isaca-journal/issues/2022/volume-1/cybersecurity-incident-response-exercise-guidance
British Standards ISO 27001 Overview: http://emea.bsi-global.com/InformationSecurity/index.xalter [Last accessed 09-Sep-2022]
Stage 1
There is a high volume of alerts, reported through the SIEM system, for blocked Backdoor
Trojan traffic from the HIDS on the computer of a remote developer.
The Trojan is attempting to contact its command and control (C2) parent and exfiltrate
data.
You have been asked to investigate this as the Incident Response team. Prepare a brief
report for the Chief Information Security Officer (CISO) which explains the following:
1. Is this classified as a security incident?
2. What information do you need from an investigation?
3. What damage is likely to have occurred?
4. What further damage could occur if no action was taken?
5. What action should be taken?
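As an added illustration (not part of the original problem statement, and not the EdgeCoin incident response procedure), the following Python script shows the kind of first-pass triage the team could run over a SIEM export of the HIDS alerts before writing the Stage 1 report: it groups alerts per host, counts the C2-related ones, extracts the blocked destinations as candidate network IOCs for sharing with CiSP, and estimates the beacon interval, which helps distinguish an active implant from a one-off detection. The alert lines, the export field names (ts, host, user, signature, action, dst, dport) and the alert threshold are all constructed assumptions for the example.

```python
"""Triage of HIDS 'Backdoor Trojan' block alerts exported from a SIEM.

Constructed sample data: the alert lines below are invented for this
example and are not from any real SIEM.  The field names and the
threshold are assumptions about what such an export would contain.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed SIEM export (CSV).  DEV-LAPTOP-07 has a burst of outbound C2
# blocks; DEV-LAPTOP-12 has a single unrelated AV event for contrast.
SAMPLE_ALERTS = """\
ts,host,user,signature,action,dst,dport
2022-10-03T08:01:12Z,DEV-LAPTOP-07,jdoe,Backdoor.Trojan C2 beacon,blocked,198.51.100.23,443
2022-10-03T08:01:42Z,DEV-LAPTOP-07,jdoe,Backdoor.Trojan C2 beacon,blocked,198.51.100.23,443
2022-10-03T08:02:12Z,DEV-LAPTOP-07,jdoe,Backdoor.Trojan C2 beacon,blocked,198.51.100.23,443
2022-10-03T08:02:40Z,DEV-LAPTOP-07,jdoe,Backdoor.Trojan data exfiltration,blocked,203.0.113.77,8443
2022-10-03T08:02:42Z,DEV-LAPTOP-07,jdoe,Backdoor.Trojan C2 beacon,blocked,198.51.100.23,443
2022-10-03T08:03:12Z,DEV-LAPTOP-07,jdoe,Backdoor.Trojan C2 beacon,blocked,198.51.100.23,443
2022-10-03T08:03:30Z,DEV-LAPTOP-07,jdoe,Backdoor.Trojan data exfiltration,blocked,203.0.113.77,8443
2022-10-03T08:10:05Z,DEV-LAPTOP-12,asmith,EICAR test file detected,quarantined,,
"""

# Assumed triage threshold: this many repeated C2-related blocks on one host
# is treated as an incident to be worked, not a ticket to be closed.
C2_ALERT_THRESHOLD = 5
C2_KEYWORDS = ("c2", "command and control", "exfiltration", "backdoor")


def parse_alerts(text):
    """Parse the CSV export into dicts with a real datetime in 'ts'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def is_c2_related(signature):
    """Crude signature classifier: does the name point at C2 or exfiltration?"""
    sig = signature.lower()
    return any(k in sig for k in C2_KEYWORDS)


def triage(alerts):
    """Group alerts per host and decide which hosts warrant an incident.

    Returns {host: summary} with the alert count, the window over which the
    host has been trying to beacon, the distinct destinations (candidate
    network IOCs) and the classification.
    """
    per_host = defaultdict(list)
    for a in alerts:
        per_host[a["host"]].append(a)

    result = {}
    for host, rows in per_host.items():
        c2_rows = [r for r in rows if is_c2_related(r["signature"])]
        iocs = sorted({f'{r["dst"]}:{r["dport"]}' for r in c2_rows if r["dst"]})
        first = min(r["ts"] for r in rows)
        last = max(r["ts"] for r in rows)
        result[host] = {
            "user": rows[0]["user"],
            "alerts": len(rows),
            "c2_alerts": len(c2_rows),
            "signatures": Counter(r["signature"] for r in rows),
            "window_minutes": round((last - first).total_seconds() / 60, 1),
            "iocs": iocs,
            "classification": "incident" if len(c2_rows) >= C2_ALERT_THRESHOLD else "event",
        }
    return result


def beacon_interval_seconds(alerts, host):
    """Median gap between consecutive C2-related alerts on one host.

    A steady interval is typical of automated beaconing rather than a user
    clicking something once, which supports the 'active implant' reading.
    """
    times = sorted(a["ts"] for a in alerts
                   if a["host"] == host and is_c2_related(a["signature"]))
    gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
    return gaps[len(gaps) // 2] if gaps else None


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for host, s in triage(alerts).items():
        print(host, s["classification"], s["c2_alerts"], "C2 alerts", s["iocs"],
              "beacon every", beacon_interval_seconds(alerts, host), "s")
```

Run on the constructed data, DEV-LAPTOP-07 is classified as an incident with two candidate IOCs and a median beacon interval of 30 seconds, while DEV-LAPTOP-12 stays an event. The IOC list is what would be checked against the central logging platform (has any other host talked to those destinations?) and shared with CiSP once the investigation confirms them.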
Stage 2
Fraud staff report multiple accounts being debited to mule accounts that have only just
been created.
Network monitoring shows that bandwidth is utilised to full capacity.
Within a few minutes the firewall provider calls to say they have detected UDP attack
traffic and suggests going into mitigation.
What attacks are taking place?
How might this be related to Stage 1?
What would you do?
What do you need to research before you decide?
The business demands to know what is happening and when operations will be restored,
since customers are calling in to complain: the website was unavailable, and now it is
extremely slow and often fails.
How do you respond?
Prepare a brief report for the Chief Information Security Officer (CISO) which explains:
1. What has occurred
2. What impact this could have
3. Action taken to mitigate the attack.
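As an added example (not part of the original problem statement or of any provider's tooling), the Python below shows how the team could confirm the firewall provider's "UDP attack traffic" report from their own flow data before deciding on mitigation: it computes link utilisation against an assumed capacity, the UDP share of bytes, and whether the UDP source ports cluster on well-known reflection services, then maps that to the Stage 2 decision. The flow records, the field layout (proto, src, sport, dst, dport, bytes, packets), the 1 Gbit/s capacity, the 60-second window and the thresholds are constructed assumptions.

```python
"""Characterising the volumetric traffic seen in Stage 2 from flow records.

Constructed sample data: the flow records below are invented for this
example; link capacity, window and thresholds are assumptions, as is the
field layout of the export (a NetFlow/IPFIX summary from the SIEM).
"""
from collections import Counter

LINK_CAPACITY_BPS = 1_000_000_000   # assumed 1 Gbit/s internet link
WINDOW_SECONDS = 60                 # assumed aggregation window of the export
SATURATION_RATIO = 0.9              # assumed: >= 90% of capacity counts as "full"

# Constructed 60-second flow summary.  Addresses are RFC 5737 documentation
# ranges; 192.0.2.10 stands in for the customer-facing web front end.
SAMPLE_FLOWS = [
    # (proto, src, sport, dst, dport, bytes, packets)
    ("udp", "198.51.100.5",    123, "192.0.2.10", 4321, 2_000_000_000, 4_100_000),
    ("udp", "198.51.100.9",    123, "192.0.2.10", 4321, 1_900_000_000, 3_900_000),
    ("udp", "203.0.113.40",     53, "192.0.2.10", 4321, 1_600_000_000, 1_100_000),
    ("udp", "203.0.113.41",     53, "192.0.2.10", 4321, 1_500_000_000, 1_000_000),
    ("tcp", "203.0.113.200", 51000, "192.0.2.10",  443,   120_000_000,   100_000),
    ("tcp", "198.51.100.77", 51344, "192.0.2.10",  443,    80_000_000,    70_000),
    ("tcp", "203.0.113.9",   52888, "192.0.2.10",  443,     2_000_000,     1_800),
]

# UDP services commonly abused for reflection/amplification.  A flood whose
# *source* ports cluster here is reflected traffic, so the listed sources are
# third-party servers, not the attacker, which matters for any blocking.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}


def summarise(flows, window=WINDOW_SECONDS, capacity=LINK_CAPACITY_BPS):
    """Return link utilisation, protocol share and the reflector profile."""
    bytes_by_proto = Counter()
    udp_sport_bytes = Counter()
    udp_src_bytes = Counter()
    for proto, src, sport, _dst, _dport, nbytes, _pkts in flows:
        bytes_by_proto[proto] += nbytes
        if proto == "udp":
            udp_sport_bytes[sport] += nbytes
            udp_src_bytes[src] += nbytes
    total = sum(bytes_by_proto.values())
    udp_total = bytes_by_proto["udp"]
    utilisation = (total * 8 / window) / capacity
    reflected = sum(b for p, b in udp_sport_bytes.items() if p in REFLECTION_PORTS)
    return {
        "utilisation": utilisation,
        "saturated": utilisation >= SATURATION_RATIO,
        "udp_share": udp_total / total if total else 0.0,
        "reflection_services": sorted(REFLECTION_PORTS[p] for p in udp_sport_bytes
                                      if p in REFLECTION_PORTS),
        "reflected_share_of_udp": reflected / udp_total if udp_total else 0.0,
        "top_udp_sources": [s for s, _ in udp_src_bytes.most_common(3)],
    }


def recommendation(summary):
    """Map the summary onto the Stage 2 decision about the provider's offer."""
    if summary["saturated"] and summary["udp_share"] > 0.5:
        return "request DDoS mitigation (UDP volumetric flood)"
    if summary["utilisation"] > 0.5:
        return "monitor closely; pre-stage mitigation with the provider"
    return "no volumetric attack indicated"


if __name__ == "__main__":
    s = summarise(SAMPLE_FLOWS)
    print(f"utilisation {s['utilisation']:.0%}, UDP share {s['udp_share']:.0%}, "
          f"reflectors {s['reflection_services']} -> {recommendation(s)}")
```

On the constructed data the link is at about 96% of capacity with 97% of bytes being UDP sourced from DNS and NTP ports, so the recommendation is to accept the provider's mitigation. The reflector profile also answers part of "what do you need to research": the top UDP sources are reflectors rather than the attacker, so blocking them individually buys little, whereas the provider scrubbing UDP to the web front end does.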
Stage 3
Discussions with the 3rd-party network provider show that there are multiple SSL-encrypted
tunnels consuming large amounts of bandwidth. This is a layer 7 attack as well, with
attackers constantly pulling large documents.
Prepare a brief report for the Chief Information Security Officer (CISO) which
explains:
1. What has occurred
2. What impact this could have
3. Action taken to mitigate the attack.
4. Once the attack is over, what actions should be taken?
5. What can the company do to reduce the future risk of this type of attack?
6. What documentation should be produced?
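As an added example (not part of the original problem statement), the Python below shows how the team could separate the layer 7 "large document" pullers from legitimate customers using the web front end's own access logs. The network provider only sees encrypted tunnels, but the front end terminates TLS, so request paths and response sizes are visible there; the script profiles each client by number and rate of large pulls, which is the evidence a rate-limit or block list for the provider's mitigation would be built from. The log lines (combined log format), the document paths and the thresholds are constructed assumptions.

```python
"""Identifying the layer 7 'large document pull' clients in Stage 3.

Constructed sample data: the access-log lines below are invented for this
example; the thresholds are assumptions.  Response sizes are the bytes
actually sent, so one client repeatedly fetching multi-megabyte files
shows up as both high byte volume and an inhuman request rate.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [ts] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Assumed thresholds for a 'large document' and for an abusive client.
LARGE_BYTES = 5_000_000     # responses of 5 MB or more count as large documents
MIN_LARGE_REQUESTS = 10     # at least this many large pulls in the window
MAX_LEGIT_RATE = 0.5        # more than one large pull every 2 s is not a person reading

SAMPLE_LOG = "\n".join(
    # constructed attacker: the same 9 MB report 20 times in 20 seconds
    [f'203.0.113.50 - - [05/Oct/2022:10:15:{s:02d} +0100] '
     f'"GET /docs/annual-report-2021.pdf HTTP/1.1" 200 9437184' for s in range(20)]
    # constructed customer: two statements about a minute apart
    + ['198.51.100.8 - - [05/Oct/2022:10:15:03 +0100] "GET /docs/statement-2022-09.pdf HTTP/1.1" 200 6291456',
       '198.51.100.8 - - [05/Oct/2022:10:16:01 +0100] "GET /docs/statement-2022-08.pdf HTTP/1.1" 200 6100000']
    # constructed customer: ordinary login traffic, no documents
    + ['192.0.2.77 - - [05/Oct/2022:10:15:10 +0100] "GET /login HTTP/1.1" 200 4120',
       '192.0.2.77 - - [05/Oct/2022:10:15:12 +0100] "POST /login HTTP/1.1" 302 -']
)


def parse_log(text):
    """Yield one dict per parseable line; unknown lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
        yield d


def profile_clients(records):
    """Per client IP: requests, bytes sent, count and rate of large pulls."""
    per_ip = defaultdict(list)
    for r in records:
        per_ip[r["ip"]].append(r)
    profiles = {}
    for ip, rows in per_ip.items():
        large = [r for r in rows if r["bytes"] >= LARGE_BYTES]
        if large:
            span = (max(r["ts"] for r in large) - min(r["ts"] for r in large)).total_seconds()
            rate = len(large) / max(span, 1.0)   # pulls per second; guard a zero-length span
        else:
            rate = 0.0
        profiles[ip] = {
            "requests": len(rows),
            "bytes": sum(r["bytes"] for r in rows),
            "large_pulls": len(large),
            "large_rate": rate,
            "paths": sorted({r["path"] for r in large}),
        }
    return profiles


def abusive_clients(profiles):
    """Clients whose large-document pull rate no human browsing session produces."""
    return sorted(ip for ip, p in profiles.items()
                  if p["large_pulls"] >= MIN_LARGE_REQUESTS and p["large_rate"] > MAX_LEGIT_RATE)


if __name__ == "__main__":
    profiles = profile_clients(parse_log(SAMPLE_LOG))
    for ip in abusive_clients(profiles):
        p = profiles[ip]
        print(f"{ip}: {p['large_pulls']} large pulls at {p['large_rate']:.2f}/s, "
              f"{p['bytes'] / 1e6:.0f} MB, paths {p['paths']}")
```

On the constructed log only 203.0.113.50 is flagged: twenty 9 MB pulls in twenty seconds. The customer who downloaded two statements a minute apart is not, which is the point of requiring both a minimum count and a minimum rate rather than keying on byte volume alone; that distinction is what keeps the mitigation from cutting off the very customers who are already calling to complain. The same per-path view also tells the team which documents to move behind authentication or a CDN once the attack is over.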