
Incident Handler's Journal

Posted on: January 31, 2024 at 02:32 AM

Throughout the Google Cybersecurity Professional course, we used a fixed template to record our insights after completing each activity, or to write down notes capturing our understanding of a particular tool or concept. This journal became a central place for cataloguing significant observations about the cybersecurity tools and concepts encountered throughout the curriculum.

Documentation matters in many areas of cybersecurity, and an incident handler’s journal is where pertinent information about a security incident is recorded as the incident unfolds. A working security practitioner may add entries to their incident handler’s journal regularly, using it as a repository for recalling critical concepts and tools at a moment’s notice.

Incident handler’s journal

Date: Entry: #1
Description: Documenting a cybersecurity incident

This incident unfolded in two main stages:
  1. Detection and Analysis: Initially, the organization identified the ransomware incident through certain indicators. Seeking expert guidance, they reached out to various organizations for technical support and analysis.
  2. Containment, Eradication, and Recovery: Subsequently, the organization implemented measures to limit the incident's impact. As a precaution, they temporarily suspended their computer systems. Recognizing the complexity of fully resolving the situation, they sought collaborative assistance from multiple organizations to address the incident comprehensively.
Tool(s) used: None.
The 5 W's
  • Who: An organized group of unethical hackers
  • What: A ransomware security incident
  • Where: At a health care company
  • When: Tuesday 9:00 a.m.
  • Why: The incident occurred due to unethical hackers successfully accessing the company's systems via a phishing attack. Subsequently, they initiated their ransomware on the company's systems, encrypting critical files. The attackers' motivation seems financial, as evidenced by their ransom note demanding a substantial sum in exchange for the decryption key.
Additional notes
  1. How could the health care company prevent an incident like this from occurring again?
  2. Should the company pay the ransom to retrieve the decryption key?

Date: Entry: #2
Description: Analyzing a packet capture file
Tool(s) used: During this task, I employed Wireshark, a network protocol analyzer renowned for its intuitive graphical user interface. Wireshark's significance in the realm of cybersecurity lies in its capability to capture and scrutinize network traffic, empowering security analysts to detect and probe into potentially malicious activities effectively.
The 5 W's
  • Who: N/A
  • What: N/A
  • Where: N/A
  • When: N/A
  • Why: N/A
Additional notes: As someone with experience as an IT technician and web programmer, my interaction with Wireshark has been limited. However, diving into this exercise to analyze a packet capture file was a fresh and intriguing challenge for me. Initially, I found the interface to be quite daunting, but I quickly recognized its potential as a robust tool for gaining insight into network traffic dynamics.

Date: Entry: #3
Description: Packet capture
Tool(s) used: During this task, I utilized tcpdump to capture and inspect network traffic.

Tcpdump is a command-line network protocol analyzer. Much like Wireshark, tcpdump matters in cybersecurity because it lets security analysts capture, filter, and scrutinize network traffic, aiding threat detection and analysis.

The 5 W's
  • Who: N/A
  • What: N/A
  • Where: N/A
  • When: N/A
  • Why: N/A
Additional notes: Although I'm familiar with the command-line interface from my experience as an IT technician and web programmer, capturing and filtering network traffic presented a new challenge for me. I encountered some difficulties along the way, particularly due to using incorrect commands, which led to getting stuck a couple of times. However, by diligently following the instructions and retracing my steps when necessary, I successfully navigated through this activity and effectively captured network traffic.
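Entries #2 and #3 both centre on reading a packet capture, so here is an added example (not from the course or this journal) that parses a pcap file by hand in Python and applies the same `port 53` selection that tcpdump's filter expression would. The three-packet capture, its addresses, MAC addresses and ports are constructed for the demonstration.

```python
import struct
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4                  # little-endian pcap, microsecond timestamps
PROTO_NAMES = {6: "TCP", 17: "UDP"}
ETH = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00"   # constructed MACs, IPv4 ethertype

def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame for the sample capture (checksums left zero)."""
    if proto == 6:                       # TCP: 20-byte header, only the ACK flag set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 65535, 0, 0)
    else:                                # UDP: 8-byte header, length covers the payload
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0, 64,
                     proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return ETH + ip + l4 + payload

def build_pcap(frames):                  # pcap global header (link type 1 = Ethernet) + one record per frame
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1706668320 + i, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Yield one dict per IPv4 TCP/UDP packet; non-IP and truncated records are skipped."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]     # IP header length, L4 protocol number
        l4 = frame[14 + ihl:]
        if proto not in PROTO_NAMES or len(l4) < 4:
            continue
        yield {"ts": ts_sec + ts_usec / 1e6, "proto": PROTO_NAMES[proto],
               "src": str(IPv4Address(frame[26:30])), "dst": str(IPv4Address(frame[30:34])),
               "sport": struct.unpack_from("!H", l4)[0], "dport": struct.unpack_from("!H", l4, 2)[0]}

def filter_port(packets, port):
    """Same selection as the tcpdump filter 'port <port>': either endpoint matches."""
    return [p for p in packets if port in (p["sport"], p["dport"])]

# Constructed three-packet capture: a DNS query/response pair and one HTTPS segment.
SAMPLE_PCAP = build_pcap([build_frame("10.0.0.5", "8.8.8.8", 17, 51000, 53, b"\x00" * 12),
                          build_frame("10.0.0.5", "93.184.216.34", 6, 51001, 443),
                          build_frame("8.8.8.8", "10.0.0.5", 17, 53, 51000, b"\x00" * 12)])
```

`filter_port(parse_pcap(SAMPLE_PCAP), 53)` returns the two DNS packets, the same two records `tcpdump -r capture.pcap port 53` would print for this capture.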

Date: Entry: #4
Description: Investigate a suspicious file hash
Tool(s) used: In this task, I utilized VirusTotal, a versatile tool designed for investigating files and URLs to uncover potential malicious content like viruses, worms, and trojans. It's particularly beneficial for swiftly verifying if a given indicator, such as a website or file, has been flagged as malicious within the cybersecurity community. During this exercise, I employed VirusTotal to scrutinize a file hash, which had been flagged as malicious.

This incident unfolded during the Detection and Analysis phase, wherein I assumed the role of a security analyst at a Security Operations Center (SOC) tasked with investigating a suspicious file hash. Following the detection of the suspicious file by our security systems, I conducted thorough analysis and investigation to ascertain the legitimacy of the alert and determine whether it posed a genuine threat.

The 5 W's
  • Who: An unknown malicious actor
  • What: The incident involves an email containing a harmful file attachment, identified by its SHA-256 file hash: 54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b
  • Where: An employee's computer at a financial services company
  • When: At 1:20 p.m., an alert was sent to the organization's SOC after the intrusion detection system detected the file
  • Why: An employee was able to download and execute a malicious file attachment via e-mail.
Additional notes: What measures can we implement to prevent such incidents from occurring again? Is it worth exploring enhancements to our security awareness training to encourage employees to exercise caution when interacting with online content?
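As an added example (not part of the journal or the course material), this Python helper performs the checks an analyst would run before and alongside a VirusTotal lookup of the Entry #4 hash: it validates the digest's format, confirms that the digest actually matches the attachment bytes the alert refers to, and checks a local blocklist. The blocklist and attachment bytes are constructed here; the lookup URL follows VirusTotal's public file-report address pattern.

```python
import hashlib
import re

HEX_DIGEST = re.compile(r"^[0-9a-f]+$")
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
# Constructed blocklist holding the SHA-256 from the Entry #4 alert.
KNOWN_BAD = {"54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b": "flagged attachment (Entry #4)"}

def normalize_hash(value):
    """Lower-case the digest and name its algorithm by length; reject anything that is not a digest."""
    v = value.strip().lower()
    if len(v) not in DIGEST_LENGTHS or not HEX_DIGEST.match(v):
        raise ValueError("not a recognised hex digest: %r" % value)
    return v, DIGEST_LENGTHS[len(v)]

def triage(alert_hash, attachment=None, blocklist=KNOWN_BAD):
    """Validate the indicator, optionally confirm it matches the attachment, then check the blocklist."""
    digest, algo = normalize_hash(alert_hash)
    result = {"hash": digest, "algorithm": algo, "verdict": "unknown",
              "lookup_url": "https://www.virustotal.com/gui/file/" + digest}
    if attachment is not None:
        # A mismatch means the alert's hash describes a different file than the one in hand.
        result["matches_attachment"] = hashlib.new(algo, attachment).hexdigest() == digest
    if digest in blocklist:
        result["verdict"] = "malicious"
        result["source"] = blocklist[digest]
    return result
```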

Reflections / Notes
  1. Were there any specific activities that were challenging for you? Why or why not?
    Engaging in the tcpdump activity proved to be quite challenging for me. While I'm familiar with the command line from my experience as an IT technician and programmer, delving into the syntax of a tool like tcpdump presented a significant learning curve. Initially, I encountered frustration as I struggled to achieve the desired output. However, by revisiting the activity and pinpointing my errors, I was able to identify where I went wrong. This experience reinforced the importance of attentively reading instructions and methodically working through tasks step by step.
  2. Has your understanding of incident detection and response changed after taking this course?
    Upon completing this course, my comprehension of incident detection and response has significantly evolved. Initially, I possessed a rudimentary understanding of these concepts, stemming from my background as an IT technician and web developer. However, as I delved deeper into the course material, I gained a newfound appreciation for the intricacies involved in incident detection and response. Through studying the lifecycle of an incident, understanding the significance of comprehensive plans, streamlined processes, and the pivotal role of personnel, I have broadened my knowledge base. Overall, I am now equipped with a deeper understanding and enhanced expertise in incident detection and response strategies.
  3. Was there a specific tool or concept that you enjoyed the most? Why?
    Exploring network traffic analysis and utilizing network protocol analyzer tools was a fascinating journey for me, especially considering my background in IT. While it wasn't my first exposure to network traffic analysis, I found the experience both challenging and exhilarating. The ability to capture and analyze network traffic in real-time using specialized tools was particularly intriguing. This has sparked a desire to delve deeper into this topic, with aspirations of enhancing my proficiency in utilizing network protocol analyzer tools in the future.