
Security Incident Report

Posted on: December 5, 2023 at 06:05 AM

As part of the Google Cybersecurity Professional Certificate program, I took on the role of a cybersecurity analyst tasked with investigating a security issue on the company's website, yummyrecipesforme.com. Visitors to the site ran into the problem as soon as the main page loaded. My job was to investigate, identify and document the issue, and propose a fix.

To investigate the event, I examined the tcpdump log and the captured DNS and HTTP traffic to determine which network protocol carried the connection between the user and the website. I then documented the sequence of events in the incident. Finally, I recommended a security measure the organization can implement to mitigate brute-force attacks in the future, which would also improve its overall security posture.

Security Incident Report

Part 1: The network protocol involved in the incident
The network protocol involved in the incident is the Hypertext Transfer Protocol (HTTP). Running tcpdump while visiting yummyrecipesforme.com to reproduce and capture the problem, the analyst logged the DNS and HTTP traffic to a dedicated traffic file. Analysis of that capture showed that the malicious file was delivered to users' computers over HTTP at the application layer; the DNS lookups that precede each connection only resolve the hostnames, while the file itself travels in the HTTP response. Because the site was served over plain HTTP rather than HTTPS, the requests appear in clear text in the capture, which is why the download and the later change in traffic can be read directly from the log.
Part 2: Documentation of the incident
Several customers reported to the website owner that when they visited the site they were prompted to download and run a file that claimed to be a browser update, and that afterwards their computers ran noticeably slower. Alarmed, the website owner tried to log into the web server and found they were locked out of their account.

To investigate safely, the cybersecurity analyst used a sandbox environment isolated from the company network. With tcpdump running, the analyst captured the network and protocol traffic generated while interacting with the website, downloaded the file that claimed to be a browser update, and executed it. The browser was then redirected to a counterfeit website, greatrecipesforme.com, that mirrored the original yummyrecipesforme.com.

The tcpdump log showed the browser first requesting the IP address for yummyrecipesforme.com and then establishing a connection to that address over HTTP. Around the point at which the analyst recalled downloading and executing the file, the traffic changed distinctly: the browser requested a DNS resolution for the new greatrecipesforme.com URL, and subsequent traffic went to the IP address associated with the counterfeit website.
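
The reconstruction described above can be automated. The following is an added example, not part of the original report or the course materials: it parses constructed tcpdump-style lines (RFC 5737 documentation addresses, invented timestamps and sequence numbers, written to mirror the sequence described in this section), pairs each DNS answer with the name that was queried, and flags the point at which the client opens an HTTP session to a hostname other than the one it started with. The function names and the sample log are my own.

```python
import re
from collections import namedtuple

# Constructed sample in tcpdump's default text format (hostnames shown as
# service names, e.g. ".http" and ".domain"). Addresses are RFC 5737
# documentation ranges; this is NOT the lab's real capture.
SAMPLE_LOG = """\
14:18:32.192571 IP 192.0.2.15.52444 > 198.51.100.53.domain: 35084+ A? yummyrecipesforme.com. (24)
14:18:32.204388 IP 198.51.100.53.domain > 192.0.2.15.52444: 35084 1/0/0 A 203.0.113.22 (40)
14:18:36.786501 IP 192.0.2.15.36086 > 203.0.113.22.http: Flags [S], seq 2873951608, win 65495, length 0
14:18:36.786545 IP 203.0.113.22.http > 192.0.2.15.36086: Flags [S.], seq 3984334959, ack 2873951609, win 65483, length 0
14:18:36.786589 IP 192.0.2.15.36086 > 203.0.113.22.http: Flags [.], ack 1, win 512, length 0
14:18:36.786812 IP 192.0.2.15.36086 > 203.0.113.22.http: Flags [P.], seq 1:74, ack 1, win 512, length 73: HTTP: GET / HTTP/1.1
14:20:32.192571 IP 192.0.2.15.52444 > 198.51.100.53.domain: 21899+ A? greatrecipesforme.com. (24)
14:20:32.204388 IP 198.51.100.53.domain > 192.0.2.15.52444: 21899 1/0/0 A 198.51.100.140 (40)
14:20:36.786501 IP 192.0.2.15.36090 > 198.51.100.140.http: Flags [S], seq 1020702883, win 65495, length 0
14:20:36.786812 IP 192.0.2.15.36090 > 198.51.100.140.http: Flags [P.], seq 1:74, ack 1, win 512, length 73: HTTP: GET / HTTP/1.1
"""

# A-record query: "... > resolver.domain: 35084+ A? name. (24)"
DNS_QUERY = re.compile(r"^(?P<ts>\S+) IP \S+ > [^\s:]+: \d+\+ A\? (?P<name>\S+)\. \(\d+\)")
# A-record answer: "... 35084 1/0/0 A 203.0.113.22 (40)"
DNS_ANSWER = re.compile(r"^(?P<ts>\S+) IP \S+ > [^\s:]+: \d+ \d+/\d+/\d+ A (?P<ip>\d+\.\d+\.\d+\.\d+)")
# Client-side TCP packet to a web port; the server's replies do not match
# because their source field ends in a service name, not a port number.
TCP_PACKET = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<port>http|80|https|443): Flags \[(?P<flags>[^\]]+)\]"
)

Session = namedtuple("Session", "ts domain ip port")


def parse_sessions(log_text):
    """Walk the capture in order and return every client-initiated TCP
    session (a bare SYN) to a web port, labelled with the hostname the
    client most recently resolved to that address."""
    ip_to_name = {}
    pending_name = None
    sessions = []
    for line in log_text.splitlines():
        m = DNS_QUERY.match(line)
        if m:
            pending_name = m.group("name")
            continue
        m = DNS_ANSWER.match(line)
        if m and pending_name:
            ip_to_name[m.group("ip")] = pending_name
            pending_name = None
            continue
        m = TCP_PACKET.match(line)
        if m and m.group("flags") == "S":
            ip = m.group("dst")
            sessions.append(Session(m.group("ts"), ip_to_name.get(ip, ip), ip, m.group("port")))
    return sessions


def classify_incident(log_text):
    """Name the application protocol the client used for the site and, if
    a later session went to a different hostname, report that shift."""
    sessions = parse_sessions(log_text)
    if not sessions:
        return None
    first = sessions[0]
    protocol = "HTTPS" if first.port in ("https", "443") else "HTTP"
    shift = next((s for s in sessions if s.domain != first.domain), None)
    return {
        "protocol": protocol,
        "initial": (first.domain, first.ip),
        "redirected_to": (shift.domain, shift.ip) if shift else None,
    }


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(f"{s.ts} {s.domain} ({s.ip}) via {s.port}")
    print(classify_incident(SAMPLE_LOG))
```

On a real capture taken with `tcpdump -nn`, ports appear as numbers rather than service names, which the `TCP_PACKET` pattern also accepts; the DNS pairing relies on the query and its answer appearing in order, which holds for a single client in a short capture but would need matching on the transaction ID for busier traffic.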

The senior cybersecurity professional analyzed the source code of both websites and of the downloaded file. The investigation showed that an attacker had modified the website, inserting code that prompted users to download a malicious file disguised as a browser update. Given that the website owner was locked out, it is suspected that the attacker gained access through a brute-force attack on the admin account and then changed its password. Running the malicious file is what compromised the end users' computers.
Part 3: Recommended remediation for brute force attacks
To counter future brute-force attacks, the recommended security enhancement is Multi-Factor Authentication (MFA). Under this scheme, users must verify their identity with a one-time password (OTP) sent to their registered email address or mobile phone in addition to their login credentials. Access is granted only after both the credentials and the OTP have been confirmed.

This additional factor substantially blunts a brute-force attack: even an attacker who guesses the password still has to defeat a second factor they do not hold. For MFA to deliver that benefit, the OTP step itself must resist guessing: a short code lifetime, a small number of verification attempts before a fresh login is required, single use of each code, and a constant-time comparison of the submitted value. Password-guessing attempts should also be rate limited or trigger a temporary lockout, since MFA does not stop the guessing itself, only the consequence of a correct guess. Together these measures strengthen the system's security posture and its resilience against unauthorized access.
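
The following is an added example of the recommended login flow, not code from the original report or the course materials. It is a self-contained Python model of a two-step login: a salted PBKDF2 password check with a failure counter and temporary lockout, followed by a six-digit OTP handed to a caller-supplied delivery function (standing in for email or SMS) that expires after five minutes, is single use, and is compared in constant time. The in-memory store, the class and method names, and the limits are my own choices, made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300          # code is valid for five minutes
OTP_MAX_ATTEMPTS = 3           # wrong codes allowed before the password step repeats
PASSWORD_MAX_FAILURES = 5      # wrong passwords allowed before a temporary lockout
PASSWORD_LOCKOUT_SECONDS = 900


class LoginService:
    """Two-step login: password first, then a one-time code delivered out of band.
    Assumed in-memory store; a real deployment would persist these records."""

    def __init__(self, clock=time.time, send_otp=None):
        self.clock = clock                                  # injectable for testing
        self.send_otp = send_otp or (lambda contact, code: None)  # stand-in for email/SMS
        self.users = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password, contact):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt, "pw_hash": self._hash(password, salt), "contact": contact,
            "failures": 0, "locked_until": 0.0, "otp": None,
        }

    def begin_login(self, username, password):
        """Step 1: verify the password; on success issue and deliver an OTP."""
        rec = self.users.get(username)
        if rec is None:
            return "denied"
        now = self.clock()
        if now < rec["locked_until"]:
            return "locked"
        if not hmac.compare_digest(self._hash(password, rec["salt"]), rec["pw_hash"]):
            rec["failures"] += 1
            if rec["failures"] >= PASSWORD_MAX_FAILURES:
                rec["failures"] = 0
                rec["locked_until"] = now + PASSWORD_LOCKOUT_SECONDS
                return "locked"
            return "denied"
        rec["failures"] = 0
        code = f"{secrets.randbelow(10**6):06d}"
        rec["otp"] = {"code": code, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
        self.send_otp(rec["contact"], code)
        return "otp_required"

    def complete_login(self, username, code):
        """Step 2: verify the OTP. Access is granted only here, never after step 1 alone."""
        rec = self.users.get(username)
        if rec is None or rec["otp"] is None:
            return "denied"
        otp = rec["otp"]
        if self.clock() > otp["expires"]:
            rec["otp"] = None
            return "expired"
        otp["attempts"] += 1
        if hmac.compare_digest(otp["code"], code):
            rec["otp"] = None            # single use
            return "granted"
        if otp["attempts"] >= OTP_MAX_ATTEMPTS:
            rec["otp"] = None            # force the password step again; 3 tries cannot cover 10^6 codes
        return "denied"


if __name__ == "__main__":
    delivered = []
    svc = LoginService(send_otp=lambda contact, code: delivered.append(code))
    svc.add_user("admin", "correct horse battery staple", "owner@example.com")
    print(svc.begin_login("admin", "password123"))                    # denied
    print(svc.begin_login("admin", "correct horse battery staple"))   # otp_required
    print(svc.complete_login("admin", delivered[-1]))                 # granted
```

The two-step split is the point: `complete_login` refuses any code when no OTP is outstanding, so a correct password on its own never yields a session, and a bounded OTP attempt count keeps the second factor from being brute-forced in turn. Lockout on repeated wrong passwords also means an attacker cannot simply hammer the admin login as happened in this incident, though a lockout can be abused to deny the legitimate owner access, so a short, expiring lockout is preferable to a permanent one.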