
Cyber Security Journaling Exercises

Cybersecurity Journal Description

The Cybersecurity Journal is an academic exercise designed to inform and educate both the journaler and the reader. It’s a carefully curated record, capturing a series of simulated cybersecurity incidents and exercises. This journal is particularly valuable for professionals and students in the cybersecurity field, serving as both an educational resource and a demonstration of practical skills.

Each entry within the journal is structured to provide a detailed account of various hypothetical cybersecurity scenarios. These entries encompass:

  1. Date and Description: Marking the date and providing a detailed narrative of the incident or exercise.
  2. Tools Used: Enumerating the cybersecurity tools utilised in the hypothetical response to the incident or exercise.
  3. The 5 W’s: Elaborating on the ‘Who’, ‘What’, ‘When’, ‘Where’, and ‘Why’ of each scenario, offering an organised approach to incident analysis.
  4. Reflections/Notes: Supplying insights, reflections, and strategies for future enhancements based on the learnings from each exercise.

The primary aim of this journal is educational. It assists in building a deeper understanding of the complexities and nuances of cybersecurity. The hypothetical scenarios are crafted to mirror real-world situations, thereby equipping the journaler with the knowledge and analytical skills necessary in the dynamic and challenging field of cybersecurity. This journal stands as a testament to the practitioner’s growing expertise and serves as a valuable resource for ongoing learning and professional development.

Entry: 1

Description: This entry chronicles a ransomware attack on a small U.S. healthcare clinic, leading to significant operational disruptions due to encrypted files and a ransom demand from unethical hackers.

Tool(s) used: Not applicable for this scenario. However, future investigations may involve cybersecurity tools such as malware analysis tools, network traffic analysis tools, and forensic software.

The 5 W’s:

  • Who caused the incident?
    • The incident was orchestrated by an organised group of unethical hackers targeting healthcare and transportation industries.
  • What happened?
    • The clinic’s files were encrypted by ransomware following the opening of a malicious attachment in a phishing email. A ransom note demanded a large sum of money for the decryption key.
  • When did the incident occur?
    • The attack occurred on a Tuesday morning at approximately 9:00 a.m.
  • Where did the incident happen?
    • The incident took place at a small U.S. healthcare clinic providing primary-care services.
  • Why did the incident happen?
    • The attack was successful due to the effective deployment of a phishing email strategy, leading to the downloading of a malicious attachment by clinic employees.

Additional Notes:

  • Reflection on how the clinic could improve its email security and employee training to prevent similar incidents in the future.
  • Consideration of the necessity for robust backup systems to ensure continuity of operations in the event of such attacks.
  • Questions about whether the clinic had any previous security assessments or if there were any signs of the impending attack.

Reflections/Notes:

  • This scenario highlights the importance of cybersecurity awareness amongst staff in sensitive sectors like healthcare.
  • It also underscores the need for proactive measures in cybersecurity, including regular security audits and emergency response planning.

Entry 2

Phishing Playbook – Version 1.0

Purpose

To assist level-one SOC analysts in delivering an appropriate and prompt response to a phishing incident.

Using this playbook

Follow the steps in this playbook in the specified order. Be aware that some steps may overlap.

Step 1: Receive phishing alert

The process initiates when you receive an alert ticket indicating the detection of a phishing attempt.

Step 2: Evaluate the alert

Upon receiving the alert, examine the alert details and any pertinent log information. Here is a checklist of the information you should assess:

  1. Alert Severity
    • Low: Does not necessitate escalation
    • Medium: May warrant escalation
    • High: Requires immediate escalation to the relevant security personnel
  2. Receiver Details
    • The receiver’s email address
    • The receiver’s IP address
  3. Sender Details
    • The sender’s email address
    • The sender’s IP address
  4. Subject Line
  5. Message Body
  6. Attachments or Links

Note: Do not open any links or attachments on your device unless you are in an authorized and isolated environment.

Step 3.0: Does the email contain any links or attachments?

Phishing emails often include malicious attachments or links aimed at compromising systems. After analyzing the alert details, ascertain whether the email contains any links or attachments. If it does, refrain from opening them and proceed to Step 3.1. If the email lacks links or attachments, move on to Step 4.

Step 3.1: Are the links or attachments malicious?

Once you’ve established that the email includes attachments or links, determine if these elements are malicious. Assess the reputation of the link or file attachment by examining their hash values through threat intelligence tools like VirusTotal. If you confirm that the link or attachment is not malicious, proceed to Step 4.

Step 3.2: Update the alert ticket and escalate

If you verify that the link or attachment is indeed malicious, provide a concise summary of your findings and explain the reason for escalating the ticket. Update the ticket status to “Escalated” and notify a level-two SOC analyst about the escalated ticket.

Step 4: Close the alert ticket

Update the ticket status to “Closed” if:

  • You’ve confirmed that the email lacks links or attachments, or
  • You’ve ascertained that the link or attachment is not malicious.

Include a brief summary of your investigative findings and provide the rationale for closing the ticket.

Ticket ID: A-2703

Alert Message: SERVER-MAIL Phishing attempt possible download of malware

Severity: Medium

Details: The user may have opened a malicious email and opened attachments or clicked links.

Ticket Status: Open

Ticket Comments: Insert your comments here.

Additional Information:

  • Known Malicious File Hash: 54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b
  • Email:
    • From: Def Communications <76tguyhh6tgftrt7tg.su> <114.114.114.114>
    • Sent: Wednesday, July 20, 2022, 09:30:14 AM
    • To: hr@inergy.com <176.157.125.93>
    • Subject: Re: Infrastructure Engineer Role
    • Message: Dear HR at Inergy, I am writing to express my interest in the engineer role posted on the website. Attached is my resume and cover letter. For privacy reasons, the file is password-protected. Please use the password "paradise10789" to open it. Thank you, Clyde West
    • Attachment: filename="bfsvc.exe"

Model Answer:

An alert has been sent to me as the SOC analyst.

Ticket ID: A-2703

Alert Message: SERVER-MAIL Phishing attempt possible download of malware

Severity: Medium

Details: The user may have opened a malicious email and opened attachments or clicked links.

Ticket Status: Open

Ticket Comments: Upon initial assessment, it appears that the user may have fallen victim to a phishing attempt. The email, originating from an unverified source, raises suspicions. The attached file “bfsvc.exe” is of concern, as it may contain malware. We should proceed with caution and investigate further.

Additional Information:

  • Known Malicious File Hash: 54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b
  • Email:
    • From: Def Communications <76tguyhh6tgftrt7tg.su> <114.114.114.114>
    • Sent: Wednesday, July 20, 2022, 09:30:14 AM
    • To: hr@inergy.com <176.157.125.93>
    • Subject: Re: Infrastructure Engineer Role
    • Message: Dear HR at Inergy, I am writing to express my interest in the engineer role posted on the website. Attached is my resume and cover letter. For privacy reasons, the file is password-protected. Please use the password "paradise10789" to open it. Thank you, Clyde West
    • Attachment: filename="bfsvc.exe"

Based on the provided information, it is crucial to treat this as a potential security incident. The email’s origin is suspicious, and the attached file may contain malware. We should advise the user not to interact with the email further and initiate a thorough investigation into the attached file to determine its nature and any potential threats it may pose. Additionally, communication with the user should include security awareness reminders to prevent such incidents in the future.
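The decision path of Steps 2 to 4 above, written out as triage code and run against ticket A-2703. This is an added example, not part of the playbook or the original page; the known-malicious hash is the one listed on the ticket, the malicious-URL list and the benign attachment are constructed sample data, and the comparison stands in for the VirusTotal lookup the playbook describes.

```python
import hashlib
from dataclasses import dataclass, field

# Indicator from ticket A-2703 on this page; the URL entry is a constructed placeholder.
KNOWN_MALICIOUS_SHA256 = {
    "54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b",
}
KNOWN_MALICIOUS_URLS = {"http://example.invalid/constructed-bad-link"}


@dataclass
class PhishingAlert:
    ticket_id: str
    severity: str                                     # "Low", "Medium" or "High"
    links: list = field(default_factory=list)         # URLs found in the message body
    attachments: dict = field(default_factory=dict)   # filename -> SHA-256 hex digest


def sha256_of(data: bytes) -> str:
    """Step 3.1: hash an attachment so it can be looked up in threat intelligence."""
    return hashlib.sha256(data).hexdigest()


def triage(alert: PhishingAlert,
           malicious_hashes=KNOWN_MALICIOUS_SHA256,
           malicious_urls=KNOWN_MALICIOUS_URLS) -> dict:
    """Walk Steps 2 to 4 and return the ticket update the analyst would record."""
    tid = alert.ticket_id
    # Step 2: a High severity alert is escalated immediately, whatever it contains.
    if alert.severity == "High":
        return {"ticket": tid, "status": "Escalated", "reason": "High severity alert"}
    # Step 3.0: nothing to analyse -> go straight to Step 4.
    if not alert.links and not alert.attachments:
        return {"ticket": tid, "status": "Closed", "reason": "No links or attachments"}
    # Step 3.1: compare hashes and URLs against known-bad indicators (no file is opened).
    bad_files = sorted(n for n, h in alert.attachments.items() if h.lower() in malicious_hashes)
    bad_links = sorted(u for u in alert.links if u in malicious_urls)
    if bad_files or bad_links:
        # Step 3.2: summarise the finding and hand off to a level-two analyst.
        findings = []
        if bad_files:
            findings.append("attachment hash matches known malicious file: " + ", ".join(bad_files))
        if bad_links:
            findings.append("link matches known malicious URL: " + ", ".join(bad_links))
        return {"ticket": tid, "status": "Escalated", "reason": "; ".join(findings)}
    # Step 4: indicators checked and not known malicious.
    return {"ticket": tid, "status": "Closed", "reason": "Links/attachments not known malicious"}
```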

Exercise 3 – Incident report

Goal 1: Clarify Exactly What Transpired

The security breach involved an unauthorised individual exploiting a vulnerability in the e-commerce web application. This allowed the attacker to conduct a forced browsing attack, accessing and exfiltrating customer personal identifiable information (PII) and financial details from the purchase confirmation pages.

Goal 2: Ascertain the Timing of the Incident

The initial indication of the incident was on 22nd December 2022, when an employee received a phishing email. The security team was alerted on 28th December 2022, the same day the employee received another email with a sample of the stolen data and a heightened ransom demand. The investigation unfolded between 28th and 31st December 2022.

Goal 3: Detail the Company’s Response Actions

Following the alert, the security team commenced an investigation, pinpointing the root cause as a vulnerability in the web application. The company then worked alongside the public relations department to inform customers about the breach and offered complimentary identity protection services. The investigation included scrutinising web application access logs, which highlighted the attack methodology.

Goal 4: Outline Future Recommendations

To avert similar incidents in the future, the company is implementing several measures:

  • Conduct regular vulnerability scans and penetration testing to detect and rectify security weaknesses.
  • Implement specific access control mechanisms, including allowlisting to limit access to a predetermined set of URLs and ensuring that only authenticated users can access confidential content.
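The two access-control measures above, as an added example that is not part of the incident report: a URL allowlist plus an authentication check for confidential pages. It goes one step beyond the list by also tying each purchase confirmation page to the customer who owns the order, which is the check that actually stops forced browsing of other customers' pages; the order table and paths are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: order id -> owning customer.
ORDERS = {"1001": "alice", "1002": "bob"}

# Allowlist of URL prefixes the application serves at all (first control on the page).
ALLOWED_PREFIXES = ("/account/", "/orders/", "/static/")


@dataclass
class Request:
    path: str
    user: Optional[str]   # None means no authenticated session


def authorize(req: Request) -> int:
    """Return the HTTP status the server should answer with for this request."""
    # Control 1: paths outside the allowlist are not served, whoever asks.
    if not req.path.startswith(ALLOWED_PREFIXES):
        return 404
    # Public static assets need no session.
    if req.path.startswith("/static/"):
        return 200
    # Control 2: confidential content requires an authenticated user.
    if req.user is None:
        return 401
    # Control 3 (added here, beyond the page's list): a confirmation page is only
    # served to the order's owner, so guessing order numbers returns nothing.
    if req.path.startswith("/orders/"):
        order_id = req.path[len("/orders/"):].split("/")[0]
        if ORDERS.get(order_id) != req.user:
            # 404 rather than 403 so valid order ids cannot be enumerated by probing.
            return 404
    return 200
```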

These model answers offer a structured understanding of the incident’s lifecycle, the organisation’s response, and strategies for future prevention. These insights are crucial for passing the practice quiz and comprehensively grasping incident response and business continuity within the realm of cybersecurity.

Cybersecurity Journal Entries

Entry 1: Ransomware Attack on Healthcare Clinic

  • Date: [Insert Date]
  • Description: A ransomware attack targeted a small U.S. healthcare clinic, leading to major disruptions due to file encryption and a ransom demand.
  • The 5 W’s:
    • Who: Organised group of unethical hackers.
    • What: Files encrypted by ransomware following a phishing email.
    • When: Tuesday morning, around 9:00 a.m.
    • Where: Small U.S. healthcare clinic.
    • Why: Successful phishing email leading to malware download.
  • Reflections/Notes: Emphasis on the need for enhanced email security training and robust data backup systems.

Entry 2: Phishing Incident Response

  • Date: [Insert Date]
  • Description: Response to a phishing alert as per the Phishing Playbook – Version 1.0.
  • Tool(s) used: Threat intelligence tools like VirusTotal for assessing file hashes.
  • The 5 W’s:
    • Who: Unknown sender.
    • What: Phishing email with potentially malicious attachment.
    • When: [Insert Date and Time].
    • Where: Email received by an employee.
    • Why: Attempt to compromise systems via phishing.
  • Reflections/Notes: Importance of vigilance in identifying and responding to phishing attempts.

Entry 3: Incident Report: Security Breach of Customer Data

  • Executive Summary: Security breach on December 28, 2022, resulting in unauthorised access to 50,000 customer records.
  • Timeline:
    • Initial Contact: December 22, 2022 – Phishing email received.
    • Second Contact and Alert: December 28, 2022 – Sample of stolen data received and security team notified.
    • Investigation Period: December 28-31, 2022.
  • Investigation: Vulnerability in e-commerce web application identified as the root cause.
  • Response and Remediation: Disclosure to customers, free identity protection services offered, and log analysis conducted.
  • Recommendations: Regular vulnerability scans, penetration testing, and implementation of robust access control mechanisms.

Entry 4: Unauthorised Network Access and Data Exfiltration

  • Date:
  • Description: This entry details an incident where an unknown external party gained unauthorized access to the company’s internal network, leading to potential data exfiltration.
  • Tool(s) used:
    • Network Monitoring Tools (e.g., Wireshark) for traffic analysis.
    • Endpoint Detection and Response (EDR) solutions to track suspicious activities on endpoints.
  • The 5 W’s:
    • Who: Unknown external attacker(s), potentially part of a cybercrime syndicate.
    • What: Unauthorised access to the internal network was detected, with signs of data being extracted from sensitive servers.
    • When: The intrusion was first detected late Friday evening, with unusual network traffic patterns.
    • Where: The breach occurred in the company’s primary data center, affecting multiple servers containing sensitive client data.
    • Why: The motive appears to be corporate espionage – stealing sensitive data for competitive advantage or sale on dark web markets.
  • Reflections/Notes:
    • The incident underscores the need for continuous network monitoring and timely anomaly detection.
    • It highlights the importance of having an effective incident response plan that includes immediate isolation of affected systems to prevent further data loss.
    • The need for regular penetration testing and vulnerability assessments to identify and mitigate potential security gaps is evident.
    • Reflections on improving employee awareness regarding security best practices to prevent similar breaches in the future.
    • Considering the implementation of more robust data encryption methods to secure sensitive information.

This scenario is a stark reminder of the ever-present threat of cyber intrusions and the importance of a multi-layered security approach. As cyber threats evolve, so must our strategies to protect sensitive data and maintain robust cybersecurity defences.
