Worm and Distributed Denial of Service (DDoS) Agent Infestation

Study the following scenario and discuss and determine the incident response handling questions that
should be asked at each stage of the incident response process. Consider the details of the organization
and the CSIRC when formulating your questions.
This scenario is about a small, family-owned investment firm. The organization has only one location
and fewer than 100 employees. On a Tuesday morning, a new worm is released; it spreads itself through
removable media, and it can copy itself to open Windows shares. When the worm infects a host, it
installs a DDoS agent. Antivirus signatures did not become available until several hours after the worm
started to spread, by which time the organization had already incurred widespread infections.
The investment firm has hired a small team of security experts who often use the diamond model of
security incident handling.


Preparation:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary, especially based upon the CSIRC details. Examples:
Would the organization consider this activity to be an incident? If so, which of the organization's
policies does this activity violate?
What measures are in place to attempt to prevent this type of incident from re-occurring, or to limit its
impact?
Detection and Analysis:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary, especially based upon the CSIRC details. Examples:
What precursors of the incident, if any, might the organization detect? Would any precursors cause the
organization to take action before the incident occurred?
What indicators of the incident might the organization detect? Which indicators would cause someone
to think that an incident might have occurred?
What additional tools might be needed to detect this particular incident?
How would the team prioritize the handling of this incident?
Containment, Eradication, and Recovery:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary, especially based upon the CSIRC details. Examples:
What strategy should the organization take to contain the incident? Why is this strategy preferable to
others?
What additional tools might be needed to respond to this particular incident?
Which personnel would be involved in the containment, eradication, and/or recovery processes?
What sources of evidence, if any, should the organization acquire? How would the evidence be
acquired? Where would it be stored? How long should it be retained?
Post-Incident Activity:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary based upon the CSIRC details. Examples:
What could be done to prevent similar incidents from occurring in the future?
What could be done to improve detection of similar incidents?

Computer Science & Information Technology
