SKILL 2: THREAT ANALYSIS & INCIDENT RESPONSE


Artifact 4 — Threat Analysis Report: Phishing Campaign Targeting Corporate Email

Course Context: Cyber Threat Intelligence
Date: Spring 2024

Executive Summary

This report analyzes a spear-phishing campaign identified as targeting employees of mid-sized financial services organizations. The campaign used carefully crafted emails impersonating internal IT departments to harvest employee credentials. This analysis covers the attack methodology, indicators of compromise, threat actor assessment, and recommended mitigations.

Threat Overview

Threat Type: Spear-phishing / Credential harvesting
Target Sector: Financial services
Likely Motivation: Financial gain / Initial access for follow-on attack
Sophistication Level: Moderate to high

Attack Methodology

The campaign followed a structured attack chain:

Phase 1 — Reconnaissance Attackers gathered employee information from LinkedIn and company websites to identify targets with access to financial systems. Job titles such as “Accounts Payable Specialist” and “Finance Manager” were specifically targeted.

Phase 2 — Email Crafting Phishing emails were sent from attacker-registered domains that closely resembled legitimate company domains (e.g., company-it-support.com vs. company.com). Because the attackers controlled these domains, the messages could pass SPF and DKIM checks for the lookalike domain itself. Emails warned recipients that their passwords were expiring and directed them to click a link to update their credentials.

Phase 3 — Credential Harvesting The link directed users to a convincing replica of the company’s login portal. Credentials entered on the page were captured and transmitted to attacker-controlled infrastructure.

Phase 4 — Account Exploitation Harvested credentials were used to access email accounts, from which attackers sought financial information, wire transfer instructions, and contact lists for further targeting.

Indicators of Compromise (IOCs)

  • Sending domains: company-it-helpdesk[.]com, it-support-portal[.]net
  • Subject lines: “Action Required: Password Expiration Notice,” “Immediate Action: Account Security Alert”
  • Phishing page IP: 185.234.xx.xx (hosted on bulletproof hosting provider)
  • User-agent string associated with credential harvesting tool

Threat Actor Assessment

Based on the targeting pattern, infrastructure characteristics, and techniques used, this campaign is consistent with financially motivated threat actors operating in Eastern Europe. The use of bulletproof hosting and the targeting of finance personnel are consistent with Business Email Compromise (BEC) groups documented by the FBI's Internet Crime Complaint Center (IC3).

Recommended Mitigations

  1. Require multi-factor authentication on all email accounts immediately, preferring phishing-resistant methods (FIDO2/WebAuthn), because a credential-harvesting page can relay one-time codes as easily as passwords
  2. Deploy email filtering with lookalike-domain detection, since attacker-registered domains such as company-it-helpdesk[.]com are not caught by authentication checks on the real company domain
  3. Conduct employee security awareness training with emphasis on phishing recognition, including the "password expiring" pretext used in this campaign
  4. Publish and enforce SPF, DKIM, and DMARC (with a reject policy) for the organization's own domains; this blocks direct spoofing of company.com but does nothing against separately registered lookalike domains
  5. Monitor for logins from unusual geographic locations, IP addresses, or new devices, and alert on new mailbox forwarding rules, which BEC actors commonly create to hide their activity
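Mitigation 2 depends on recognizing that a sender domain imitates the corporate domain even though it is technically a different, validly registered domain. The script below is an added example written for this page, not part of the original report: it triages sender domains against a protected domain using three checks (brand token embedded in a foreign domain, small edit distance to the brand, generic IT-support wording). The protected domain "company.com", the brand and wording lists, the distance threshold, and the sample senders are constructed; the two IOC domains from the report are included among them.

```python
"""Flag sender domains that impersonate a protected corporate domain.

Added example, not part of the original report. The protected domain,
brand token, IT-wording list, threshold and sample senders are constructed.
"""
import re
from typing import List, Tuple

PROTECTED = {"company.com"}                 # assumption: the organization's real domain(s)
BRAND_TOKENS = {"company"}                  # assumption: brand words an impersonator would reuse
IT_WORDING = {"it", "helpdesk", "support", "portal", "security", "account", "login"}
TYPO_DISTANCE = 2                           # max edit distance treated as a typosquat


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; catches typosquats such as cornpany.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_domain(domain: str) -> str:
    """Last two labels. Assumption: simple TLDs only (no public-suffix list)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(sender_domain: str) -> Tuple[str, str]:
    """Return (verdict, reason). Verdicts: legitimate, lookalike, suspicious, unknown."""
    rd = registrable_domain(sender_domain)
    if rd in PROTECTED:
        return ("legitimate", "exact match")
    sld = rd.split(".")[0]
    tokens = [t for t in re.split(r"[-_]", sld) if t]
    # 1. Brand name embedded in a domain we do not own: company-it-helpdesk.com
    if any(t in BRAND_TOKENS for t in tokens):
        hint = ", ".join(t for t in tokens if t in IT_WORDING)
        return ("lookalike", f"brand token with IT wording: {hint}" if hint
                else "brand token in foreign domain")
    # 2. Small edit distance to the protected second-level label: cornpany.com
    for p in PROTECTED:
        if 0 < levenshtein(sld, p.split(".")[0]) <= TYPO_DISTANCE:
            return ("lookalike", f"typosquat of {p}")
    # 3. Generic "IT support" wording with no brand: it-support-portal.net
    if sum(t in IT_WORDING for t in tokens) >= 2:
        return ("suspicious", "generic IT-support domain")
    return ("unknown", "no match")


def triage(senders: List[str]) -> List[Tuple[str, str, str]]:
    """Classify each sender domain; returns (domain, verdict, reason) rows."""
    return [(s,) + classify(s) for s in senders]


# Constructed sample: the report's two IOC domains plus benign and typosquat cases.
SAMPLE_SENDERS = [
    "company.com", "mail.company.com", "company-it-helpdesk.com",
    "it-support-portal.net", "cornpany.com", "example.org",
]

if __name__ == "__main__":
    for sender, verdict, reason in triage(SAMPLE_SENDERS):
        print(f"{sender:28} {verdict:11} {reason}")
```

A "legitimate" verdict here only means the registrable domain is one we own; whether a message really came from it is what SPF, DKIM and DMARC (mitigation 4) decide. The two checks complement each other: authentication protects the real domain, similarity scoring catches the domains the attackers registered themselves.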

Artifact 5 — Incident Response Plan: Ransomware Incident

Course Context: Incident Response and Digital Forensics
Date: Spring 2024

Purpose

This Incident Response Plan (IRP) provides structured guidance for responding to a ransomware incident affecting organizational systems. It is designed to minimize damage, preserve evidence, restore operations, and prevent recurrence.

Incident Response Team

Role / Responsibility
Incident Response Lead: Overall coordination and decision-making
Security Analyst: Technical investigation and containment
IT Operations: System isolation and recovery
Legal/Compliance: Regulatory notification and documentation
Communications Lead: Internal and external communications

Phase 1 — Detection and Identification

Triggers that may indicate ransomware:

  • Files with unfamiliar extensions appearing on shared drives
  • Ransom note files appearing on desktops or shared folders
  • Sudden inability to open files
  • Unusual encryption activity detected by endpoint security tools
  • Help desk calls from multiple users reporting the same issue
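The first two triggers (unfamiliar extensions and ransom notes appearing on shares) can be turned into an automated alert if file-server audit logging is enabled. The following is an added example written for this page, not part of the original plan: it replays constructed audit lines and alerts when one account renames many files to an extension not seen in normal use within a short window, or creates a file whose name looks like a ransom note. The log format, field names, thresholds, user names and paths are all constructed; real file servers (Windows object access auditing, Samba full_audit) log in their own formats and the parser would need adjusting.

```python
"""Detect ransomware-style mass renames and ransom-note drops in an audit log.

Added example, not part of the original plan. Log format, thresholds,
extension list, user names and every sample line are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional

# Constructed format: ISO timestamp, user, operation, path, optional new path.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\w+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)
KNOWN_EXTENSIONS = {"xlsx", "docx", "pdf", "txt", "csv", "pptx", "jpg", "png"}   # assumption
RANSOM_NOTE_RE = re.compile(r"(readme|how_to|decrypt|restore|recover).*\.(txt|html|hta)$", re.I)
RENAME_THRESHOLD = 10              # renames to unknown extensions by one user ...
WINDOW = timedelta(seconds=60)     # ... within this window trigger an alert


def filename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def extension(path: str) -> str:
    name = filename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines: Iterable[str]) -> List[str]:
    """Return alert strings, one per (user, trigger) the first time it fires."""
    alerts: List[str] = []
    windows: Dict[str, Deque[datetime]] = defaultdict(deque)   # per-user rename timestamps
    fired = set()
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        user, op, ts = ev["user"], ev["op"], ev["ts"]
        if op == "CREATE" and RANSOM_NOTE_RE.search(filename(ev["path"])):
            if (user, "note") not in fired:
                fired.add((user, "note"))
                alerts.append(f"{ts:%H:%M:%S} {user}: ransom-note-like file created {ev['path']}")
        if op == "RENAME" and ev["new"]:
            new_ext = extension(ev["new"])
            if new_ext in KNOWN_EXTENSIONS or new_ext == extension(ev["path"]):
                continue                       # ordinary rename, extension unchanged or familiar
            q = windows[user]
            q.append(ts)
            while q and ts - q[0] > WINDOW:    # slide the window forward
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and (user, "rename") not in fired:
                fired.add((user, "rename"))
                alerts.append(f"{ts:%H:%M:%S} {user}: {len(q)} renames to unknown extension "
                              f"'.{new_ext}' within {WINDOW.seconds}s")
    return alerts


def build_sample_log() -> List[str]:
    """Constructed lines: one user editing normally, one account encrypting a share."""
    base = datetime(2024, 3, 14, 9, 0, 0)
    lines = []
    for i in range(3):   # benign renames spread over 15 minutes, extension unchanged
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=abrown op=RENAME "
                     f"path=//FS01/finance/draft{i}.docx new=//FS01/finance/final{i}.docx")
    for i in range(12):  # 12 renames in 22 seconds, each file gains a '.locked' suffix
        t = base + timedelta(minutes=7, seconds=2 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=jdoe op=RENAME "
                     f"path=//FS01/finance/report{i}.xlsx new=//FS01/finance/report{i}.xlsx.locked")
    t = base + timedelta(minutes=7, seconds=25)
    lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=jdoe op=CREATE path=//FS01/finance/README_TO_DECRYPT.txt")
    return sorted(lines)          # ISO timestamps sort chronologically


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The threshold and window are tuning knobs: a backup agent or a bulk document conversion can also rename many files quickly, so in practice the known-extension list is seeded from the share's own history and service accounts are allowlisted. The account named in the alert is the one to disable in the containment phase, and the first rename timestamp bounds the start of the timeline.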

Immediate Actions:

  1. Document the time, date, and nature of the alert
  2. Identify affected systems and users
  3. Preserve logs from affected systems before any remediation
  4. Notify the Incident Response Lead immediately

Phase 2 — Containment

Short-term containment (within 1 hour):

  1. Isolate affected systems from the network by disabling network interfaces or physically disconnecting network cables, and take backup systems offline or make them read-only so they cannot be reached from the infected segment
  2. Do NOT power off affected systems: live memory may contain encryption keys or attacker artifacts, so capture a memory image first if a forensic tool is available
  3. Block identified malicious IP addresses and domains at the firewall and web proxy
  4. Disable affected user accounts and revoke their active sessions to prevent further spread via compromised credentials

Long-term containment:

  1. Identify the initial infection vector (phishing email, exposed RDP, vulnerable software)
  2. Patch or remediate the identified vulnerability
  3. Scan all systems for indicators of compromise

Phase 3 — Eradication

  1. Identify all systems affected by the ransomware
  2. Remove malware using endpoint security tools and manual remediation
  3. Rebuild systems from known-good images where full eradication cannot be confirmed
  4. Reset all passwords, prioritizing accounts with elevated privileges and service accounts, and rotate any credentials or keys that were stored on compromised systems

Phase 4 — Recovery

  1. Restore data from clean backups verified to predate the infection and confirmed to be intact (ransomware operators commonly try to encrypt or delete backups first), restoring into an isolated network before reconnecting to production
  2. Bring systems back online in a staged manner, monitoring closely for signs of reinfection
  3. Verify system integrity before restoring to production status
  4. Document all actions taken during recovery

Phase 5 — Post-Incident Review

Within two weeks of incident closure:

  1. Conduct a lessons-learned meeting with all incident response team members
  2. Document a timeline of the incident from initial compromise to full recovery
  3. Identify security control gaps that enabled the incident
  4. Update this IRP based on findings
  5. Confirm that required regulatory notifications were submitted on time (HIPAA, PCI DSS, state breach notification laws, GDPR where applicable). Notification clocks generally start at discovery, not at closure (72 hours under GDPR), so Legal/Compliance must assess obligations during Phase 1 rather than waiting for this review

Artifact 6 — Case Study: The WannaCry Ransomware Attack of 2017

Course Context: Cybersecurity Policy and Law
Date: Fall 2023

Introduction

The WannaCry ransomware attack of May 2017 infected more than 200,000 systems across 150 countries within a single day, causing an estimated $4–8 billion in damages. It remains one of the most consequential cyberattacks in history and offers critical lessons for security analysts and incident responders. This case study examines the attack’s technical mechanics, its organizational impact, and the policy implications it raised.

Technical Analysis

WannaCry spread using EternalBlue, an exploit for a vulnerability (CVE-2017-0144) in Microsoft's SMBv1 (Server Message Block) implementation. EternalBlue had been developed by the NSA and was published by a group calling itself the Shadow Brokers in April 2017, just weeks before WannaCry emerged. Microsoft had released a patch (security bulletin MS17-010) on 14 March 2017, but millions of systems worldwide had not applied it.

The ransomware spread autonomously without any user interaction. Unlike phishing-delivered ransomware, WannaCry self-propagated by scanning the local network and random internet addresses for hosts exposing SMB on TCP port 445, exploiting them with EternalBlue and installing the DoublePulsar kernel backdoor to run its payload. Once a system was infected, files were encrypted and a ransom demand of $300 in Bitcoin was displayed, rising to $600 after three days.

Organizational Impact

The UK's National Health Service (NHS) was among the hardest-hit organizations: roughly 80 of 236 NHS trusts in England were affected, either infected or forced to disconnect systems as a precaution. Operations were disrupted, appointments cancelled, and some hospitals diverted emergency patients. The attack exposed how deeply healthcare organizations relied on legacy systems. Many NHS computers were still running Windows XP, which Microsoft had stopped supporting in 2014, although later analysis showed that most machines infected worldwide were unpatched Windows 7 systems rather than XP.

Why It Spread So Far

Several factors enabled WannaCry’s unprecedented spread:

  1. Unpatched systems: Many organizations had not applied the available MS17-010 patch
  2. Legacy systems: Healthcare, utilities, and government agencies often run outdated systems that cannot be patched without disrupting operations
  3. Flat network architectures: Many organizations lacked internal network segmentation, allowing the worm to spread freely once inside the perimeter
  4. Kill switch found only after the fact: before encrypting, the malware tried to contact an unregistered domain and exited if it received a response. A security researcher registered the domain on the first day, inadvertently activating this kill switch and stopping new infections from encrypting, but hundreds of thousands of systems had already been hit

Lessons for Incident Responders

  1. Patch management is a non-negotiable security control; the MS17-010 patch had been available for two months before the attack
  2. Network segmentation limits the blast radius of self-propagating malware
  3. Legacy systems represent a systemic vulnerability that requires dedicated risk management strategies
  4. Incident response plans must account for scenarios where normal communication channels (email, shared drives) may be compromised
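Lesson 2 can be made concrete. The simulation below is an added example written for this page, not part of the original case study: it models a worm that, like WannaCry, compromises every unpatched host whose TCP/445 it can reach, and compares how far it gets on a flat network versus one where SMB is only permitted between specific segments. The segment names, host counts, firewall policy and patched hosts are all constructed; the propagation model is deliberately simple (no timing, no exploit failures).

```python
"""Blast radius of an SMB worm on a flat vs. a segmented network.

Added example, not part of the original case study. Segments, host counts,
the inter-segment SMB policy and the patched hosts are constructed.
"""
from collections import deque
from typing import Dict, Iterable, Set, Tuple

# Constructed topology: segment name -> number of hosts.
SEGMENTS: Dict[str, int] = {"users": 20, "finance": 5, "servers": 6, "legacy": 4}

# Constructed firewall policy: (source, destination) segment pairs for which TCP/445
# is permitted. Traffic inside a segment is always permitted (no host firewall).
SMB_POLICY: Set[Tuple[str, str]] = {
    ("users", "servers"), ("finance", "servers"), ("legacy", "servers"),
    ("finance", "legacy"),                       # an old finance application needs SMB
}


def build_hosts(segments: Dict[str, int], patched: Iterable[str] = ()) -> Dict[str, dict]:
    """Create hosts named <segment>-<nn>; 'patched' hosts have MS17-010 applied."""
    patched = set(patched)
    hosts = {}
    for seg, n in segments.items():
        for i in range(n):
            name = f"{seg}-{i:02d}"
            hosts[name] = {"segment": seg, "patched": name in patched}
    return hosts


def smb_reachable(src_seg: str, dst_seg: str, segmented: bool) -> bool:
    """Flat network: 445 reachable everywhere. Segmented: only per SMB_POLICY."""
    if src_seg == dst_seg or not segmented:
        return True
    return (src_seg, dst_seg) in SMB_POLICY


def simulate(hosts: Dict[str, dict], patient_zero: str, segmented: bool) -> Set[str]:
    """Breadth-first propagation: every infected host exploits each unpatched host
    whose TCP/445 it can reach. Returns the set of infected host names."""
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = hosts[queue.popleft()]
        for name, dst in hosts.items():
            if name in infected or dst["patched"]:
                continue
            if smb_reachable(src["segment"], dst["segment"], segmented):
                infected.add(name)
                queue.append(name)
    return infected


def blast_radius(patient_zero: str, segmented: bool,
                 patched: Iterable[str] = ()) -> Tuple[int, int]:
    """(infected hosts, total hosts) for the constructed topology."""
    hosts = build_hosts(SEGMENTS, patched)
    return len(simulate(hosts, patient_zero, segmented)), len(hosts)


if __name__ == "__main__":
    for start in ("users-00", "finance-00"):
        flat = blast_radius(start, segmented=False)
        seg = blast_radius(start, segmented=True)
        print(f"patient zero {start}: flat {flat[0]}/{flat[1]} hosts, segmented {seg[0]}/{seg[1]}")
```

Two things fall out of the model that the prose only asserts. First, segmentation does not help the segment the worm lands in, so the hosts most likely to be patient zero (user workstations) need patching and SMBv1 disabled regardless. Second, the blast radius depends on where the worm lands: an infection starting in the finance segment reaches the legacy systems through the one policy exception that keeps an old application working, which is exactly the legacy-system risk lesson 3 describes.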

Conclusion

WannaCry was not a sophisticated attack. It succeeded because of accumulated organizational failures — outdated systems, poor patch management, and inadequate segmentation. Its lesson is not primarily technical: it is a lesson about the organizational commitment required to maintain a meaningful security posture.
