{"id":16,"date":"2026-05-03T18:19:01","date_gmt":"2026-05-03T18:19:01","guid":{"rendered":"https:\/\/student.wp.odu.edu\/pdamt001\/?p=16"},"modified":"2026-05-03T18:19:04","modified_gmt":"2026-05-03T18:19:04","slug":"skill-2-threat-analysis-incident-response","status":"publish","type":"post","link":"https:\/\/student.wp.odu.edu\/pdamt001\/2026\/05\/03\/skill-2-threat-analysis-incident-response\/","title":{"rendered":"SKILL 2: THREAT ANALYSIS & INCIDENT RESPONSE"},"content":{"rendered":"\n
\n\n\n\n

Artifact 4 \u2014 Threat Analysis Report: Phishing Campaign Targeting Corporate Email<\/h2>\n\n\n\n

Course Context:<\/strong> Cyber Threat Intelligence Date:<\/strong> Spring 2024<\/p>\n\n\n\n

Executive Summary<\/h3>\n\n\n\n

This report analyzes a spear-phishing campaign identified targeting employees of mid-sized financial services organizations. The campaign used carefully crafted emails impersonating internal IT departments to harvest employee credentials. This analysis covers the attack methodology, indicators of compromise, threat actor assessment, and recommended mitigations.<\/p>\n\n\n\n

Threat Overview<\/h3>\n\n\n\n

Threat Type:<\/strong> Spear-phishing \/ Credential harvesting Target Sector:<\/strong> Financial services Likely Motivation:<\/strong> Financial gain \/ Initial access for follow-on attack Sophistication Level:<\/strong> Moderate to high<\/p>\n\n\n\n

Attack Methodology<\/h3>\n\n\n\n

The campaign followed a structured attack chain:<\/p>\n\n\n\n

Phase 1 \u2014 Reconnaissance<\/strong> Attackers gathered employee information from LinkedIn and company websites to identify targets with access to financial systems. Job titles such as “Accounts Payable Specialist” and “Finance Manager” were specifically targeted.<\/p>\n\n\n\n

Phase 2 \u2014 Email Crafting<\/strong> Phishing emails were sent from domains that closely resembled legitimate company domains (e.g., company-it-support.com vs. company.com). Emails warned recipients that their passwords were expiring and directed them to click a link to update their credentials.<\/p>\n\n\n\n

Phase 3 \u2014 Credential Harvesting<\/strong> The link directed users to a convincing replica of the company’s login portal. Credentials entered on the page were captured and transmitted to attacker-controlled infrastructure.<\/p>\n\n\n\n

Phase 4 \u2014 Account Exploitation<\/strong> Harvested credentials were used to access email accounts, from which attackers sought financial information, wire transfer instructions, and contact lists for further targeting.<\/p>\n\n\n\n

Indicators of Compromise (IOCs)<\/h3>\n\n\n\n
    \n
  • Sending domains: company-it-helpdesk[.]com, it-support-portal[.]net<\/li>\n\n\n\n
  • Subject lines: “Action Required: Password Expiration Notice,” “Immediate Action: Account Security Alert”<\/li>\n\n\n\n
  • Phishing page IP: 185.234.xx.xx (hosted on bulletproof hosting provider)<\/li>\n\n\n\n
  • User-agent string associated with credential harvesting tool<\/li>\n<\/ul>\n\n\n\n

    Threat Actor Assessment<\/h3>\n\n\n\n

    Based on the targeting pattern, infrastructure characteristics, and techniques used, this campaign is consistent with financially motivated threat actors operating in Eastern Europe. The use of bulletproof hosting and the targeting of finance personnel is consistent with Business Email Compromise (BEC) groups documented by the FBI’s Internet Crime Complaint Center (IC3).<\/p>\n\n\n\n

    Recommended Mitigations<\/h3>\n\n\n\n
      \n
    1. Implement multi-factor authentication on all email accounts immediately<\/li>\n\n\n\n
    2. Deploy email filtering solutions with domain similarity detection<\/li>\n\n\n\n
    3. Conduct employee security awareness training with emphasis on phishing recognition<\/li>\n\n\n\n
    4. Implement DMARC, DKIM, and SPF email authentication protocols<\/li>\n\n\n\n
    5. Monitor for login attempts from unusual geographic locations or IP addresses<\/li>\n<\/ol>\n\n\n\n
      \n\n\n\n

      Artifact 5 \u2014 Incident Response Plan: Ransomware Incident<\/h2>\n\n\n\n

      Course Context:<\/strong> Incident Response and Digital Forensics Date:<\/strong> Spring 2024<\/p>\n\n\n\n

      Purpose<\/h3>\n\n\n\n

      This Incident Response Plan (IRP) provides structured guidance for responding to a ransomware incident affecting organizational systems. It is designed to minimize damage, preserve evidence, restore operations, and prevent recurrence.<\/p>\n\n\n\n

      Incident Response Team<\/h3>\n\n\n\n
      Role<\/th>Responsibility<\/th><\/tr><\/thead>
      Incident Response Lead<\/td>Overall coordination and decision-making<\/td><\/tr>
      Security Analyst<\/td>Technical investigation and containment<\/td><\/tr>
      IT Operations<\/td>System isolation and recovery<\/td><\/tr>
      Legal\/Compliance<\/td>Regulatory notification and documentation<\/td><\/tr>
      Communications Lead<\/td>Internal and external communications<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

      Phase 1 \u2014 Detection and Identification<\/h3>\n\n\n\n

      Triggers that may indicate ransomware:<\/strong><\/p>\n\n\n\n

        \n
      • Files with unfamiliar extensions appearing on shared drives<\/li>\n\n\n\n
      • Ransom note files appearing on desktops or shared folders<\/li>\n\n\n\n
      • Sudden inability to open files<\/li>\n\n\n\n
      • Unusual encryption activity detected by endpoint security tools<\/li>\n\n\n\n
      • Help desk calls from multiple users reporting the same issue<\/li>\n<\/ul>\n\n\n\n

        Immediate Actions:<\/strong><\/p>\n\n\n\n

          \n
        1. Document the time, date, and nature of the alert<\/li>\n\n\n\n
        2. Identify affected systems and users<\/li>\n\n\n\n
        3. Preserve logs from affected systems before any remediation<\/li>\n\n\n\n
        4. Notify the Incident Response Lead immediately<\/li>\n<\/ol>\n\n\n\n

          Phase 2 \u2014 Containment<\/h3>\n\n\n\n

          Short-term containment (within 1 hour):<\/strong><\/p>\n\n\n\n

            \n
          1. Isolate affected systems from the network by disabling network interfaces or physically disconnecting network cables<\/li>\n\n\n\n
          2. Do NOT power off affected systems \u2014 live memory may contain decryption keys or attacker artifacts<\/li>\n\n\n\n
          3. Block identified malicious IP addresses and domains at the firewall<\/li>\n\n\n\n
          4. Disable affected user accounts to prevent further spread via compromised credentials<\/li>\n<\/ol>\n\n\n\n

            Long-term containment:<\/strong><\/p>\n\n\n\n

              \n
            1. Identify the initial infection vector (phishing email, exposed RDP, vulnerable software)<\/li>\n\n\n\n
            2. Patch or remediate the identified vulnerability<\/li>\n\n\n\n
            3. Scan all systems for indicators of compromise<\/li>\n<\/ol>\n\n\n\n

              Phase 3 \u2014 Eradication<\/h3>\n\n\n\n
                \n
              1. Identify all systems affected by the ransomware<\/li>\n\n\n\n
              2. Remove malware using endpoint security tools and manual remediation<\/li>\n\n\n\n
              3. Rebuild systems from known-good images where full eradication cannot be confirmed<\/li>\n\n\n\n
              4. Reset all passwords, prioritizing accounts with elevated privileges<\/li>\n<\/ol>\n\n\n\n

                Phase 4 \u2014 Recovery<\/h3>\n\n\n\n
                  \n
                1. Restore data from clean backups verified to predate the infection<\/li>\n\n\n\n
                2. Bring systems back online in a staged manner, monitoring closely for signs of reinfection<\/li>\n\n\n\n
                3. Verify system integrity before restoring to production status<\/li>\n\n\n\n
                4. Document all actions taken during recovery<\/li>\n<\/ol>\n\n\n\n

                  Phase 5 \u2014 Post-Incident Review<\/h3>\n\n\n\n

                  Within two weeks of incident closure:<\/p>\n\n\n\n

                    \n
                  1. Conduct a lessons-learned meeting with all incident response team members<\/li>\n\n\n\n
                  2. Document a timeline of the incident from initial compromise to full recovery<\/li>\n\n\n\n
                  3. Identify security control gaps that enabled the incident<\/li>\n\n\n\n
                  4. Update this IRP based on findings<\/li>\n\n\n\n
                  5. Submit required regulatory notifications (if applicable under HIPAA, PCI-DSS, state breach notification laws, etc.)<\/li>\n<\/ol>\n\n\n\n
                    \n\n\n\n

                    Artifact 6 \u2014 Case Study: The WannaCry Ransomware Attack of 2017<\/h2>\n\n\n\n

                    Course Context:<\/strong> Cybersecurity Policy and Law Date:<\/strong> Fall 2023<\/p>\n\n\n\n

                    Introduction<\/h3>\n\n\n\n

                    The WannaCry ransomware attack of May 2017 infected more than 200,000 systems across 150 countries within a single day, causing an estimated $4\u20138 billion in damages. It remains one of the most consequential cyberattacks in history and offers critical lessons for security analysts and incident responders. This case study examines the attack’s technical mechanics, its organizational impact, and the policy implications it raised.<\/p>\n\n\n\n

                    Technical Analysis<\/h3>\n\n\n\n

                    WannaCry exploited EternalBlue, a vulnerability in Microsoft’s SMB (Server Message Block) protocol. EternalBlue had been developed by the NSA as a cyberweapon and was leaked by a hacking group called Shadow Brokers in April 2017 \u2014 just weeks before WannaCry emerged. Microsoft had released a patch (MS17-010) in March 2017, but millions of systems worldwide had not applied it.<\/p>\n\n\n\n

                    The ransomware spread autonomously through networks without requiring any user interaction \u2014 unlike phishing-based ransomware, WannaCry could self-propagate by scanning for vulnerable SMB ports (port 445) and exploiting them directly. Once a system was infected, files were encrypted and a ransom demand of $300\u2013600 in Bitcoin was displayed.<\/p>\n\n\n\n

                    Organizational Impact<\/h3>\n\n\n\n

                    The UK’s National Health Service (NHS) was among the hardest-hit organizations, with approximately 80 of 236 NHS trusts affected. Operations were disrupted, appointments cancelled, and some hospitals diverted emergency patients. The attack exposed how deeply healthcare organizations had come to rely on legacy systems \u2014 many NHS computers were running Windows XP, which Microsoft had ceased supporting in 2014.<\/p>\n\n\n\n

                    Why It Spread So Far<\/h3>\n\n\n\n

                    Several factors enabled WannaCry’s unprecedented spread:<\/p>\n\n\n\n

                      \n
                    1. Unpatched systems:<\/strong> Many organizations had not applied the available MS17-010 patch<\/li>\n\n\n\n
                    2. Legacy systems:<\/strong> Healthcare, utilities, and government agencies often run outdated systems that cannot be patched without disrupting operations<\/li>\n\n\n\n
                    3. Flat network architectures:<\/strong> Many organizations lacked internal network segmentation, allowing the worm to spread freely once inside the perimeter<\/li>\n\n\n\n
                    4. No kill switch awareness:<\/strong> A security researcher accidentally discovered a kill switch domain in the malware’s code and registered it, slowing the spread \u2014 but many organizations had already been infected<\/li>\n<\/ol>\n\n\n\n

                      Lessons for Incident Responders<\/h3>\n\n\n\n
                        \n
                      1. Patch management is a non-negotiable security control \u2014 the WannaCry patch was available weeks before the attack<\/li>\n\n\n\n
                      2. Network segmentation limits the blast radius of self-propagating malware<\/li>\n\n\n\n
                      3. Legacy systems represent a systemic vulnerability that requires dedicated risk management strategies<\/li>\n\n\n\n
                      4. Incident response plans must account for scenarios where normal communication channels (email, shared drives) may be compromised<\/li>\n<\/ol>\n\n\n\n

                        Conclusion<\/h3>\n\n\n\n

                        WannaCry was not a sophisticated attack. It succeeded because of accumulated organizational failures \u2014 outdated systems, poor patch management, and inadequate segmentation. Its lesson is not primarily technical: it is a lesson about the organizational commitment required to maintain a meaningful security posture.<\/p>\n","protected":false},"excerpt":{"rendered":"

                        Artifact 4 \u2014 Threat Analysis Report: Phishing Campaign Targeting Corporate Email Course Context: Cyber Threat Intelligence Date: Spring 2024 Executive Summary This report analyzes a spear-phishing campaign identified targeting employees of mid-sized financial services organizations. The campaign used carefully crafted emails impersonating internal IT departments to harvest employee credentials. This analysis covers the attack methodology, indicators of compromise, … Continue reading SKILL 2: THREAT ANALYSIS & INCIDENT RESPONSE<\/span><\/a><\/p>\n","protected":false},"author":26078,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","wds_primary_category":2},"categories":[2],"tags":[],"_links":{"self":[{"href":"https:\/\/student.wp.odu.edu\/pdamt001\/wp-json\/wp\/v2\/posts\/16"}],"collection":[{"href":"https:\/\/student.wp.odu.edu\/pdamt001\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/student.wp.odu.edu\/pdamt001\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/student.wp.odu.edu\/pdamt001\/wp-json\/wp\/v2\/users\/26078"}],"replies":[{"embeddable":true,"href":"https:\/\/student.wp.odu.edu\/pdamt001\/wp-json\/wp\/v2\/comments?post=16"}],"version-history":[{"count":1,"href":"https:\/\/student.wp.odu.edu\/pdamt001\/wp-json\/wp\/v2\/posts\/16\/revisions"}],"predecessor-version":[{"id":17,"href":"https:\/\/student.wp.odu.edu\/pdamt001\/wp-json\/wp\/v2\/posts\/16\/revisions\/17"}],"wp:attachment":[{"href":"https:\/\/student.wp.odu.edu\/pdamt001\/wp-json\/wp\/v2\/media?parent=16"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/student.wp.odu.edu\/pdamt001\/wp-json\/wp\/v2\/categories?post=16"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/student.wp.odu.edu\/pdamt001\/wp-json\/wp\/v2\/tags?post=16"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}