Module 9/Chapter 9 (To answer the following questions, read module 9): PART 1: Discussion/Ethical Decision-Making Questions

1. Was the CSIRT response appropriate, given the circumstances? On what do you base your position?
2. Can the team access Osbert's personal devices to examine them? Under what constraints? How might the team accomplish this legally?
3. During the investigation and forensic effort in response to the worm outbreak, you are examining a hard drive and find love letters between two employees of the organization who are not married to each other. This activity is not illegal, and it is not related to the worm attack. Do you report it in the investigation?

Osbert Rimorr had released a potent malware attack into the wild. It was simple bad luck that Osbert's worm took over the primary HAL mail server. From there, it quickly infected every system in the company. As the worm copied itself over and over again, the servers at HAL quickly stopped doing their assigned tasks and spent all their resources copying the worm to every computer they could reach.

It was nearing dawn when Susan Carter, the third-shift help-desk supervisor, was informed of the attack, first by the technicians in the network operations center and then by the application support team. Once she heard what was happening, Susan wasted no time. She directed the application support team to shut down the mail server, then she initiated the incident response plan by calling the help-desk supervisor to activate the call tree. Susan called Paul Alexander, the HAL incident commander on call, to advise him of the incident.

Paul answered after taking a sip of his second cup of coffee. "Good morning. What's up, Susan?" Paul asked.

"We're down," Susan replied. "All systems. All networks. It looks like a worm that just bogs everything down. No data exfiltration that we can see, just a massive denial of service through consumption of system resources, and it's everywhere," Susan said, sounding worried.

"Okay," Paul replied. He opened the cover on his tablet, tapped on the browser, and then on the tab for the dashboard that would show him every system and its current status. "Let me see..." The screen stayed frozen. "Oh, wait, all networks are down! Okay, start to assemble all the facts you can. I guess the containment options didn't pan out very well; it's time for recovery operations. Work the IR plan with the CSIRT. I'll be at the SOC as soon as I can."

"Okay, we'll start getting what we know together," said Susan.

The IR plan worked as expected and the CSIRT assembled quickly. While the worm was good, HAL's IR team was better. They quickly identified the threat, isolated the malware by severing the connections between infected systems, and disrupted its spread. System by system, the CSIRT brought each infected computer up: they isolated it in a controlled environment, wiped the system clean, and re-installed the applications and available data from backup. Fortunately for HAL, the CISO's insistence on near-real-time data backups paid off. Within two hours, every system had been scrubbed, reset, and was available for business, with only a few hours of lost data. Considering the fact that the worm hit almost every system in the company, the loss was negligible.

"We were lucky this time," Susan said, handing Paul his fourth cup of coffee since he arrived. "What's next?"

"I'd rather be lucky than good any day," Paul responded, "but in this case, the team was lucky and good. Next we formalize our recovery, try to figure out how this happened with the incident forensics team, start the after-action processes, and prepare to brief the bosses
