Question:

On a Saturday afternoon, external users start having problems accessing the organization's public websites. Over the next hour, the problem worsens to the point where nearly every access attempt fails. Meanwhile, a member of the organization's networking staff responds to alerts from an Internet border router and determines that the organization's Internet bandwidth is being consumed by an unusually large volume of User Datagram Protocol (UDP) packets to and from both of the organization's public DNS servers. Analysis of the traffic shows that the DNS servers are receiving high volumes of requests from a single external IP address. Also, all the DNS requests from that address come from the same source port.

Answer the following questions about the scenario:

Preparation:

1. Would the organization consider this activity to be an incident? If so, which of the organization's policies does this activity violate? (Section 2.1)

2. What measures are in place to attempt to prevent this type of incident from occurring or to limit its impact? (Section 3.1.2)

Detection and Analysis:

1. What precursors of the incident, if any, might the organization detect? Would any precursors cause the organization to take action before the incident occurred? (Sections 3.2.2, 3.2.3)

2. What indicators of the incident might the organization detect? Which indicators would cause someone to think that an incident might have occurred? (Sections 3.2.2, 3.2.3)

3. What additional tools might be needed to detect this particular incident? (Section 3.2.3)

4. How would the incident response team analyze and validate this incident? What personnel would be involved in the analysis and validation process? (Section 3.2.4)

5. To which people and groups within the organization would the team report the incident? (Section 3.2.7)

6. How would the team prioritize the handling of this incident? (Section 3.2.6)
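The two indicators the scenario gives (an unusually high volume of UDP/53 requests to the public DNS servers from one external address, all from the same source port) expressed as detection logic over flow records. This is an added example, not part of the original exercise; the flow-record format, the IP addresses and the packet threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records (not from the original exercise), one per line:
# epoch_seconds src_ip src_port dst_ip dst_port proto packets
SAMPLE_FLOWS = """\
1715424000 203.0.113.77 40001 198.51.100.10 53 UDP 4200
1715424000 203.0.113.77 40001 198.51.100.11 53 UDP 3900
1715424060 192.0.2.15 51234 198.51.100.10 53 UDP 3
1715424060 192.0.2.15 51240 198.51.100.10 53 UDP 2
1715424120 203.0.113.77 40001 198.51.100.10 53 UDP 6100
1715424120 192.0.2.15 51301 198.51.100.11 53 UDP 4
1715424180 198.18.0.9 61000 198.51.100.11 53 UDP 1
1715424180 192.0.2.200 44444 198.51.100.10 80 TCP 20
"""

# Addresses of the organization's public DNS servers (constructed values).
DNS_SERVERS = {"198.51.100.10", "198.51.100.11"}

def parse_flows(text):
    """Split whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, sport, dst, dport, proto, pkts = line.split()
            flows.append({"src": src, "sport": int(sport), "dst": dst,
                          "dport": int(dport), "proto": proto, "pkts": int(pkts)})
    return flows

def summarize_dns_sources(flows, dns_servers=DNS_SERVERS):
    """Per external source IP: total UDP/53 packets sent to our DNS servers
    and the set of source ports used. All other traffic is ignored."""
    stats = defaultdict(lambda: {"pkts": 0, "sports": set()})
    for f in flows:
        if f["proto"] == "UDP" and f["dport"] == 53 and f["dst"] in dns_servers:
            stats[f["src"]]["pkts"] += f["pkts"]
            stats[f["src"]]["sports"].add(f["sport"])
    return stats

def flag_suspicious_sources(flows, pkt_threshold=1000, dns_servers=DNS_SERVERS):
    """Return (src_ip, packets, source_port) for sources matching both scenario
    indicators: volume at or above pkt_threshold AND a single source port for
    every query. Legitimate resolvers randomize source ports, so this stands out."""
    hits = []
    for src, s in summarize_dns_sources(flows, dns_servers).items():
        if s["pkts"] >= pkt_threshold and len(s["sports"]) == 1:
            hits.append((src, s["pkts"], next(iter(s["sports"]))))
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    print(flag_suspicious_sources(parse_flows(SAMPLE_FLOWS)))
```

In a real deployment the threshold would be set relative to the normal per-resolver query rate seen at the border router, and the flow source would be the router's exported flow records rather than an inline string.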

Containment, Eradication, and Recovery:

1. What strategy should the organization take to contain the incident? Why is this strategy preferable to others? (Section 3.3.1)

2. What could happen if the incident were not contained? (Section 3.3.1)

3. What additional tools might be needed to respond to this particular incident? (Sections 3.3.1, 3.3.4)

4. Which personnel would be involved in the containment, eradication, and/or recovery processes? (Sections 3.3.1, 3.3.4)

5. What sources of evidence, if any, should the organization acquire? How would the evidence be acquired? Where would it be stored? How long should it be retained? (Sections 3.2.5, 3.3.2, 3.4.3)

Post-Incident Activity:

1. Who would attend the lessons learned meeting regarding this incident? (Section 3.4.1)

2. What could be done to prevent similar incidents from occurring in the future? (Section 3.1.2)

3. What could be done to improve detection of similar incidents? (Section 3.1.2)

General Questions:

1. How many incident response team members would participate in handling this incident? (Section 2.4.3)

2. Besides the incident response team, what groups within the organization would be involved in handling this incident? (Section 2.4.4)

3. To which external parties would the team report the incident? When would each report occur? How would each report be made? What information would you report or not report, and why? (Section 2.3.2)

4. What other communications with external parties may occur? (Section 2.3.2)

5. What tools and resources would the team use in handling this incident? (Section 3.1.1)

6. What aspects of the handling would have been different if the incident had occurred at a different day and time (on-hours versus off-hours)? (Section 2.4.2)

7. What aspects of the handling would have been different if the incident had occurred at a different physical location (onsite versus offsite)? (Section 2.4.2)
