Scenario $4$: Compromised Database Server

On a Tuesday night, a database administrator performs some off$-$hours maintenance on several

production database servers. The administrator notices some unfamiliar and unusual directory names

on one of the servers. After reviewing the directory listings and viewing some of the files, the

administrator concludes that the server has been attacked and calls the incident response team for

assistance. The team$$s investigation determines that the attacker successfully gained root access to the

server six weeks ago.

The following are additional questions for this scenario:

$4\mathrm{.}1.$ What sources might the team use to determine when the compromise had occurred?

Response: $($e$.$g$.,$ SIEM logs$,$ MSSP logs$,$ Change Management tickets$)$

$4\mathrm{.}2.$ How would the handling of this incident change if the team found that the database server had

been running a packet sniffer and capturing passwords from the network?

Response: $($e$.$g$.,$ Administrative$/$Privileged and non$-$administrative account passwords would be

changed for all employees.$)$

$4\mathrm{.}3.$ How would the handling of this incident change if the team found that the server was running a

process that would copy a database containing sensitive customer information $($including personally

identifiable information$)$ each night and transfer it to an external address?

Response: $($e$.$g$.,$ Notify appropriate authorities, i$.$e$.$ local PD of potential PII exposure, notify impacted

employees of potential exposure$)$

$4\mathrm{.}4.$ How would the handling of this incident change if the team discovered a rootkit on the server?

Response: $($e$.$g$.,$ Server would be removed from production environment for forensic evidence

collection. All servers would be scanned for identified rootkit. BCP process would be executed for

impacted server.$)$