Incident Response Plan

1. An aviation maintenance school suffered a ransomware attack after a domain admin opened a malicious email, allowing the ransomware to encrypt the entire network.
2. The school's response plan was to pay the ransom to prevent sensitive student data from being leaked, then secure accounts, implement monitoring and updates, and deploy new firewalls and antivirus to prevent future attacks.
3. Lessons learned were to remove daily use of domain admin accounts, strengthen passwords, and be proactive about cybersecurity rather than relying on outdated practices.


INCIDENT RESPONSE PLAN 1

Incident Response Plan.

Tyler Higgins

University of Advancing Technology

Author Note

This paper was prepared for NTS405 – Incident Response, taught by Greg Mile

Incident Response Plan

The Scenario
My company is an aviation maintenance school (this is my real company, but I will call it Aero Mech to cover it) with very relaxed IT staff that never follow cybersecurity best practices. For example, there are multiple users on the network that use a domain admin account for their daily duties. They also have no remote monitoring and management solution in place, and their update management solution is improper. Worst of all, they do not rotate or use complex passwords to keep highly privileged accounts secured. All this has led to a ransomware attack on the network and the complete shutdown of the network.

The Events
In this scenario, one of the domain admins, who is not IT staff, has been tricked into opening a malicious email that contained ransomware. This was a new type of ransomware, and it was able to bypass the anti-virus solution used by the school. Because the victim had domain admin permissions, this one attack was able to propagate through the entire network, encrypting every system connected when the attack was launched, plus any new devices that may connect later.

Next, once all the data has been encrypted by the ransomware, the company is faced with a major challenge: pay the ransom or risk the data being leaked on the dark web. Since this is a school, the data that has been encrypted is not just employee and company data; it is also student data that is protected by federal laws, FERPA for example. The good news is that Aero Mech has decent data backups that are stored offsite, and the systems they use are hosted at their corporate offices. The only danger Aero Mech is facing is the release of protected student information and employee files.

The Response
This is a multi-level response plan. The first part of the response is to pay the ransom, since we cannot afford the damage to our reputation from a massive data leak of student information. While it is not best to pay a ransom, since it will make you a larger target in the future, it is the only option Aero Mech can pick to keep the student data safe.

Once the ransom has been paid and the decryption key has been received, the data can be fully recovered. Now that the data has been recovered, we must prevent this type of attack from happening again. To do this, the first step is to remove the standard practice of running domain admin accounts as daily-driver accounts and reduce the number of people that have access to the credentials of the domain admin account. Passwords will be changed, and a new password policy will be put in place, not just for the domain admin account but for all accounts, that will set a minimum length along with complexity requirements. To be extra safe, passwords will also be changed every 90 days.
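One way to carry out the account-hardening steps above (audit who sits in Domain Admins and whether those accounts are in daily use, then set the domain password policy), written here as an added PowerShell example and not taken from the paper. The paper only specifies the 90-day rotation; the minimum length of 14, the password history count, the 7-day "daily use" window and the -Apply switch are this example's assumptions.

```powershell
param([switch]$Apply)   # without -Apply the script only reports what it would change
Import-Module ActiveDirectory

# 1. Audit Domain Admins: who is in it, and does the account look like a daily driver?
$Now     = Get-Date
$Members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
           Where-Object objectClass -eq 'user' |
           Get-ADUser -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires
foreach ($User in $Members) {
    $Flags = @()
    # A logon within the last 7 days (assumed window) suggests day-to-day use of the admin account.
    if ($User.LastLogonDate -and $User.LastLogonDate -gt $Now.AddDays(-7)) { $Flags += 'logged on this week' }
    if ($User.PasswordNeverExpires) { $Flags += 'password never expires' }
    if ($User.PasswordLastSet -and $User.PasswordLastSet -lt $Now.AddDays(-90)) { $Flags += 'password older than 90 days' }
    '{0,-24} {1}' -f $User.SamAccountName, ($Flags -join '; ')
}

# 2. Domain-wide password policy: minimum length, complexity and 90-day rotation as the paper describes.
#    The paper states no minimum length; 14 and the history count are this example's assumptions.
$Domain = (Get-ADDomain).DNSRoot
$Policy = @{
    MinPasswordLength    = 14
    ComplexityEnabled    = $true
    MaxPasswordAge       = (New-TimeSpan -Days 90)
    MinPasswordAge       = (New-TimeSpan -Days 1)   # stops immediate cycling back to an old password
    PasswordHistoryCount = 24
}
if ($Apply) {
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain @Policy
    Get-ADDefaultDomainPasswordPolicy -Identity $Domain   # show the policy now in force
} else {
    "Would apply the following to $Domain (re-run with -Apply):"
    $Policy
}
```

Run the report first from a domain-joined admin workstation; any Domain Admins member flagged as logged on this week is a candidate for a separate, unprivileged day-to-day account.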

Now that all the accounts have been secured, it is time to move on to the rest of the network. The update solution that is not working will be replaced with a simple PowerShell script that will be run daily as a scheduled task to check for and install updates. A proper remote monitoring and management solution, like Pulseway, will also be deployed to monitor our network for patches and to help in case a user has an issue.
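An added example of the daily update task described above (not the paper's own script): it drives the Windows Update Agent COM API and, when run once with -Register, schedules itself to run daily as SYSTEM. The log path, task name and 3 am run time are assumptions.

```powershell
param([switch]$Register)   # -Register creates the daily task; a plain run does the update check

# One-time setup (run elevated): .\Invoke-DailyUpdates.ps1 -Register
if ($Register) {
    $Action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -NonInteractive -File `"$PSCommandPath`""
    $Trigger   = New-ScheduledTaskTrigger -Daily -At 3am
    $Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'AeroMech Daily Updates' -Action $Action `
        -Trigger $Trigger -Principal $Principal -Force | Out-Null
    return
}

# Daily run: log to a dated file so the RMM tool (or a person) can verify the task actually ran.
$LogDir = 'C:\AeroMech\Logs'   # assumed path
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$Log = Join-Path $LogDir ('updates-{0:yyyyMMdd}.log' -f (Get-Date))
function Write-Log([string]$Message) { Add-Content -Path $Log -Value "$(Get-Date -Format s) $Message" }

# Windows Update Agent COM API: search for software updates that are not yet installed.
$Session  = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
$Result   = $Searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
Write-Log "Found $($Result.Updates.Count) applicable update(s)"
if ($Result.Updates.Count -eq 0) { return }

$Queue = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($Update in $Result.Updates) {
    if (-not $Update.EulaAccepted) { $Update.AcceptEula() }
    Write-Log "Queued: $($Update.Title)"
    [void]$Queue.Add($Update)
}

# Result codes: 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted.
$Downloader = $Session.CreateUpdateDownloader()
$Downloader.Updates = $Queue
Write-Log "Download result: $($Downloader.Download().ResultCode)"

$Installer = $Session.CreateUpdateInstaller()
$Installer.Updates = $Queue
$Install = $Installer.Install()
Write-Log "Install result: $($Install.ResultCode); reboot required: $($Install.RebootRequired)"
```

The script does not reboot on its own; check the log's "reboot required" line and schedule restarts through the RMM tool so a half-applied patch does not sit on a machine for weeks.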

Lastly, as a final step to help keep our network safe, we will be deploying a more in-depth firewall solution and anti-virus system. We will be using a complete endpoint defense and recovery solution like the SentinelOne Singularity XDR system to prevent ransomware attacks and to allow a better look into our network.

Conclusion
In conclusion, nowadays we cannot be relaxed and just simply do what we have always done when it comes to cybersecurity and defense. We must be proactive when it comes to defending our systems, and using old practices to keep a modern network safe is a recipe for disaster. While I did use my real company for this paper, I truly hope this type of event never happens to our campus or any campus tied to our corporation. I know that if this were to happen it would most likely be the end of our company, or at the very least it would cost a lot to recover from an attack like the one outlined in this paper. I also truly hope my corporate IT team gets their heads out of their backsides and gets with the times to keep our networks safer than they currently are.

References

Pulseway. (n.d.). Pulseway RMM Software | Remote Monitoring and Management. https://www.pulseway.com/

Singularity XDR. (2020, October 28). SentinelOne. https://www.sentinelone.com/platform/singularity-xdr/
