1. Critical awareness of the legal, ethical and professional issues involved in incident response investigation.
2. Evaluate and apply appropriate technological solutions and processes in the detection, management and investigation of information and system security incidents.
3. Critically evaluate and apply digital forensic methodology to cyber security incidents and commercial investigation; establish an audit trail, documenting a digital investigation from a legal and professional perspective.
4. Ensure all actions undertaken are Association of Chief Police Officers (ACPO) Principles of Digital Evidence compliant.
Coursework Motivation
This coursework is designed to assess your research and analytical abilities. Often, in the course of your career, you will find that you are faced with new technologies and concepts. Such situations will require you to conduct research and investigation to evaluate new tools and techniques. This requires a degree of independence of thought, and building confidence in new approaches based on technical design. Your analytical abilities will be called into question almost daily and you will often be faced with challenges under economic, social, legal and ethical constraints.
For the sake of consistency, specific locations in your answers should be referred to by the labels used above. It would be wise to label, and so clarify, the particular locations you refer to, including particular interfaces on the firewall, the routers (as there are multiple), the links between routers and switches, and so on.
Question 1 (Detecting reconnaissance)
The client is particularly vulnerable to insider attacks including sabotage (disruption and destruction) and espionage (stealing sensitive information). To detect any such attacks, it is important that the client has effective measures in place. You are asked to evaluate the level of exposure for servers from insiders. Of particular interest here is network reconnaissance (scanning) activity that originates internally.
Describe what data you would prefer to collect and at what points on the network. You are expected to adopt a systematic approach in which you justify why you are collecting the various types of data and where. Also explain how potential intruders (insiders on the network) can collect and use reconnaissance data for malicious purposes.
To support the above activity, what tools would you use and what type of activity would you configure them to detect? Your answer is expected to prescribe tools that the client may wish to use and adopt in the future. Your client would appreciate suggestions for the configuration of such tools to assist in the efficient collection, logging and analysis of the data collected.
This is a high-volume network and parts of it get very busy at peak times. Any activity that collects traffic from the network would be a challenge. In the context of the above activity, discuss relevant strategies to help overcome the problem of scale.
Question 2 (Statistical Data collection)
Session data and statistical data are two standard forms of data collected over networks. Discuss both forms of data briefly and present a justification for the collection of each. How could each type help you understand whether a potential intrusion is taking place? In Figure 1, identify three locations of strategic interest for collecting statistical data. What statistics are you proposing to collect? Justify your choice. Describe what tools and configuration you will use for collection.
Question 3 (Snort or Zeek?)
A senior network administrator on the client site is considering deploying various IPSs across the network to
This document is for Coventry University students for their own use in completing their assessed work for this module and should not be passed to third parties or posted on any website. Any infringements of this rule should be reported to
Use your research skills to help the colleague make an informed decision. Find out more about Zeek (Bro). What protocol analysis and content searching/matching features does it offer? Snort comes with high recommendations from the security community. What makes it a popular choice? Your answer should facilitate a clear decision.
Question 4 (Responding to an Incident)
The SOC team has detected and confirmed an incident, with the following events having been initially correlated: suspicious out-of-office-hours activity (including an external flash drive being attached) on a workstation connected to gateway 15; the opening of a large number of files on a file server connected to gateway 11; and a large volume of traffic between the workstation and a DB server connected to gateway 5.
Based on the advice you provided in Question 1, which of the data that has been collected will be relevant to this case, and what evidence do you expect to derive from it?
This is an ongoing incident, and as part of the Incident Response you have been asked to advise on whether they need to start collecting any additional data and, if so, what type and from where (both network-based and from end-points); this is in addition to the advice you provided in Question 1. The approach you advise should be forensically sound so that any evidence collected can be used in court.
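The three correlated events in this scenario, as an added illustration that is not part of the brief or of any client system: a small correlation over constructed endpoint and session records. The gateway numbers (15, 11, 5) come from the question; the host names, timestamps, record shape and thresholds are assumptions.

```python
from datetime import datetime, time

# Constructed endpoint events: (timestamp, host, host's gateway, event kind).
ENDPOINT_EVENTS = [
    ("2024-03-02T02:14:00", "ws-gw15-07", 15, "usb_mass_storage_attached"),
    ("2024-03-02T02:15:10", "ws-gw15-07", 15, "logon"),
    ("2024-03-02T10:00:00", "ws-gw15-03", 15, "usb_mass_storage_attached"),
]

# Constructed session records (conn.log-like, with a file-open count added):
# (timestamp, src host, dst host, dst gateway, service, bytes, files opened).
SESSIONS = [
    ("2024-03-02T02:20:00", "ws-gw15-07", "fs-gw11-01", 11, "smb", 3_000_000, 412),
    ("2024-03-02T02:31:00", "ws-gw15-07", "db-gw05-01", 5, "mysql", 850_000_000, 0),
    ("2024-03-02T10:05:00", "ws-gw15-03", "fs-gw11-01", 11, "smb", 40_000, 6),
    ("2024-03-02T10:07:00", "ws-gw15-03", "db-gw05-01", 5, "mysql", 2_000_000, 0),
]


def out_of_hours(ts: str, start: time = time(8, 0), end: time = time(18, 0)) -> bool:
    """True when the ISO timestamp falls outside the assumed office hours."""
    t = datetime.fromisoformat(ts).time()
    return not (start <= t < end)


def correlate(endpoint_events, sessions, file_threshold=200, byte_threshold=500_000_000):
    """Return {workstation: indicators} for hosts that match all three events.

    Thresholds are assumptions; in practice they come from a baseline of the
    statistical data collected under Questions 1 and 2.
    """
    hits = {}
    for ts, host, gw, kind in endpoint_events:
        if gw == 15 and kind == "usb_mass_storage_attached" and out_of_hours(ts):
            hits.setdefault(host, set()).add("gw15_out_of_hours_usb")
    for ts, src, dst, gw, service, nbytes, files in sessions:
        if gw == 11 and files >= file_threshold:
            hits.setdefault(src, set()).add("gw11_mass_file_open")
        if gw == 5 and nbytes >= byte_threshold:
            hits.setdefault(src, set()).add("gw5_bulk_db_transfer")
    return {host: inds for host, inds in hits.items() if len(inds) == 3}


if __name__ == "__main__":
    for host, inds in correlate(ENDPOINT_EVENTS, SESSIONS).items():
        print(host, sorted(inds))
```

A single indicator on its own (a daytime USB attach, a handful of SMB file opens) is left alone; only the full chain across the three gateways is reported, which mirrors how the SOC arrived at this incident.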
Question 5 (Advanced persistent threats (APTs))
After devising your monitoring solution, you are asked to demonstrate how effective it is. Consider the following three issues:
What kind of penetration testing would you recommend in order to determine whether the system is working according to its specification and goals? Explain the types of tests to be performed, who should conduct them, where, and when.
Are there any concerns that the company should consider with respect to the qualifications of the testers? Review the kinds of certification, knowledge base and toolset experience you would look for to ensure that the testers are up to the job.
APT attacks are an increasing threat. What mechanisms of your proposed monitoring system would address these particular threats? Give some description of the kind of APT behaviour you may observe and how your monitoring deployment could detect or prevent it.
Question 6 (Cost effectiveness)
Security, be it in terms of equipment, human effort or inconvenience, has a cost. Fact! Security, therefore, involves trade-offs. Another fact!
Your recommendations, in your answers for questions 1, 2, 3 and 5, entail significant costs in terms of:
a) Equipment, including hardware, software and training resources,
b) Human, including manual configuration and steering of monitoring operations, and training, and
c) Inconvenience, in terms of disruption to normal operations.