.. include:: global.rst

==============================================
Capstone Project: Incident Investigation
==============================================

Project Overview
================

This project documents a full incident investigation conducted for a simulated cloud services environment. The investigation analyzed a confirmed administrative account compromise that occurred on July 6, 2024.

The final report included technical log analysis, attacker behavior reconstruction, business impact assessment, and strategic security recommendations.

Problem Statement
=================

The primary problem was to determine:

- How an attacker gained administrative access
- What systems and data were affected
- Whether persistence mechanisms were established
- The potential business impact of the compromise
- What remediation and prevention steps were necessary

Log evidence showed:

- 744 failed login attempts from a single IP address
- A successful administrative login
- Cron job modification attempts
- Deletion of system log files

Because the attacker gained admin-level access, the scope of potential damage was considered high risk.

Approach & Methodology
======================

The investigation followed a structured incident response methodology.

1. Log Correlation

   - Reviewed ``auth.log`` for authentication anomalies
   - Identified brute-force patterns
   - Correlated IP activity across multiple log sources

2. Alert Analysis

   - Analyzed reconnaissance alerts targeting SSH and MySQL
   - Identified scanning behavior prior to compromise

3. Audit Log Forensics

   - Identified crontab modification attempts
   - Detected log deletion activity
   - Investigated defense evasion techniques

4. Timeline Reconstruction

   The full attack chain was rebuilt in chronological order:

   Reconnaissance → Brute Force → Successful Login → Persistence Attempts → Log Deletion

5. MITRE ATT&CK Mapping

   The attack techniques were mapped to the MITRE ATT&CK framework to classify:

   - Network Service Discovery
   - Brute Force
   - Valid Account Abuse
   - Scheduled Task Persistence
   - Indicator Removal

This structured methodology ensured that all conclusions were supported by forensic evidence.

Tools & Technologies Used
=========================

Analysis Tools
--------------

- Linux system log files (``auth.log``, ``audit.log``, ``alerts.log``)
- SSH authentication subsystem
- Cron scheduling subsystem

Security Controls Recommended
-----------------------------

- SIEM solution (e.g., Splunk)
- Multi-Factor Authentication (MFA)
- Network segmentation
- Vulnerability scanning
- Penetration testing
- Adoption of the NIST Cybersecurity Framework (CSF)

What I Learned
==============

Technical Skills Gained
-----------------------

- How brute-force attacks appear in authentication logs
- How attackers attempt persistence using cron jobs
- How log deletion is used as a defense evasion technique
- How to reconstruct an attack timeline from fragmented evidence
- How to correlate multiple log sources to validate compromise

Strategic & Business Insights
-----------------------------

- Admin-level compromise dramatically increases risk exposure
- Log integrity is critical for forensic visibility
- Incident response must include both technical remediation and executive decision-making
- Security improvements must be prioritized by risk and business impact
- Regulatory and reputational impacts can exceed direct technical damage

Professional Growth
-------------------

This project strengthened my ability to:

- Perform structured incident investigations
- Analyze attacker behavior
- Translate technical findings into executive-level communication
- Develop prioritized remediation roadmaps
- Think strategically about cybersecurity risk management

Project Outcome
===============

The final deliverable included:

- Executive summary for leadership
- Technical forensic analysis
- MITRE ATT&CK technique mapping
- Business impact assessment
- Short-, medium-, and long-term remediation roadmap

This project demonstrates my ability to perform incident investigation, analyze security events, assess organizational risk, and recommend practical security improvements.

Project File
============

.. raw:: html
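The log-correlation, audit-forensics and timeline-reconstruction steps described under Approach & Methodology can be scripted. The Python program below is an added illustration and is not part of the capstone deliverable or its logs. It parses ``auth.log``-style sshd lines and simplified audit lines, counts failed logins per source IP, flags a successful login from an IP that had already crossed a failure threshold, tags crontab replacement and log-file unlink events as persistence and indicator removal, and assembles everything into the chronological chain the investigation used (Brute Force → Successful Login → Persistence Attempts → Log Deletion). Every sample line, the host ``web01``, the IP addresses, the threshold of 5 (the real case had 744 failures), and the audit line format are constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input (not from the original investigation). The
# auth.log lines mimic OpenSSH sshd messages; the audit lines use a
# simplified syslog-style format chosen for this example.
SAMPLE_AUTH_LOG = """\
Jul  6 02:14:01 web01 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Jul  6 02:14:03 web01 sshd[2203]: Failed password for root from 198.51.100.23 port 51024 ssh2
Jul  6 02:14:05 web01 sshd[2205]: Failed password for root from 198.51.100.23 port 51026 ssh2
Jul  6 02:14:07 web01 sshd[2207]: Failed password for root from 198.51.100.23 port 51028 ssh2
Jul  6 02:14:09 web01 sshd[2209]: Failed password for root from 198.51.100.23 port 51030 ssh2
Jul  6 02:15:40 web01 sshd[2301]: Accepted password for root from 198.51.100.23 port 51200 ssh2
Jul  6 02:16:02 web01 sshd[2310]: Accepted publickey for deploy from 10.0.0.15 port 40012 ssh2
"""

SAMPLE_AUDIT_LOG = """\
Jul  6 02:17:10 web01 crontab[2350]: (root) BEGIN EDIT (root)
Jul  6 02:17:15 web01 crontab[2350]: (root) REPLACE (root)
Jul  6 02:19:44 web01 audit[2401]: SYSCALL unlink path=/var/log/auth.log.1 uid=0 comm="rm"
"""

LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for this sample

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")


def parse_line(line):
    """Split one syslog-style line into timestamp, host, process and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}


def parse_log(text):
    """Parse every well-formed line; unparseable lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def failed_logins_by_ip(events):
    """Count 'Failed password' events per source IP (the brute-force signal)."""
    counts = Counter()
    for e in events:
        m = FAILED_RE.search(e["msg"])
        if m:
            counts[m["ip"]] += 1
    return counts


def brute_force_sources(events, threshold):
    """Source IPs whose failure count meets or exceeds the threshold."""
    return {ip: n for ip, n in failed_logins_by_ip(events).items() if n >= threshold}


def successful_logins_after_brute_force(events, threshold):
    """Successful logins from an IP that had already crossed the failure threshold.

    Events are walked in time order with a running per-IP failure count, so a
    success is flagged only when it follows the failures, not when it precedes them.
    """
    running, hits = Counter(), []
    for e in sorted(events, key=lambda x: x["ts"]):
        f = FAILED_RE.search(e["msg"])
        if f:
            running[f["ip"]] += 1
            continue
        a = ACCEPTED_RE.search(e["msg"])
        if a and running[a["ip"]] >= threshold:
            hits.append({"ts": e["ts"], "ip": a["ip"], "user": a["user"],
                         "failures_before": running[a["ip"]]})
    return hits


def classify_audit_event(e):
    """Map an audit line to the investigation's stage name, or None if uninteresting."""
    if e["proc"] == "crontab" and "REPLACE" in e["msg"]:
        return "Persistence Attempt (crontab modified)"
    if "unlink" in e["msg"] and "/var/log/" in e["msg"]:
        return "Log Deletion"
    return None


def build_timeline(auth_events, audit_events, threshold):
    """Chronological chain: Brute Force -> Successful Login -> Persistence -> Log Deletion."""
    timeline = []
    for ip, n in brute_force_sources(auth_events, threshold).items():
        first = min(e["ts"] for e in auth_events
                    if (m := FAILED_RE.search(e["msg"])) and m["ip"] == ip)
        timeline.append((first, "Brute Force", f"{n} failed logins from {ip}"))
    for h in successful_logins_after_brute_force(auth_events, threshold):
        timeline.append((h["ts"], "Successful Login",
                         f"{h['user']} from {h['ip']} after {h['failures_before']} failures"))
    for e in audit_events:
        stage = classify_audit_event(e)
        if stage:
            timeline.append((e["ts"], stage, e["msg"]))
    return sorted(timeline)


if __name__ == "__main__":
    auth = parse_log(SAMPLE_AUTH_LOG)
    audit = parse_log(SAMPLE_AUDIT_LOG)
    for ts, stage, detail in build_timeline(auth, audit, threshold=5):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {stage:<40} {detail}")
```

The running-count design in ``successful_logins_after_brute_force`` matters: an ``Accepted`` event is only tied to the brute force if the failures preceded it, which is what distinguishes an administrator who mistyped a password a few times from a credential-guessing attack that eventually succeeded. The ``deploy`` login from ``10.0.0.15`` in the sample is deliberately left unflagged to show that ordinary key-based logins do not trip the rule.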