Capstone Project: Incident Investigation

Project Overview

This project documents a full incident investigation conducted for a simulated cloud services environment. The investigation analyzed a confirmed administrative account compromise that occurred on July 6, 2024.

The final report included technical log analysis, attacker behavior reconstruction, business impact assessment, and strategic security recommendations.

Problem Statement

The primary problem was to determine:

  • How an attacker gained administrative access

  • What systems and data were affected

  • Whether persistence mechanisms were established

  • The potential business impact of the compromise

  • What remediation and prevention steps were necessary

Log evidence showed:

  • 744 failed login attempts from a single IP address

  • A successful administrative login

  • Cron job modification attempts

  • Deletion of system log files

Because the attacker gained admin-level access, the potential damage was assessed as high risk.

Approach & Methodology

The investigation followed a structured incident response methodology.

  1. Log Correlation

    • Reviewed auth.log for authentication anomalies

    • Identified brute-force patterns

    • Correlated IP activity across multiple log sources

  2. Alert Analysis

    • Analyzed reconnaissance alerts targeting SSH and MySQL

    • Identified scanning behavior prior to compromise

  3. Audit Log Forensics

    • Identified crontab modification attempts

    • Detected log deletion activity

    • Investigated defense evasion techniques

  4. Timeline Reconstruction

    The full attack chain was rebuilt in chronological order:

    Reconnaissance → Brute Force → Successful Login → Persistence Attempts → Log Deletion

  5. MITRE ATT&CK Mapping

    The attack techniques were mapped to the MITRE ATT&CK framework to classify:

    • Network Service Discovery

    • Brute Force

    • Valid Account Abuse

    • Scheduled Task Persistence

    • Indicator Removal

This structured methodology ensured that all conclusions were supported by forensic evidence.
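As an added illustration of steps 1, 3 and 4 (log correlation, audit log forensics and timeline reconstruction), the script below is example code written for this page, not part of the capstone report. It parses constructed auth.log lines in the usual sshd syslog style and constructed audit entries in a simplified key=value form (an assumption; real auditd records are more verbose), flags the IP with a burst of failures, finds the accepted login that followed it, and attaches later cron and log-deletion actions by that same account. Host names, user names, IP addresses, the failure threshold and the 2024 year used for the syslog timestamps are all assumptions chosen for the example; the ATT&CK IDs are the public identifiers for the techniques named in the report's mapping.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample auth.log lines (Debian/Ubuntu sshd syslog style).
# Host name, user names and IP addresses are placeholders, not values from the report.
SAMPLE_AUTH_LOG = """\
Jul  6 02:11:01 cloud-host sshd[2101]: Failed password for invalid user oracle from 203.0.113.45 port 51022 ssh2
Jul  6 02:11:03 cloud-host sshd[2103]: Failed password for root from 203.0.113.45 port 51024 ssh2
Jul  6 02:11:05 cloud-host sshd[2105]: Failed password for admin from 203.0.113.45 port 51026 ssh2
Jul  6 02:11:07 cloud-host sshd[2107]: Failed password for admin from 203.0.113.45 port 51028 ssh2
Jul  6 02:11:09 cloud-host sshd[2109]: Failed password for admin from 203.0.113.45 port 51030 ssh2
Jul  6 02:11:11 cloud-host sshd[2111]: Accepted password for admin from 203.0.113.45 port 51032 ssh2
Jul  6 02:30:00 cloud-host sshd[2200]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2
"""

# Constructed audit entries in a simplified key=value form (an assumption made
# for this example; real auditd records are more verbose but carry the same fields).
SAMPLE_AUDIT_LOG = """\
Jul  6 02:14:20 cloud-host audit[2150]: user=admin action=crontab_edit path=/var/spool/cron/crontabs/root result=denied
Jul  6 02:15:02 cloud-host audit[2152]: user=admin action=unlink path=/var/log/auth.log.1 result=success
Jul  6 02:35:10 cloud-host audit[2210]: user=deploy action=unlink path=/tmp/build.tar result=success
"""

LOG_YEAR = 2024  # syslog timestamps carry no year; the incident date supplies it

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
AUDIT_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ audit\[\d+\]: (?P<kv>.*)$")


def parse_ts(raw):
    return datetime.strptime(f"{LOG_YEAR} {raw}", "%Y %b %d %H:%M:%S")


def parse_auth(text):
    """Turn sshd lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "result": m["result"],
                           "user": m["user"], "ip": m["ip"]})
    return events


def parse_audit(text):
    """Turn key=value audit lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if m:
            fields = dict(kv.split("=", 1) for kv in m["kv"].split())
            fields["ts"] = parse_ts(m["ts"])
            events.append(fields)
    return events


def brute_force_sources(auth_events, threshold):
    """IPs with at least `threshold` failed logins: the brute-force candidates."""
    failures = Counter(e["ip"] for e in auth_events if e["result"] == "Failed")
    return {ip: n for ip, n in failures.items() if n >= threshold}


def compromised_logins(auth_events, threshold):
    """Accepted logins from an IP that had already failed `threshold` or more
    times. A success right after a burst of failures is the signal that the
    brute force worked; an accepted login with no prior failures is left alone."""
    seen_failures = Counter()
    hits = []
    for e in sorted(auth_events, key=lambda e: e["ts"]):
        if e["result"] == "Failed":
            seen_failures[e["ip"]] += 1
        elif seen_failures[e["ip"]] >= threshold:
            hits.append(e)
    return hits


# Post-compromise audit actions of interest, labelled with the ATT&CK techniques
# from the report's mapping (public ATT&CK identifiers).
SUSPICIOUS_ACTIONS = {
    "crontab_edit": "Scheduled Task/Job: Cron (T1053.003)",
    "unlink": "Indicator Removal (T1070)",
}


def build_timeline(auth_events, audit_events, threshold=3):
    """Correlate the two sources: the brute-force burst, each accepted login that
    followed it, and later audit actions by that same account, in time order."""
    timeline = []
    for ip, n in brute_force_sources(auth_events, threshold).items():
        first = min(e["ts"] for e in auth_events if e["ip"] == ip and e["result"] == "Failed")
        timeline.append((first, "auth.log", f"Brute Force (T1110): {n} failures from {ip}"))
    for login in compromised_logins(auth_events, threshold):
        timeline.append((login["ts"], "auth.log",
                         f"Valid Accounts (T1078): {login['user']} accepted from {login['ip']}"))
        # Only actions by the compromised account, after its login, are attributed to the intrusion.
        for a in audit_events:
            if a["user"] == login["user"] and a["ts"] > login["ts"] and a["action"] in SUSPICIOUS_ACTIONS:
                timeline.append((a["ts"], "audit.log",
                                 f"{SUSPICIOUS_ACTIONS[a['action']]}: {a['action']} {a['path']} ({a['result']})"))
    return sorted(timeline)


if __name__ == "__main__":
    for ts, src, desc in build_timeline(parse_auth(SAMPLE_AUTH_LOG), parse_audit(SAMPLE_AUDIT_LOG)):
        print(ts.isoformat(), src, desc)
```

The threshold is deliberately low so the sample data triggers it; against a real auth.log with hundreds of failures it would be set much higher, and the `deploy` user's unrelated file deletion shows why the audit evidence is keyed to the compromised account and login time rather than to every deletion on the host.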

Tools & Technologies Used

Analysis Tools

  • Linux system log files (auth.log, audit.log, alerts.log)

  • SSH authentication subsystem

  • Cron scheduling subsystem

What I Learned

Technical Skills Gained

  • How brute-force attacks appear in authentication logs

  • How attackers attempt persistence using cron jobs

  • How log deletion is used as a defense evasion technique

  • How to reconstruct an attack timeline from fragmented evidence

  • How to correlate multiple log sources to validate compromise

Strategic & Business Insights

  • Admin-level compromise dramatically increases risk exposure

  • Log integrity is critical for forensic visibility

  • Incident response must include both technical remediation and executive decision-making

  • Security improvements must be prioritized by risk and business impact

  • Regulatory and reputational impacts can exceed direct technical damage

Professional Growth

This project strengthened my ability to:

  • Perform structured incident investigations

  • Analyze attacker behavior

  • Translate technical findings into executive-level communication

  • Develop prioritized remediation roadmaps

  • Think strategically about cybersecurity risk management

Project Outcome

The final deliverable included:

  • Executive summary for leadership

  • Technical forensic analysis

  • MITRE ATT&CK technique mapping

  • Business impact assessment

  • Short-, medium-, and long-term remediation roadmap

This project demonstrates my ability to perform incident investigation, analyze security events, assess organizational risk, and recommend practical security improvements.

Project File