In the first scenario, Sharon receives booking requests on a daily basis via a Hotmail account. However, her laptop lacks a firewall and an Avast virus scanner, while her virus diagnostics and system updates are now out of the current. Having received an official-looking mail, she opened the embedded attachment and, as a result, her computer has been infected. It seems that Sharon’s computer suffered a security attack, which led to the breach. Specifically, Sharon has been provoked by a phishing attack, a social manipulation security exploit that seeks to deceive victims into disclosing confidential or valuable information (Rapid7, n.d.). Attacks targeting users’ login passwords, financial details (such as bank accounts and payment data), business emails, and anything else that might possibly be profitable. A phishing assault is frequently used to describe a broad attack aiming at a large group of individuals. To phish their victims, attackers employ various methods, including email, which probably contained malware in the file that Sharon had opened. The particular malware in the case is Locky ransomware infection (BleepingComputer, 2018). Locky has encrypted Sharon’s files and now will demand payment from her for renewal access.
Rebyc Systems’ IT Manager is Bruce, who believes the company has a safety system in place, including the usage of a VPN, up-to-date virus software, and a private firewall. A website, DNS server, database system, and storage services are all hosted by the system. Presently, it appears that the system has been corrupted (due to Error 503 Service Unavailable) and is functioning incredibly slowly. Although Bruce supposes it to be a denial-of-service attack, the breach might be caused by a lack of compatibility among the components of the system. Namely, it is most likely to be a DNS failure. When clients cannot register to an IP address using a web domain, this is referred to as a DNS failure. A notification that indicates “DNS server not available” or “Server DNS Address could not be located” usually appear (Hennigan, 2021). There could be multiple potential causes of DNS failure, but Bruce’s issue demonstrates signs of VPN leading to the errors. The VPN connection seems to be established with the local DNS server instead of the VPN server. Thus, the hostname of the remote VPN network cannot be determined with this setup.
The investigation of the situations supposes human involvement that frequently entails reviewing logs generated by different protection, communication, and infrastructure devices, contacting the person who reported the occurrence, and doing a general assessment of the issue. In Sharon’s case, several pointers can be used to identify possibly infected computers in an automated manner. According to Infosec Resources (2022), the registry key shown below has been implemented and could be detected:
“HKEY_CURRENT_USERSoftwareLocky
“id” = < Personal Identification ID>
“pubkey” =
“paytext” =
“completed” = “0x1” [This value will be added after completion of encryption]” (para. 25).
Moreover, one could investigate registry entry for the presence of Trojan. This operation can be done by checking the Windows registry through Win+R, Regedit, Registry Editor, HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion. As for the containment, the first step should be to disable infected PCs from any internet connections, whether cable or wireless, as soon as possible. Next, one must reset usernames and passwords (particularly for administrator and other platform credentials), but make sure they are available for recovery. After that, it is necessary to clean the infected machine safely and reset the operating system. Moreover, one must verify that malware is wiped by checking the registry log and then restoring the files from backup if it is possible. However, it might be unavailable if the files are synced in the cloud and encrypted before the system is unplugged. Finally, one can connect Sharon’s computer to a secure connection to obtain, download, and renew the operating system and all other applications.
Furthermore, Bruce’s situation could be investigated in a similar way. Although it is likely that the problem is caused by VPN running over DNS, there is still a possibility that malware contaminated the server. The very first thing one should check is whether there is a server-side issue. To determine the state of the website users are attempting to access, one can employ site up or down checker applications from other devices than the company’s computers.
Pipeline logs are a valuable resource for investigating the reason for pipeline breakdowns. Reviewing the logs in the finished production or launch is a good start. Then, one should navigate the network run breakdown and choose the task and process to examine logs. After that, the analyst might examine fails the operation logs if it. In addition to reading logs with the pipeline output summary, users may download entire logs, including more diagnostics and set more robust logs to aid in debugging (Microsoft, 2022). One can check if an online VPN operates at the same base as the IP stack and if the DNS server information is configured individually. It can be determined if there are any DNS leaks caused by the VPN service by opening the DNS leak detection website and running the test. Finally, the containment process is the same as Sharon’s situation if malware is detected. To contain the leak, if it was detected, one should change the VPN provider, wipe DNS cash and use the VPN’s DNS servers, setting the settings to Default.
After the investigation and containment phase of the analysis, one can begin to assess the impact of the breach. The situation that occurred to Sharon’s computer is a frequent cause, and general assumptions about the effect of malware can be made. Namely, Locky has generated a Windows registry entry to hold configuration information. Next, it has checked the computer’s native, external, mapped, and unmapped connection resources for encrypted file types. When a file is encoded, it introduces random AES private keys and uses them to encrypt the data (BleepingComputer, 2018). This AES access code is then protected further by the RSA key obtained from the Command & Control system.
The private key will then include the RSA encoded AES key. When the malware has completed scanning the computer, it will try to destroy all shadow volume copies on the afflicted PC. This prevents users from using shadow volume backups to recover their encrypted files. However, it is yet possible to restore some lost information without paying the ransom demanding individual. To retrieve Locky encrypted files, one can use remote backup, data recovery tools, or shadow volume copies if containment has been done in time.
In case Bruce’s company’s server experiences a malware attack, the impact is determined by the ability to recover the access. It is possible that the files kept in the server’s storage are encrypted, although, as was mentioned before, they can be recovered. If there is an incompatibility between VPN and DNS, it is doubtful that the VPN connection is linked to the ISP’s network to answer any query, thus, every request is likely to be rejected. However, this problem can be quickly addressed, and the impact of DNS failure is minimal.
The worst situation might be a DNS leak: attackers may trace the device’s IP address, see what pages users access, and observe all online activity. DNS entries can be used for surveillance, monitoring, restricting internet access, and even legal prosecution. Since Rebyc Systems provides data removal services, its activity can be compromised if the customers’ files are leaked. Other privacy risks might arise as a result of DNS breaches. The ISP, for instance, may sell personal surfing data to advertisers or, even worse, phishers. Unfortunately, it is not possible to encrypt the files and data that the intruders have already obtained, but one can stop further leaking.
Recovery of the files in Sharon’s device is possible only after the containment of malware has been done. After that and installing the operating system and other software, one can try several methods to access the encrypted files. The first and most effective solution is to retrieve the files from a recent backup. Yet, it is not likely that Sharon has been performing backups. Next, if the files were not wiped successfully, one should try retrieving them using shadow volumes. Locky encodes a file by making copies of it, encrypting the duplicate, and deleting the source. As a result, users may be able to restore some of their original data using file recovery tools, including R-Studio or Photorec (BleepingComputer, 2018). If Sharon enabled System Restoration on the computer, Windows produces shadow copy shots that comprise copies of data from the moment the platform restore snap was produced. These backups may enable one to convert an initial version of our data before being encrypted.
For Bruce, the recovery process depends on the type of problem revealed during the investigation. First, one should check DNS settings, namely, require the necessary DNS settings from a system administrator or ISP. When one has the settings, it is necessary to compare them to the ones on the machine to ensure they are right. If the issue is the VPN error, one must update the VPN, ascertain that the network adapter settings are accurate, and make sure that DNS storage is cleaned. After the internet connection is examined, the VPN protocol must be modified. Finally, if the DNS leak is found, it can be recommended to run anti-malware software and use a reliable VPN that can prevent access to harmful web domains. It is preferable to utilize a licensed VPN service. As a result, the program will automatically handle any VPN DNS difficulties. It is critical to keep the domain name operational and a trustworthy ISP in accordance with all applicable demands of the company.
The practice of informing consumers when a service is suffering an outage or poor performance is known as incident communication and notification. Since both Sharon and Bruce have customers whose satisfaction with the benefits of the providers depends on the work of the digital system of the individuals, it is vital to notify them in case of trouble. If one keeps their consumers informed of what is going on and one is doing to resolve the issue, they will appreciate and have a far less negative response to the entire scenario. For example, Sharon might share information about the inactivity of her Hotmail due to malware infection through social media, communicating to her clients that the issue is to be solved. Since Bruce’s company probably serves more clients, he can offer the audience the opportunity to subscribe to email updates about the situation after notifying them, for example, by SMS. It is necessary that Bruce and his team communicate the leak (if this is the problem) to the customers in simple terms and guarantee that the data of the clients are safe.
Finally, after all the phases of incidence response have been completed, it is necessary to do an evaluation and improvement measures. Before all, this process includes the installment of the software that detects and prevents the breaches and leaks that damaged the system in the first place. In the case of Sharon, installing anti-virus software is one of the essential strategies to guard against malware. Anti-virus software helps safeguard any device from dangerous malware that might compromise the system. It will check the computer for malware and clean it up, as well as provide automatic updates to protect users from newly generated infections. In order to configure anti-virus programs, it is critical to keep the software up to date in order to prevent attackers from obtaining access to the computer through weaknesses in older and obsolete systems. The security software will guarantee the correct evaluation of Sharon’s computer recovery.
A firewall is another approach to safeguard a device from infection. A firewall protects a private computer system from harmful assaults by preventing unauthorized access into or out of the network. In conjunction with anti-virus software, a firewall acts as an additional barrier against malware, lowering the likelihood of an attack. Backing up on a regular basis ensures that one can still recover all of their precious files and documents if their computer becomes infected with ransomware or other viruses. This will assist in limiting any harm and prevent one from being a victim of a ransomware assault. Firewall and backup software will make Sharon’s device more sustainable and improved in terms of data storage.
Bruce’s issue with DNS can be addressed by similar suggestions regarding security but different software choices. The best option to disguise the actual IP address and protect the connection between the website and DNS servers is to use a secure and dependable VPN. Not every VPN service has the technological infrastructure to successfully prevent DNS difficulties. When purchasing a VPN, one should always check whether it includes a DNS leak protection option. One should make use of VPN monitoring software to evaluate the effectiveness of these measures. VPN monitoring software analyses crucial parameters to maintain the security of the VPN tunnel. They ensure that all DNS requests are routed through a VPN connection and that the user’s actual IP address is not accessed. Finally, it is recommended to employ cloud DNS servers, use private browsers, and use a firewall to deactivate DNS for improvement.
Reference List
BleepingComputer. (2016) Locky ransomware information, help guide, and FAQ.
Hennigan, L. (2021) What is DNS failure? Forbes Advisor.
Infosec Resources. (2022) Case study of phishing for data theft/ransom: Locky ransomware.
Rapid7. What is phishing? Phishing attacks explained.
Microsoft. (2022) Review logs to diagnose pipeline issues. Azure Pipelines.