5-2 Discussion: Mindset: Incident Response Procedures, Forensics, and Forensic Analysis


 

In the lab activity for this discussion, you assumed different roles. After logging into the lab environment, you proceeded to “Launching an Attack” as a hacker. Once you completed that portion of the lab, you assumed the role of a defender and began the “Collecting Incident Response Data” portion of the lab. You then completed the lab as a defender by collecting log data and analyzing it. For this discussion, let’s add to the scenario as follows:

As part of your system audit, you realize that you have identified a successful remote login from a suspicious IP address located in North Korea. This is a suspicious address because your organization has no ties to North Korea, and no personnel are over there for vacation or business-related travel.

In your initial post, discuss what next steps you should take as a defender.