On a Saturday night, network intrusion detection software records an inbound connection originating
from a watchlist IP address. The intrusion detection analyst determines that the connection is being made
to the organization’s VPN server and contacts the incident response team. The team reviews the intrusion
detection, firewall, and VPN server logs and identifies the user ID that was authenticated for the session
and the name of the user associated with the user ID.
The following are additional questions for this scenario:
1. What should the team’s next step be (e.g., calling the user at home, disabling the user ID,
disconnecting the VPN session)? Why should this step be performed first? What step should be
2. How would the handling of this incident differ if the external IP address belonged to an open
3. How would the handling of this incident differ if the ID had been used to initiate VPN
connections from several external IP addresses without the knowledge of the user?
4. Suppose that the identified user’s computer had become compromised by a game containing a
Trojan horse that was downloaded by a family member. How would this affect the team’s
analysis of the incident? How would this affect evidence gathering and handling? What should
the team do in terms of eradicating the incident from the user’s computer?
5. Suppose that the user installed antivirus software and determined that the Trojan horse had
included a keystroke logger. How would this affect the handling of the incident? How would this
affect the handling of the incident if the user were a system administrator? How would this affect
the handling of the incident if the user were a high-ranking executive in the organization?
This is the format I want
Table of Contents
Incident Response: 4
Incident response plan: 5
Incident Notification: 5
Detection and Analysis: 7
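The log correlation the scenario describes (a firewall accept from a watchlisted source to the VPN server, matched against VPN authentication records to recover the user ID and name) and the variant in question 3 (one user ID authenticating from several external addresses), as an added worked example that is not part of the original scenario. All log lines, addresses, user IDs and the directory lookup are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the scenario). IPs are from documentation ranges.
WATCHLIST = {"203.0.113.45"}
VPN_SERVER = "192.0.2.10"
USER_DIRECTORY = {"jdoe": "Jane Doe", "asmith": "Alex Smith"}  # hypothetical ID -> name lookup

FIREWALL_LOG = [
    "2024-03-02T22:14:03Z fw action=accept src=203.0.113.45 dst=192.0.2.10 dport=443",
    "2024-03-02T22:14:04Z fw action=accept src=198.51.100.9 dst=192.0.2.80 dport=25",
]
VPN_LOG = [
    "2024-03-02T22:14:05Z vpn event=auth-success user=jdoe src=203.0.113.45 session=8841",
    "2024-03-02T22:20:11Z vpn event=auth-success user=jdoe src=198.51.100.7 session=8842",
    "2024-03-02T22:25:40Z vpn event=auth-success user=asmith src=192.0.2.77 session=8843",
]

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split a 'key=value' log line into a dict; the leading timestamp becomes 'ts'."""
    fields = dict(KV.findall(line))
    fields["ts"] = line.split()[0]
    return fields

def watchlist_hits(firewall_log, watchlist, vpn_server):
    """Firewall accepts from a watchlisted source to the VPN server (the analyst's observation)."""
    return [f for f in map(parse, firewall_log)
            if f["src"] in watchlist and f["dst"] == vpn_server]

def sessions_for_sources(vpn_log, sources):
    """VPN sessions authenticated from the given source IPs, resolved to user ID and name."""
    hits = []
    for f in map(parse, vpn_log):
        if f.get("event") == "auth-success" and f["src"] in sources:
            hits.append({"user": f["user"], "name": USER_DIRECTORY.get(f["user"], "unknown"),
                         "src": f["src"], "session": f["session"]})
    return hits

def users_with_many_sources(vpn_log, min_sources=2):
    """User IDs that authenticated from several distinct external IPs (the question 3 variant)."""
    seen = defaultdict(set)
    for f in map(parse, vpn_log):
        if f.get("event") == "auth-success":
            seen[f["user"]].add(f["src"])
    return {u: sorted(ips) for u, ips in seen.items() if len(ips) >= min_sources}

if __name__ == "__main__":
    fw = watchlist_hits(FIREWALL_LOG, WATCHLIST, VPN_SERVER)
    print(sessions_for_sources(VPN_LOG, {f["src"] for f in fw}))
    print(users_with_many_sources(VPN_LOG))
```

The same source-IP join works against any key=value style firewall and VPN export; the per-user source count is the check that separates a single suspicious session from a credential that is being reused from many places.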