Final project - Live Incident Response

Difficulty

  • intermediate

Average duration

3 hrs

Technologies

    cybersecurity

  • incident response

  • linux security

  • live forensics

  • network analysis

Final Project – Live Incident Response

The organization 4Geeks Academy has detected anomalous behavior on one of its internal servers. The cybersecurity team has been activated to contain the threat, identify the scope of the incident, and restore the system's security.

You will assume the role of a Cybersecurity Analyst, responsible for:

  • Inspecting the compromised system in real time.
  • Detecting exploited vulnerabilities.
  • Identifying malicious persistence mechanisms.
  • Restoring the integrity and availability of the system.
  • Preparing a professional report with recommendations.

🌱 How to start this project?

  1. Download the virtual machine from this link:
     https://storage.googleapis.com/cybersecurity-machines/4geeks-server-lab.ova
  2. Import the machine into your preferred virtualization manager (VirtualBox, VMware, etc.). The VM is deliberately compromised, so attach it to a host-only or internal network and do not enable shared folders or clipboard sharing with your host.
  3. Once the machine is running, you can start the lab!
  4. The credentials to access the machine are:
     user: sysadmin
     password: Sys4dm1n2024

📝 Instructions

Since the affected server is part of a critical production system, it cannot be shut down or have its disk extracted for traditional (dead-box) forensic analysis. Your task will therefore follow a Live Incident Response approach: inspecting the system while it is running. Live response is the right choice here because:

  • Service availability is a priority.
  • There is no time or capacity for a controlled shutdown.
  • The goal is to quickly contain the threat, document findings, and restore operations.

Keep in mind that every command you run on a live system changes it (process list, file access times, memory), so collect the most volatile evidence first and record exactly what you ran and when.

Phase 1: Reconnaissance and evidence collection

  • Analyze the compromised server in real time.
  • Detect traces of the intrusion.
  • Identify the attacker's actions: malicious processes, suspicious users, anomalous cronjobs, modified network rules, etc.
  • Start documenting your findings with screenshots and justified descriptions.

📘 To guide you in this phase, you can consult the Incident Investigation Guide for Blue Team Analysts, which details key commands, technical reasoning, and best practices.
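As an added example for this phase (it is not part of the 4Geeks lab material or its guide; the command list, the `<name>.txt` plus `MANIFEST.sha256` layout and the helper names are my own choices), the following POSIX shell collector captures the volatile state the bullets above ask about, in rough order of volatility, writes the exact command and UTC time above each output, and hashes every artefact immediately so the report can show the evidence was not altered after collection. It assumes stock coreutils/procps/iproute2, that it runs as root, and that the output directory is a mounted USB stick or remote share rather than the server's own disk. It ends with one triage check over the collected passwd copy.

```shell
#!/bin/sh
# Added example, not part of the 4Geeks lab: volatile-evidence collector for a
# Linux live response. Assumptions: stock coreutils/procps/iproute2 on the
# server, run as root, and an output directory that is NOT one of the suspect
# host's own data volumes (a mounted USB stick or a remote share), so that
# collecting evidence does not overwrite the artefacts being preserved.

# Pick a SHA-256 tool; both accept "-c MANIFEST" for later verification.
sha256_tool() {
  if command -v sha256sum >/dev/null 2>&1; then echo sha256sum
  else echo "shasum -a 256"; fi
}

# Evidence items in rough order of volatility (RFC 3227): memory-backed state
# first, slower-changing configuration last. Format: name=command.
default_specs() {
  cat <<'EOF'
timestamp=date -u +%Y-%m-%dT%H:%M:%SZ
uptime=uptime
logged_in=who -a
processes=ps -eo pid,ppid,user,etime,cmd --forest
listening=ss -tulpan
connections=ss -tanp
arp=ip neigh
routes=ip route
firewall=iptables -S
modules=lsmod
passwd=cat /etc/passwd
sudoers=cat /etc/sudoers
system_cron=ls -la /etc/cron* /var/spool/cron
user_cron=for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"; done
EOF
}

# Run every spec, writing <name>.txt plus a MANIFEST.sha256 into $1.
# Prints the SHA-256 of the manifest, which is the value to write in your
# contemporaneous notes and in the final report.
collect_volatile() {
  outdir=$1
  mkdir -p "$outdir" || return 1
  : > "$outdir/MANIFEST.sha256"
  default_specs | while IFS= read -r spec; do
    [ -n "$spec" ] || continue
    name=${spec%%=*}
    cmd=${spec#*=}
    # Record when and exactly what was run above the output. stderr is kept:
    # a tool that is missing or fails on a production server is itself a finding.
    {
      printf '# collected_at=%s\n# command=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$cmd"
      sh -c "$cmd" 2>&1 || true
    } > "$outdir/$name.txt"
    # Hash immediately, so later modification (including by an attacker who is
    # still on the box) is detectable. Relative paths keep the manifest
    # verifiable from whatever machine the evidence is copied to.
    (cd "$outdir" && $(sha256_tool) "$name.txt" >> MANIFEST.sha256)
  done
  (cd "$outdir" && $(sha256_tool) MANIFEST.sha256 | cut -d' ' -f1)
}

# Exit 0 only if every collected file still matches its recorded hash.
verify_evidence() {
  (cd "$1" && $(sha256_tool) -c MANIFEST.sha256 >/dev/null 2>&1)
}

# Triage check over the collected passwd copy (the "suspicious users" bullet):
# any account other than root with UID 0 is a classic backdoor. Prints the
# offending user names, one per line; the "# " header lines are skipped.
find_extra_uid0() {
  grep -v '^#' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Usage on the suspect host, as root:
#   sh live_collect.sh /mnt/usb/ir-$(hostname)-$(date -u +%Y%m%dT%H%M%SZ)
if [ $# -eq 1 ]; then
  collect_volatile "$1"
  find_extra_uid0 "$1/passwd.txt"
fi
```

The `# collected_at=` and `# command=` header on each file, together with the manifest hash the script prints, are what you paste next to each screenshot in the report to justify the finding. Extend `default_specs` with whatever the guide's commands are; keep the order most-volatile-first.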


Phase 2: Remediation and system restoration

Remove any trace of the attacker, restore the server to a secure state, and strengthen its security configuration.

During this phase you should:

  • Evaluate the findings from Phase 1 and decide which corrective actions are necessary.
  • Apply remediation measures to ensure the elimination of any malicious persistence.
  • Verify that the system has regained its integrity and that only legitimate configurations remain.
  • Implement system hardening measures to prevent similar incidents in the future.

Justify every action you take. Your reasoning and evidence will be as important as your technical actions.
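As an added example of the "verify, then harden" part of this phase (it is not from the 4Geeks lab; the baseline values and the function names are my own choices, and it assumes the server is administered over OpenSSH), the following POSIX shell functions audit an `sshd_config` against a hardening baseline, report exactly which directive is off and why, and produce a hardened copy that can be syntax-checked before it replaces the live file. The audit accounts for two details that commonly make a "hardened" SSH config ineffective: sshd takes the first occurrence of a keyword, and `Match` blocks can re-enable what the global settings disable.

```shell
#!/bin/sh
# Added example, not part of the 4Geeks lab: audit and harden an OpenSSH server
# configuration as one concrete hardening step for Phase 2. Assumptions: the
# server is administered over OpenSSH, the keywords below are the standard
# sshd_config directives, and file paths are parameters so the functions can be
# exercised on a copy before /etc/ssh/sshd_config is touched.

# Desired end state, one "Keyword value" per line. Apply PasswordAuthentication
# no only after a public key for the admin account is installed and tested in a
# second session, or you lock yourself out of the server you just recovered.
HARDENED_SETTINGS='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
LogLevel VERBOSE'

# Effective global value of one keyword, or nothing if unset.
# sshd uses the FIRST occurrence of a keyword, so a permissive line near the
# top silently wins over a hardened line appended at the bottom; keywords are
# case-insensitive; comments are skipped; scanning stops at the first Match
# block, whose values are conditional and need separate review.
effective_value() {  # $1=config file, $2=keyword
  awk -v k="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == "match"    { exit }
    tolower($1) == k          { print $2; exit }' "$1"
}

# Print one line per hardened setting whose effective value differs or is
# unset, then flag every Match block for manual review. Output consisting only
# of "review Match block" lines means the global baseline is met.
audit_sshd_config() {  # $1=config file
  printf '%s\n' "$HARDENED_SETTINGS" | while read -r key want; do
    have=$(effective_value "$1" "$key")
    [ "$have" = "$want" ] ||
      printf '%s: have=%s want=%s\n' "$key" "${have:-<unset>}" "$want"
  done
  # Match blocks can re-enable what the baseline disables; list them.
  grep -in '^[[:space:]]*match[[:space:]]' "$1" |
    sed 's/^/review Match block at line /'
}

# Write a hardened copy of $1 to $2 by PREPENDING the baseline. Because the
# first value wins, this overrides every later global line, including anything
# pulled in by an Include directive, while keeping the original lines intact
# for the audit trail. Match blocks are deliberately left for manual review.
harden_sshd_config() {  # $1=source config, $2=destination
  {
    printf '# Baseline applied by incident response on %s.\n' \
      "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf '# First value wins in sshd_config: these lines take precedence.\n'
    printf '%s\n' "$HARDENED_SETTINGS"
    printf '# --- original configuration follows, kept for audit ---\n'
    cat "$1"
  } > "$2"
}

# Never install a config sshd rejects: a syntax error locks everyone out at
# the next restart. Run as root; -t tests the file named by -f.
check_sshd_syntax() {  # $1=candidate config
  sshd -t -f "$1"
}

# Usage (as root):
#   audit_sshd_config /etc/ssh/sshd_config
#   harden_sshd_config /etc/ssh/sshd_config /root/sshd_config.new
#   check_sshd_syntax /root/sshd_config.new &&
#     install -m 600 /root/sshd_config.new /etc/ssh/sshd_config &&
#     systemctl reload ssh    # "sshd" on RHEL-family; reload keeps your session
```

Run the audit before and after the change and include both outputs in the report: the "before" output is evidence of the weakness, the "after" output is verification that only the intended configuration remains, which is exactly what the bullets above ask you to demonstrate.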


Phase 3: Final technical report

Prepare a single, comprehensive report that includes:

  1. Review of the incident from the active server (Live Incident Response).
  2. Detected and corrected vulnerabilities.
  3. Containment, eradication, and recovery actions taken.
  4. Recommendations to strengthen the system and prevent future intrusions.
  5. Justified screenshots of key commands and technical findings.

This report should demonstrate your technical reasoning, clarity in documentation, and ability to respond to real incidents.
