Question

Design by Paradigm experienced a security incident related to the engineering application server, resulting in latency issues for engineers. The incident was initially reported through helpdesk tickets, indicating slow performance of the application. The server underwent a reboot by the operations team, but the latency issues persisted, prompting escalation to the security team.
Upon investigation, it was discovered that updates were recently installed on the engineering application server. The administrator responsible for the updates admitted to downloading the updates from an email that appeared to be from the expected vendor contact but was sent from a spoofed email address. Additionally, high GPU and CPU usage was observed on the server, along with unauthorized remote network connections.
The root cause of the incident is attributed to the installation of unauthorized updates on the engineering application server. The administrator downloaded the updates from a spoofed email address, leading to potential compromise of the server. The high GPU and CPU usage, along with unauthorized network connections, indicate possible malicious activity targeting the server.
SECTION D: REMEDIATE
Summary of actions taken to restore functionality of impacted system(s):
Quarantined and terminated high-resource processes.
Restored antivirus functionality by re-enabling Windows Defender.
Performed a quick scan and took action on detected threats.
Summary of actions taken to restore network security:
Blocked unauthorized outgoing traffic by adding a new firewall rule.
Additional notes & observations:
Ensure continuous monitoring of the system and network for any unusual activities.
Regularly update antivirus definitions and firewall policies to prevent future incidents.
SECTION E: LESSONS LEARNED
Recommendation for preventative actions:
ACTION | NEGATIVE IMPACT ADDRESSED | PREVENTION METHOD
1.
2.
3.
4.
