breatheco-de/cybersecurity-final-project


Cybersecurity Final Project

By @rosinni and other contributors at 4Geeks Academy


These instructions are available in Spanish

Before you start...

We need you! These exercises are built and maintained in collaboration with contributors such as yourself. If you find any bugs or misspellings please contribute and/or report them.

🌱 How to Start This Project

For this final project, you will assume the role of a cybersecurity analyst responsible for restoring and protecting a critical server that has been compromised at 4Geeks Academy. You will be provided with a hacked machine that simulates a key company server, and your task will be to re-establish its security, fix the exploited vulnerabilities, and ensure its optimal functionality. The exercise is divided into three phases that will test your skills in forensic analysis, vulnerability detection and remediation, and incident response.

  • Phase 1 - Hack Correction
    In the first phase, you will conduct a forensic analysis of the incident, identify the vulnerabilities exploited by the attacker, and block the exploit to prevent further escalation of the attack.

  • Phase 2 - Detection and Correction of a New Vulnerability
    In the second phase, you will scan the system for an additional vulnerability, different from the one previously exploited. Once detected, you will exploit the vulnerability in a controlled manner to understand its impact, escalate privileges, fix it, and write a report that explains the entire process.

  • Phase 3 - Incident Response Plan and Certification
    The final phase involves designing an incident response plan based on industry best practices, such as the NIST recommendations. As part of this exercise, you will develop an Information Security Management System (ISMS) in accordance with the ISO 27001 standard, which will include measures to prevent data leaks through Data Loss Prevention (DLP) policies.

📝 Instructions

Phase 1: Recognition and collection of evidence

Objective: Conduct a forensic analysis to block the exploit, fix the vulnerability, and prevent the attacker from escalating.

  1. Identify which services were compromised and how the attacker accessed the server. You can use tools like grep to review system logs (for example, /var/log/auth.log for SSH connections).
  2. Identify suspicious files, running processes, and any unusual modifications in the system.
  3. Perform a scan of the server to detect rootkits or malware.
  4. Block the exploit and prevent escalation. Temporarily stop compromised services (systemctl stop service) if necessary.
  5. Revert changes made by the attacker (remove unauthorized users, eliminate backdoors, close unnecessary ports).
  6. Update and correct security configurations (update packages, change passwords, improve firewall settings if necessary).
  7. Prepare a detailed report that includes the measures taken to mitigate the attack and prevent escalation. Additionally, include recommendations on how to prevent future attacks of a similar nature.
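The log review in step 1, as an added example that is not part of the project's materials: a small POSIX shell script that pulls failed and accepted SSH logins, newly created accounts and sudo commands out of auth.log. The log lines it writes are constructed sample data (the host name srv, the user names and the addresses are invented); running triage_report against the real /var/log/auth.log gives the same summary for the compromised machine.

```shell
#!/bin/sh
# Added example (not part of the project's materials): first-pass triage of the
# SSH events in /var/log/auth.log for Phase 1, step 1. The lines written below are
# constructed sample data in Debian's sshd/useradd/sudo log format; run the
# functions against the real file with: triage_report /var/log/auth.log

SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
Mar  3 10:01:12 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 10:01:15 srv sshd[2103]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar  3 10:01:19 srv sshd[2105]: Failed password for root from 203.0.113.9 port 51041 ssh2
Mar  3 10:01:23 srv sshd[2107]: Accepted password for root from 203.0.113.9 port 51050 ssh2
Mar  3 10:02:01 srv useradd[2210]: new user: name=backup2, UID=1002, GID=1002, home=/home/backup2, shell=/bin/bash
Mar  3 10:02:05 srv sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo backup2
Mar  3 11:30:44 srv sshd[2400]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
EOF

# Failed password attempts per source address, busiest first: "count ip".
failed_by_source() {
    grep 'sshd\[.*Failed password' "$1" \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Every successful login as "method user ip"; a password login for root from an
# address that also generated failures is the brute-force signature to look for.
accepted_logins() {
    grep 'sshd\[.*Accepted ' "$1" \
      | sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) port.*/\1 \2 \3/p'
}

# Accounts created in the window (useradd), a common persistence step.
new_accounts() {
    grep 'useradd\[.*new user' "$1" | sed -n 's/.*name=\([^,]*\),.*/\1/p'
}

# sudo commands run, to see what was done after the login.
sudo_commands() {
    grep 'sudo:' "$1" | sed -n 's/.*COMMAND=\(.*\)$/\1/p'
}

triage_report() {
    echo "== failed password attempts by source (count ip) =="; failed_by_source "$1"
    echo "== accepted logins (method user ip) ==";               accepted_logins "$1"
    echo "== accounts created ==";                               new_accounts "$1"
    echo "== sudo commands ==";                                  sudo_commands "$1"
}

triage_report "${1:-$SAMPLE}"
```

The same three-line pattern (repeated failures, then an accepted password login from the same address, then a new account) is what the report in step 7 should walk through, with timestamps.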

Phase 2: Detect and Fix a Different Vulnerability

Objective: Scan, detect, and exploit a vulnerability different from the one previously exploited and create a report that explains the entire process.

  1. Perform a complete scan of the system using tools like Nmap.
  2. Detect a vulnerability unrelated to the previous hack, such as a misconfiguration in Apache, unnecessary open ports, or an exposed service, and exploit this detected vulnerability.
  3. Document the exploitation process and the steps taken to compromise the service or escalate privileges.
  4. Apply measures to fix the found vulnerability, such as closing ports, changing security configurations, or restricting access.
  5. Prepare a detailed report that includes the detected vulnerability, the exploitation process, and the measures applied to correct it.

Phase 3: Incident Response Plan and Certification

Objective: Design an incident response plan based on best practices and develop an Information Security Management System (ISMS) in accordance with the ISO 27001 standard.

  1. Develop a response plan based on the NIST SP 800-61 guidelines, which includes how to identify, contain, eradicate, and recover from future security incidents.
  2. Detail how the organization would respond to an attack similar to the one that occurred and how to prevent recurrence.
  3. Identify and document data protection mechanisms, such as the use of regular backups, encryption of sensitive data, and the implementation of strict access controls.
  4. Implement an Information Security Management System (ISMS) that complies with the ISO 27001 standard, including risk analysis, definition of security policies, and action plans to protect the company’s critical information.

📦 How to Submit This Project?

  • Create a network diagram using tools like Packet Tracer that reflects the current network topology and recommended changes.
  • Present the Debian virtual machine with services correctly configured and issues resolved.
  • Prepare a penetration testing report.
  • Prepare a security incident report detailing the forensic analysis, corrective actions, and preventive measures taken.
  • Develop a recovery plan to ensure the continuity of the company’s critical services in case of an incident.
  • Create an executive presentation for management, explaining what happened, the actions taken, and future recommendations.

👨‍💻 For Teachers

Below are the key points the instructor should review in the student's deliverable:

Identification and Documentation of Vulnerabilities

  • Verification of MySQL Configuration:

    • Confirm that the student has correctly identified the user with a weak password.
    • Check whether a concrete solution is proposed (use of strong passwords, access restrictions, etc.).
  • FTP Server Configuration:

    • Validate that the student has analyzed permissions and anonymous access.
    • Confirm that disabling insecure access or hardening the configuration is recommended.
  • Insecure SSH Access:

    • Review if weak authentication methods have been detected.
    • Confirm if solutions such as disabling root login or using public key authentication are proposed.
  • Unnecessary Open Ports:

    • Check if the student has performed a port scan with nmap or similar tools.
    • Validate that unnecessary services have been identified and that closing the corresponding ports has been proposed.
  • Permissions on wp-config.php:

    • Confirm if the current permissions have been reviewed and a correction is proposed (e.g., chmod 600 wp-config.php).
  • Listable Web Directory:

    • Review if the configuration on the web server (Apache/Nginx) has been identified.
    • Check if the student has applied the correct solution (modify .htaccess or Options -Indexes).
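One way to verify the settings in this checklist (and the fixes from Phase 1 step 6 and Phase 2 step 4), as an added example that is not part of the project's materials: a read-only POSIX shell audit of the sshd, vsftpd, wp-config.php and Apache settings named above. The file paths are assumptions (Debian defaults for sshd, vsftpd and Apache; that the FTP server is vsftpd is itself an assumption), and the script changes nothing on the machine.

```shell
#!/bin/sh
# Added example (not the project's own code): read-only audit of the settings in the
# checklist above. Paths are assumptions (Debian defaults: /etc/ssh/sshd_config,
# /etc/vsftpd.conf, /etc/apache2/apache2.conf, plus the site's wp-config.php).

sshd_value() {  # $1=file $2=keyword; sshd honours the first occurrence of a keyword
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print tolower($2); exit }' "$1"
}

check_sshd() {
    for kw in PermitRootLogin PasswordAuthentication; do
        if [ "$(sshd_value "$1" "$kw")" = "no" ]; then
            echo "PASS sshd $kw no"
        else   # an absent keyword means sshd's default, which is not 'no' for either
            echo "FAIL sshd $kw should be set to 'no'"
        fi
    done
}

check_vsftpd() {
    # vsftpd's built-in default is anonymous_enable=YES, so only an explicit NO passes.
    if grep -Eiq '^[[:space:]]*anonymous_enable=NO' "$1" && ! grep -Eiq '^[[:space:]]*anonymous_enable=YES' "$1"; then
        echo "PASS vsftpd anonymous access disabled"
    else
        echo "FAIL vsftpd anonymous FTP not explicitly disabled (anonymous_enable=NO)"
    fi
}

check_wp_config() {
    mode="$(stat -c '%a' "$1")"   # GNU stat, as shipped on Debian
    if [ "$mode" = "600" ] || [ "$mode" = "400" ]; then
        echo "PASS wp-config.php mode $mode"
    else
        echo "FAIL wp-config.php mode $mode (expected chmod 600 wp-config.php)"
    fi
}

check_apache_indexes() {
    # Flags "Options Indexes" or "+Indexes" but not "Options -Indexes".
    if grep -Eq '^[[:space:]]*Options([[:space:]]+[^[:space:]#]+)*[[:space:]]+\+?Indexes' "$1"; then
        echo "FAIL apache directory listing enabled; set 'Options -Indexes'"
    else
        echo "PASS apache Indexes not enabled"
    fi
}

# Run everything: audit_all SSHD_CONF VSFTPD_CONF WP_CONFIG APACHE_CONF
audit_all() { check_sshd "$1"; check_vsftpd "$2"; check_wp_config "$3"; check_apache_indexes "$4"; }
```

Running audit_all before and after the student's fixes gives the instructor a direct PASS/FAIL diff for the "tests have been conducted" check in the next section.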

Configuration and Validation of the Debian Machine

  • Review if the Debian machine has correctly configured services with enhanced security.
  • Check that the proposed solutions have been applied and tests have been conducted to validate their effectiveness.

Required Reports

  • Pentesting Report: Confirm that it includes details of each vulnerability, tests performed, and solutions applied.

  • Security Incident Report: Validate that a forensic analysis of the findings is described and that the corrective and preventive measures implemented are explained.

  • Incident Recovery Plan: Check if the plan covers critical services and details recovery procedures.

  • Executive Presentation for Management: Evaluate if it is structured clearly and professionally. Verify if it includes a summary of detected issues, implemented solutions, and future recommendations.

The instructor must ensure that the deliverable not only documents the findings but also proposes applicable solutions and shows evidence of their implementation. The presentation should be aligned with a professional and management-oriented approach.

Contributors

Thanks goes to these wonderful people (emoji key):

  1. Rosinni Rodríguez (rosinni) contribution: (build-tutorial) ✅, (documentation) 📖

  2. Alejandro Sanchez (alesanchezr), contribution: (bug reports) 🐛

This project follows the all-contributors specification. Contributions of any kind are welcome!

This and many other exercises are built by students as part of the 4Geeks Academy Coding Bootcamp by Alejandro Sánchez and many other contributors. Find out more about our Full Stack Developer Course and Data Science Bootcamp. You can also dive deeper into the world of cybersecurity with our Cybersecurity Bootcamp.
