cyberprecious/cybersecurity-incident-response
# Cybersecurity Incident Response Simulation — MediCare Clinic
**UTIVA Cybersecurity Internship 2026 | Task 6**
## Overview
Simulated a full incident response for a ransomware attack on MediCare Clinic, applying the 6-phase incident response framework across preparation, identification, containment, eradication, recovery, and lessons learned.
## Incident Scenario
| Field | Details |
|-------|---------|
| Incident Type | Ransomware Attack |
| Affected Systems | EMR Server (192.168.1.10) + 8 clinical workstations |
| Discovery | Nurse unable to access patient records — ransom demand on screen |
| Entry Point | Phishing email with malicious attachment opened by admin staff |
| Impact | Complete loss of patient records — clinical operations halted |
## Response Phases
### Phase 1 — Preparation
- Incident response plan activated
- IT team alerted immediately
- Backup server status verified
- Communication channels established
### Phase 2 — Identification
- Confirmed ransomware on EMR server and 8 workstations
- Identified ransom note demanding cryptocurrency payment
- Traced entry point to phishing email via email server logs
- Confirmed files encrypted with `.locked` extension
### Phase 3 — Containment
- Disabled infected switch ports to isolate affected devices
- Blocked VLAN 20 → VLAN 10 traffic via firewall ACL
- Disabled staff email to prevent further phishing spread
- VLAN segmentation prevented ransomware reaching backup server ✅
### Phase 4 — Eradication
- Removed ransomware using EDR tools
- Reimaged all 8 infected workstations
- Reset all staff credentials as precaution
- Patched exploited vulnerability
### Phase 5 — Recovery
- Restored EMR server and patient data from clean backup
- Reconnected systems one by one after verification
- Monitored network traffic for 72 hours post-recovery
- Verified all clinical systems operational before resuming patient care
### Phase 6 — Lessons Learned
- Post-incident review conducted with all staff
- Identified gaps: email filtering, staff training, backup frequency
- Updated incident response plan
- Scheduled mandatory phishing awareness training within 2 weeks
## Key Outcome
VLAN segmentation kept the ransomware from reaching the backup server, so the EMR server and patient data were restored from a clean backup and all clinical systems were verified operational before patient care resumed.
## Detection Methods Applied
- IDS alerts on unusual file encryption activity
- SIEM logs showing mass file modifications
- EDR tool flagging ransomware behavior patterns
- Staff reports of inability to access files
- Network monitoring showing unusual outbound traffic
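As an added example (not code from this repository), the following Python script applies the mass-file-modification check described in Phase 2 and under Detection Methods to constructed SIEM-style rename events: any host that renames at least five files to `.locked` within a one-minute window is flagged for isolation. The log line format, the field names, the `192.168.1.52` and `192.168.1.60` workstation addresses and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed line format: "<ISO time> host=<ip> user=<name> action=<verb> src=<path> dst=<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

# Constructed sample: the EMR server (192.168.1.10) renames patient records to .locked in a
# burst; 192.168.1.52 does one ordinary rename and 192.168.1.60 one .locked rename (not flagged).
SAMPLE_LOG = """\
2026-03-02T09:14:01 host=192.168.1.10 user=svc_emr action=RENAME src=/emr/pt_0001.db dst=/emr/pt_0001.db.locked
2026-03-02T09:14:01 host=192.168.1.10 user=svc_emr action=RENAME src=/emr/pt_0002.db dst=/emr/pt_0002.db.locked
2026-03-02T09:14:02 host=192.168.1.10 user=svc_emr action=RENAME src=/emr/pt_0003.db dst=/emr/pt_0003.db.locked
2026-03-02T09:14:02 host=192.168.1.10 user=svc_emr action=RENAME src=/emr/pt_0004.db dst=/emr/pt_0004.db.locked
2026-03-02T09:14:03 host=192.168.1.10 user=svc_emr action=RENAME src=/emr/pt_0005.db dst=/emr/pt_0005.db.locked
2026-03-02T09:15:30 host=192.168.1.52 user=nurse1 action=RENAME src=/home/nurse1/notes.txt dst=/home/nurse1/notes_old.txt
2026-03-02T09:40:00 host=192.168.1.60 user=reception action=RENAME src=/tmp/a.tmp dst=/tmp/a.tmp.locked
"""

def parse_renames(lines):
    """Yield (timestamp, host, dst) for RENAME events; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["action"] == "RENAME":
            yield datetime.fromisoformat(m["ts"]), m["host"], m["dst"]

def detect_mass_encryption(log_text, suffix=".locked", threshold=5, window_s=60):
    """Return {host: total renames to `suffix`} for every host that renamed at least
    `threshold` files to `suffix` inside some sliding window of `window_s` seconds."""
    per_host = defaultdict(list)
    for ts, host, dst in parse_renames(log_text.splitlines()):
        if dst.endswith(suffix):
            per_host[host].append(ts)
    flagged = {}
    window = timedelta(seconds=window_s)
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window past older events
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = len(times)
                break
    return flagged
```

Calling `detect_mass_encryption(SAMPLE_LOG)` on the constructed sample returns only the EMR server, the host whose switch port would be disabled first under Phase 3.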
## Files in this Repository
- `incident_response_report.pdf` — Full incident response documentation
- `timeline.md` — Detailed incident timeline
- `lessons_learned.md` — Post-incident review findings