[ Team LiB ] |
Recipe 9.42 Filing an Incident Report9.42.1 ProblemYou want to report a security incident to appropriate authorities, such as a computer security incident response team (CSIRT). 9.42.2 SolutionIn advance of any security incident, develop and document a security policy that includes reporting guidelines. Store CSIRT contact information offline, in advance. When an incident occurs:
9.42.3 DiscussionIf your system has been hacked [Recipe 9.41], or you have detected suspicious activity that might indicate an impending break-in, report the incident. A wide range of computer security incident response teams (CSIRTs) are available to help. CSIRTs act as clearinghouses for security information. They collect and distribute news about ongoing security threats, analyze statistics gathered from incident reports, and coordinate defensive efforts. Collaboration with CSIRTs is an important part of being a responsible network citizen: any contribution, however small, to improving the security of the Internet will help you, too. Develop a security policy, including procedures and contact information for applicable CSIRTs, before a break-in occurs. Most CSIRTs accept incident reports in a variety of formats, including Web forms, encrypted email, phone, FAX, etc. Since your network access might be disrupted by break-ins or denial of service attacks, store some or all of this information offline. The Computer Emergency Response Team (CERT) serves the entire Internet, and is one of the most important CSIRTs: this is a good starting point. The Forum of Incident Response and Security Teams (FIRST) is a consortium of CSIRTs (including CERT) that serve more specialized constituencies. See their list of members to determine if any apply to your organization. Government agencies are increasingly acting as CSIRTs, with an emphasis on law enforcement and prevention. Contact them to report activities that fall within their jurisdiction. An example in the United States is the National Infrastructure Protection Center (NIPC). What activities qualify as bona fide security incidents? Clearly, malicious activities that destroy data or disrupt operations are included, but every Snort alert [Recipe 9.20] does not merit an incident report. Consider the impact and potential effect of the activities, but if you are in doubt, report what you have noticed. Even reports of well-known security threats are useful to CSIRTs, as they attempt to correlate activities to detect widespread patterns and determine longer-term trends. Before filing a report, gather the relevant information, including:
Start by contacting system administrators at other sites. If you are (or were) under attack, note the source, but be aware that IP addresses might have been spoofed. If your system has been compromised and used to attack other sites, notify them as well. ISPs might be interested in activities that involve large amounts of network traffic. The whois command can obtain technical and administrative contact information based on domain names: $ whois example.com Save all of your correspondence—you might need it later. CSIRTs will want copies, and the communication might have legal implications if you are reporting potentially criminal activity. Next, contact the appropriate CSIRTs according to your security policy. Follow each CSIRT's reporting guidelines, and note the incident tracking numbers assigned to your case, for future reference. Provide good contact information, and try your best to respond in a timely manner to requests for more details. Don't be disappointed or surprised if you don't receive a reply, though. CSIRTs receive many reports, and if yours is a well-known threat, they might use it primarily for statistical analysis, with no need for a thorough, individual investigation. In many cases, however, you will at least receive the latest available information about recognized activities. If you have discovered a new threat, you may even receive important technical assistance. CSIRTs often possess information that has not been publicly released. 9.42.4 See AlsoThe Computer Emergency Response Team (CERT) home page is http://www.cert.org. For incident reporting guidelines, see http://www.cert.org/tech_tips/incident_reporting.html. The CERT Coordination Center (CERT/CC) incident reporting form is available at the secure web site https://irf.cc.cert.org. The Forum of Incident Response and Security Teams (FIRST) home page is http://www.first.org. Their member list, with applicable constituencies, is available at http://www.first.org/team-info. The National Infrastructure Protection Center (NIPC) home page is http://www.nipc.gov. |
[ Team LiB ] |