Phil Huggins, February 2004
First Responders Course - Session 5 - First Response [2004]

117 views

Published on

The fifth session from a two-day course for potential first responders that I ran for a large financial services client.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
117
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
12
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

First Responders Course - Session 5 - First Response [2004]

  1. Phil Huggins, February 2004
  2. Reporting Methods
     • Intrusion Detection Systems (IDS)
     • Log Processing
     • IT Reports / System Problems
     • User Reports / Help Desk
     • Public Relations / Media
     • Call Tree
  3. Business Units should have some uniform way to report incidents. How this is implemented will depend on the size of the Business Unit. Examples include:
     • General IT Helpdesk: attendants must know who to contact for incidents.
     • Incident Hotline: dedicated staff who only take incident reports, usually tied directly to the Response Team.
     • Head of IT Security: the least formal approach, not ideal for large organisations.
  4. An IDS attempts to identify an attack on a network or host as it is occurring. Events are issued when attacks are detected. A policy should exist for how to report and handle events. We will look at these in more technical detail tomorrow.
  5. Unless specifically configured, auditing systems will not proactively warn a system administrator. Logs must be checked! Preparation is vital:
     • Most systems are capable of producing logs of activity.
     • Many systems do not log by default, or do not log security events by default.
     • Good system logs are more useful than anything else for incident response.
  6. IT commonly detects incidents while troubleshooting other problems (a crashed server or application problems). What to report:
     • Identification
     • Contact information
     • Observations
     • Evidence of observations
     • IP addresses or network ranges
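As an added example (not from the course deck), the following Python script makes the point of slides 5 and 6 concrete: nobody is warned unless someone processes the logs, so the script scans constructed syslog lines for repeated failed logins followed by a success and shapes each hit into the report fields from slide 6. The three-failure threshold, the regex and the field names are assumptions.

```python
import re

# Constructed sample syslog lines (not taken from any real system).
SAMPLE_LOG = """\
Feb 12 02:14:01 fileserver sshd[4211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb 12 02:14:03 fileserver sshd[4211]: Failed password for root from 203.0.113.7 port 51024 ssh2
Feb 12 02:14:05 fileserver sshd[4211]: Failed password for root from 203.0.113.7 port 51026 ssh2
Feb 12 02:14:09 fileserver sshd[4215]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Feb 12 08:30:12 fileserver cron[800]: (root) CMD (/usr/bin/backup)
"""

# Assumed OpenSSH-style line format; lines that do not match are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def find_incidents(log_text, threshold=3):
    """Return one report dict per (host, source IP) that shows at least
    `threshold` failed logins followed by an accepted login.
    Each report carries the fields slide 6 asks IT to supply."""
    failures = {}   # (host, ip) -> list of failed-login lines seen so far
    reports = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["host"], m["ip"])
        if m["result"] == "Failed":
            failures.setdefault(key, []).append(line)
        elif len(failures.get(key, [])) >= threshold:
            reports.append({
                "identification": f"Suspicious login on {m['host']}",
                "contact": "PLACEHOLDER: host owner from asset inventory",
                "observations": (f"{len(failures[key])} failed then 1 accepted "
                                 f"login for {m['user']} from {m['ip']}"),
                "evidence": failures[key] + [line],   # the raw lines themselves
                "ip_addresses": [m["ip"]],
            })
            failures[key] = []   # reset so the same burst is not reported twice
    return reports


if __name__ == "__main__":
    for report in find_incidents(SAMPLE_LOG):
        for field, value in report.items():
            print(f"{field}: {value}")
```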
  7. Users may issue reports to a Help Desk related to security incidents:
     • Viruses or worms
     • Downed server
     • Slow or no Internet access
     What to report:
     • Full name, user name, and location
     • System type
     • Observations
     • Evidence of observations
  8. An attacker may alert the media that he has broken into a network. The media will likely contact PR for a comment. This could be the first report of an incident, so PR must be ready to ask the right questions. What to ask:
     • How did the attacker notify the media (email, IRC)?
     • Is the email address or nickname of the attacker known?
     • What are the hostnames of the systems that were compromised?
     • How did the attacker gain access?
     • Did they steal sensitive information?
     • What do they want (publicity, money ..)?
     • Does the reporter trust that the attacker is telling the truth?
  9. Summary:
     • A single method of reporting incidents will make responding easier.
     • Awareness is needed to educate employees on how and when to report incidents.
     • There are several types of IDS sensors.
     • IDS and logs require people to process the data for potential incidents.
     • PR could be the first point of contact, and they are typically the least technical; awareness is needed so that all information is collected.
  10. After the incident has been detected, the proper people must be notified. If a Call Tree has been created, it will now be used. As a review, we may want to contact:
     • Response Team
     • Legal
     • Public Relations
     • Other IT groups
     For internal incidents, the number of people contacted should be limited.
  11. Other security groups may need to know about the incident so they can be on alert. Examples include:
     • Firewall Team: watch logs more closely and maybe restrict access.
     • IDS Team: watch logs more closely and increase logging levels.
     • Remote Access Team: watch logs more closely and increase logging levels.
     • Physical Security: be on alert if an insider is suspected.