First Responders Course - Session 5 - First Response 
Phil Huggins, February 2004
Reporting Methods
- Intrusion Detection Systems (IDS)
- Log Processing
- IT Reports / System Problems
- User Reports / Help Desk
- Public Relations / Media
- Call Tree
Business Units should have some uniform way to report incidents. The implementation of such will depend on the Business Unit size. Examples include:
- General IT Helpdesk: attendants must know who to contact for incidents
- Incident Hotline: dedicated staff that only take incident reports, usually tied directly to the Response Team
- Head of IT Security: the least formal approach, not ideal for large organizations
An IDS attempts to identify an attack on a network or host as it is occurring. Events are issued when attacks are detected. A policy should exist for how to report and handle events. We will look at these in more technical detail tomorrow.
Unless specifically configured, auditing systems will not proactively warn a system administrator; logs must be checked! Preparation is vital: most systems are capable of producing logs of activity, but many systems do not log by default, or do not log security events by default. Good system logs are more useful than anything else for incident response.
IT commonly detects incidents while troubleshooting other problems (a crashed server or application problems). What to report:
- Identification
- Contact information
- Observations
- Evidence of observations
- IP addresses or network ranges
Users may issue reports to a Help Desk related to security incidents:
- Viruses or worms
- Downed server
- Slow or no Internet access
What to report:
- Full name, user name, and location
- System type
- Observations
- Evidence of observations
An attacker may alert the media that he has broken into a network. The media will likely contact PR for a comment. This could be the first report of an incident, so PR must be ready to ask the right questions. What to ask:
- How did the attacker notify the media (email, IRC)?
- Is the email address or nickname of the attacker known?
- What are the hostnames of the systems that were compromised?
- How did the attacker gain access?
- Did they steal sensitive information?
- What do they want (publicity, money, ...)?
- Does the reporter trust that the attacker is telling the truth?
- A single method of reporting incidents will make responding easier
- Awareness is needed to educate employees on how and when to report incidents
- There are several types of IDS sensors
- IDS and logs require people to process the data for potential incidents
- PR could be the first point of contact, and they are typically the least technical; awareness is needed so that all information is collected
After the incident has been detected, the proper people must be notified. If a Call Tree has been created, it will now be used. As a review, we may want to contact:
- Response Team
- Legal
- Public Relations
- Other IT groups
For internal incidents, the number of people that are contacted should be limited.
Other security groups may need to know about the incident so they can be on alert. Examples include:
- Firewall Team: watch logs more closely and maybe restrict access
- IDS Team: watch logs more closely and increase logging levels
- Remote Access Team: watch logs more closely and increase logging levels
- Physical Security: be on alert if an insider is suspected