O'neil,

> Excellent point and a worthwhile objective HC. I have an idea
> (certainly not original) to achieve these results on a sustained basis.

Okay, let's see what we can get started.

> I picked up a book called Incident Response a while ago and they had some
> rudimentary incident checklists which were a great starting point and I went
> on to develop my own template that was appropriate to my specific situation.

Which book? The one by Prosise and Mandia, the one by Schultz, or the one by Forno?

> What if we were to have a checklist for the incidents list?

I think it's a good idea, and a while ago, I submitted something to the moderator. For starters, I don't see a problem with folks posting, "I've seen a lot of these scans, has anyone else seen them?"...but what I would like to see is maybe a separate list, or a site like Incidents.org where that information can be correlated.

Also, there needs to be some clarification...for example the recent thread on subseven scans. I think we can all agree that while it's a strong possibility that a SYN packet bound for that particular port *may be* part of a subseven scan, there is also the possibility that it's part of a Ramen scan. Additionally, rather than simply saying "I've been scanned", folks should make an effort to provide some logs (and identify the source of the logs), as well as some more conclusive information. The follow-on to the subseven scan thread led to some...interesting...information in which the respondent admitted to accessing the remote systems. However, anything beyond that was too vague to provide conclusive information...why go to the trouble of accessing the systems, but not provide any conclusive data, such as directory listings, etc?

My point is that there needs to be an agreed upon method of providing data, as well as perhaps what data to provide...standardized reporting. I think then we can move to the next level of tracking these types of incidents, identifying the most likely sources of infections and infected hosts.

> When submitting a 'Are you experiencing this too?' or 'What is this?' message, it
> would have to be done in a specific template. This may make it easier for
> both posters and readers of this list.

Agreed. I also think that it would provide a culling mechanism, in that anyone too lazy (or unwilling) to follow the template would simply not have their message accepted. In fact, a web-based form may even be far easier.

> When composing a message I'm sure people are thinking 'What information should be
> included?', 'How much detail should go into it?', 'Am I being too verbose?'.

Agreed. A lot of posts say, "I got attacked." w/o providing anything specific. Also, another phenomenon of the lists is the "seagull poster"...he swoops in, drops off a vague post, and disappears, never to be heard from again. At least with a standardized method of posting, these folks wouldn't have to be queried, b/c the form would show them what they need to provide.

> We will never stop people from making assumptions based on limited
> information (nor should we; in some cases it can be a critical skill) but
> this may give us a metric for evaluating any of the assumptions made.

I think that as a community, this is something we need to move away from. Perhaps an academic standard is too stringent, but the basis is sound...one cannot simply say in a master's thesis that "I heard this fact someplace"...one has to provide a reference. The same idea comes from Deming's Total Quality Management ideas. The idea is that one should not make decisions based on emotion or feelings, but rather hard facts. That way, we can actually get an improvement in quality. The hard part, though, will be getting people to understand this. Sometimes it may be far more beneficial to simply post some logs (or a link) and NOT a bunch of assumptions. Windows folks are going to have a different set of experiences from Linux folks, and hence different assumptions. However, multiple sets of log files correlated from different sources can paint a pretty clear picture.

> I do not know if any generic incident response checklists exist in
> the public domain, do you? Anyone feel like getting together and working on one?

I'd be willing to work on one with you...feel free to contact me off list if you like.

Carv

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
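The two ideas Carv raises in the message above, a required-field template that culls incomplete "I got scanned" reports, and correlating the raw log lines from several reporters so a single source seen by more than one site stands out, can be sketched in a few dozen lines. The following is an added example written for this archive page, not code from the original poster or from the SecurityFocus/ARIS service. Everything in it is assumed: the required-field list, the two log formats it understands (a netfilter/iptables kernel log line and a tcpdump-style line), the sample reports, which use documentation IP ranges, and the port 27374 (the SubSeven default, which the message refers to only as "that particular port"). The port matters only as a parameter; the correlation itself is format- and port-agnostic.

```python
"""Template-validated scan reports, correlated across reporters (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed template: a report missing any of these is rejected, not guessed around.
REQUIRED_FIELDS = (
    "reporter",    # which site/person is reporting
    "log_source",  # the tool that produced the evidence (iptables, tcpdump, ...)
    "timezone",    # without it, timestamps from different sites cannot be aligned
    "raw_lines",   # the actual log lines, not a paraphrase of them
)


def validate_report(report: dict) -> list:
    """Return the names of missing or empty required fields; [] means accept."""
    return [f for f in REQUIRED_FIELDS if not report.get(f)]


@dataclass(frozen=True)
class SynEvent:
    reporter: str
    src: str
    dst: str
    dport: int


# Format A (assumed): netfilter/iptables kernel log line carrying the SYN flag.
IPT = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+) .*?\bSYN\b"
)
# Format B (assumed): tcpdump-style "src.port > dst.port: S ..." line.
TCPDUMP = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): S\b"
)


def parse_line(reporter: str, line: str):
    """Normalise one log line into a SynEvent; None for non-SYN or unknown lines."""
    for rx in (IPT, TCPDUMP):
        m = rx.search(line)
        if m:
            return SynEvent(reporter, m["src"], m["dst"], int(m["dport"]))
    return None


def correlate(reports: list) -> dict:
    """Group SYN events by source IP across every report that passes the template."""
    by_src = defaultdict(lambda: {"reporters": set(), "targets": set(), "ports": set()})
    for rep in reports:
        if validate_report(rep):
            continue  # the culling mechanism: incomplete reports contribute nothing
        for line in rep["raw_lines"]:
            ev = parse_line(rep["reporter"], line)
            if ev is None:
                continue
            ent = by_src[ev.src]
            ent["reporters"].add(ev.reporter)
            ent["targets"].add(ev.dst)
            ent["ports"].add(ev.dport)
    return dict(by_src)


def summarize(by_src: dict, port_of_interest: int) -> list:
    """One row per source, independently corroborated sources first.

    'only_port_of_interest' is deliberately not labelled as a particular tool's
    scan: a lone SYN to one port is ambiguous, which is the message's point.
    """
    rows = []
    for src, ent in sorted(by_src.items(), key=lambda kv: (-len(kv[1]["reporters"]), kv[0])):
        rows.append({
            "src": src,
            "reporters": len(ent["reporters"]),
            "targets": len(ent["targets"]),
            "ports": sorted(ent["ports"]),
            "corroborated": len(ent["reporters"]) > 1,
            "only_port_of_interest": ent["ports"] == {port_of_interest},
        })
    return rows


# Constructed sample reports (documentation address ranges, invented timestamps).
SAMPLE_REPORTS = [
    {"reporter": "site-a", "log_source": "iptables", "timezone": "UTC", "raw_lines": [
        "Aug 14 03:12:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TTL=112 ID=4711 DF PROTO=TCP SPT=3127 DPT=27374 WINDOW=16384 RES=0x00 SYN URGP=0",
        "Aug 14 03:12:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TTL=51 ID=9 DF PROTO=TCP SPT=1034 DPT=27374 WINDOW=5840 RES=0x00 SYN URGP=0",
        "Aug 14 03:12:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TTL=51 ID=10 DF PROTO=TCP SPT=1035 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0",
        "Aug 14 03:12:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.11 LEN=60 TTL=51 ID=11 DF PROTO=TCP SPT=1036 DPT=515 WINDOW=5840 RES=0x00 SYN URGP=0",
        "Aug 14 03:12:11 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.7 LEN=40 TTL=64 ID=0 DF PROTO=TCP SPT=27374 DPT=3127 WINDOW=0 RES=0x00 ACK RST URGP=0",
    ]},
    {"reporter": "site-b", "log_source": "tcpdump", "timezone": "UTC", "raw_lines": [
        "03:12:07.551204 203.0.113.7.3130 > 192.0.2.20.27374: S 2241125043:2241125043(0) win 16384 (DF)",
        "03:13:44.002117 203.0.113.7.3131 > 192.0.2.21.27374: S 2241125044:2241125044(0) win 16384 (DF)",
        "03:13:45.112000 192.0.2.20.27374 > 203.0.113.7.3130: R 0:0(0) ack 2241125044 win 0",
    ]},
    # A "seagull" post: no timezone, no logs. It is rejected, not argued with.
    {"reporter": "site-c", "log_source": "ZoneAlarm", "timezone": "", "raw_lines": []},
]

if __name__ == "__main__":
    for rep in SAMPLE_REPORTS:
        missing = validate_report(rep)
        print(f"{rep['reporter']}: {'accepted' if not missing else 'rejected, missing ' + ', '.join(missing)}")
    for row in summarize(correlate(SAMPLE_REPORTS), 27374):
        print(row)
```

On the constructed data the source seen by both site-a and site-b comes out first and is marked corroborated, while the source that also probed ports 21 and 515 is visible as something other than a single-port scan; neither row is labelled SubSeven or Ramen, because the logs alone cannot settle that, which is exactly the distinction the message asks posters to keep.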
This archive was generated by hypermail 2b30 : Thu Aug 15 2002 - 11:38:47 PDT