Standardized Reporting

From: H C (keydet89at_private)
Date: Thu Aug 15 2002 - 06:09:09 PDT


    O'neil,
    
    > Excellent point and a worthwhile objective HC. I
    > have an idea
    > (certainly not original) to achieve these results on
    > a sustained basis.
    
    Okay, let's see what we can get started.
    
    > I
    > picked up a book called Incident Response awhile ago
    > and they had some
    > rudimentary incident checklists which were a great
    > starting point and I went
    > on to develop my own template that was appropriate
    > to my specific situation.
    
    Which book?  The one by Prosise and Mandia, the one by
    Schultz, or the one by Forno?
    
    > What if we were to have a checklist for the
    > incidents list? 
    
    I think it's a good idea, and a while ago, I submitted
    something to the moderator.  
    
    For starters, I don't see a problem with folks posting,
    "I've seen a lot of these scans, has anyone else seen
    them?"...but what I would like to see is maybe a
    separate list, or a site like Incidents.org where that
    information can be correlated.  Also, there needs to
    be some clarification...for example the recent thread
    on subseven scans.  I think we can all agree that
    while it's a strong possibility that a SYN packet
    bound for that particular port *may be* part of a
    subseven scan, there is also the possibility that it's
    part of a Ramen scan.  
    
    Additionally, rather than simply saying "I've been
    scanned", folks should make an effort to provide some
    logs (and identify the source of the logs), as well as
    some more conclusive information.  The follow-on to
    the subseven scan thread led to
    some...interesting...information in which the
    respondent admitted to accessing the remote systems. 
    However, anything beyond that was too vague to provide
    conclusive information...why go to the trouble of
    accessing the systems, but not provide any conclusive
    data, such as directory listings, etc?
    
    My point is that there needs to be an agreed upon
    method of providing data, as well as perhaps what data
    to provide...standardized reporting.  I think then we
    can move to the next level of tracking these types of
    incidents, identifying the most likely sources of
    infections and infected hosts.
    
    > When
    > submitting a 'Are you experiencing this too?' or
    > 'What is this?' message, it
    > would have to be done in a specific template. This
    > may make it easier for
    > both posters and readers of this list.
    
    Agreed.  I also think that it would provide a culling
    mechanism, in that anyone too lazy (or unwilling) to
    follow the template would simply not have their
    message accepted.  In fact, a web-based form may even
    be far easier.
    
    > When
    > composing a message I'm sure
    > people are thinking 'What information should be
    > included?', 'How much detail
    > should go into it?', 'Am I being too verbose?'.
    
    Agreed.  A lot of posts say, "I got attacked." w/o
    providing anything specific.  Also, another phenomenon
    of the lists is the "seagull poster"...he swoops in,
    drops off a vague post, and disappears, never to be
    heard from again.  At least with a standardized method
    of posting, these folks wouldn't have to be queried,
    b/c the form would show them what they need to
    provide.
     
    > We will never stop people from making assumptions
    > based on limited
    > information (nor should we; in some cases it can be a
    > critical skill) but
    > this may give us a metric for evaluating any of the
    > assumptions made.
    
    I think that as a community, this is something we need
    to move away from.  Perhaps an academic standard is
    too stringent, but the basis is sound...one cannot
    simply say in a master's thesis that "I heard this
    fact someplace"...one has to provide a reference.
    
    The same idea comes from Deming's Total Quality
    Management ideas.  The idea is that one should not
    make decisions based on emotion or feelings, but
    rather hard facts.  That way, we can actually get an
    improvement in quality.  
    
    The hard part, though, will be getting people to
    understand this.  Sometimes it may be far more
    beneficial to simply post some logs (or a link) and
    NOT a bunch of assumptions.  Windows folks are going
    to have a different set of experiences from Linux
    folks, and hence different assumptions.  However,
    multiple sets of log files correlated from different
    sources can paint a pretty clear picture.
     
    > I do not know if any generic incident response
    > checklists exist in
    > the public domain, do you? Anyone feel like getting
    > together and working on one?
    
    I'd be willing to work on one with you...feel free to
    contact me off list if you like.  
    
    Carv
    
    
    
    __________________________________________________
    Do You Yahoo!?
    HotJobs - Search Thousands of New Jobs
    http://www.hotjobs.com
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
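Added example, not part of the original message or of the SecurityFocus list: a small Python sketch of what the "standardized reporting" above could look like in practice. It defines a minimal report template for scan sightings (required fields: who reported it, which log source produced the lines, a UTC timestamp, source IP, destination port, protocol, and the raw log line itself), a validator that rejects submissions missing any of them (the "culling mechanism" for vague posts), and a correlator that groups accepted reports by destination port and source address so that sightings from several independent reporters stand out. The field names are this example's own choice, not a published standard, and every report below is constructed sample data; port 27374 is used only because it is SubSeven's well-known default and so matches the thread being discussed.

```python
"""Standardized scan-report template, validator and correlator.

Added example; not the list's own tooling. Field names and all sample
reports are this example's own constructions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Fields every "I've been scanned" submission must carry before it is accepted.
REQUIRED_FIELDS = {
    "reporter",       # who is posting (so follow-up questions have a target)
    "log_source",     # which device/software produced the log line(s)
    "timestamp_utc",  # ISO 8601 with an explicit offset, so reports can be aligned
    "src_ip",         # address the probe came from
    "dst_port",       # port probed
    "proto",          # tcp/udp/icmp
    "raw_log",        # the actual log line(s), not a paraphrase
}


def validate_report(report):
    """Return a list of problems with the submission; an empty list means accept."""
    problems = []
    for field in sorted(REQUIRED_FIELDS - set(report)):
        problems.append(f"missing field: {field}")

    if "timestamp_utc" in report:
        try:
            ts = datetime.fromisoformat(report["timestamp_utc"])
            if ts.tzinfo is None:
                problems.append("timestamp_utc must carry a UTC offset")
        except ValueError:
            problems.append("timestamp_utc is not ISO 8601")

    if "src_ip" in report:
        try:
            ipaddress.ip_address(report["src_ip"])
        except ValueError:
            problems.append("src_ip is not a valid IP address")

    if "dst_port" in report:
        port = report["dst_port"]
        if not isinstance(port, int) or not 0 <= port <= 65535:
            problems.append("dst_port must be an integer 0-65535")

    if "raw_log" in report and not str(report["raw_log"]).strip():
        problems.append("raw_log must contain the actual log line(s)")

    return problems


def correlate(reports):
    """Group accepted reports by (dst_port, src_ip) -> sorted list of reporters.

    Rejected (incomplete) reports are skipped rather than guessed at.
    """
    seen = defaultdict(set)
    for report in reports:
        if validate_report(report):
            continue
        seen[(report["dst_port"], report["src_ip"])].add(report["reporter"])
    return {key: sorted(names) for key, names in seen.items()}


def multi_source_hits(reports, min_reporters=2):
    """Keep only (port, source) pairs seen by at least min_reporters independent reporters.

    Several log sources agreeing on the same source address is far stronger
    evidence of a scan than any single post saying "I got scanned".
    """
    return {key: names for key, names in correlate(reports).items()
            if len(names) >= min_reporters}


# Constructed sample submissions (addresses from RFC 5737 documentation ranges).
SAMPLE_REPORTS = [
    {"reporter": "alice", "log_source": "iptables on Linux 2.4 border router",
     "timestamp_utc": "2002-08-14T03:12:44+00:00", "src_ip": "192.0.2.10",
     "dst_port": 27374, "proto": "tcp",
     "raw_log": "Aug 14 03:12:44 gw kernel: IN=eth0 SRC=192.0.2.10 "
                "DST=198.51.100.5 PROTO=TCP SPT=4119 DPT=27374 SYN"},
    {"reporter": "bob", "log_source": "Snort 1.8 sensor, DMZ",
     "timestamp_utc": "2002-08-14T03:13:02+00:00", "src_ip": "192.0.2.10",
     "dst_port": 27374, "proto": "tcp",
     "raw_log": "08/14-03:13:02.118 192.0.2.10:4120 -> 198.51.100.9:27374 TCP ******S*"},
    {"reporter": "carol", "log_source": "ZoneAlarm on Windows 2000 workstation",
     "timestamp_utc": "2002-08-14T05:40:10+00:00", "src_ip": "203.0.113.7",
     "dst_port": 27374, "proto": "tcp",
     "raw_log": "FWIN,2002/08/14,05:40:10,203.0.113.7:2831,198.51.100.22:27374,TCP (flags:S)"},
    # The "seagull" post: a source and port, but no logs, no timestamp, no source.
    {"reporter": "dave", "src_ip": "192.0.2.10", "dst_port": 27374, "raw_log": ""},
]

if __name__ == "__main__":
    for report in SAMPLE_REPORTS:
        print(report["reporter"], validate_report(report) or "accepted")
    print(multi_source_hits(SAMPLE_REPORTS))
```

Running the block prints the problems with dave's submission and reports that 192.0.2.10 probing port 27374 was seen by both alice and bob while 203.0.113.7 was seen by carol alone. Whether that traffic is a SubSeven scan or something else is still not settled by the correlation; what it settles is which source addresses are worth following up on, with the original log lines attached.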
    



    This archive was generated by hypermail 2b30 : Thu Aug 15 2002 - 11:38:47 PDT