Recipe 9.42 Filing an Incident Report
9.42.1 Problem
You want to report a security incident to
appropriate authorities, such as a computer
security incident response team (CSIRT).
9.42.2 Solution
In advance of any security incident, develop and document a security
policy that includes reporting guidelines. Store CSIRT contact
information offline, in advance.

When an incident occurs:
- Decide if the incident merits an incident report. Consider the impact
  of the incident.
- Gather detailed information about the incident. Organize it, so you
  can communicate effectively.
- Contact system administrators at other sites that were involved in
  the incident, either as attackers or victims.
- Submit incident reports to appropriate CSIRTs. Be sure to respond to
  any requests for additional information.
9.42.3 Discussion
If your system has been hacked [Recipe 9.41], or you
have detected suspicious activity that might indicate an impending
break-in, report the incident. A wide range of computer security
incident response teams (CSIRTs) are available to help.

CSIRTs act as clearinghouses for security information. They collect
and distribute news about ongoing security threats, analyze
statistics gathered from incident reports, and coordinate defensive
efforts. Collaboration with CSIRTs is an important part of being a
responsible network citizen: any contribution, however small, to
improving the security of the Internet will help you, too.

Develop a security policy, including procedures and contact
information for applicable CSIRTs, before a
break-in occurs. Most CSIRTs accept incident reports in a variety of
formats, including Web forms, encrypted email, phone, FAX, etc. Since
your network access might be disrupted by break-ins or denial of
service attacks, store some or all of this information offline.

The Computer Emergency Response Team (CERT)
serves the entire Internet, and is one of the most important CSIRTs:
this is a good starting point. The Forum of Incident Response and Security
Teams (FIRST) is a consortium of CSIRTs (including CERT) that serve
more specialized constituencies. See their list of members to
determine if any apply to your organization.

Government agencies are increasingly
acting as CSIRTs, with an emphasis on law enforcement and prevention.
Contact them to report activities that fall within their
jurisdiction. An example in the United States is the
National Infrastructure Protection Center
(NIPC).

What activities qualify as bona fide security incidents? Clearly,
malicious activities that destroy data or disrupt operations are
included, but every Snort alert [Recipe 9.20] does not
merit an incident report. Consider the impact and potential effect of
the activities, but if you are in doubt, report what you have
noticed. Even reports of well-known security threats are useful to
CSIRTs, as they attempt to correlate activities to detect widespread
patterns and determine longer-term trends.

Before filing a report, gather the
relevant information, including:
- A detailed description of activities that you noticed
- Monitoring techniques: how you noticed
- Hosts and networks involved: yours, apparent attackers, and other
  victims
- Supporting data such as log files and network traces
Start by contacting system administrators at other sites. If you are
(or were) under attack, note the source, but be aware that IP
addresses might have been spoofed. If your system has been
compromised and used to attack other sites, notify them as well. ISPs
might be interested in activities that involve large amounts of
network traffic.

The whois command can obtain technical and
administrative contact information based on domain names:
$ whois example.com
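As an added example (not from the book, and not a tool the recipe itself supplies), the following POSIX shell script packages the items listed above into one report directory: it copies the logs as supporting data, pulls the distinct source addresses out of sshd-style log lines to fill in the "hosts involved" section, writes a skeleton with the recipe's sections, and records SHA-256 hashes of the evidence so that, when a CSIRT asks for copies or the material acquires legal significance, you can show it has not been altered since you collected it. The host name, addresses and log lines in it are constructed sample data, the function names are my own, and it assumes awk, find, cmp and sha256sum (or shasum) are installed.

```shell
#!/bin/sh
# Added example, not from the Linux Security Cookbook: gather the material
# the recipe lists (description, how it was noticed, hosts involved,
# supporting data) into one report directory, and keep a checksum manifest
# so the evidence can later be shown to be unmodified.
# Assumptions: POSIX sh with awk, find, sort, cmp and sha256sum (or shasum).
# Every log line below is constructed sample data (RFC 5737 addresses).

# Print the SHA-256 of one file as "HASH  FILE", with whichever tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# List the distinct addresses that follow the word "from" in syslog-style
# lines (the form sshd writes); they fill in the "hosts involved" section.
extract_sources() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' "$@" | sort -u
}

# Hash every file under evidence/, in a fixed order, into one manifest.
write_manifest() {
    (cd "$1" && find evidence -type f | sort | while read -r f; do hash_file "$f"; done) > "$1/SHA256SUMS"
}

# Recompute the hashes and compare with the manifest: 0 if nothing changed.
verify_manifest() {
    (cd "$1" && find evidence -type f | sort | while read -r f; do hash_file "$f"; done) | cmp -s - "$1/SHA256SUMS"
}

# build_report_dir OUTDIR LOGFILE...: copy the logs as evidence, extract the
# hosts, write a draft with the recipe's sections, then write the manifest.
build_report_dir() {
    outdir=$1; shift
    mkdir -p "$outdir/evidence"
    for f in "$@"; do cp "$f" "$outdir/evidence/"; done
    {
        echo "INCIDENT REPORT (draft)"
        echo
        echo "1. Description of activity noticed:"
        echo "   (fill in)"
        echo
        echo "2. Monitoring technique (how it was noticed):"
        echo "   (fill in, e.g. review of the sshd authentication log)"
        echo
        echo "3. Hosts and networks involved (source addresses seen; may be spoofed):"
        extract_sources "$@" | sed 's/^/   /'
        echo
        echo "4. Supporting data (copied under evidence/, hashes in SHA256SUMS):"
        (cd "$outdir" && find evidence -type f | sort | sed 's/^/   /')
        echo
        echo "5. CSIRT tracking numbers and correspondence log:"
        echo "   (record each tracking number and every message sent or received)"
    } > "$outdir/REPORT.txt"
    write_manifest "$outdir"
}

# Write a few constructed auth-log lines to the given path.
make_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 02:14:07 webhost sshd[2231]: Failed password for root from 192.0.2.45 port 51022 ssh2
Mar  3 02:14:09 webhost sshd[2231]: Failed password for root from 192.0.2.45 port 51022 ssh2
Mar  3 02:15:31 webhost sshd[2240]: Accepted password for admin from 198.51.100.7 port 40311 ssh2
Mar  3 02:16:02 webhost sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/bash
EOF
}

# Stand-alone demo: build a report from the sample log in a fresh temp dir.
demo() {
    dir=$(mktemp -d)
    make_sample_log "$dir/auth.log"
    build_report_dir "$dir/report" "$dir/auth.log"
    cat "$dir/report/REPORT.txt"
    verify_manifest "$dir/report" && echo "evidence manifest verified: $dir/report/SHA256SUMS"
}

demo
```

Run it as `sh report.sh`; it prints the draft and the manifest path. The addresses it lists are only what the logs recorded and, as the recipe notes, may be spoofed; the whois lookups, the narrative description and the tracking numbers still have to be filled in by hand, and the manifest should be stored with your saved correspondence rather than alongside the evidence alone.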
Save all of your correspondence; you might need it later. CSIRTs
will want copies, and the communication might have legal implications
if you are reporting potentially criminal activity.

Next, contact the appropriate CSIRTs according to your security
policy. Follow each CSIRT's reporting guidelines,
and note the incident tracking numbers assigned to your case, for
future reference.

Provide good contact information, and try your best to respond in a
timely manner to requests for more details. Don't be
disappointed or surprised if you don't receive a
reply, though. CSIRTs receive many reports, and if yours is a
well-known threat, they might use it primarily for statistical
analysis, with no need for a thorough, individual investigation.

In many cases, however, you will at least receive the latest
available information about recognized activities. If you have
discovered a new threat, you may even receive important technical
assistance. CSIRTs often possess information that has not been
publicly released.
9.42.4 See Also
The Computer Emergency Response Team (CERT) home page is http://www.cert.org. For incident reporting
guidelines, see http://www.cert.org/tech_tips/incident_reportingl.

The CERT Coordination Center
(CERT/CC) incident reporting form is available at the secure web site
https://irf.cc.cert.org.

The Forum of
Incident Response and Security Teams (FIRST) home page is http://www.first.org. Their member list, with
applicable constituencies, is available at http://www.first.org/team-info.

The National Infrastructure Protection Center
(NIPC) home page is http://www.nipc.gov.