The fifth session from a two day course for potential first responders I ran for a large financial services client.

1. Phil Huggins
February 2004

2.  Reporting Methods
 Intrusion Detection Systems (IDS)
 Log Processing
 IT Reports / System Problems
 User Reports / Help Desk
 Public Relations / Media
 Call Tree

3.  Business Units should have some uniform way to
report incidents
 The implementation of such will depend on the
Business Unit size
 Examples include:
 General IT Helpdesk: Attendants must know who to
contact for incidents
 Incident Hotline: Dedicated staff that only take incident
reports, usually tied directly to the Response Team
 Head of IT Security: The least formal approach, not ideal
for large organizations

4.  IDS systems attempt to identify an attack on
a network or host as it is occurring
 Events are issued when attacks are detected
 A policy should exist for how to report &
handle events
 We will look at these in more technical detail
tomorrow.

5.  Unless specifically configured, auditing systems will
not pro-actively warn a system administrator. Logs
must be checked !
 Preparation is vital
 Most systems are capable of producing logs of activity.
 Many systems do not log by default, or do not log security
events by default.
 Good system logs are more useful than anything
else for incident response.

6.  IT commonly detects incidents while
troubleshooting other problems (crashed
server or application problems)
 What to Report:
 Identification
 Contact information
 Observations
 Evidence of observations
 IP Addresses or network ranges

7.  Users may issue reports to a Help Desk related to
security incidents:
 Virus or worms
 Downed server
 Slow or no Internet access
 What to Report:
 Full name, user name, and location
 System type
 Observations
 Evidence of observations

8.  An attacker may alert the media that he has broken into a
network
 The media will likely contact PR for a comment
 This could be the first report of an incident, so PR must be
ready to ask the right questions
 What to ask:
 How did the attacker notify the media (email, IRC)
 Is the email or nickname of the attacker known
 What are the hostnames of the systems that were compromised
 How did the attacker gain access
 Did they steal sensitive information
 What do they want (publicity, money ..)
 Does the reporter trust the attacker is telling the truth

9.  A single method of reporting incidents will make
responding easier
 Awareness is needed to educate employees on how
and when to report incidents
 There are several types of IDS sensors
 IDS and logs require people to process the data for
potential incidents
 PR could be the first point of contact and they
typically are the least technical, awareness is
needed so all information is collected

10.  After the incident has been detected, the proper
people must be notified
 If a Call Tree has been created, it will now be used
 As a review, we may want to contact:
 Response Team
 Legal
 Public Relations
 Other IT groups
 For internal incidents, the number of people that are
contacted should be limited

11.  Other security groups may need to know about the
incident so they can be on alert
 Examples include:
 Firewall Team: Watch logs more closely and maybe restrict
access
 IDS Team: Watch logs more closely and increase logging
levels
 Remote Access Team: Watch logs more closely and
increase logging levels
 Physical Security: Be on alert if an insider is suspected