2. Reporting Methods
Intrusion Detection Systems (IDS)
Log Processing
IT Reports / System Problems
User Reports / Help Desk
Public Relations / Media
Call Tree
3. Business Units should have some uniform way to report incidents
How this is implemented will depend on the Business Unit's size
Examples include:
General IT Helpdesk: Attendants must know who to contact for incidents
Incident Hotline: Dedicated staff that only take incident reports, usually tied directly to the Response Team
Head of IT Security: The least formal approach, not ideal for large organizations
4. An IDS attempts to identify an attack on a network or host as it is occurring
Events are issued when attacks are detected
A policy should exist for how to report & handle events
We will look at these in more technical detail tomorrow.
5. Unless specifically configured, auditing systems will not proactively warn a system administrator. Logs must be checked!
Preparation is vital
Most systems are capable of producing logs of activity.
Many systems do not log by default, or do not log security events by default.
Good system logs are more useful than anything else for incident response.
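The point of this slide in practice, as an added example that is not part of the original course material: a small log-processing routine that turns raw authentication log lines into reportable events. It does two things the slide calls for, finding a burst of failed logins that no one would notice without reading the log, and listing hosts that were expected to report but produced no security events at all (the "does not log by default" case). The sample log lines, hostnames, users and addresses are constructed for illustration; the line layout loosely follows syslog/sshd output, and the thresholds are assumptions.

```python
"""Check auth logs for failed-login bursts and for hosts that log nothing.

Added example, not from the original training material. SAMPLE_LOG is a
constructed syslog-style excerpt; the threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not captured from any real host).
SAMPLE_LOG = """\
Mar 10 09:01:02 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 10 09:01:04 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
Mar 10 09:01:05 web01 sshd[2211]: Failed password for root from 198.51.100.23 port 51024 ssh2
Mar 10 09:01:07 web01 sshd[2212]: Failed password for root from 198.51.100.23 port 51025 ssh2
Mar 10 09:01:08 web01 sshd[2213]: Failed password for root from 198.51.100.23 port 51026 ssh2
Mar 10 09:01:30 web01 sshd[2214]: Accepted password for alice from 192.0.2.10 port 40210 ssh2
Mar 10 09:02:00 web01 sshd[2215]: Failed password for bob from 192.0.2.11 port 40300 ssh2
Mar 10 09:02:15 web01 sshd[2216]: Accepted publickey for bob from 192.0.2.11 port 40301 ssh2
"""

# One sshd authentication line: timestamp, host, result, user, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an sshd auth line, or None for anything else.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2024).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def find_failed_login_bursts(log_text, threshold=5, window_seconds=60):
    """One event per source IP that produced >= threshold failures within the window."""
    failures = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev and ev["result"] == "Failed":
            failures[ev["ip"]].append(ev)

    events = []
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                events.append({
                    "source_ip": ip,
                    "host": evs[end]["host"],
                    "count": end - start + 1,
                    "users": sorted({e["user"] for e in evs[start:end + 1]}),
                    "first": evs[start]["ts"].isoformat(),
                    "last": evs[end]["ts"].isoformat(),
                })
                break  # report each source once
    return events


def silent_hosts(log_text, expected_hosts):
    """Hosts that should have sent security events but appear nowhere in the log."""
    seen = {ev["host"] for ev in map(parse_line, log_text.splitlines()) if ev}
    return set(expected_hosts) - seen


if __name__ == "__main__":
    # Report in the shape the later slides ask for: observation, evidence, addresses.
    for ev in find_failed_login_bursts(SAMPLE_LOG):
        print(f"Observation: {ev['count']} failed logins on {ev['host']} "
              f"between {ev['first']} and {ev['last']}")
        print(f"Evidence: users tried {ev['users']}; source IP {ev['source_ip']}")
    for host in sorted(silent_hosts(SAMPLE_LOG, {"web01", "db01"})):
        print(f"Warning: no security events logged by {host}; check its audit configuration")
```

Running the module prints one burst from 198.51.100.23 and a warning that the (constructed) host db01 logged nothing. The second check is the one most often skipped: a quiet log is only good news if the system was actually configured to write security events.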
6. IT commonly detects incidents while troubleshooting other problems (crashed server or application problems)
What to Report:
Identification
Contact information
Observations
Evidence of observations
IP Addresses or network ranges
7. Users may issue reports to a Help Desk related to security incidents:
Virus or worms
Downed server
Slow or no Internet access
What to Report:
Full name, user name, and location
System type
Observations
Evidence of observations
8. An attacker may alert the media that he has broken into a network
The media will likely contact PR for a comment
This could be the first report of an incident, so PR must be ready to ask the right questions
What to ask:
How did the attacker notify the media (email, IRC)?
Is the email or nickname of the attacker known?
What are the hostnames of the systems that were compromised?
How did the attacker gain access?
Did they steal sensitive information?
What do they want (publicity, money, ...)?
Does the reporter trust that the attacker is telling the truth?
9. A single method of reporting incidents will make responding easier
Awareness is needed to educate employees on how and when to report incidents
There are several types of IDS sensors
IDS and logs require people to process the data for potential incidents
PR could be the first point of contact, and they are typically the least technical, so awareness is needed to make sure all information is collected
10. After the incident has been detected, the proper people must be notified
If a Call Tree has been created, it will now be used
As a review, we may want to contact:
Response Team
Legal
Public Relations
Other IT groups
For internal incidents, the number of people that are contacted should be limited
11. Other security groups may need to know about the incident so they can be on alert
Examples include:
Firewall Team: Watch logs more closely and maybe restrict access
IDS Team: Watch logs more closely and increase logging levels
Remote Access Team: Watch logs more closely and increase logging levels
Physical Security: Be on alert if an insider is suspected
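Slides 3, 6, 7, 10 and 11 together describe one procedure: a uniform intake record for reports arriving through different channels, followed by a Call Tree that decides who is told. The following added example (not part of the original course material) implements that procedure. The required fields per channel are taken from the "What to Report" and "What to ask" lists above; the group names match the slides, but the routing rules, the `IncidentReport` type, and the sample values are assumptions made for illustration. IP addresses and ranges are validated with Python's standard `ipaddress` module so that a malformed address is rejected at intake rather than discovered during the response.

```python
"""Uniform incident-report intake and call-tree notification.

Added example, not from the original course material. Per-channel field
lists follow the slides; routing rules and sample values are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

# What each reporting channel must supply (from the "What to Report" / "What to ask" lists).
REQUIRED = {
    "it": ("identification", "contact", "observations", "evidence"),
    "helpdesk": ("full_name", "user_name", "location", "system_type",
                 "observations", "evidence"),
    "pr": ("contact", "notification_channel", "attacker_handle",
           "compromised_hosts", "observations"),
}


@dataclass
class IncidentReport:
    channel: str                 # "it", "helpdesk" or "pr"
    details: dict                # the validated per-channel fields
    addresses: list = field(default_factory=list)  # ip_network objects
    insider_suspected: bool = False
    sensitive_data: bool = False
    public: bool = False         # already known to the media (typically the PR channel)


class ReportError(ValueError):
    """Raised when a report cannot be accepted as submitted."""


def validation_problems(channel, details, addresses=()):
    """List what stops a report from being accepted; an empty list means it is complete."""
    if channel not in REQUIRED:
        return [f"unknown reporting channel: {channel!r}"]
    problems = [f"missing field: {name}" for name in REQUIRED[channel]
                if not details.get(name)]
    for addr in addresses:
        try:
            ipaddress.ip_network(addr, strict=False)   # accepts hosts and CIDR ranges
        except ValueError:
            problems.append(f"bad IP address or range: {addr!r}")
    return problems


def intake(channel, details, addresses=(), **flags):
    """Normalise one report from any channel into an IncidentReport, or raise ReportError."""
    problems = validation_problems(channel, details, addresses)
    if problems:
        raise ReportError("; ".join(problems))
    nets = [ipaddress.ip_network(a, strict=False) for a in addresses]
    return IncidentReport(channel, dict(details), nets, **flags)


def call_tree(report):
    """Who to notify, in order. Illustrative rules, not the course's own Call Tree."""
    notify = ["Response Team"]                    # always first
    if report.sensitive_data or report.public:
        notify.append("Legal")
    if report.public:
        notify.append("Public Relations")
    if report.insider_suspected:
        # Internal incident: keep the circle small; Physical Security is the only extra group.
        notify.append("Physical Security")
        return notify
    # External incident: the other security groups go on alert.
    notify += ["Firewall Team", "IDS Team", "Remote Access Team", "Other IT groups"]
    return notify


if __name__ == "__main__":
    # Constructed sample report arriving through the IT channel.
    r = intake("it", {"identification": "INC-0001 (constructed)",
                      "contact": "ops@example.com",
                      "observations": "web01 rebooted twice overnight",
                      "evidence": "kernel messages saved from /var/log"},
               ["198.51.100.23", "192.0.2.0/24"], sensitive_data=True)
    for who in call_tree(r):
        print("notify:", who)
```

The same `intake` call serves the Help Desk and PR channels; only the required field set changes, which is what makes the downstream handling uniform. Keeping the routing in one function also makes the "limit who is contacted for internal incidents" rule something that is enforced rather than remembered.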