Considering reporting an incident? Have you just received an incident report? My, oh my... what are you to do? Since I am unquestionably the arbiter of all that is good and right on the highways and byways we lovingly call the Internet, I put together a handy little guide to help you through these trying times. Just think of me as the "Miss Manners" of Incident Handling. Only I don't wear a dress... Very often... Anymore...

What *NOT* To Do When Reporting An Incident
What *NOT* To Do When Someone Reports An Incident

Tom Liston | Handler | SANS Internet Storm Center
Tom | 160 Posts | Aug 4th 2010

This is right on so many fronts.
Ken | 40 Posts | Aug 4th 2010

Thanks for the humorous take...very much enjoyed it. :)
Anonymous | Aug 4th 2010

I think I might need to include this as the footer of any notifications I make... pure awesome :)
Steven | 42 Posts | Aug 4th 2010

I do give a flying crap about this. Maybe even several flying craps. But even if I didn't, this would have been a good read. The applications of this article to general "situation handling" are pretty transparent. Bravo.
Steven | 1 Post | Aug 4th 2010

I admit I'm guilty of #6. I've never gotten *any* response at all to reporting infected machines, many of which are on dynamic IPs anyhow, so I can no longer work up any enthusiasm for reporting the dozens of machines that have SSH scanned my boxes this week. It would seem there are much more effective uses of my time, so I just blackhole the IP and move on.
Anonymous | Aug 4th 2010

#7 for what not to do when responding to an incident: attack back, then you did the hack and need to report it cuz you will feel bad!
Adrien de Beaupre | 353 Posts | ISC Handler | Aug 4th 2010

Extremely Valuable Info + Well Delivered Humor = The Win!
Adrien de Beaupre | 10 Posts | Aug 5th 2010

Instead of "Man Up" I prefer the term "Walk it Off, Crybaby!" We use "Cowboy/Cowgirl Up" too.
Actually what I am seeing is a lot of dumb messages from what appear to be automated IDSs. "We have detected a Brute Force attacks from XX.XX.XX.XX. Please stop this! We are black holing you!" followed by a Whois of my own Netblock is not very helpful. Details, please. And if you black hole my IP addresses of your servers, hey, it's not my problem.
Adrien de Beaupre | 4 Posts | Aug 5th 2010

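The complaint above is about automated notices that name an address and nothing else. As an added example (not code from the diary or from any commenter), the Python below turns sshd log lines into the kind of report the recipient can actually act on: source address, number of failures, first and last seen with an explicit UTC timezone, the usernames tried, a reply-to contact, and the raw log lines as evidence; a source below a threshold gets no report at all, which keeps a single mistyped password from generating a complaint. The syslog line format, the log year, the threshold and the contact address are assumptions, and the sample lines are constructed with documentation-range addresses.

```python
"""Build an SSH brute-force abuse report that carries the details a recipient needs."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sshd log lines (syslog-style, assumed to be recorded in UTC).
# The addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
Aug  4 02:11:03 host1 sshd[2201]: Failed password for root from 198.51.100.23 port 51022 ssh2
Aug  4 02:11:05 host1 sshd[2201]: Failed password for root from 198.51.100.23 port 51022 ssh2
Aug  4 02:11:09 host1 sshd[2204]: Failed password for invalid user admin from 198.51.100.23 port 51030 ssh2
Aug  4 02:11:15 host1 sshd[2207]: Failed password for invalid user oracle from 198.51.100.23 port 51041 ssh2
Aug  4 02:11:16 host1 sshd[2208]: Failed password for invalid user test from 198.51.100.23 port 51045 ssh2
Aug  4 02:12:40 host1 sshd[2230]: Failed password for bob from 203.0.113.7 port 40012 ssh2
Aug  4 02:13:02 host1 sshd[2233]: Accepted publickey for bob from 203.0.113.7 port 40012 ssh2
"""

# Matches only failed password attempts; accepted logins and other sshd lines are ignored.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2010):
    """Return {source_ip: [(timestamp_utc, username, raw_line), ...]} for failed logins.

    Syslog lines carry no year, so it is passed in (assumed 2010 for the sample)."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        events[m["ip"]].append((ts, m["user"], raw))
    return events


def build_report(events, ip, reporter_contact, threshold=5):
    """Return the report text for one source, or None if it is below the threshold.

    The threshold is an assumed policy value; it stops a single typo from being reported."""
    hits = sorted(events.get(ip, []))
    if len(hits) < threshold:
        return None
    first, last = hits[0][0], hits[-1][0]
    users = sorted({user for _, user, _ in hits})
    lines = [
        f"Subject: SSH brute-force attempts from {ip}",
        f"Source IP: {ip}",
        f"Failed logins: {len(hits)}",
        f"First seen: {first.isoformat()}",
        f"Last seen:  {last.isoformat()}",
        f"Usernames tried: {', '.join(users)}",
        f"Reply-to: {reporter_contact}",
        "Evidence (sshd log, timestamps in UTC):",
    ]
    lines += ["  " + raw for _, _, raw in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_failures(SAMPLE_LOG)
    for source in parsed:
        report = build_report(parsed, source, "abuse@example.net")  # assumed contact
        if report:
            print(report, end="\n\n")
```

Run as-is it prints one report, for 198.51.100.23, and none for 203.0.113.7, whose single failure followed by a key-based login looks like a legitimate user. Everything the report states is derived from the log lines it attaches, so the recipient can verify it without a round trip.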
David, I feel your frustration: I spent two hours trying to explain "No, this is not IP spoofing" to a foolish "IT Director" yesterday. I gave up: the Illinois State Bar Association can keep their compromised server... OTOH, I called a local school district today with the exact same "your machine has been compromised via ssh and is now being used to attack others". He didn't ask for logs, he understood, but I sent him logs anyway because the botnet is interesting to watch. He called the school responsible and called me back 5 minutes later to say they were working on it... so my one insane person yesterday may be a loss, but the win today for the good guys makes me happy. Keep up the good fight... so few are, your efforts make a difference.
Adrien de Beaupre | 1 Post | Aug 6th 2010

Good points, Brian.
I find in general that educational institutions are more responsive to incident reports than other businesses. I think ISPs are mostly a lost cause because they see their obligation as being to the customer, not to other netizens. If they cut off an infected host, that gets their customer angry and threatens their bottom line. Leaving the infected machine alone costs them nothing.

Anonymous | Aug 9th 2010