Incident Reporting - Liston's "How-To" Guide

Incident Reporting - Liston's "How-To" Guide
Considering reporting an incident? Have you just received an incident report? My, oh my... what are you to do? Since I am unquestionably the arbiter of all that is good and right on the highways and byways we lovingly call the Internet, I put together a handy little guide to help you through these trying times. Just think of me as the "Miss Manners" of Incident Handling. Only I don't wear a dress... Very often... Anymore... *What NOT* To Do When Reporting An Incident** Cop a 'tude: Ok, I can certainly understand that you're feeling a little miffed 'bout the fact that someone took a whack at one of your machines, but really, in my experience, most (i.e. ~99%) of the time the responsible party is many steps removed from the people you'll be contacting-- so venting your spleen on the dude at the receiving end of your email or phone call is just bad form. Save that stuff for telemarketers. (Note: Yes, I understand that telemarketers are often good, wholesome, hardworking folks trying to make ends meet. I just don't care.) If you're all wound up and ready to take names and kick butt, then you're clearly an amateur at incident response. More than likely, that evil Eastern-block hacker with the slicked back hair and bad teeth that you're imagining kicking over your webserver is actually just an unpatched WinXP machine owned by someone's Great Aunt Margaret that got whacked by the latest version of SDBot. Keep the vent-plug locked down tight on your spleen... no one wants you gettin' Great Aunt Maggie all spleeny. Get All Litigious: This is a subgroup of #1. In this case, instead of questioning whether the 'leet hax0r's parents were married at the time of his/her conception, you whip out the big guns, 'splainin' that you'll rain down all manner o'lawsuits, IRS investigations, and Papal excommunication on the responsible party. Trust me, if the FBI was interested in investigating your incident, you wouldn't be writing about it in an email to abuse@. Doing this just makes you look silly. Stop it. Look Stupid: A good incident report tells a story: it tells exactly what happened and exactly when it happened. "Stop hacking me!" is not an incident report -- it's an exclamatory sentence that reeks of idiocy. Include IP addresses (and, if they resolve, machine names) in your report. Include port numbers. Include times (synchronized to something besides your best stab at clicking "Ok" while staring at Mickey's hands...). Include (or offer to provide) packet captures. You need to do the work so that the people on the receiving end of your report don't have to... or you'll be ignored. Notice: All of these things imply that you actually have a dang clue, have done your homework, and are monitoring your network at some sort of reasonable level. Wow. Who would have thought that you actually needed to know what you're talking about to report an incident? Plant Your Flag: The Internet sucks when it comes to attribution. WHOIS tells you little and is often wrong about what it does tell you, IP addresses rarely reverse resolve, abuse@ email often appears to black-hole, and most ISP support staff gave up caring when they realized that "I work in IT" isn't really the chick-magnet phrase they thought it would be. With those kinds of odds against you, you're not gonna win many of these... I know it's frustrating when you have someone dead-to-rights and they simply dismiss you, saying, "It's not us." Let it go. You've taken the time to try to warn someone about an incident, and sometimes, that's the very best you can do. Persistence isn't a virtue here, and if you cross the line and get abusive about an incident yourself, it can get you in really deep, really fast. Blame The Victim: Not everyone is as 'leet as you... nor are they as good looking, suave, sophisticated and debonair. (Very few of us are...) But, because you're also as intelligent as you are attractive, you know that you shouldn't look down on someone who got 0wned. It's bad karma, and as these things always happen, you'll undoubtedly be next. Offer help if the situation warrants it. Explain what they need to do if they seem clueless. But why am I telling you this? You're also kindhearted and generous to a fault. Aren't you? Give up: We've all been there-- you look at the stream of evil stuff constantly raining down on your network, and you despair. All I can say is "don't give up." You've reported incident after incident, and it appears to go nowhere. Trust me, I know. I run a honeypot system... I get attacked on purpose, and I've probably sent thousands of emails reporting incidents. It never fails: just when I get to the point where I'm feeling like I'm trying to sop up the ocean with a paper towel (and I'm ready to "throw in" said towel), someone will actually reply and say "thank you." They come in all kinds of ways: I had a guy call me back about an hour after I originally talked to him when he was... well... a bit rude. He explained that he was very suspicious when I initially called, but when he actually checked out what I had told him and found out that he did have an infected machine on his network, he just had to call back and say "thanks." Years ago, I actually got a very nice Harry and David gift basket from a company I contacted when they had a server compromised. While I wouldn't sit by the front door waiting for the UPS guy to bring you largess, trust me, someone out there does appreciate what you're doing. *What NOT* To Do When Someone Reports An Incident** Cop a 'tude: While I fully support you being skeptical/wary when someone calls you out of the blue to report an incident, "skeptical" and "rude" are two different things. If the person reporting an incident seems to be asking "intrusive" questions, feel free to say "I really don't feel comfortable answering that" and ask them politely to provide whatever information they can. If it's someone trying to scam you, well... you've been polite to a scammer... certainly not the end of the world. But if the incident turns out to be real, you're gonna feel really, REALLY bad if you were rude and demeaning to someone who was just trying to help you out. (And, if you don't feel bad, then you should seriously start looking around for your soul... 'cause it must've fallen out of you recently. Look over in the corner, behind the filing cabinet.) Get All Litigious: I once called up the "Superior Court" of an unnamed California county to report that their website had been whacked and was currently advertising both erectile dysfunction medications and "hot teens" (i.e. they had the sex and the drugs... all they needed was some rock n'roll...). After the normal shuffling back and forth to various people who assured me that this "issue" wasn't their responsibility, somehow I ended up being palmed off on some County attorney who proceeded to explain all of the legal hell he was going to rain down on me for "hacking" their website. My opinion of Mr. Lawyer wasn't improved by the fact that he was clearly in negative-clue territory in his understanding of how the Intertubes worked. I finally silenced him when he asked me "How could you possibly know that this existed on our site if you didn't do it?" by giving him a very simple string of text to type into the mythical oracle of all knowledge known as "Google." Don't even think of accusing someone who contacts you of being the bad guy. Doing this just makes you look silly. Stop it. Look Stupid: If I had a nickel for everyone who told me they couldn't be the source of an attack because they run a) a firewall or b) antivirus, I would have... well... a lot of nickels. (Probably not enough to buy me another nice Harry and David gift basket, but still... a lot of nickels.) Come on... antivirus? A firewall? Really? If you're in IT and you truly believe that the fact that you're running a firewall or AV has any bearing on whether one of your machines could be infected and attacking others on the 'Net, then I have a bridge for sale. Really. I do. It's very pretty. Trust me. Plant Your Flag: Liston's Law of 'Net Karma: If you're stupid enough that, without checking, you would actually tell someone that an attack couldn't possibly be sourcing from your network, then the attack is* sourcing from your network.* Don't get cocky, 'cause you never know. If someone tells you that you have an issue, ESPECIALLY if that someone provides you with detailed information, check it out -- do NOT just dismiss it. Look at it this way: if your network is reasonably well-monitored, its not going to take you that long to confirm or deny... if it does, well then, your network isn't as well-monitored as you thought, now is it? Someone out there in Internet-land took the time to tell you that they think your network may be spewing badness -- the very least you can do is to look at some logs. Play The Victim: You got 0wned. Something, somewhere went wrong. Man up (or "woman up," but that just sounds weird...) and take 0wnership of the 0wning. It happened. Learn a lesson, fix something, and move on. Yes, you are a victim, just don't act like one. Forget To Say "Thank You": What? When your momma 'splained about manners were you spending your time pickin' your nose? (If so, you should've picked a better one... have you seen that thing between your eyes? Eeeesh!) Someone just did something nice for you. You may not like the news, but they didn't write it; they just took the time to deliver it to you, and the least (the VERY least) you can do is acknowledge them for it. No one likes to learn that their network has been 0wned, but would you really rather NOT know? And for those of you in the "if-I-don't-acknowledge-it,-it-didn't-happen" camp, come on! (And yes, I know that this is actually POLICY in some organizations...) Remember: THEY KNOW! They told YOU! Do you really think that the mind on the other end of that email or phone call you received will fall prey to the Jedi mind game you THINK you're perpetrating by not responding? "Oh, I guess since they never replied, those 5000 SSH login attempts never really happened..." No! They're just sitting back and thinking that you're a pretty big jerk for not even acknowledging their effort to let you know 'bout the problems you have. Seriously folks, tell your corporate counsel to go play with their briefs and send out a "thank you"... you don't need to admit to anything: just say "thank you for telling about this issue, we're looking into it." A little common courtesy goes a long way, and for those of us in the trenches who actually take the time to let people know about these things, a "thank you" email is a lifeline. Harry and David gift baskets are nice too. Tom Liston - Handler - SANS Internet Storm Center Senior Security Analyst - InGuardians, Inc. Director, InGuardians Labs Chairman, SANS Virtualization and Cloud Computing Summit Twitter: @tliston My honeypot tweets: @netmenaces	Tom 160 Posts Aug 4th 2010
Thread locked Subscribe	Aug 4th 2010 1 decade ago
This is right on so many fronts.	Ken 40 Posts
Quote	Aug 4th 2010 1 decade ago
Thanks for the humorous take...very much enjoyed it. :)	Anonymous
Quote	Aug 4th 2010 1 decade ago
I think I might need to include this as the footer of any notifications I make... pure awesome :)	Steven 42 Posts
Quote	Aug 4th 2010 1 decade ago
I do give a flying crap about this. Maybe even several flying craps. But even if I didn't, this would have been a good read. The applications of this article to general "situation handling" are pretty transparent. Bravo.	Steven 1 Posts
Quote	Aug 4th 2010 1 decade ago
I admit I'm guilty of #6. I've never gotten any response at all to reporting infected machines, many of which are on dynamic IPs anyhow, so I can no longer work up any enthusiasm for reporting the dozens of machines that have SSH scanned my boxes this week. It would seem there are much more effective uses of my time, so I just blackhole the IP and move on.	Anonymous
Quote	Aug 4th 2010 1 decade ago
#7 for what not to do when responding to an incident: attack back, then you did the hack and need to report it cuz you will feel bad!	Adrien de Beaupre 353 Posts ISC Handler
Quote	Aug 4th 2010 1 decade ago
Extremely Valuable Info + Well Delivered Humor = The Win!	Adrien de Beaupre 10 Posts
Quote	Aug 5th 2010 1 decade ago
Instead of "Man Up" I prefer the term "Walk it Off, Crybaby!" We use "Cowboy/Cowgirl Up" too. Actually what I am seeing is a lot of dumb messages from what appear to be automated IDS's. "We have detected a Brute Force attacks from XX.XX.XX.XX. Please stop this! We are black holing you!" followed by a Whois of my own Netblock is not very helpful. Details, please. And if you black hole my IP adresses of your servers, hey, it's not my problem.	Adrien de Beaupre 4 Posts
Quote	Aug 5th 2010 1 decade ago
David, I feel your frustration: I spent two hours trying to explain "No, this is not IP spoofing" to a foolish "IT Director" yesterday. I gave up: the Illinois State Bar Association can keep their compromised server... OTOH, I called a local school district today with the exact same "your machine has been compromised via ssh and is now being used to attack others". He didn't ask for logs, he understood, but I sent him logs anyway because the botnet is interesting to watch. He called the school responsible and called me back 5 minutes later to say they were working on it... so my one insane person yesterday may be a loss, but the win today for the good guys makes me happy. Keep up the good fight... so few are, your efforts make a difference.	Adrien de Beaupre 1 Posts
Quote	Aug 6th 2010 1 decade ago
Good points, Brian. I find in general that educational institutions are more responsive to incident reports than other businesses. I think ISPs are mostly a lost cause because they see their obligation as being to the customer, not to other netizens. If they cut off an infected host, that gets their customer angry and threatens their bottom line. Leaving the infected machine alone costs them nothing.	Anonymous
Quote	Aug 9th 2010 1 decade ago

Considering reporting an incident?

Have you just received an incident report?

My, oh my... what are you to do?

Since I am unquestionably the arbiter of all that is good and right on the highways and byways we lovingly call the Internet, I put together a handy little guide to help you through these trying times. Just think of me as the "Miss Manners" of Incident Handling. Only I don't wear a dress...

Very often...

Anymore...

What *NOT* To Do When Reporting An Incident

Cop a 'tude: Ok, I can certainly understand that you're feeling a little miffed 'bout the fact that someone took a whack at one of your machines, but really, in my experience, most (i.e. ~99%) of the time the responsible party is many steps removed from the people you'll be contacting-- so venting your spleen on the dude at the receiving end of your email or phone call is just bad form. Save that stuff for telemarketers. (Note: Yes, I understand that telemarketers are often good, wholesome, hardworking folks trying to make ends meet. I just don't care.) If you're all wound up and ready to take names and kick butt, then you're clearly an amateur at incident response. More than likely, that evil Eastern-block hacker with the slicked back hair and bad teeth that you're imagining kicking over your webserver is actually just an unpatched WinXP machine owned by someone's Great Aunt Margaret that got whacked by the latest version of SDBot. Keep the vent-plug locked down tight on your spleen... no one wants you gettin' Great Aunt Maggie all spleeny.
Get All Litigious: This is a subgroup of #1. In this case, instead of questioning whether the 'leet hax0r's parents were married at the time of his/her conception, you whip out the big guns, 'splainin' that you'll rain down all manner o'lawsuits, IRS investigations, and Papal excommunication on the responsible party. Trust me, if the FBI was interested in investigating your incident, you wouldn't be writing about it in an email to abuse@. Doing this just makes you look silly. Stop it.
Look Stupid: A good incident report tells a story: it tells exactly *what* happened and exactly *when* it happened. "Stop hacking me!" is not an incident report -- it's an exclamatory sentence that reeks of idiocy. Include IP addresses (and, if they resolve, machine names) in your report. Include port numbers. Include times (synchronized to something besides your best stab at clicking "Ok" while staring at Mickey's hands...). Include (or offer to provide) packet captures. You need to do the work so that the people on the receiving end of your report don't have to... or you'll be ignored. Notice: All of these things imply that *you* actually have a dang clue, have done your homework, and are monitoring your network at some sort of reasonable level. Wow. Who would have thought that you actually needed to know what you're talking about to report an incident?
Plant Your Flag: The Internet sucks when it comes to attribution. WHOIS tells you little and is often wrong about what it *does* tell you, IP addresses rarely reverse resolve, abuse@ email often appears to black-hole, and most ISP support staff gave up caring when they realized that "I work in IT" isn't really the chick-magnet phrase they thought it would be. With those kinds of odds against you, you're not gonna win many of these... I know it's frustrating when you have someone dead-to-rights and they simply dismiss you, saying, "It's not us." Let it go. You've taken the time to try to warn someone about an incident, and sometimes, that's the very best you can do. Persistence isn't a virtue here, and if you cross the line and get abusive about an incident yourself, it can get you in really deep, really fast.
Blame The Victim: Not everyone is as 'leet as you... nor are they as good looking, suave, sophisticated and debonair. (Very few of us are...) But, because you're also as intelligent as you are attractive, you know that you shouldn't look down on someone who got 0wned. It's bad karma, and as these things always happen, you'll undoubtedly be next. Offer help if the situation warrants it. Explain what they need to do if they seem clueless. But why am I telling you this? You're also kindhearted and generous to a fault. Aren't you?
Give up: We've all been there-- you look at the stream of evil stuff constantly raining down on your network, and you despair. All I can say is "don't give up." You've reported incident after incident, and it appears to go nowhere. Trust me, I know. I run a honeypot system... I get attacked on purpose, and I've probably sent thousands of emails reporting incidents. It never fails: just when I get to the point where I'm feeling like I'm trying to sop up the ocean with a paper towel (and I'm ready to "throw in" said towel), someone will actually reply and say "thank you." They come in all kinds of ways: I had a guy call me back about an hour after I originally talked to him when he was... well... a bit rude. He explained that he was very suspicious when I initially called, but when he actually checked out what I had told him and found out that he *did* have an infected machine on his network, he just had to call back and say "thanks." Years ago, I actually got a very nice Harry and David gift basket from a company I contacted when they had a server compromised. While I wouldn't sit by the front door waiting for the UPS guy to bring you largess, trust me, someone out there does appreciate what you're doing.

What *NOT* To Do When Someone Reports An Incident

Cop a 'tude: While I fully support you being skeptical/wary when someone calls you out of the blue to report an incident, "skeptical" and "rude" are two different things. If the person reporting an incident seems to be asking "intrusive" questions, feel free to say "I really don't feel comfortable answering that" and ask them politely to provide whatever information they can. If it's someone trying to scam you, well... you've been polite to a scammer... certainly not the end of the world. But if the incident turns out to be real, you're gonna feel really, REALLY bad if you were rude and demeaning to someone who was just trying to help you out. (And, if you don't feel bad, then you should seriously start looking around for your soul... 'cause it must've fallen out of you recently. Look over in the corner, behind the filing cabinet.)
Get All Litigious: I once called up the "Superior Court" of an unnamed California county to report that their website had been whacked and was currently advertising both erectile dysfunction medications and "hot teens" (i.e. they had the sex and the drugs... all they needed was some rock n'roll...). After the normal shuffling back and forth to various people who assured me that this "issue" wasn't their responsibility, somehow I ended up being palmed off on some County attorney who proceeded to explain all of the legal hell he was going to rain down on me for "hacking" their website. My opinion of Mr. Lawyer wasn't improved by the fact that he was clearly in negative-clue territory in his understanding of how the Intertubes worked. I finally silenced him when he asked me "How could you possibly know that this existed on our site if you didn't do it?" by giving him a very simple string of text to type into the mythical oracle of all knowledge known as "Google." Don't even think of accusing someone who *contacts you* of being the bad guy. Doing this just makes you look silly. Stop it.
Look Stupid: If I had a nickel for everyone who told me they couldn't be the source of an attack because they run a) a firewall or b) antivirus, I would have... well... a lot of nickels. (Probably not enough to buy me another nice Harry and David gift basket, but still... a lot of nickels.) Come on... antivirus? A firewall? Really? If you're in IT and you truly believe that the fact that you're running a firewall or AV has any bearing on whether one of your machines could be infected and attacking others on the 'Net, then I have a bridge for sale. Really. I do. It's very pretty. Trust me.
Plant Your Flag: Liston's Law of 'Net Karma: If you're stupid enough that, without checking, you would actually tell someone that an attack couldn't possibly be sourcing from your network, then the attack *is* sourcing from your network. Don't get cocky, 'cause you never know. If someone tells you that you have an issue, ESPECIALLY if that someone provides you with detailed information, check it out -- do NOT just dismiss it. Look at it this way: if your network is reasonably well-monitored, its not going to take you *that* long to confirm or deny... if it does, well then, your network isn't as well-monitored as you thought, now is it? Someone out there in Internet-land took the time to tell you that they think your network may be spewing badness -- the very *least* you can do is to look at some logs.
Play The Victim: You got 0wned. Something, somewhere went wrong. Man up (or "woman up," but that just sounds weird...) and take 0wnership of the 0wning. It happened. Learn a lesson, fix something, and move on. Yes, you are a victim, just don't act like one.
Forget To Say "Thank You": What? When your momma 'splained about manners were you spending your time pickin' your nose? (If so, you should've picked a better one... have you seen that thing between your eyes? Eeeesh!) Someone just did something nice for you. You may not like the news, but they didn't write it; they just took the time to deliver it to you, and the least (the VERY least) you can do is acknowledge them for it. No one likes to learn that their network has been 0wned, but would you really rather NOT know? And for those of you in the "if-I-don't-acknowledge-it,-it-didn't-happen" camp, come on! (And yes, I know that this is actually POLICY in some organizations...) Remember: THEY KNOW! They told YOU! Do you really think that the mind on the other end of that email or phone call you received will fall prey to the Jedi mind game you THINK you're perpetrating by not responding? "Oh, I guess since they never replied, those 5000 SSH login attempts never really happened..." No! They're just sitting back and thinking that you're a pretty big jerk for not even acknowledging their effort to let you know 'bout the problems you have. Seriously folks, tell your corporate counsel to go play with their briefs and send out a "thank you"... you don't need to admit to anything: just say "thank you for telling about this issue, we're looking into it." A little common courtesy goes a long way, and for those of us in the trenches who actually take the time to let people know about these things, a "thank you" email is a lifeline. Harry and David gift baskets are nice too.

Tom Liston - Handler - SANS Internet Storm Center
Senior Security Analyst - InGuardians, Inc.
Director, InGuardians Labs
Chairman, SANS Virtualization and Cloud Computing Summit
Twitter: @tliston
My honeypot tweets: @netmenaces

Tom

160 Posts

Aug 4th 2010

This is right on so many fronts.

Ken

40 Posts

Thanks for the humorous take...very much enjoyed it. :)

Anonymous

I think I might need to include this as the footer of any notifications I make... pure awesome :)

Steven

42 Posts

I do give a flying crap about this. Maybe even several flying craps. But even if I didn't, this would have been a good read. The applications of this article to general "situation handling" are pretty transparent. Bravo.

Steven
1 Posts

I admit I'm guilty of #6. I've never gotten *any* response at all to reporting infected machines, many of which are on dynamic IPs anyhow, so I can no longer work up any enthusiasm for reporting the dozens of machines that have SSH scanned my boxes this week. It would seem there are much more effective uses of my time, so I just blackhole the IP and move on.

Anonymous

#7 for what not to do when responding to an incident: attack back, then you did the hack and need to report it cuz you will feel bad!

Adrien de Beaupre

353 Posts
ISC Handler

Extremely Valuable Info + Well Delivered Humor = The Win!

Adrien de Beaupre
10 Posts

Instead of "Man Up" I prefer the term "Walk it Off, Crybaby!" We use "Cowboy/Cowgirl Up" too.

Actually what I am seeing is a lot of dumb messages from what appear to be automated IDS's. "We have detected a Brute Force attacks from XX.XX.XX.XX. Please stop this! We are black holing you!" followed by a Whois of my own Netblock is not very helpful. Details, please. And if you black hole my IP adresses of your servers, hey, it's not my problem.

Adrien de Beaupre
4 Posts

David, I feel your frustration: I spent two hours trying to explain "No, this is not IP spoofing" to a foolish "IT Director" yesterday. I gave up: the Illinois State Bar Association can keep their compromised server... OTOH, I called a local school district today with the exact same "your machine has been compromised via ssh and is now being used to attack others". He didn't ask for logs, he understood, but I sent him logs anyway because the botnet is interesting to watch. He called the school responsible and called me back 5 minutes later to say they were working on it... so my one insane person yesterday may be a loss, but the win today for the good guys makes me happy. Keep up the good fight... so few are, your efforts make a difference.

Adrien de Beaupre
1 Posts

Good points, Brian.

I find in general that educational institutions are more responsive to incident reports than other businesses.

I think ISPs are mostly a lost cause because they see their obligation as being to the customer, not to other netizens. If they cut off an infected host, that gets their customer angry and threatens their bottom line. Leaving the infected machine alone costs them nothing.

Anonymous