Pass-down for a Successful Incident Response - Internet Security

Pass-down for a Successful Incident Response
A mandatory management tool for incident response is called the "pass down". It is the accurate and systematic passing along of detailed information from the current case handler to the next shift of incident handlers. As a newbie to security in 1998, I was working as a contractor attached to the Navy and Marine Corp Incident Response Team (NAVCIRT). This was my first introduction to the methodology of pass down in practice. The results of this mandatory information review and collaboration between shifts and managers is a successful tool, properly utilized to achieve legally obtained and verifiable evidence for use in court. Documenting what you accomplished during your shift in the case development is crucial. Write it down, all of it, hunches, wild guesses, everything. This creative flow of thought should assist in case development. This process flows so efficiently, and the successful interaction of the Incident Response Team will amaze you. Ultimately leading to a more effective, cohesive and educated team. Responding to an incident as quickly as possible, remediating the vulnerability and getting back to other handler duties. Let's say you have a new handler come on board. How would you advise this person? Really stop and think for a moment. Besides our site (of course :-), isc.sans.org) where would you recommend a newbie go to get the types of information you use daily to analyze your cases. Send us a couple of your tips. Let's work together to get us all up-to-date on where the latest and greatest minds are gathering good data. Where do you go to get a memory upload of current Internet activity, secrets, or help for any parameters? Send them to us here and we'll post some of the best hints posted here!. Mari Nichols, Handler on Duty UPDATE: Thanks to Stephan, Clara, Steve and Bill for submitting their favorite links. If you have anymore to add, please let us know! http://www.symantec.com/business/security_response/index.jsp https://www.cert-bund.de/overview/AdvisoryShort (Sometimes i'm too lazy for translating - use SOME Cert's of your choice) http://www.securityfocus.com/ http://www.malwareurl.com/index.php https://zeustracker.abuse.ch/ http://dnsbl.abuse.ch/ http://dnsbl.abuse.ch/links.php http://packetstormsecurity.org/ http://seclists.org/bugtraq/ http://www.owasp.org/index.php/ASVS http://www.honeynet.org http://secviz.org/ http://windowsir.blogspot.com/ http://securosis.com/ http://www.vupen.com http://www.secunia.com http://seclists.org	Mari Nichols 76 Posts
Subscribe	Jan 22nd 2010 9 years ago
I have a security tab on my Google IG homepage where I have 6 gadgets from: http://digg.com/security http://www.darknet.org.uk http://www.networkworld.com/topics/security.html http://www.securityfocus.com/vulnerabilities http://isc.sans.org/ http://www.securityfocus.com/news The above is just the beginning...I usually visit anything linked from above, searching for accuracy in the reported information I find.	HackDefendr 65 Posts
Quote	Jan 25th 2010 9 years ago
Ah, I guess I should mention I also spend an hour each day submitting spam from my gmail spam folder to Spamcop.net. Its amazing how much I submit still is not listed in any blacklists. Tools I frequently use with the information I gather from my links, and the new ones I found in the diary post (thanks!!): Metasploit - (duh) w3af - http://w3af.sourceforge.net Burp Suite - http://portswigger.net/suite/ Web Securify - http://www.websecurify.com/ glastopf - http://glastopf.org/project.php	HackDefendr 65 Posts
Quote	Jan 25th 2010 9 years ago

A mandatory management tool for incident response is called the "pass down". It is the accurate and systematic passing along of detailed information from the current case handler to the next shift of incident handlers. As a newbie to security in 1998, I was working as a contractor attached to the Navy and Marine Corp Incident Response Team (NAVCIRT). This was my first introduction to the methodology of pass down in practice. The results of this mandatory information review and collaboration between shifts and managers is a successful tool, properly utilized to achieve legally obtained and verifiable evidence for use in court.

Documenting what you accomplished during your shift in the case development is crucial. Write it down, all of it, hunches, wild guesses, everything. This creative flow of thought should assist in case development. This process flows so efficiently, and the successful interaction of the Incident Response Team will amaze you. Ultimately leading to a more effective, cohesive and educated team. Responding to an incident as quickly as possible, remediating the vulnerability and getting back to other handler duties.

Let's say you have a new handler come on board. How would you advise this person? Really stop and think for a moment. Besides our site (of course :-), isc.sans.org) where would you recommend a newbie go to get the types of information you use daily to analyze your cases.

Send us a couple of your tips. Let's work together to get us all up-to-date on where the latest and greatest minds are gathering good data. Where do you go to get a memory upload of current Internet activity, secrets, or help for any parameters? Send them to us here and we'll post some of the best hints posted here!.

Mari Nichols,

Handler on Duty

UPDATE: Thanks to Stephan, Clara, Steve and Bill for submitting their favorite links. If you have anymore to add, please let us know!

http://www.symantec.com/business/security_response/index.jsp
https://www.cert-bund.de/overview/AdvisoryShort (Sometimes i'm too lazy for translating - use SOME Cert's of your choice)
http://www.securityfocus.com/
http://www.malwareurl.com/index.php
https://zeustracker.abuse.ch/
http://dnsbl.abuse.ch/
http://dnsbl.abuse.ch/links.php
http://packetstormsecurity.org/
http://seclists.org/bugtraq/
http://www.owasp.org/index.php/ASVS
http://www.honeynet.org
http://secviz.org/
http://windowsir.blogspot.com/
http://securosis.com/
http://www.vupen.com
http://www.secunia.com
http://seclists.org

Mari Nichols

76 Posts

I have a security tab on my Google IG homepage where I have 6 gadgets from:

http://digg.com/security
http://www.darknet.org.uk
http://www.networkworld.com/topics/security.html
http://www.securityfocus.com/vulnerabilities
http://isc.sans.org/
http://www.securityfocus.com/news

The above is just the beginning...I usually visit anything linked from above, searching for accuracy in the reported information I find.

HackDefendr

65 Posts

Ah, I guess I should mention I also spend an hour each day submitting spam from my gmail spam folder to Spamcop.net. Its amazing how much I submit still is not listed in any blacklists.

Tools I frequently use with the information I gather from my links, and the new ones I found in the diary post (thanks!!):

Metasploit - (duh)
w3af - http://w3af.sourceforge.net
Burp Suite - http://portswigger.net/suite/
Web Securify - http://www.websecurify.com/
glastopf - http://glastopf.org/project.php

HackDefendr

65 Posts