Security Incidents mailing list archives

Standardized Reporting


From: H C <keydet89 () yahoo com>
Date: Thu, 15 Aug 2002 06:09:09 -0700 (PDT)

O'neil,

> Excellent point and a worthwhile objective HC. I have an idea
> (certainly not original) to achieve these results on a sustained basis.

Okay, let's see what we can get started.

> I picked up a book called Incident Response a while ago and they had some
> rudimentary incident checklists which were a great starting point and I went
> on to develop my own template that was appropriate to my specific situation.

Which book?  The one by Prosise and Mandia, the one by
Schultz, or the one by Forno?

> What if we were to have a checklist for the incidents list?

I think it's a good idea, and a while ago, I submitted
something to the moderator.  

For starters, I don't see a problem with folks posting,
"I've seen a lot of these scans, has anyone else seen
them?"...but what I would like to see is maybe a
separate list, or a site like Incidents.org where that
information can be correlated.  Also, there needs to
be some clarification...for example the recent thread
on subseven scans.  I think we can all agree that
while it's a strong possibility that a SYN packet
bound for that particular port *may be* part of a
subseven scan, there is also the possibility that it's
part of a Ramen scan.  

Additionally, rather than simply saying "I've been
scanned", folks should make an effort to provide some
logs (and identify the source of the logs), as well as
some more conclusive information.  The follow-on to
the subseven scan thread led to
some...interesting...information in which the
respondent admitted to accessing the remote systems. 
However, anything beyond that was too vague to provide
conclusive information...why go to the trouble of
accessing the systems, but not provide any conclusive
data, such as directory listings, etc?

My point is that there needs to be an agreed upon
method of providing data, as well as perhaps what data
to provide...standardized reporting.  I think then we
can move to the next level of tracking these types of
incidents, identifying the most likely sources of
infections and infected hosts.

> When submitting a 'Are you experiencing this too?' or 'What is this?'
> message, it would have to be done in a specific template. This may make
> it easier for both posters and readers of this list.

Agreed.  I also think that it would provide a culling
mechanism, in that anyone too lazy (or unwilling) to
follow the template would simply not have their
message accepted.  In fact, a web-based form may even
be far easier.

> When composing a message I'm sure people are thinking 'What information
> should be included?', 'How much detail should go into it?', 'Am I being
> too verbose?'.

Agreed.  A lot of posts say, "I got attacked." w/o
providing anything specific.  Also, another phenomenon
of the lists is the "seagull poster"...he swoops in,
drops off a vague post, and disappears, never to be
heard from again.  At least with a standardized method
of posting, these folks wouldn't have to be queried,
b/c the form would show them what they need to
provide.
 
> We will never stop people from making assumptions based on limited
> information (nor should we; in some cases it can be a critical skill) but
> this may give us a metric for evaluating any of the assumptions made.

I think that as a community, this is something we need
to move away from.  Perhaps an academic standard is
too stringent, but the basis is sound...one cannot
simply say in a master's thesis that "I heard this
fact someplace"...one has to provide a reference.

The same idea comes from Deming's Total Quality
Management ideas.  The idea is that one should not
make decisions based on emotion or feelings, but
rather hard facts.  That way, we can actually get an
improvement in quality.  

The hard part, though, will be getting people to
understand this.  Sometimes it may be far more
beneficial to simply post some logs (or a link) and
NOT a bunch of assumptions.  Windows folks are going
to have a different set of experiences from Linux
folks, and hence different assumptions.  However,
multiple sets of log files correlated from different
sources can paint a pretty clear picture.
 
> I do not know if any generic incident response checklists exist in
> the public domain, do you? Anyone feel like getting together and
> working on one?

I'd be willing to work on one with you...feel free to
contact me off list if you like.  

Carv



__________________________________________________
Do You Yahoo!?
HotJobs - Search Thousands of New Jobs
http://www.hotjobs.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
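The thread argues for two things: a fixed submission template that rejects reports with no logs, no log source and no timezone ("the form would show them what they need to provide"), and correlation of log excerpts from different platforms so that several reporters seeing the same source hitting the same port carry more weight than one "I got attacked". The script below is an added example of both, written for this archive page; it is not code from the list, from SecurityFocus or from the posters. The field names (Reporter, Log-Source, Timezone, Year), the two log formats it understands (an iptables kernel log line and a Windows XP ICF pfirewall.log line), the destination port and every log line are constructed for the example; it makes no claim about which tool produced a given scan.

```python
"""Standardized scan-report template: validate submissions, normalize log lines
from different sources to UTC, and correlate SYNs seen by independent reporters.
Added example for this archive page; all field names and log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# A submission must carry these header fields, then a blank line, then the raw
# log excerpt.  Missing fields mean rejection (the thread's "culling mechanism").
# "year" is required because syslog lines do not carry one.
REQUIRED_FIELDS = ("reporter", "log-source", "timezone", "year")

# Constructed iptables LOG line layout: "Mon DD HH:MM:SS host kernel: ... SRC= DST= ... PROTO= SPT= DPT= ..."
IPTABLES_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: .*"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dport>\d+)(?P<rest>.*)$")
# Constructed Windows XP ICF (pfirewall.log, W3C) layout:
# "date time action proto src dst sport dport size tcpflags ..."
WINFW_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\S+) (?P<dst>\S+) \d+ (?P<dport>\d+) \d+ (?P<flags>\S+)")


def parse_report(text):
    """Split a submission into header fields and log lines; reject incomplete ones."""
    head, _, body = text.strip().partition("\n\n")
    fields = {}
    for line in head.splitlines():
        key, colon, value = line.partition(":")
        if colon:
            fields[key.strip().lower()] = value.strip()
    who = fields.get("reporter", "?")
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError("rejected (%s): missing %s" % (who, ", ".join(missing)))
    lines = [l for l in body.splitlines() if l.strip()]
    if not lines:
        raise ValueError("rejected (%s): no log excerpt" % who)
    return fields, lines


def tz_from_offset(offset):
    """'-0700' / '+0200' -> tzinfo, so every reporter's clock can be put on UTC."""
    sign = -1 if offset.startswith("-") else 1
    return timezone(sign * timedelta(hours=int(offset[1:3]), minutes=int(offset[3:5])))


def normalize(fields, lines):
    """Turn each log line into (utc_time, src, dst, dport, is_syn) whatever the source format."""
    tz = tz_from_offset(fields["timezone"])
    events = []
    for line in lines:
        if fields["log-source"] == "iptables":
            m = IPTABLES_RE.match(line)
            if not m:
                continue
            ts = datetime.strptime("%s %s %s %s" % (fields["year"], m["mon"], m["day"], m["time"]),
                                   "%Y %b %d %H:%M:%S")
            syn = " SYN " in (m["rest"] + " ")
        elif fields["log-source"] == "winxp-icf":
            m = WINFW_RE.match(line)
            if not m:
                continue
            ts = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
            syn = m["flags"] == "S"
        else:
            raise ValueError("unknown log-source %r" % fields["log-source"])
        events.append((ts.replace(tzinfo=tz).astimezone(timezone.utc),
                       m["src"], m["dst"], int(m["dport"]), syn))
    return events


def correlate(reports):
    """Return ({(src, dport): {reporters, first_seen}} for pairs seen by >1 reporter, [rejections])."""
    seen = defaultdict(lambda: {"reporters": set(), "first_seen": None})
    rejected = []
    for text in reports:
        try:
            fields, lines = parse_report(text)
        except ValueError as err:
            rejected.append(str(err))
            continue
        for utc, src, _dst, dport, syn in normalize(fields, lines):
            if not syn:
                continue
            entry = seen[(src, dport)]
            entry["reporters"].add(fields["reporter"])
            if entry["first_seen"] is None or utc < entry["first_seen"]:
                entry["first_seen"] = utc
    correlated = {k: {"reporters": sorted(v["reporters"]), "first_seen": v["first_seen"].isoformat()}
                  for k, v in seen.items() if len(v["reporters"]) > 1}
    return correlated, rejected


# Constructed submissions: two complete reports from different platforms and time
# zones that both see 192.0.2.10 probing port 27374, and one vague post with no logs.
REPORT_A = """Reporter: gw-admin
Log-Source: iptables
Timezone: -0700
Year: 2002

Aug 14 23:11:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TTL=112 PROTO=TCP SPT=3421 DPT=27374 WINDOW=16384 SYN URGP=0
Aug 14 23:11:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=48 TTL=64 PROTO=TCP SPT=2001 DPT=21 WINDOW=16384 SYN URGP=0
"""
REPORT_B = """Reporter: xp-home-user
Log-Source: winxp-icf
Timezone: +0200
Year: 2002

2002-08-15 08:14:40 DROP TCP 192.0.2.10 203.0.113.7 4012 27374 48 S 1234567 0 8192 - - - RECEIVE
2002-08-15 08:14:41 DROP TCP 192.0.2.10 203.0.113.7 4013 27374 48 S 1234568 0 8192 - - - RECEIVE
"""
REPORT_C = """Reporter: anon

I got scanned, anybody else seeing this?
"""

if __name__ == "__main__":
    hits, rejects = correlate([REPORT_A, REPORT_B, REPORT_C])
    for (src, dport), info in hits.items():
        print("%s -> port %d seen by %s, first %s" % (src, dport, info["reporters"], info["first_seen"]))
    for r in rejects:
        print(r)
```

The source seen hitting port 21 by only one reporter does not make the correlated list, and the vague post is rejected with a message naming the fields it lacks, which is what a web form would show the poster before accepting the submission. Putting every reporter on UTC before comparing is the part people forget; without the Timezone field the two excerpts above look three hours apart rather than three minutes.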

