Q-CERT Incident Reporting Guidelines

Size: px

Start display at page:

Download "Q-CERT Incident Reporting Guidelines"

Tiffany Fields
6 years ago
Views:

Classificatin : Public Q-CERT Incident Reprting Guidelines Q-CERT prvides limited incident handling services t its cnstituents, which include Qatar's gvernment, business, and educatinal institutins

1 Classificatin : Public Q-CERT Incident Reprting Guidelines Q-CERT prvides limited incident handling services t its cnstituents, which include Qatar's gvernment, business, and educatinal institutins as well as the general ppulatin f Qatar. This dcument utlines suggested steps fr reprting incidents t Q-CERT. System administratrs can use this infrmatin t reprt incidents effectively t Q-CERT, ther cmputer security incident respnse teams (CSIRTs), r ther sites. I. What type f activity shuld I reprt? A. Q-CERT's incident definitin B. Q-CERT's incident pririties II. Why shuld I reprt an incident? A. Yu may receive technical assistance. B. We may be able t assciate activity with ther incidents. C. Yur reprt will allw us t prvide better incident statistics. D. Cntacting thers raises security awareness. E. Yur reprt helps us t prvide yu with better dcuments. F. Yur rganizatin's plicies may require yu t reprt the activity. G. Reprting incidents is part f being a respnsible site n the Internet. III. Wh shuld I reprt an incident t? A. Yur site security crdinatr B. Yur representative CSIRT C. Q-CERT D. Other sites invlved in the incident E. Law enfrcement IV. What shuld I include in my incident reprt? A. When reprting an incident t Q-CERT B. When reprting t ther sites and CSIRTs 1. Incident reference numbers 2. Infrmatin abut hw t cntact yu 3. Disclsure infrmatin 4. A summary f hsts invlved 5. A descriptin f the activity 6. Lg extracts shwing the activity 7. Yur time zne and the accuracy f yur clck

2 8. Clarificatin abut what yu wuld like frm the recipient V. Hw shuld I reprt an incident t Q-CERT? A. B. Telephne htline C. Fax D. Encrypting reprts t Q-CERT VI. When shuld I reprt an incident? I. What type f activity shuld I reprt? The type f activity yu shuld reprt, and the level f detail included in yur reprt, depends n t whm yu are reprting. Yur lcal plicies and prcedures may have detailed infrmatin abut what types f activity shuld be reprted and the apprpriate persn t whm yu shuld reprt. A. Q-CERT's incident definitin Q-CERT is interested in receiving reprts f security incidents invlving the Internet. A gd but fairly general definitin f an incident is "The act f vilating an explicit r implied security plicy." Unfrtunately, this definitin relies n the existence f a security plicy that, while generally understd, varies between rganizatins. We have attempted t characterize belw the types f activity we believe are widely recgnized as being in vilatin f a typical security plicy. These activities include but are nt limited t attempts (either failed r successful) t gain unauthrized access t a system r its data unwanted disruptin r denial f service the unauthrized use f a system fr the prcessing r strage f data changes t system hardware, firmware, r sftware characteristics withut the wner's knwledge, instructin, r cnsent We encurage yu t reprt any activities that yu feel meet these criteria fr being an incident. Nte that ur plicy is t keep any infrmatin specific t yur site cnfidential unless we receive yur permissin t release that infrmatin. B. Q-CERT's incident pririties Due t limited resurces and the grwing number f incident reprts, we may nt be able t respnd t every incident reprted t us. We must

3 priritize ur respnses t have the greatest impact t the Qatar cmmunity. The fllwing type f reprts receive the highest pririty and are cnsidered emergencies: pssible life-threatening activity attacks n the Internet infrastructure, such as rt name servers dmain name servers majr archive sites netwrk access pints (NAPs) widespread autmated attacks against Internet sites new types f attacks r new vulnerabilities II. Why shuld I reprt an incident? There are several reasns t reprt an incident t Q-CERT: A. Yu may receive technical assistance. A primary part f ur missin is t prvide a reliable, trusted, 24-hur, single pint f cntact fr security emergencies invlving the Internet. We facilitate cmmunicatin amng experts wrking t slve security prblems and serve as a central pint fr identifying and crrecting vulnerabilities in cmputer systems. When yu reprt an incident t us, we can prvide pinters t technical dcuments, ffer suggestins n recvering the security f yur systems, and share infrmatin abut recent intruder activity. In ur rle as a crdinatin center, we may have access t infrmatin that is nt yet widely available t assist in respnding t yur incident. Unfrtunately, ur limited resurces and the increasing number f incidents reprted t us may prevent us frm respnding t each reprt individually. We must priritize ur respnses t have the greatest impact n the Internet cmmunity. B. We may be able t assciate activity with ther incidents. Q-CERT receives reprts f security incidents frm all ver the wrld. In many cases, these incidents have similar characteristics r invlve the same intruders. By reprting yur incident, yu allw us t cllect infrmatin abut recent activity in the intruder cmmunity as it relates t yur incident. We may als be able t put yu in tuch with ther sites wh are pursuing legal actins against the intruder. C. Yur reprt will allw us t prvide better incident statistics.

4 Q-CERT cllects statistics n the incidents reprted t us. Yur reprts help identify vulnerabilities that are being actively explited in the intruder cmmunity, prvide infrmatin abut the frequency f these attacks, and identify areas where greater cmmunity awareness is needed. D. Cntacting thers raises security awareness. When yu reprt an incident t Q-CERT, we suggest that yu cntact the ther sites invlved in the activity, and that yu include us in thse messages. This benefits the ther sites by alerting them t pssible intruder activity n their systems. In many cases, unsuccessful prbes yu reprt may identify mre serius security issues at the riginating site. Additinally, cntacting ther sites may help yu respnd t yur security cncerns by prviding mre infrmatin, a different perspective, r even by identifying the intruder. E. Yur reprt helps us t prvide yu with better dcuments. The cmments and suggestins that yu prvide while invlved in the handling f an incident allws us t imprve ur cmputer security publicatins. Yur questins help us t understand what subjects require greater attentin in future dcuments. And taken as a whle, yur reprts allw us t understand the current state f the cmputer security practice. F. Yur rganizatin's plicies may require yu t reprt the activity. Yur rganizatin's plicies may require that yu reprt this activity t Q- CERT r anther CSIRT. On the ther hand, yur plicy may require that yu nt reprt r discuss this activity with anyne ther than yur site security crdinatr. Befre reprting activity t Q-CERT r anyne else, check yur lcal plicies and prcedures n hw t prceed. G. Reprting incidents is part f being a respnsible site n the Internet. There is a strng histrical precedent fr cmmunicating with ther sites abut security incidents. The Request fr Cmments dcument "Guidelines fr the Secure Operatin f the Internet" (RFC1281) reads: The Internet is a cperative venture. The culture and practice in the Internet is t render assistance in security matters t ther sites and netwrks. Each site is expected t ntify ther sites if it detects a penetratin in prgress at the ther sites, and all sites are expected t help ne anther respnd t security vilatins. This assistance may include tracing cnnectins, tracking vilatrs and assisting law enfrcement effrts.

5 III. Wh shuld I reprt an incident t? T determine wh yu shuld reprt a security incident t, first cnsult yur lcal security plicies and prcedures. If the prcedures d nt explicitly identify wh yu shuld reprt an activity t, yu shuld discuss the incident with yur management and legal cunsel befre prceeding. A. Yur site security crdinatr Many security prcedures identify a site security crdinatr wh serves as a central resurce fr handling vilatins f yur security plicies. This persn may crdinate and handle all cmmunicatins with ther CSIRTs, law enfrcement and ther sites. B. Yur representative CSIRT Many cmpanies, universities, and cuntries have a cmputer security incident respnse team (CSIRT) dedicated t handling incidents invlving their cnstituency. The Frum f Incident Respnse and Security Teams (FIRST) is a calitin f such CSIRTs. FIRST aims t fster cperatin and crdinatin in incident preventin, t prmpt rapid reactin t incidents, and t prmte infrmatin sharing amng members and the cmmunity at large. Mre infrmatin abut FIRST can be fund n their web page: T determine if yur site is represented by a member f FIRST, yu may want t review the list f FIRST teams, which includes addresses, telephne numbers, and brief descriptins f each team's cnstituency. C. Q-CERT Q-CERT welcmes reprts frm any site in Qatar r the regin experiencing a cmputer security prblem invlving the Internet. We encurage yu t include Q-CERT n any messages yu send t ther sites r CSIRTs (within the limits f yur site's security plicies and prcedures). This infrmatin will enable us t better meet ur incident crdinatin bjectives. Infrmatin abut hw t cntact Q-CERT is available in sectin V f this dcument. D. Other sites invlved in the incident Since intruders frequently use cmprmised hsts r accunts t attack ther systems, we encurage yu t reprt any intruder activity directly t the registered pint f cntact(s) f the riginating hst. They may be unaware f the activity invlving their systems, and yur nte will prvide the incentive t check fr signs f intrusin.

6 We wuld appreciate being included n the "cc:" line f any messages yu may send t ther sites regarding intruder activity. Infrmatin abut finding cntact infrmatin fr sites invlved in incidents is available at E. Law Enfrcement Q-CERT is nt an investigative r law enfrcement agency. We d nt investigate (r maintain r disclse infrmatin abut) individual intruders, and we d nt cnduct criminal investigatins. Our activities fcus n prviding technical assistance and facilitating cmmunicatins in respnse t cmputer security incidents invlving hsts n the Internet. If yu are interested in cntacting law enfrcement t cnduct a legal investigatin, we encurage yu review yur lcal plicies and prcedures fr guidance n hw t prceed. We als encurage yu t discuss the intruder's activity with yur management and legal cunsel befre cntacting law enfrcement. Yur legal cunsel can prvide yu with legal ptins and curses f actin based n yur r yur rganizatin's needs. We d nt have legal expertise and cannt ffer legal advice r pinins. IV. What shuld I include in my incident reprt? When reprting intruder activity, it is imprtant t ensure that yu prvide enugh infrmatin fr the ther site r CSIRT t be able t understand and respnd t yur reprt. A. When reprting an incident t Q-CERT: Q-CERT has adapted an Incident Reprting Frm (IRF) designed t assist yu in reprting an incident. This frm is available at This frm prmpts fr all f the infrmatin discussed belw in an rganized manner. Cmpleting the frm may help yu have a mre cmplete understanding f the intruder's activity, even if yu d nt send it t Q-CERT. Many f the questins are ptinal, but having the answers t all the questins enables us t prvide the best assistance. Cmpleting the frm can als help avid delays intrduced when we request the additinal infrmatin needed t assist yu. The Q-CERT IRF is nt intended fr reprting activity t ther sites r CSIRTs. Sme f the infrmatin requested n the frm may be sensitive in nature and is requested fr Q-CERT's internal use nly. Nte that ur plicy is t keep any infrmatin specific t yur site cnfidential unless we receive yur permissin t release that infrmatin.

7 B. When reprting t ther sites and CSIRTs: 1. Incident reference numbers Q-CERT and many ther CSIRTs assign incident reference numbers t reprted activity. These numbers help us t track crrespndence and identify related activity. Please be sure t include all incident reference numbers that have been assigned t the incident, either by Q-CERT r ther CSIRTs. Each CSIRT has its wn prcedures regarding the assignment f incident tracking numbers. Q-CERT attempts t assign a single number t all activity invlving ne intruder. We encurage yu t reference this number when crrespnding with ther sites r CSIRTs that are invlved in the incident. When reprting activity that may be the wrk f multiple intruders, we request that yu reprt each incident separately. (A cmmn example wuld be tw prbes riginating frm different sites, with n ther indicatins that the prbes are related.) Mst CSIRTs, including Q-CERT, request that the incident reference number be clearly displayed in the "Subject:" line f any mail messages regarding the incident. 2. Infrmatin abut hw t cntact yu When cntacting ther sites, remember that they may nt be able t cntact yu as easily as yu might think. Perhaps they discnnected frm the Internet immediately after yu alerted them t the intruder's activity and are nw unable t respnd t yur message. Als, sme cmpanies limit lng distance r internatinal dialing frm cmpany telephnes. T ensure that ther are able t respnd, prvide as much cntact infrmatin as yu are willing t disclse. In mst cases, this shuld include at least an address and a telephne number. Yu may als wish t include a pager number, a fax number, r even a cellular telephne number. A traditinal mail address may help the ther site understand where yu are lcated gegraphically. It is als a gd idea t specify an alternate cntact at yur site in case yu are unavailable. Similar cntact infrmatin shuld be prvided fr the alternate cntact. 3. Disclsure infrmatin Q-CERT's plicy is t nt release any infrmatin abut a site's invlvement in an incident, withut the site's explicit permissin t

8 d s. While this plicy ensures that yu can reprt intruder activity t us in cnfidence, it als hinders ur ability t put yu in cntact with ther sites invlved in the incident. If we are authrized t ffer infrmatin abut yur invlvement in an incident t the ther sites invlved, ther CSIRTs, r law enfrcement, please state this clearly in the incident reprt. Mst CSIRTs have nn-disclsure plicies, and many sites will respect yur nn-disclsure requests as well. In general, a shrt statement describing yur cncerns (r lack theref) shuld be included in any incident reprt t help the recipient understand and respect yur wishes. Keep in mind, hwever, that there is n way t ensure that ther sites invlved in the activity will cmply with yur request. 4. A summary f hsts invlved In many incidents, the mst bvius indicatin f related activity is the hsts invlved. Fr example, several f the hsts used t attack yur site may have been used t attack anther cmprmised hst last week. Fr this reasn, it is a gd idea t include a brief summary f the hstnames and IP addresses knwn t be invlved and their relatinship t the incident. Hwever, yu may want t exercise cautin in identifying cmprmised hsts at yur site, particularly befre recvering the security f these systems. Yur plicies and prcedures fr handling cmputer security incidents may specify hw much infrmatin yu are able t release abut the hsts invlved at yur site. 5. A descriptin f the activity One f the mst imprtant parts f any incident reprt is a descriptin f the intruder's activity. Mentin any vulnerabilities which were explited, mdificatins that were made t the system, r sftware that was installed. When reprting t a CSIRT, this infrmatin will allw the incident handler t prvide assistance specific t the activity at yur site. When reprting t anther site, it helps the recipient understand what kind f intruder activity t lk fr n their systems. When describing intruder activity, it is imprtant t remember that ther administratrs may have mre r less experience with cmputer security. Yu may want t include references t advisries r ther dcuments which describe the activity in mre detail.

9 6. Lg extracts shwing the activity Whenever pssible, yu shuld include lg entries shwing the activity with yur reprt, particularly when the lgs prvide significantly mre detail than yur descriptin. Lg entries may als be mre easily understd by sites that d nt speak yur language fluently. Lg entries that are nt related t the intruder activity shuld be remved t help avid cnfusin. What yu immediately recgnize as nrmal entries may appear t be intruder activity t smene else. If the intruder's activity generated a large number f very similar entries, it is usually sufficient t extract a sample prtin f the lg and indicate this in the message. A quick estimate f the number f lg entries is useful as well. A descriptin f the lg frmat may als be helpful t system administratrs wh are nt familiar with the lgs prvided. This is very imprtant fr lg entries that d nt include descriptive text, r are generated by tls that are nt widely distributed. When sending lg entries t ther sites, take care t ensure that yu d nt vilate any nn-disclsure plicies yu may have. Sensitive infrmatin can be remved by replacing it with X's. Yu may want t make a nte f this in yur reprt t ensure that the ther site is aware f the changes. If yu d nt have lgs shwing the intruder's activity (perhaps because they were deleted by the intruder), then state this clearly in yur reprt t help minimize requests fr this infrmatin. Even if yu d nt include lg entries shwing the activity, we encurage yu t describe the date and time when the events ccurred. This allws the ther site t review their lgs when lking fr related activity at their site. 7. Yur time zne and the accuracy f yur clck Since the recipient may be in a different time zne, yu shuld clearly identify the time zne fr yur cmments and lgs. A time zne reference relative t GMT, such as GMT+3 is preferred, since less frmal time zne designatins can be misinterpreted. If the times recrded in the lg entries are knwn t be inaccurate by mre than a minute r tw, yu may want t include a statement warning the recipient f this inaccuracy. On the ther hand, if the

10 system was synchrnized with a natinal time server via NTP (Netwrk Time Prtcl), then yu may want t mentin this as well. 8. Clarificatin abut what yu wuld like frm the recipient If yu are reprting intruder activity slely fr the ther site's benefit, let them knw that yu d nt expect a respnse frm them regarding yur reprt. If yu wuld like them t take a specific actin, such as acknwledging yur message r prviding yu with additinal infrmatin regarding the activity, request this plitely in yur message. Keep in mind that the ther site's incident handling plicies and prcedures may prevent them frm respnding as yu have requested. Internet service prviders frequently have plicies prtecting the identity f their custmers, and they will nt release this infrmatin withut a subpena. If a site requests infrmatin r an actin frm yu that vilates yur site's security plicy, plitely explain that yu are unable t respnd as they requested. Finally, when requesting assistance frm Q-CERT r anther CSIRT, remember that resurce limitatins may prevent them frm respnding as yu have requested. V. Hw shuld I reprt an incident t Q-CERT? Yu can reprt intruder activity t Q-CERT via , telephne htline, r fax. We encurage yu t encrypt yur reprts t ensure yur privacy, and t authenticate yur identity. A. Q-CERT's preferred mechanism fr receiving incident reprts is thrugh . allws us t priritize the incidents reprted t us and t reply t thse messages quickly and efficiently. als prvides an accurate and efficient medium fr exchanging infrmatin t cmplex t discuss ver the telephne, such as packet dumps r large lg files. Finally, prvides a reliable lg f cmmunicatins that we may refer t in the prcess f respnding t an incident. Our address fr crrespndence regarding incidents is incidents@qcert.rg. B. Telephne htline

11 If yu have discnnected frm the Internet t recver frm a cmprmise, r if yu are unable t send mail due t a denial-f-service attack, yu can cntact Q-CERT n ur telephne htline. Our telephne htline number is Occasinally, a cmprmised system's will be mnitred by the intruder. If yu are unable t btain access frm a secure system, and yu d nt want t alert the intruder by using n the cmprmised system, yu may als want t cntact us n the telephne. Please keep in mind that while the Q-CERT htline is staffed 24 hurs a day, utside f nrmal wrking hurs incident handlers are available nly fr emergency calls. Nrmal wrking hurs are frm 8:00am t 4:00pm GMT+3, Sunday thrugh Thursday. Hurs may vary n hlidays r under ther special circumstances. C. Fax When is nt available r prvides inadequate security, and yu have lgs r ther infrmatin that is nt easily cnveyed n the telephne, yu may want t send that infrmatin t us via fax. The Q-CERT fax machine is checked regularly during nrmal wrking hurs. Faxes received during the evenings, weekends, and hlidays will be reviewed n the next business day. Our fax number is D. Encrypting reprts t Q-CERT prvides little r n privacy fr the infrmatin yu send acrss the Internet. If yu wish t ensure that mail sent t Q-CERT is nt read by unauthrized peple while in transit, we encurage yu t use a strng encryptin algrithm. Q-CERT currently supprts a public key based n the Pretty Gd Privacy (PGP) prduct. PGP is Q-CERT's preferred encryptin mechanism. It prvides authenticatin and privacy. N special arrangements have t be made with us in advance in rder t cmmunicate securely via PGP. Yu can btain ur public key by visiting ur Sending Sensitive Infrmatin page. This key will allw yu t ensure the privacy f messages sent t us and verify the authenticity f messages yu receive frm us. If yu encrypt messages yu send t Q-CERT, we will respnd with encrypted messages whenever pssible. Since it can be difficult fr us t cnfirm the validity f yur public PGP key, please be sure t include yur public key in the bdy f any encrypted messages yu send t us. Q-CERT signs all utging mail with ur PGP key. If yu receive any cmmunicatin frm us withut a PGP signature, r with an invalid PGP

12 signature, please cnsider the message suspect and let us knw. We encurage all sites cmmunicating with us t encrypt and sign their messages with PGP. Mre infrmatin abut PGP is available frm VI. When shuld I reprt an incident? Incident reprts that are sent shrtly after the incident ccurred are the mst likely t be valuable t the recipient and t us. This des nt imply that an incident reprt becmes useless after sme perid f time. We encurage yu t reprt all activity yu discver, even if the intruder's activity is quite ld by the time yu reprt it. Other than being extra careful t ensure that the date f the activity is clearly identified, we encurage yu t reprt the incident as yu wuld any ther incident, since ther sites may nt yet be aware f the incident.

Privacy Policy. Information We Collect. Information You Choose to Give Us. Information We Get When You Use Our Services

Privacy Policy. Information We Collect. Information You Choose to Give Us. Information We Get When You Use Our Services Privacy Plicy Last Mdified: September 26, 2016 Pictry is a fast and fun way t share memes with yur friends and the wrld arund yu. Yu can send a Pictry game t friends and view the pictures they submit in