We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byDerick Tappe
Modified about 1 year ago
Clearinghouse for Incident Handling Tools TF-CSIRT Seminar January 18, 2001 Barcelona Yuri Demchenko
©Jan. 18, TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _2 Agenda Clearinghouse goals Tools used by CSIRTs u Evidence Collection tools u Investigative tools u Incident tracking/reporting tools Remedy Action Request System by Andrew Cormack, CERT UKERNA Recommendations u How to proceed?
©Jan. 18, TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _3 Clearinghouse goals Experience exchange u E.g., library of rules for Intrusion/Activity detection u Can we do it in effective way? Easy setting up work procedure for new CSIRT teams Simplify information exchange Provide collective feedback for manufactures and developers Possible establishing recommended/common tools set
©Jan. 18, TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _4 Tools used by CSIRTs Evidence collection tools Investigative tools Proactive tools Incident registration and tracking tools u Support CSIRT procedure u Customer support (call center)
©Jan. 18, TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _5 Evidence collection tools – Requirements 1 Actions required during Incident data (Evidence) collection processes examining examining system state program for doing bit-to-bit copies programs for generating core images and for examining them Programs/scripts to automate evidence collection
©Jan. 18, TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _6 Recommended Evidence collection tools set Forensics CD should include the following u a program for examining processes (e.g., 'ps'). u programs for examining system state (e.g., 'showrev', 'ifconfig', 'netstat', 'arp'). u a program for doing bit-to-bit copies (e.g., 'dd'). u programs for generating core images and for examining them (e.g, 'gcore', 'gdb'). u scripts to automate evidence collection (e.g., The Coroner's Toolkit) The programs on the forensics CD should be statically linked, and should not require the use of any libraries other than those on the CD.
©Jan. 18, TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _7 Investigative tools – Requirements 2 Actions required during Incident data analysis/investigation Checking Attacker and Victim identity u IP -> DN, DN -> IP u Contact, network data Extracting information from collected data and CSIRT archives u Extended log file analysis –Based on library of rules u Tracking similar cases
©Jan. 18, TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _8 Investigative tools – CERT UKERNA Example about - obtains information from DNS and whois servers for a given IP address or name; checks the current CERT mailboxes and router logs to see if the IP address has been reported in other contexts apnic, arin, ripe - look up details of a numeric IP address in the APNIC, ARIN or RIPE gross - script to distill information from some supplied router log files. Attempts to identify hosts probed, start and end times of probing and ports probed. eh - script to identify well-known portnumbers findref - script to search for a string in JANET-CERT mailboxes (open, closed or all) keykatch - script to extract contact information only from RIPE, ARIN and APNIC db soa - script to find the address responsible for the DNS server in a domain e.g. internic - script to query the InterNIC for details about some networks ip2host - public domain script to take a file of IP addr. and convert them to hostnames janic - script to query the JANET whois server for details about.ac.uk domains nameof - script to translate a numeric IP address into a name
©Jan. 18, TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _9 Incident tracking tools – Requirements 4 Support CSIRT procedure u Incident registration u Incident tracking u Incident reporting Easy configurable u Web-based interface Customer support (call center) – optional?
©Jan. 18, TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _10 Incident tracking tools – Examples Action Request System from Remedy (ARS) u Web-based user self-support u Easy configurable u Integration with Network Management packages Magic Total Service Desk (Magic TDS) u Web-based customised interface u Network Oriented and scalable up to 1000 nodes u SNMP support (traps, etc.) u XML built and database format customisation u Based on MS DNA: Support VB abd COM scripts u Enables end-users to send requests via Clarify
©Jan. 18, TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _11 Recommendations or How to proceed? Clearinghouse of Incident Handling Tools Create repository of investigative tools for incident/evidence collection u Manual/Tutorial is very desirable Prepare list of recommended tools for Incident tracking Questionnaire on used tools and practices to CSIRT Teams Include basic/recommended tools into Training Programme/materials Develop common tools and/or recommendations to make Incident/CSIRT information exchangeable u Think about IODEF implementation
Incident Object Description and Exchange Format TF-CSIRT IODEF Editorial Group Jimmy Arvidsson Andrew Cormack Yuri Demchenko Jan Meijer.
Incident Object Description and Exchange Format TF-CSIRT at TERENA IODEF Editorial Group Jimmy Arvidsson Andrew Cormack Yuri Demchenko Jan Meijer.
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
Handling Internet Network Abuse Reports at APNIC 21 October 2010 LAP-CNSA Workshop, Melbourne George Kuo.
Application Block Diagram III. SOFTWARE PLATFORM Figure above shows a network protocol stack for a computer that connects to an Ethernet network and.
◦ Understand methods of networking design unique to TCP/IP networks, including subnetting, CIDR, and address translation ◦ Explain the differences between.
ServiceDesk Plus MSP Product Overview. Why ServiceDesk Plus - MSP? Capability of Managing Multiple Client’s in one Help Desk Stop Juggling with multiple.
Relations between IODEF and IDMEF Based on IDMEF XML DTD and Data Model Analysis TERENA ITDWG IODEF Editorial Group Yuri Demchenko.
Networking SPARCS 2000 wheel seminar
Module: Software Engineering of Web Applications Chapter 2: Technologies 1.
1 IP Forwarding. 2 Roadmap IP forwarding A protocol design exercise Notes on the lab.
ServiceDesk Plus Product Overview Presented by ManageEngine.
Copyright Scott Conti Tools that Work… …At Umass-Amherst Scott F. Conti Network Operations Manager
CCNA 1 v3.0 Module 11 TCP/IP Transport and Application Layers.
Installing VERITAS Cluster Server. Topic 1: Using the VERITAS Product Installer After completing this topic, you will be able to install VCS using the.
Tivoli Service Request Manager Presented by: Bakker Shamel.
Ch. 31 Q and A IS 333 Spring 2016 Victor Norman. SNMP, MIBs, and ASN.1 SNMP defines the protocol used to send requests and get responses. MIBs are like.
Networks – Network Architecture Network architecture is specification of design principles (including data formats and procedures) for creating a network.
Application Layer Khondaker Abdullah-Al-Mamun Lecturer, CSE Instructor, CNAP AUST.
Hour 7 The Application Layer 1. What Is the Application Layer? The Application layer is the top layer in TCP/IP's protocol suite Some of the components.
IST 201 Chapter 11 Lecture 2. Ports Used by TCP & UDP Keep track of different types of transmissions crossing the network simultaneously. Combination.
CCNA1 v3 Module 9 v3 CCNA 1 Module 9 JEOPARDY K. Martin Galo Valencia.
Networking in Linux. ♦ Introduction A computer network is defined as a number of systems that are connected to each other and exchange information across.
Emanuele Pasqualucci Extending AppManager Monitoring with the SNMP Toolkit.
Forensic and Investigative Accounting Chapter 14 Internet Forensics Analysis: Profiling the Cybercriminal © 2005, CCH INCORPORATED 4025 W. Peterson Ave.
TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.
Guide to MCSE , Second Edition, Enhanced1 Windows XP Network Overview Most versatile Windows operating system Supports local area network (LAN) connections.
ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.
Essential NetTools Pranay Kumar. Essential NetTools This tool is a set of network tools useful in diagnosing networks and monitoring your computer's.
Google Apps (Education Edition) A step guide to a successful deployment January 10 th, 2008 California Technology Assistance Project
Institute for the Protection and Security of the Citizen HAZAS – Hazard Assessment ECCAIRS Technical Course Provided by the Joint Research Centre - Ispra.
IODEF Incident Data Exchange Format Rhodes, 8 June 2004 Jan Meijer.
Chapter 7: Using Network Clients The Complete Guide To Linux System Administration.
1 System support & Management Protocols Lesson 13 NETS2150/2850 School of Information Technologies.
IODEF and Extended Incident Handling Framework TF-CSIRT Seminar May 31, 2001 Ljubljana.
Module 7: Configuring TCP/IP Addressing and Name Resolution.
Oracle SQL Developer: Unit Testing, Tuning and Other Advanced Features Kris Rice Senior Director of Development, Database Tools.
NDT Tools Tutorial: How-To setup your own NDT server Rich Carlson Summer 04 Joint Tech July 19, 2004.
CSC458 Programming Assignment II: NAT Nov 7, 2014.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 1 v3.0 Module 11 TCP/IP Transport and Application Layers.
Windows Server 2008 Chapter 8 Last Update
Web Hosting. The purpose of this Startup Guide is to familiarize you with Own Web Now's Web Hosting. Own Web Now offers two web hosting platforms, one.
MAKANI ANDROID APPLICATION Prepared by: Asma’ Hamayel Alaa Shaheen.
Linux Networking Commands. Commands Reviewed Ifconfig dmesg netstat ping route tcpdump wireshark traceroute nslookup arp dig.
Logging and Monitoring. Motivation Attacks are common (see David's talk) – Sophisticated – hard to reveal, (still) quite limited in our environment –
COEN 252 Computer Forensics Collecting Network-based Evidence.
Internet applications Bill Chu. © Bei-Tseng Chu Aug 2000 Need for Domain Name Service (DNS) Natively, a TCP host is identified by its IP address hosts.
© 2017 SlidePlayer.com Inc. All rights reserved.