Presentation is loading. Please wait.

Presentation is loading. Please wait.

Clearinghouse for Incident Handling Tools TF-CSIRT Seminar January 18, 2001 Barcelona Yuri Demchenko.

Published byDerick Tappe Modified over 9 years ago

Similar presentations

Presentation on theme: "Clearinghouse for Incident Handling Tools TF-CSIRT Seminar January 18, 2001 Barcelona Yuri Demchenko."— Presentation transcript:

1 Clearinghouse for Incident Handling Tools TF-CSIRT Seminar January 18, 2001 Barcelona Yuri Demchenko

2 ©Jan. 18, 2001. TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _2 Agenda  Clearinghouse goals  Tools used by CSIRTs u Evidence Collection tools u Investigative tools u Incident tracking/reporting tools  Remedy Action Request System by Andrew Cormack, CERT UKERNA  Recommendations u How to proceed?

3 ©Jan. 18, 2001. TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _3 Clearinghouse goals  Experience exchange u E.g., library of rules for Intrusion/Activity detection u Can we do it in effective way?  Easy setting up work procedure for new CSIRT teams  Simplify information exchange  Provide collective feedback for manufactures and developers  Possible establishing recommended/common tools set

4 ©Jan. 18, 2001. TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _4 Tools used by CSIRTs  Evidence collection tools  Investigative tools  Proactive tools  Incident registration and tracking tools u Support CSIRT procedure u Customer support (call center)

5 ©Jan. 18, 2001. TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _5 Evidence collection tools – Requirements 1 Actions required during Incident data (Evidence) collection  processes examining  examining system state  program for doing bit-to-bit copies  programs for generating core images and for examining them  Programs/scripts to automate evidence collection

6 ©Jan. 18, 2001. TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _6 Recommended Evidence collection tools set http://www.ietf.org/internet-drafts/draft-ietf-grip-prot-evidence-01.txt  Forensics CD should include the following u a program for examining processes (e.g., 'ps'). u programs for examining system state (e.g., 'showrev', 'ifconfig', 'netstat', 'arp'). u a program for doing bit-to-bit copies (e.g., 'dd'). u programs for generating core images and for examining them (e.g, 'gcore', 'gdb'). u scripts to automate evidence collection (e.g., The Coroner's Toolkit)  The programs on the forensics CD should be statically linked, and should not require the use of any libraries other than those on the CD.

7 ©Jan. 18, 2001. TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _7 Investigative tools – Requirements 2 Actions required during Incident data analysis/investigation  Checking Attacker and Victim identity u IP -> DN, DN -> IP u Contact, network data  Extracting information from collected data and CSIRT archives u Extended log file analysis –Based on library of rules u Tracking similar cases

8 ©Jan. 18, 2001. TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _8 Investigative tools – CERT UKERNA Example about - obtains information from DNS and whois servers for a given IP address or name; checks the current CERT mailboxes and router logs to see if the IP address has been reported in other contexts apnic, arin, ripe - look up details of a numeric IP address in the APNIC, ARIN or RIPE gross - script to distill information from some supplied router log files. Attempts to identify hosts probed, start and end times of probing and ports probed. eh - script to identify well-known portnumbers findref - script to search for a string in JANET-CERT mailboxes (open, closed or all) keykatch - script to extract contact information only from RIPE, ARIN and APNIC db soa - script to find the e-mail address responsible for the DNS server in a domain e.g. internic - script to query the InterNIC for details about some networks ip2host - public domain script to take a file of IP addr. and convert them to hostnames janic - script to query the JANET whois server for details about.ac.uk domains nameof - script to translate a numeric IP address into a name

9 ©Jan. 18, 2001. TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _9 Incident tracking tools – Requirements 4  Support CSIRT procedure u Incident registration u Incident tracking u Incident reporting  Easy configurable u Web-based interface  Customer support (call center) – optional?

10 ©Jan. 18, 2001. TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _10 Incident tracking tools – Examples  Action Request System from Remedy (ARS) u Web-based user self-support u Easy configurable u Integration with Network Management packages  Magic Total Service Desk (Magic TDS) u Web-based customised interface u Network Oriented and scalable up to 1000 nodes u SNMP support (traps, etc.) u XML built and database format customisation u Based on MS DNA: Support VB abd COM scripts u Enables end-users to send requests via e-mail  Clarify

11 ©Jan. 18, 2001. TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools Slide2 _11 Recommendations or How to proceed? Clearinghouse of Incident Handling Tools  Create repository of investigative tools for incident/evidence collection u Manual/Tutorial is very desirable  Prepare list of recommended tools for Incident tracking  Questionnaire on used tools and practices to CSIRT Teams  Include basic/recommended tools into Training Programme/materials  Develop common tools and/or recommendations to make Incident/CSIRT information exchangeable u Think about IODEF implementation

Download ppt "Clearinghouse for Incident Handling Tools TF-CSIRT Seminar January 18, 2001 Barcelona Yuri Demchenko."

Similar presentations

1.

1.
ServiceDesk Plus Product Overview Presented by ManageEngine 1.

ServiceDesk Plus Product Overview Presented by ManageEngine 1.
ServiceDesk Plus MSP Product Overview. Why ServiceDesk Plus - MSP? Capability of Managing Multiple Client’s in one Help Desk Stop Juggling with multiple.

ServiceDesk Plus MSP Product Overview. Why ServiceDesk Plus - MSP? Capability of Managing Multiple Client’s in one Help Desk Stop Juggling with multiple.
CSC458 Programming Assignment II: NAT Nov 7, 2014.

CSC458 Programming Assignment II: NAT Nov 7, 2014.
1 Requirements Catalog Scott A. Moseley Farbum Scotus.

1 Requirements Catalog Scott A. Moseley Farbum Scotus.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Handling Internet Network Abuse Reports at APNIC 21 October 2010 LAP-CNSA Workshop, Melbourne George Kuo.

Handling Internet Network Abuse Reports at APNIC 21 October 2010 LAP-CNSA Workshop, Melbourne George Kuo.
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.

Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
Essential NetTools Pranay Kumar. Essential NetTools  This tool is a set of network tools useful in diagnosing networks and monitoring your computer's.

Essential NetTools Pranay Kumar. Essential NetTools  This tool is a set of network tools useful in diagnosing networks and monitoring your computer's.
TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.

TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.
1 System support & Management Protocols Lesson 13 NETS2150/2850 School of Information Technologies.

1 System support & Management Protocols Lesson 13 NETS2150/2850 School of Information Technologies.
SNMP & MIME Rizwan Rehman, CCS, DU. Basic tasks that fall under this category are: What is Network Management? Fault Management Dealing with problems.

SNMP & MIME Rizwan Rehman, CCS, DU. Basic tasks that fall under this category are: What is Network Management? Fault Management Dealing with problems.
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.
NDT Tools Tutorial: How-To setup your own NDT server Rich Carlson Summer 04 Joint Tech July 19, 2004.

NDT Tools Tutorial: How-To setup your own NDT server Rich Carlson Summer 04 Joint Tech July 19, 2004.
©2011 Quest Software, Inc. All rights reserved. Steve Walch, Senior Product Manager Blog: November, 2011 Partner Training Webcast.

©2011 Quest Software, Inc. All rights reserved. Steve Walch, Senior Product Manager Blog: November, 2011 Partner Training Webcast.
Emanuele Pasqualucci Extending AppManager Monitoring with the SNMP Toolkit.

Emanuele Pasqualucci Extending AppManager Monitoring with the SNMP Toolkit.
10 Best Productivity Features in SharePoint 2013 Christian Buckley, SharePoint MVP.

10 Best Productivity Features in SharePoint 2013 Christian Buckley, SharePoint MVP.
Guide to MCSE 70-270, Second Edition, Enhanced1 Windows XP Network Overview Most versatile Windows operating system Supports local area network (LAN) connections.

Guide to MCSE , Second Edition, Enhanced1 Windows XP Network Overview Most versatile Windows operating system Supports local area network (LAN) connections.
Justice Information Exchange Model (JIEM) Larry Webster SEARCH January 23, 2004.

Justice Information Exchange Model (JIEM) Larry Webster SEARCH January 23, 2004.
COEN 252 Computer Forensics

COEN 252 Computer Forensics

Similar presentations

Ads by Google