A guide to AUSCERT Member Security Incident Notifications: MSINs Introduction The Member Security Incident Notifications (MSINs) service provides crucial alerts and insights on security incidents affecting members. What is an MSIN? An MSIN is a daily customised composite security report targeted towards AUSCERT member organizations. It contains a compilation of “security incident reports” as observed by AUSCERT through its threat intelligence platforms. MSIN Dashboard As part of this service, a dashboard view provides high level statistics along with the ability to search and filter organisational alerts. The dashboard is accessible at https://portal.auscert.org.au/msins MSIN Dashboard Statistics Tabs The Australia and organisation statistics tabs provide insights into both nation-wide and your own organisation’s MSIN alerts. Near the beginning of the week, it is not unusual for your organisation’s statistics to show zero or be blank, as alerts are ingested into AUSCERT’s systems around 3pm each day, and it can take up to 24-48hours for the charts to be updated. MSIN Results Table The results table is the primary interface for your organisation’s MSIN alerts and allows you to perform advanced searches, sort and filter your alerts, view the full details as well as exploring the CVEs associated with them by clicking through to the external NVD links for each CVE. By default, this view will show all alerts excluding “info” level alerts in the last 48 hours for your organisation. 48 hours has been chosen as it factors in the ~24 hour delay that occurs while MSIN alerts are ingested and processed by AUSCERT’s systems. MSIN Details Page Under the actions column for every MSIN, the three dots dropdown can be expanded to open up the details popup for each alert. This shows all available information relating to the MSIN and may contain extra information relating to specific alerts. Source reference links for additional context can also be viewed here. Further Information Daily MSINs are processed and issued daily MSINs are only issued if at least one incident report specific to the member is detected within the past 24-hour period If there are no incidents to report, no MSIN will be issued. The more security incidents spotted corresponding to your organization, the more incident reports will be included in the MSIN and the larger the MSIN is received Customised MSINs are tailored for each member organization, based on IPs and Domains provided To receive accurate and useful MSINs, it’s important this information updated is kept updated in your membership profile (see FAQ below) Severity Individual events in MSINs are categorised into the following severity levels: Critical Highly critical vulnerabilities that are being actively exploited, where failure to remediate poses a very high likelihood of compromise. For example, a pre-auth RCE or modification or leakage of sensitive data High End of life systems, systems that you can log into with authentication that are meant to be internal (SMB, RDP), some data can be leaked. Sinkhole events end up in this category. Medium Risk that does not pose an immediate threat to the system but can over time escalate to a higher severity. For example, risk of participating in DDoS, unencrypted services requiring login, vulnerabilities requiring visibility into network traffic (MITM without being able to manipulate the traffic) to exploit, attacker will need to know internal systems/infrastructure in order to exploit it. Low Deviation from best practice – little to no practical way to exploit, but setup is not ideal. Vulnerabilities requiring MITM (including manipulating the traffic) to exploit. For example, SSL POODLE reports may end up in this category. Info Informational only. Review in accordance with your security policy. These severity levels are based on those used by Shadowserver. Events which have not been assigned a severity will be marked as Unknown. A summary of reports by severity level can be found at the top of your MSIN. For example:     Summary of reports based on severity:     * Critical: accessible-ssh 3     * High    : vulnerable-exchange-server 1     * Medium  : accessible-cwmp 1 The MSIN subject will be prefixed with the highest-level severity seen in the report. For example: [Severity:CRITICAL] AusCERT Member Security Incident Notification (MSIN) for “Member Name” Composite Each MSIN could potentially consist of multiple incident TYPE reports. For example, it could contain an Infected Hosts report which highlights hosts belonging to a member organization that have been spotted attempting to connect to a known botnet C&C server, followed by a DNS Open Resolvers report listing open recursive DNS resolvers that could be used in a DNS amplification DDoS attack. Each incident type report could also include multiple incident reports. For example, this “infected hosts” report contains 2 incidents: Incidents Reported Timestamp:                      2015-08-25T00:20:34+00:00 Drone IP:                       123.456.789.abc Drone Port:                     13164 Drone Hostname:                 abc.xxx.xxx.xxx.au Command and Control IP:         aaa.bbb.ccc.ddd Command and Control Hostname:   imacnc1.org Command and Control Port:       80 Malware Type:                   redyms Timestamp:                      2015-08-25T00:20:34+00:00 Drone IP:                       321.654.987.cba Drone Port:                     2343 Drone Hostname:                 def.xxx.xxx.xxx.au Command and Control IP:         ddd.eee.fff.ggg Command and Control Hostname:   imacnc2.org Command and Control Port:       123 Malware Type:                   dyre All timestamps are in UTC. It is imperative that these incidents be reviewed and handled individually. Structure An MSIN has the following basic structure. ==================HEADING FOR INCIDENT TYPE 1================== Incident Type Name of the incident and any known exploited vulnerabilities and associated CVEs. Incident Description Further information on potential attack vectors and impacts. Incidents Reported List of individual reports sighted by AUSCERT Incident report 1 Incident report 2 … Incident report n AUSCERT recommended mitigations Steps for resolution of incidents or mitigation of vulnerabilities which could be exploited in the future. References Links to resources referenced within the report. Additional Resources Links to additional material such as tutorials, guides and whitepapers relevant to the report aimed at enhancing the recipients understanding of the addressed vulnerabilities, potential impacts and mitigation techniques. =============================END OF REPORT========================= =====================HEADING FOR INCIDENT TYPE 2=================== Incident Type Incident Description Incidents Reported Incident report 1 Incident report 2 … Incident report n AUSCERT recommended mitigations References Additional Resources =============================END OF REPORT========================= … … =====================HEADING FOR INCIDENT TYPE X=================== =============================END OF REPORT=========================   MSINs API Overview The MSINs API provides two endpoints for querying and retrieving information about MSINs. Base URL https://portal.auscert.org.au/api/msins/v1/ Authentication All endpoints require API key authentication. Include your API key in the request headers as follows: 1 | API-Key: <your_api_key> Endpoints Search MSINs Returns a list of MSINs matching the specified parameters or default values. Endpoint: /search Method: GET Get MSIN Details Returns the detailed information for a single specified MSIN object. Endpoint: /get Method: GET   Frequently Asked Questions 1. How can I update domain/IP information for my organisation? If you are a Primary AUSCERT contact simply email AUSCERT Membership at membership@auscert.org.au and provide the updated information. If you have a privileged account in the Member portal you can request changes through the portal. AUSCERT will perform a validation check to ensure the domains are under your organisation’s ownership or control prior to including them in the monitoring list. 2. Where does the information in an MSIN come from? AUSCERT receives information relating to compromised and/or vulnerable resources from several trusted third parties, through secure means. The trust relationship between AUSCERT and third parties entails conditions which prevent disclosure of the source(s) of information.  

AUSCERT Bulletin Formats AUSCERT publishes two security bulletin formats: External Security Bulletin (ESB) – produced by vendors that are summarised and re-released by AUSCERT in a consistent format. AUSCERT Security Bulletin (ASB) – produced by AUSCERT with Overview, Impact and Mitigation information. ASBs typically describe critical vulnerabilities and emerging threats. They are collated from a variety of resources including vendors, security researchers and incident response teams around the world. Every AUSCERT bulletin contains a Bulletin Summary which highlights the essential information to assist in the vulnerability management process. The Bulletin Summary consists of the following categories (where relevant): Product Publisher Operating System Resolution CVE Names Original Bulletin URL Comment CVSS (Max) EPSS (Max) CISA KEV (if applicable) These categories are described in further detail below. ESB Structure Bulletin Titles and Email Subject Lines Bulletin titles and bulletin email subject lines display information in a concise format. The title includes the bulletin ID (eg ESB-2024.1234), revision number if applicable (eg ESB-2024.1234.2) and may include an ‘ALERT’ flag if the contents of the bulletin are time critical or reference a serious actively exploited vulnerability. The title also lists operating systems or hardware types that the vulnerability affects, and the product or product family. Example of a bulletin title: ESB-2024.1234 libarchive   Example of an email subject line: ESB-2024.1234 [SUSE] libarchive: CVSS (Max): 7.3 Bulletin Header The bulletin header consists of the ESB (or ASB) ID, a short summary of the purpose of the bulletin, and the date. Bulletin Summary The bulletin summary is an overview of the essential information in the bulletin typically used in the vulnerability management process. Both ESBs and ASBs contain a summary with individual fields as shown in this example: Product The product field displays the affected product name and version numbers (if any). Both ESBs and ASBs will have a Product field. Publisher Only present in an ESB, the Publisher field gives the name of the original source of the bulletin. This is often a vendor such as SUSE or Red Hat but it may also be another security team or research group. Operating System This field gives a list of operating systems or operating system families that are affected by the vulnerability. Resolution The Resolution field gives a quick indication on how to protect against the vulnerability. The values are: None: No resolution is currently available. Patch/Upgrade: A patch or new, unaffected version of the product is available. Note that only official vendor patches are acceptable as a patch – third party patches would be considered a mitigation. Mitigation: There are mitigation steps available that may be used, however there is no specific fix to the vulnerability. Alternate Program: Another program with similar functionality is available that is not vulnerable. CVE Names This field lists any CVE identifiers that relate to this vulnerability. CVEs are effective for tracking vulnerabilities that affect multiple products. Original Bulletin URL This field lists the URL of the original bulletin source. The original bulletin will often have additional links for further information. Comment This field contains any additional information that AUSCERT believes should be highlighted, including: CVSS (Max) EPSS (Max) CISA KEV (if applicable) These categories are described in detail further below. CVSS (Max) The Common Vulnerability Scoring System, or CVSS score, is included in all AUSCERT ASBs and ESBs in the Comment field. The CVSS is a published standard for assessing security vulnerabilities which classifies and scores vulnerabilities based on their severity. Scores are calculated based on a formula that depends on several metrics including required access, impact and authentication. The scores range from 0 to 10, with 10 being the most severe. This field consists of the CVSS (Max) CVSS Score, CVE-ID and CVSS description of the CVE with the highest score. If there is no CVSS (Max) score available at the time of publishing, the Comment field will show as “CVSS (Max): None”. For further information about how the CVSS (Max) is calculated and used, please see https://auscert.org.au/blogs/bulletin-impact-access-to-cvss-migration. EPSS (Max) Where an Exploitation Prediction Scoring System (EPSS Score) is available, this will also be included in the Comment field of a bulletin as “EPSS (Max)”. EPSS employs advanced algorithms to forecast the likelihood of vulnerabilities being exploited in real-world scenarios. A higher EPSS score will indicate a higher risk of exploitation which may provide input into the vulnerability management process. The syntax of the EPSS (Max) score is: EPSS (Max): (*Probability) (**Percentile) (CVE Number) (Date EPSS calculated). Probability: The likelihood of exploitation of the given CVE within the next 30 days Percentile: The vulnerability’s relative severity compared to others, ranking it within a distribution of similar security issues based on their assessed risks and potential impacts. AUSCERT advises members to research EPSS thoroughly before considering its application in vulnerability management. Understanding EPSS can require effort, and its suitability can vary depending on the environment. See articles below for further details on use and interpretation: https://www.first.org/epss https://www.first.org/epss/user-guide https://www.first.org/epss/faq https://vulners.com/blog/epss-exploit-prediction-scoring-system/ https://blog.stackaware.com/p/deep-dive-into-the-epss https://asimily.com/blog/epss-and-its-role-in-vulnerability-management/ https://security.cms.gov/posts/assessing-vulnerability-risks-exploit-prediction-scoring-system-epss CISA KEV A CISA Known Exploited Vulnerability (KEV) is also present in the Comment field if applicable. The KEV catalogue is a CISA-maintained authoritative source of vulnerabilities that have been exploited in the wild. It is recommended that all members review and monitor the KEV catalogue and prioritize remediation efforts of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors. The field consists of the CISA KEV CVE(s) and the CISA KEV url for reference. For example: For further information about CISA KEV, please see https://www.cisa.gov/known-exploited-vulnerabilities. Bulletin Updates and Versioning An ESB or ASB can be updated in the event of crucially new or updated information becoming available since the original date of publication. Updates will have a version number appended to the bulletin ID, eg ESB-2024.1234 will become ESB-2024.1234.2, and the ‘UPDATE’ tag will be added. ASB Structure An ASB contains the same bulletin title, bulletin header, bulletin summary and comment sections as an ESB, however the main body of an ASB differs from an ESB. The main body of an ASB generally consists of four headings: OVERVIEW: This is a summary of the vulnerability being reported and the products that are affected. IMPACT: This section outlines in more detail what the vulnerability allows attackers to perform (eg remote code execution), and the potential outcome of these vulnerabilities (eg significant data breaches, circumvent firewalls, intrusion detection systems, etc). MITIGATION: This section outlines steps to mitigate the risk. This can range from applying available patches to address the vulnerability to restricting or segmenting access to the network, including deploying additional monitoring and alerts against specific criteria. REFERENCES: This is a list of websites that report on the vulnerability. It can be a third-party website or the vendor itself. The websites are referenced within the ASB as the source of information being reported. Examples Full example of an ESB:     Full example of an ASB:    

Membership Services and Benefits AUSCERT provides members with proactive and reactive advice and solutions to current threats and vulnerabilities. We’ll help you prevent, detect, respond and mitigate cyber-based attacks. As a not-for-profit security group based at The University of Queensland, AUSCERT provides a range of comprehensive services to strengthen your cyber security strategy. AUSCERT services are split across three capability pillars: Incident Support, Vulnerability Management and Threat Intelligence. These services are all included in AUSCERT Membership. Incident Support Incident Support – Assists your organisation to detect, interpret and respond to attacks from around the world. Includes access to our highly skilled team of analysts and developers who are available through email, Slack or a 24/7 hotline. Phishing Takedown – Designed to help your organisation with targeted phishing, spear phishing and whaling attacks. Vulnerability Management Security Bulletins – Provides information on threats and vulnerabilities affecting a range of platforms, applications and devices. Member Security Incident Notifications – Customised composite security report containing incident notifications relevant to your organisation’s domains and IP ranges. Proactively informs about security incidents affecting your organisation’s data, systems or networks. Early Warning SMS – Receive SMS notifications for the most critical security threats and vulnerabilities. Threat Intelligence AusMISP – Our MISP service provides threat indicators acquired from trusted communities and organisations to enhance your cyber security posture. Malicious URL Feed – AUSCERT provides a list of active phishing, malware, malware logging or mule recruitment web sites which can added to your firewall blacklist. Sensitive Information Alert – Alert notification for sensitive material and breached credentials found online by our analyst team which specifically targets your organisation. Additional Benefits Member benefits for the annual AUSCERT Cyber Security Conference, Australia’s longest running information security conference. The next conference will be held in May 2025 at The Star Gold Coast. Further details are available here: https://conference.auscert.org.au/ Reduced registration price (available to all members) 50% off one conference registration or 1-day registration (small members) One or more conference registrations (medium members and above). Member pricing for AUSCERT’s range of cyber security training courses. Course information, pricing and calendar are available here: https://auscert.org.au/services/training/ Access to AUSCERT member meetups, workshops and events. Download AUSCERT Membership Services & Benefits (PDF)