Date: 11 May 2004
AusCERT’s Incident Management Services (sometimes referred to as incident response) include incident coordination and incident handling, both of which are standard inclusions as part of AusCERT’s subscription services. These services are also available to the public, on a priority basis.
AusCERT's Incident Management Services involve providing assistance and expertise to help reporting sites detect, interpret and respond to attacks from around the globe.
AusCERT provides both proactive and reactive incident response assistance to members. That is, we actively seek out information from a variety of sources to help find information which may indicate that a member's network or information associated with the member's domain may have been compromised, or could be compromised. The sources are varied but include monitoring malicious activity on the Internet to identify systems that may have been compromised.
Increasingly, most incident response assistance AusCERT provides to members is a result of AusCERT's proactive actions to detect and obtain information affecting the member network or domain, which the member might not otherwise have detected or be aware has occurred. AusCERT's domain and IP address monitoring is derived from sources that aren't generally available outside of the CERT communities. We process data feeds containing information on:
- web sites which have been compromised and are leaking malware (which leads to brand/reputation damage to the site owner);
- lists of hosts which are participating in denial of service attacks, botnets and other similar activities;
- hosts which are misconfigured and could be used for attacks;
- evidence of phishing attacks; and
- public posts of confidential data, such as online account credentials.
For example, we may become aware of a phishing email that seeks to impersonate a member's brand or name. We will take action to shut down the associated web site or email address that is seeking to capture sensitive information. Or we may find a malware logging site that has captured sensitive information from a member's customers, when those customers accessed the member's web site. Sometimes this information shows a compromise of the member's network or domain; or it may indicate that computers used by customers or public visitors to the member's web site were compromised instead.
Please note that proactive incident response does not involve examining sites for the presence of malicious code or other forms of compromise. There will be occasions when incidents affecting member domains or hosts are not included in the feed information we processed on a given day, so we may not know about those specific incidents in advance.
Reactive incident management refers to AusCERT's response to a computer network security incident reported to us and the accompanying instructions about how the reporting site would like us to assist them. For information about how we handle the privacy and confidentiality of incident reports please refer to our Privacy Statement.
AusCERT acts as a trusted intermediary, coordinating communication about incidents between affected parties. When AusCERT receives a report of an incident from a site asking us to investigate it, we follow certain well-defined procedures in an effort to obtain resolution or a satisfactory outcome from the alleged attacking site or other appropriate third party. In general, the main purpose of incident coordination is to pass relevant but sanitised information about an incident to affected parties in order that they may themselves resolve or ‘handle’ the incident.
We do this by contacting the affected sites and/or other CERTs and CSIRTs in the appropriate region and asking them to investigate the incident further. Our default action is to sanitise references to the source site from any logs before they are forwarded to other relevant parties or affected sites.
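As an added illustration of the default sanitisation step described above (example code, not AusCERT's own tooling), the script below redacts the reporting site's IP addresses and hostnames from log lines before they are forwarded, while leaving the alleged attacking host's indicators intact. The network range, domain and log lines are constructed for the example.

```python
import ipaddress
import re

# Constructed for this example: the reporting site's address space and domain.
# A coordination team would take these from the incident record instead.
REPORTER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # IPv4 only here
REPORTER_DOMAINS = ["example-reporter.org"]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Dotted hostnames: two or more DNS labels. This also matches bare IPv4
# addresses, which is harmless because the domain check below rejects them.
HOST_RE = re.compile(
    r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I)


def _redact_ip(match):
    """Replace an IPv4 address only if it belongs to the reporting site."""
    try:
        addr = ipaddress.ip_address(match.group(0))
    except ValueError:          # e.g. 999.1.1.1 is not a valid address
        return match.group(0)
    if any(addr in net for net in REPORTER_NETWORKS):
        return "[REPORTER-IP]"
    return match.group(0)


def _redact_host(match):
    """Replace a hostname only if it is, or is under, a reporting-site domain."""
    host = match.group(0).lower()
    if any(host == d or host.endswith("." + d) for d in REPORTER_DOMAINS):
        return "[REPORTER-HOST]"
    return match.group(0)


def sanitise_line(line):
    """Strip references to the reporting site; third-party indicators stay."""
    return HOST_RE.sub(_redact_host, IPV4_RE.sub(_redact_ip, line))


def sanitise_logs(lines):
    return [sanitise_line(line) for line in lines]


# Constructed sample log lines: a reporter host logging probes from 198.51.100.77.
SAMPLE_LOGS = [
    "May 11 03:14:22 gw.example-reporter.org sshd[4131]: Failed password for root from 198.51.100.77 port 51022 ssh2",
    "May 11 03:14:23 gw.example-reporter.org kernel: DROP IN=eth0 SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP DPT=22",
]

if __name__ == "__main__":
    for out in sanitise_logs(SAMPLE_LOGS):
        print(out)
```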
In giving priority to members, we will also pass reports of incidents, received by us from third parties, which may relate to members’ networks.
Our incident coordination services have proven to be a successful and popular mechanism to halt ongoing incidents and to alert attacking sites that their actions have been detected, are being monitored and are unwelcome. It is not uncommon that, through our incident coordination services, sites first become aware that their networks have been compromised (and used to attack other sites). In doing so we assist not only the reporting site but also the secondary victim.
Our incident handling services involve providing advice to help reporting sites identify the nature of a computer security incident or breach, mitigate further damage and recover from it.
In seeking to assist sites to effectively handle an incident, we may, with their consent, communicate with other parties, e.g. CSIRTs, law enforcement agencies, vendors and other experts around the globe.
AusCERT can assist sites by analysing incident artefacts, such as log files or attack tools, to determine likely causes of attack and potential remediation steps in the case of sites suffering a
AusCERT provides incident handling services to its members 24 x 7. After hours contact for emergencies is by telephone hotline only. AusCERT will not go 'on-site' to assist with incident handling/resolution.