Clearinghouse for Incident Handling Tools TF-CSIRT Seminar January 18, 2001 Barcelona Yuri Demchenko.

©Jan. 18, TF-CSIRT Seminar, Barcelona. Clearinghouse of Incident Handling Tools (slide 2)

Agenda
- Clearinghouse goals
- Tools used by CSIRTs
  - Evidence collection tools
  - Investigative tools
  - Incident tracking/reporting tools
- Remedy Action Request System, by Andrew Cormack, CERT UKERNA
- Recommendations
  - How to proceed?

Clearinghouse goals
- Experience exchange
  - E.g., a library of rules for intrusion/activity detection
  - Can we do it in an effective way?
- Easy setting up of work procedures for new CSIRT teams
- Simplify information exchange
- Provide collective feedback for manufacturers and developers
- Possibly establish a recommended/common tool set

Tools used by CSIRTs
- Evidence collection tools
- Investigative tools
- Proactive tools
- Incident registration and tracking tools
  - Support CSIRT procedures
  - Customer support (call center)

Evidence collection tools – Requirements 1
Actions required during incident data (evidence) collection:
- examining processes
- examining system state
- a program for doing bit-to-bit copies
- programs for generating core images and for examining them
- programs/scripts to automate evidence collection

Recommended evidence collection tool set
- A forensics CD should include the following:
  - a program for examining processes (e.g., 'ps')
  - programs for examining system state (e.g., 'showrev', 'ifconfig', 'netstat', 'arp')
  - a program for doing bit-to-bit copies (e.g., 'dd')
  - programs for generating core images and for examining them (e.g., 'gcore', 'gdb')
  - scripts to automate evidence collection (e.g., The Coroner's Toolkit)
- The programs on the forensics CD should be statically linked, and should not require the use of any libraries other than those on the CD.
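A check for the "statically linked" requirement above, added here as an example and not part of the slides or of any CERT UKERNA tool: it parses the ELF program header table of each file and flags any binary that names a runtime loader (a PT_INTERP segment), which is what a dynamically linked executable must carry. The sample images are constructed headers only, and `audit_tool_tree` is an assumed helper name for walking a CD image directory.

```python
import os
import struct

PT_INTERP = 3  # ELF program header type naming the runtime loader (ld.so)

def elf_phdr_types(data):
    """Return the p_type of each program header, or None if data is not ELF."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        return None
    is64, endian = data[4] == 2, ("<" if data[5] == 1 else ">")
    if len(data) < (64 if is64 else 52):
        return None  # ELF header itself is truncated
    # Header fields after e_ident: type, machine, version, entry, phoff, shoff,
    # flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    fmt = endian + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    fields = struct.unpack_from(fmt, data, 16)
    phoff, phentsize, phnum = fields[4], fields[8], fields[9]
    types = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            break  # truncated program header table: report what is readable
        types.append(struct.unpack_from(endian + "I", data, off)[0])
    return types

def is_statically_linked(data):
    """True when the image names no runtime loader (no PT_INTERP).  A static-PIE
    keeps a PT_DYNAMIC segment yet loads no shared library, so PT_DYNAMIC is not the test."""
    types = elf_phdr_types(data)
    return types is not None and PT_INTERP not in types

def audit_tool_tree(root):
    """Walk a tool directory (e.g. the CD image) and list ELF files that are not static."""
    offenders = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if elf_phdr_types(data) is not None and not is_statically_linked(data):
                offenders.append(path)
    return sorted(offenders)

def make_sample_elf64(phdr_types):
    """Constructed minimal little-endian ELF64 image (headers only) for testing."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdr_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in phdr_types)
    return ehdr + phdrs
```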

Investigative tools – Requirements 2
Actions required during incident data analysis/investigation:
- Checking attacker and victim identity
  - IP -> DN, DN -> IP
  - Contact and network data
- Extracting information from collected data and CSIRT archives
  - Extended log file analysis, based on a library of rules
  - Tracking similar cases

Investigative tools – CERT UKERNA example
- about - obtains information from DNS and whois servers for a given IP address or name; checks the current CERT mailboxes and router logs to see if the IP address has been reported in other contexts
- apnic, arin, ripe - look up details of a numeric IP address in the APNIC, ARIN or RIPE database
- gross - script to distill information from supplied router log files; attempts to identify hosts probed, start and end times of probing, and ports probed
- eh - script to identify well-known port numbers
- findref - script to search for a string in JANET-CERT mailboxes (open, closed or all)
- keykatch - script to extract contact information only from the RIPE, ARIN and APNIC databases
- soa - script to find the address responsible for the DNS server in a domain, e.g.
- internic - script to query the InterNIC for details about some networks
- ip2host - public domain script to take a file of IP addresses and convert them to hostnames
- janic - script to query the JANET whois server for details about .ac.uk domains
- nameof - script to translate a numeric IP address into a name
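An added example in the spirit of the 'gross' script above (not the UKERNA code, which the slide does not show): it distils router ACL deny messages into a per-source summary of hosts probed, protocol/port pairs probed, first and last probe time and packet count. The log lines are constructed in Cisco IOS IPACCESSLOGP style using documentation address ranges; the year is passed in because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: Cisco IOS-style ACL deny messages (documentation address ranges)
# plus one unrelated link-state message that the distiller must ignore.
SAMPLE_LOG = """\
Jan 18 09:12:01 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.7(4123) -> 198.51.100.10(23), 1 packet
Jan 18 09:12:03 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.7(4124) -> 198.51.100.11(23), 1 packet
Jan 18 09:12:09 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.7(4125) -> 198.51.100.11(111), 2 packets
Jan 18 09:13:44 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.5(53) -> 198.51.100.20(161), 1 packet
Jan 18 09:13:50 rtr1 %LINK-3-UPDOWN: Interface Serial0, changed state to up
"""

DENY = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ .*?denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<n>\d+) packet")

def distill(log_text, year):
    """Per source address: hosts probed, protocol/port pairs probed, first and last
    probe time, packet count.  Syslog timestamps carry no year, so the caller supplies it."""
    summary = {}
    for line in log_text.splitlines():
        m = DENY.match(line)
        if not m:
            continue  # not an ACL deny message
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rec = summary.setdefault(m["src"], {"hosts": set(), "ports": set(),
                                            "first": when, "last": when, "packets": 0})
        rec["hosts"].add(m["dst"])
        rec["ports"].add((m["proto"], int(m["dport"])))
        rec["first"], rec["last"] = min(rec["first"], when), max(rec["last"], when)
        rec["packets"] += int(m["n"])
    return summary

def report(summary):
    """One text line per source, busiest source first."""
    lines = []
    for src, rec in sorted(summary.items(), key=lambda kv: -kv[1]["packets"]):
        ports = ", ".join(f"{port}/{proto}" for proto, port in sorted(rec["ports"], key=lambda x: x[1]))
        lines.append(f"{src}: {len(rec['hosts'])} host(s), ports {ports}, "
                     f"{rec['first']:%H:%M:%S}-{rec['last']:%H:%M:%S}, {rec['packets']} packet(s)")
    return lines

if __name__ == "__main__":
    print("\n".join(report(distill(SAMPLE_LOG, 2001))))
```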

Incident tracking tools – Requirements 4
- Support CSIRT procedures
  - Incident registration
  - Incident tracking
  - Incident reporting
- Easily configurable
  - Web-based interface
- Customer support (call center) – optional?

Incident tracking tools – Examples
- Action Request System from Remedy (ARS)
  - Web-based user self-support
  - Easily configurable
  - Integration with network management packages
- Magic Total Service Desk (Magic TDS)
  - Web-based customised interface
  - Network oriented and scalable up to 1000 nodes
  - SNMP support (traps, etc.)
  - XML built and database format customisation
  - Based on MS DNA: supports VB and COM scripts
  - Enables end-users to send requests via
- Clarify

Recommendations, or how to proceed?
Clearinghouse of Incident Handling Tools
- Create a repository of investigative tools for incident/evidence collection
  - A manual/tutorial is very desirable
- Prepare a list of recommended tools for incident tracking
- Questionnaire on used tools and practices to CSIRT teams
- Include basic/recommended tools in the training programme/materials
- Develop common tools and/or recommendations to make incident/CSIRT information exchangeable
  - Think about IODEF implementation