Library items tagged: CSIRT

Janet Network Security Incident Classification Scheme

James Davis
Tuesday, December 17, 2013 - 11:11
CSIRT
infosec
security
The statistics provided by Jisc's Janet network CSIRT require a degree of interpretation. Often the numbers are influenced more by the team's activities than they are by external influences. For example: an increase in the number of malware incidents may indicate increasing infections, but it is just as likely to be due to increased detection rates by CSIRT.
Read more

2010 - House of Lords enquiry into EU Internal Security Strategy

Andrew Cormack
Thursday, June 28, 2012 - 13:23
CSIRT
Cybercrime
incident response
This is JANET(UK)’s submission to the inquiry into the EU Internal Security Strategy by the Home Affairs Sub-Committee of the House of Lords Select Committee on the European Union.
Read more

References

Anonymous
Sunday, February 19, 2012 - 17:58
security
CSIRT
DDOS
denial of service
technical guide
[1] Wikipedia - IP address spoofing: https://en.wikipedia.org/wiki/IP_address_spoofing [2] ZoneAlarm: http://www.zonelabs.com/ [3] Snort - the Lightweight Network Intrusion Detection System: http://www.snort.org/
Read more

Aftermath

Anonymous
Sunday, February 19, 2012 - 17:58
security
CSIRT
DDOS
denial of service
investigating
technical guide
In this particular incident, the initial tip-off led directly to the departmental network containing the compromised hosts. This information is not always so readily available, since IP spoofing can also be used to simulate traffic from machines on many different networks. Such a situation could be handled by repositioning the network monitor on the backbone (at M’ in the diagram, for example), and again examining the source MAC addresses of attack packets (but note that performance is likely to be a concern, with monitors dropping traffic at gigabit speeds).
Read more

What we saw

Anonymous
Sunday, February 19, 2012 - 17:57
security
CSIRT
DDOS
denial of service
investigation
technical guide
We left the monitor in place for two days, until our log fi le began to grow rapidly indicating a new attack in progress. The following entries are typical of what was observed: [**] IDS253 - DDoS shaft synflood outgoing [**] 06/12-14:30:46.599036 8:0:20:1B:22:A9 -> 0:D0:D3:56:D1:30 type:0x800 len:0x3C 98.76.54.111:1008 -> 12.34.56.78:6666 TCP TTL:30 TOS:0x0 ID:59926 DF
Read more

The network monitor

Anonymous
Sunday, February 19, 2012 - 17:57
security
CSIRT
DDOS
denial of service
investigating
technical guide
Our monitor is a Linux system running the Snort lightweight intrusion detection system [3]. Demands on hardware are not very high: we use a redundant Pentium 133-based system with two 10/100Mbit/s network interface cards, 128MB memory and 4GB disk space. This allows us to use one interface to access the console, while the other is dedicated to the RSPAN traffic. It is configured with a minimum number of services running and no user accounts [4].
Read more

Network infrastructure

Anonymous
Sunday, February 19, 2012 - 17:57
security
CSIRT
DDOS
denial of service
investigating
technical guide
The university network is based on a Gigabit Ethernet backbone, linking together departmental Local Area Networks (LANs) which typically deliver switched 10/100Mbit/s to the desktop. The network is shown diagrammatically in Figure 1. Figure 1: Schematic of the university network
Read more

Detecting Conficker on your network

Anonymous
Monday, February 13, 2012 - 20:15
CSIRT
conficker
detecting
incident response
malware
security
From time to time Janet CSIRT may report activity to you that is related to the Conficker worm. Typically this is a record of traffic from an infected host, to a Conficker sinkhole server. These sinkhole servers pretend to be part of the worm’s command and control infrastructure. The worm then attempts to load a web page on the sinkhole server, that were the server real, would contain instructions for the worm. Our reports typically look like this
Read more

Protecting yourself from Conficker

Anonymous
Monday, February 13, 2012 - 20:14
CSIRT
conficker
incident response
malware
protection
security
The Conficker worm (also known as Downup, Downadup and Kido) is probably the most prevalent computer worm on Janet and the Internet at this time. It’s success can be attributed to it’s use of a number of different vectors it uses to infect machines:
Read more

Zeus/Zbot

Anonymous
Monday, February 13, 2012 - 20:12
security
incident response
CSIRT
advice
malware
Zeus
Zbot
Zeus is the name for a family, or perhaps ecosystem of malware that is created and customised using a single toolkit. Not only does the toolkit generate the executable that infects systems, but it also produces server files that act as the command and control infrastructure for the operator’s botnet. Primarily Zeus is used to steal banking details through the use of keystroke logging and screen captures that are sent from the infected system to the command and control sever.
Read more