Automation in Incident Handling
Handbook, Document for teachers
September 2014
European Union Agency for Network and Information Security
www.enisa.europa.eu
About ENISA
The European Union Agency for Network and Information Security (ENISA) is a centre of network and
information security expertise for the EU, its member states, the private sector and Europe’s citizens.
ENISA works with these groups to develop advice and recommendations on good practice in
information security. It assists EU member states in implementing relevant EU legislation and works
to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to
enhance existing expertise in EU member states by supporting the development of cross-border
communities committed to improving network and information security throughout the EU. More
information about ENISA and its work can be found at
www.enisa.europa.eu.
Acknowledgements
Contributors to this report
We would like to thank all our ENISA colleagues who contributed with their input to this report and
supervised its completion, especially Lauri Palkmets, Cosmin Ciobanu, Andreas Sfakianakis, Romain
Bourgue, and Yonas Leguesse. We would also like to thank the team of Don Stikvoort and Michael
Potter from S-CURE, The Netherlands, Mirosław Maj and Tomasz Chlebowski from ComCERT, Poland,
and Mirko Wollenberg from PRESECURE Consulting, Germany, who produced the second version of
this document as consultants.
Agreements or Acknowledgements
ENISA wants to thank all institutions and persons who contributed to this document. A special ‘Thank
You’ goes to the following contributors: Anna Felkner, Tomasz Grudzicki, Przemysław Jaroszewski,
Piotr Kijewski, Mirosław Maj, Marcin Mielniczek, Elżbieta Nowicka, Cezary Rzewuski, Krzysztof Silicki,
Rafał Tarłowski from NASK/CERT Polska, who produced the first version of this document as
consultants and the countless people who reviewed this document.
Contact
For contacting the authors please use
CERT-Relations@enisa.europa.eu
For media enquiries about this paper, please use
press@enisa.europa.eu.
Legal notice
Notice must be taken that this publication represents the views and interpretations of the authors and
editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the
ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not
necessarily represent the state of the art and ENISA may update it from time to time.
Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external
sources including external websites referenced in this publication.
This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA
nor any person acting on its behalf is responsible for the use that might be made of the information contained
in this publication.
Copyright Notice
© European Union Agency for Network and Information Security (ENISA), 2013
Reproduction is authorised provided the source is acknowledged.
Table of Contents
1      Introduction                                    1
2      General Description                             1
2.1    Tools for preparing the exercise                2
3      EXERCISE COURSE                                 2
3.1    Introduction to the exercise                    2
3.2    Keys to the exercise                            2
3.2.1  Task 1 Locating unique interesting hosts        2
3.2.2  Task 2 Geolocation                              3
3.2.3  Task 3 Looking further                          5
4      Summary of the exercise                         5
5      EVALUATION METRICS                              5
1 Introduction
Goal
The purpose of this exercise is to develop students’ abilities to create custom scripts and filters dealing
with large amounts of data like IP addresses. After completing the exercise students should be able to
extract useful information from bulk data, even in non-standard formats.
Target audience
Incident handlers and technical staff.
This exercise does not require experience in incident handling. It can be used for experienced as well
as future CERT members.
Basic knowledge of Linux shell commands, text manipulation tools and/or programming is required.
Course Duration
1 hour, 45 minutes
Frequency
Once a year, for new team members or members reassigned to technical tasks.
Structure of this document
Task                                         Duration
Introduction to the exercise                 15 min
Task 1: Locating unique interesting hosts    20 min
Task 2: Geolocation                          30 min
Task 3: Looking further                      30 min
Summary of the exercise                      10 min
2 General Description
Sometimes information about an incident, particularly a wide-spread one, is received in bulk,
containing data not just about your networks but about all networks. This can be the case when a site
under a DDoS attack shares its logs without having the time to sort them per ISP, look up
contacts, and so on. With one-to-many distribution channels at hand, such as mailing lists, it can
efficiently publish the information for everyone to analyse.
On the other hand, sometimes you have plenty of information collected from your own sources that
you wish to share with others on a need-to-know basis; examples are logs from IPS systems, early
warning systems, etc. While you observe attacks from all around the world, you may have only a few
interested parties who want to receive and handle reports about their own networks. In such cases
you need to filter the information so that each party receives only what concerns it.
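The filtering described above, and the scripting ability the Goal section asks for, as an added example that is not part of the ENISA handbook: a Python script that pulls IPv4 and IPv6 addresses out of a bulk report mixing several log formats, drops the reporting site's own addresses, counts the distinct hosts, and splits them per responsible party so that each receives only its own share. The sample report lines, the constituency map, the party names and the prefixes are all constructed for illustration. Candidate tokens are validated with the standard `ipaddress` module rather than a loose regular expression, so timestamps like `10:01:03` and malformed addresses like `999.1.1.1` are not mistaken for hosts.

```python
"""Reduce a bulk, mixed-format incident report to the hosts in your own
constituency and split them per network for need-to-know distribution.

Added example for this ENISA exercise; not code from the handbook.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample input (not from the handbook): a DDoS victim shared raw
# logs in several formats at once, plus a line with no address and one with a
# malformed address that a loose regex would happily accept.
SAMPLE_REPORT = """\
2014-09-12T10:01:03Z src=198.51.100.23 dst=203.0.113.5 proto=TCP dport=80
2014-09-12T10:01:04Z src=198.51.100.23 dst=203.0.113.5 proto=TCP dport=80
Sep 12 10:01:05 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.5
198.51.100.200 - - [12/Sep/2014:10:01:06 +0000] "GET / HTTP/1.1" 503 0
203.0.113.9;2014-09-12 10:01:07;flood;"2001:db8:1::42"
this line carries no address at all
Sep 12 10:01:08 fw kernel: DROP IN=eth0 SRC=999.1.1.1 DST=203.0.113.5
2014-09-12T10:01:09Z src=100.64.7.7 dst=203.0.113.5 proto=UDP dport=53
"""

# Hypothetical constituency: which party handles which prefixes.
CONSTITUENCY = {
    "isp-a": ["198.51.100.0/24"],
    "isp-b": ["192.0.2.0/24", "2001:db8::/32"],
}

# The reporting site's own addresses appear on every line and are never
# "interesting" hosts, so they are dropped up front (assumed prefix).
REPORTER_NETS = ["203.0.113.0/24"]

# Anything made of hex digits, dots and colons is a candidate address.
_CANDIDATE_SPLIT = re.compile(r"[^0-9A-Fa-f.:]+")


def extract_addresses(text):
    """Yield (line_number, address) for every valid IPv4/IPv6 literal in text.

    The surrounding format is irrelevant: candidates are cut out of each line
    and handed to ipaddress, which rejects timestamps such as 10:01:03,
    version strings such as 1.1 and out-of-range octets such as 999.1.1.1.
    """
    for lineno, line in enumerate(text.splitlines(), start=1):
        for token in _CANDIDATE_SPLIT.split(line):
            if not token:
                continue
            try:
                yield lineno, ipaddress.ip_address(token)
            except ValueError:
                continue


def unique_hosts(text, exclude_nets=()):
    """Count how often each distinct host occurs, ignoring excluded prefixes."""
    exclude = [ipaddress.ip_network(n) for n in exclude_nets]
    counts = Counter()
    for _, addr in extract_addresses(text):
        # 'addr in net' is simply False across IP versions, so v4/v6 can mix.
        if any(addr in net for net in exclude):
            continue
        counts[addr] += 1
    return counts


def split_by_constituency(counts, constituency):
    """Bucket hosts per responsible party; hosts outside every prefix are
    returned separately so they can be dropped or forwarded elsewhere."""
    nets = [(party, ipaddress.ip_network(prefix))
            for party, prefixes in constituency.items() for prefix in prefixes]
    buckets = defaultdict(dict)
    unmatched = {}
    for addr, hits in counts.items():
        for party, net in nets:
            if addr in net:
                buckets[party][str(addr)] = hits
                break
        else:
            unmatched[str(addr)] = hits
    return dict(buckets), unmatched


def triage(text, constituency=CONSTITUENCY, reporter_nets=REPORTER_NETS):
    """Full pipeline: bulk text in, per-party host lists out."""
    return split_by_constituency(unique_hosts(text, reporter_nets), constituency)


if __name__ == "__main__":
    buckets, unmatched = triage(SAMPLE_REPORT)
    for party, hosts in sorted(buckets.items()):
        print(f"report for {party}:")
        for host, hits in sorted(hosts.items()):
            print(f"  {host:<20} {hits} hit(s)")
    print(f"outside constituency, dropped: {sorted(unmatched)}")
```

Run it as a script to see one report per party; feed real bulk data through `triage()` instead of `SAMPLE_REPORT`. The per-party buckets are what you would mail to each ISP, while the unmatched hosts are the ones that are not yours to handle. Note that the same host may be reported by several parties, so the counts are only a rough measure of how active a source was.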