A guide to AusCERT Member Security Incident Notifications: MSIN June 30, 2017


Introduction

As part of its ongoing efforts to enhance member services, AusCERT has launched its Member Security Incident Notification services.

What’s an MSIN?

An MSIN is a daily customised composite security report targeted towards AusCERT member organizations. It contains a compilation of “security incident reports” as observed by AusCERT through its threat intelligence platforms.

Daily

  • MSINs are issued on a daily basis.
  • They are only issued to a member if at least one incident report specific to the member is detected within the past 24-hour period.
  • This also means, if there are no incidents to report, you will not receive an MSIN!

So it follows, the more security incidents spotted corresponding to your organization, the more incident reports will be included in the MSIN, the larger the MSIN you receive!

Customised

  • MSINs are tailored for each member organization, based on: IPs and Domains provided
  • To receive accurate and useful MSINs, it’s important you keep this information updated (see FAQ)

Composite

  • Each MSIN could potentially consist of multiple incident TYPE reports

    For example, it could contain an Infected Hosts report which highlights hosts belonging to a member organization that have been spotted attempting to connect to a known botnet C&C server, followed by a DNS Open Resolvers report listing open recursive DNS resolvers that could be used in a DNS amplification DDoS attack.

  • Each incident type report could also include multiple incident reports

    For example, this “infected hosts” report contains 2 incidents:

    Incidents Reported

        Timestamp:                      2015-08-25T00:20:34+00:00
        Drone IP:                       123.456.789.abc
        Drone Port:                     13164
        Drone Hostname:                 abc.xxx.xxx.xxx.au
        Command and Control IP:         aaa.bbb.ccc.ddd
        Command and Control Hostname:   imacnc1.org
        Command and Control Port:       80
        Malware Type:                   redyms

        Timestamp:                      2015-08-25T00:20:34+00:00
        Drone IP:                       321.654.987.cba
        Drone Port:                     2343
        Drone Hostname:                 def.xxx.xxx.xxx.au
        Command and Control IP:         ddd.eee.fff.ggg
        Command and Control Hostname:   imacnc2.org
        Command and Control Port:       123
        Malware Type:                   dyre

    All timestamps are in UTC

    It is imperative these incidents be reviewed and handled individually.

Structure

An MSIN has the following basic structure.
==================HEADING FOR INCIDENT TYPE 1==============
Incident Type
Name of the incident and any known exploited vulnerabilities and associated CVEs.

Incident Description
Further information on potential attack vectors and impacts.


Incidents Reported
List of individual reports sighted by AusCERT
Incident report 1
Incident report 2

Incident report n

AusCERT recommended mitigations
Steps for resolution of incidents or mitigation of vulnerabilities which could be exploited in the future.
References
Links to resources referenced within the report
Additional Resources
Links to additional material such as tutorials, guides and whitepapers relevant to the report aimed at enhancing the recipients understanding of the addressed vulnerabilities, potential impacts and mitigation techniques.

=============================END OF REPORT=========================


=====================HEADING FOR INCIDENT TYPE 2====================
Incident Type
Incident Description

Incidents Reported
Incident report 1
Incident report 2

Incident report n
AusCERT recommended mitigations
References
Additional Resources
=============================END OF REPORT=========================


=====================HEADING FOR INCIDENT TYPE X====================
=============================END OF REPORT=========================

Frequently Asked Questions

  1. How can I update domain/IP information for my organization?

    If you are a Primary AusCERT contact simply write to AusCERT Membership at membership@auscert.org.au and provide the updated information.

    If you have a privileged account in the Member portal you can request changes through the portal.

    AusCERT will perform a validation check to ensure the domains are under your organization’s ownership or control prior to including them in the monitoring list.

  2. Where does the information in an MSIN come from?

    AusCERT receives information relating to compromised and/or vulnerable resources from several trusted third parties, through secure means.

    The trust relationship between AusCERT and third parties entails conditions which prevent  disclosure of the source(s) of information.


« Back to publications