Incident management service
AusCERT’s Incident Management Service (sometimes referred to as incident response) includes incident coordination and incident handling, both of which are standard inclusions as part of AusCERT’s subscription services.
AusCERT's Incident Management Service involves providing assistance and expertise to help reporting members to detect, interpret and respond to attacks from around the globe.
AusCERT provides both proactive and reactive incident response assistance to members. Proactively, we seek out information from a variety of sources that may indicate that a member's network, or information associated with the member's domain, has been compromised or could be compromised. The sources are varied but include monitoring malicious activity on the Internet to identify systems that may have been compromised.
Increasingly, most of the incident response assistance AusCERT provides to members results from AusCERT's proactive detection of information affecting the member's network or domain, which the member may not otherwise have detected. AusCERT's domain and IP address monitoring is derived from sources that are not generally available outside the CERT communities. We process data feeds containing information on (among other things):
- web sites which have been compromised and are serving malware to visitors (which leads to brand/reputation damage to the site owner),
- lists of hosts which are participating in denial of service attacks, botnets and other similar activities,
- hosts which are misconfigured and could be used for attacks,
- evidence of phishing attacks,
- public posts of confidential data, such as online account credentials.
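The step that turns a feed like this into a member notification is attribution: a record is relevant to a member only when its indicator falls inside one of the member's registered IP ranges or is the member's domain or a subdomain of it. The following is an added example of that matching logic, not AusCERT's own tooling; the member registry, the feed records, the IP ranges and the domain names in it are constructed for the example. It matches domains label by label rather than by substring, so `notexample-uni.edu.au` does not match `example-uni.edu.au`, and it treats a lookalike such as `login.example-bank.com.au.evil.test` as not a member asset (brand-impersonation lookalikes need a separate, fuzzier check that this example does not attempt).

```python
import ipaddress
import re

# Constructed member registry (hypothetical data, not AusCERT's): the IP ranges
# and domains AusCERT monitors on each member's behalf.
MEMBERS = {
    "example-uni": {
        "networks": ["192.0.2.0/24", "2001:db8:10::/48"],
        "domains": ["example-uni.edu.au"],
    },
    "example-bank": {
        "networks": ["198.51.100.0/25"],
        "domains": ["example-bank.com.au"],
    },
}

# Constructed feed records in the categories listed above (hypothetical sample).
FEED = [
    {"type": "malware_host", "indicator": "192.0.2.45", "source": "feed-a"},
    {"type": "phishing", "indicator": "login.example-bank.com.au.evil.test", "source": "feed-b"},
    {"type": "phishing", "indicator": "secure.example-bank.com.au", "source": "feed-b"},
    {"type": "botnet_member", "indicator": "203.0.113.9", "source": "feed-c"},
    {"type": "open_resolver", "indicator": "2001:db8:10:1::5", "source": "feed-d"},
    {"type": "credential_leak", "indicator": "notexample-uni.edu.au", "source": "feed-e"},
    {"type": "malware_host", "indicator": "not-an-indicator", "source": "feed-a"},
]

HOSTNAME_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}\.?")


def classify_indicator(indicator):
    """Return ('ip', address), ('domain', name) or ('unknown', raw text).

    Feeds are messy; anything that is neither an IP address nor a plausible
    hostname is passed through as 'unknown' rather than raising.
    """
    try:
        return "ip", ipaddress.ip_address(indicator)
    except ValueError:
        pass
    lowered = indicator.lower()
    if HOSTNAME_RE.fullmatch(lowered):
        return "domain", lowered.rstrip(".")
    return "unknown", indicator


def domain_matches(indicator, member_domain):
    """True when the indicator is the member domain or a subdomain of it.

    Comparison is on whole labels: 'notexample.com' must not match 'example.com'.
    """
    ind = indicator.lower().rstrip(".")
    dom = member_domain.lower().rstrip(".")
    return ind == dom or ind.endswith("." + dom)


def match_feed(feed, members):
    """Attribute each feed record to the members whose assets it names.

    Returns a list of (member_id, record). Records that name no member's
    assets are dropped: the intermediary cannot know about incidents that
    its feeds do not carry.
    """
    compiled = {
        member_id: (
            [ipaddress.ip_network(c, strict=False) for c in m["networks"]],
            m["domains"],
        )
        for member_id, m in members.items()
    }
    hits = []
    for record in feed:
        kind, value = classify_indicator(record["indicator"])
        for member_id, (networks, domains) in compiled.items():
            if kind == "ip" and any(value in net for net in networks):
                hits.append((member_id, record))
            elif kind == "domain" and any(domain_matches(value, d) for d in domains):
                hits.append((member_id, record))
    return hits


if __name__ == "__main__":
    for member_id, record in match_feed(FEED, MEMBERS):
        print(f"{member_id}: {record['type']} {record['indicator']} (via {record['source']})")
```

Three of the seven constructed records are attributed (two to example-uni, one to example-bank); the botnet host at 203.0.113.9, the lookalike domain, the substring near-miss and the malformed indicator all fall through, which is the same gap the service description notes below about incidents that are not in the day's feeds.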
For example, we may become aware of a phishing email that impersonates a member's brand or name. We will take action to have the associated web site or email address that is capturing sensitive information shut down. Or we may find a malware drop site that has logged sensitive information stolen from a member's customers when those customers accessed the member's web site. Sometimes this information shows a compromise of the member's network or domain; at other times it indicates that the computers used by customers or public visitors to the member's web site were compromised instead.
Please note that the proactive incident response does not involve examining members' sites for the presence of malicious code or other forms of compromise. AusCERT will not scan or attempt to penetrate members' sites. There will be occasions when incidents occur affecting member domains or hosts which are not included in the feed information we processed on a given day; this means we may not know about these specific incidents in advance. We recommend members carry out regular penetration tests against their own infrastructure, as part of an overall information security plan.
Reactive incident management refers to AusCERT's response to a computer network security incident reported to us and the accompanying instructions about how the member would like us to assist them. For information about how we handle the privacy and confidentiality of incident reports please refer to our Privacy Statement (located within AusCERT Policies).
AusCERT acts as a trusted intermediary, coordinating communication about incidents between affected parties. When AusCERT receives a report of an incident from a member asking us to investigate it, we follow well-defined procedures in an effort to obtain resolution or a satisfactory outcome from the appropriate third party. In general, the main purpose of incident coordination is to pass relevant but sanitised information about an incident to affected parties so that they may themselves resolve or 'handle' the incident.
We do this by contacting the affected sites and/or other CERTs and CSIRTs in the appropriate region and asking them to investigate the incident further. Our default action is to sanitise references to the member from any logs before they are forwarded to other relevant parties or affected sites.
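The sanitisation step matters because the forwarded logs have to do two jobs at once: identify the activity precisely enough for the receiving site to find it in its own records (so the attacking host's address, ports and timestamps stay intact), while removing the reporting member's identity. Below is an added example of that redaction, not AusCERT's own procedure or tooling; the member's IP range and domain and the log lines are constructed for the example. Member addresses, hostnames and email addresses are replaced with stable placeholders, so that the same host gets the same token across lines and the receiver can still correlate events, and the placeholder-to-original mapping is retained by the intermediary rather than forwarded.

```python
import ipaddress
import re

# Constructed log lines (hypothetical): a member host at 192.0.2.17 receiving
# brute-force attempts from 203.0.113.9, plus mail and web records.
LOGS = [
    "2024-05-02T03:14:07Z 192.0.2.17 sshd[412]: Failed password for root from 203.0.113.9 port 51544 ssh2",
    "2024-05-02T03:14:09Z 192.0.2.17 sshd[412]: Failed password for admin from 203.0.113.9 port 51546 ssh2",
    "2024-05-02T03:15:01Z mail.example-uni.edu.au postfix/smtpd: connect from unknown[203.0.113.9] to helpdesk@example-uni.edu.au",
    "2024-05-02T03:16:30Z 192.0.2.80 httpd: GET /wp-login.php from 203.0.113.9 referer http://cdn.partner.test/",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@([\w-]+(?:\.[\w-]+)+)\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


class Sanitiser:
    """Replaces identifiers belonging to the reporting member with placeholders.

    Everything else, including the attacking host's address, is left intact so
    the receiving site can locate the activity in its own records.
    """

    def __init__(self, member_networks, member_domains):
        self.networks = [ipaddress.ip_network(n, strict=False) for n in member_networks]
        self.domains = [d.lower().rstrip(".") for d in member_domains]
        self.mapping = {}    # placeholder -> original; kept by the intermediary, never forwarded
        self._reverse = {}   # original -> placeholder, so repeats get the same token
        self._counters = {}

    def _placeholder(self, kind, original):
        if original not in self._reverse:
            self._counters[kind] = self._counters.get(kind, 0) + 1
            token = f"[MEMBER-{kind}-{self._counters[kind]}]"
            self.mapping[token] = original
            self._reverse[original] = token
        return self._reverse[original]

    def _is_member_ip(self, text):
        try:
            address = ipaddress.ip_address(text)
        except ValueError:
            return False
        return any(address in net for net in self.networks)

    def _is_member_host(self, host):
        h = host.lower().rstrip(".")
        return any(h == d or h.endswith("." + d) for d in self.domains)

    def sanitise_line(self, line):
        # Email addresses first, so the domain part is not replaced piecemeal below.
        line = EMAIL_RE.sub(
            lambda m: self._placeholder("EMAIL", m.group(0)) if self._is_member_host(m.group(1)) else m.group(0),
            line,
        )
        line = IPV4_RE.sub(
            lambda m: self._placeholder("IP", m.group(0)) if self._is_member_ip(m.group(0)) else m.group(0),
            line,
        )
        # HOST_RE also matches file names like wp-login.php; the membership test leaves those alone.
        line = HOST_RE.sub(
            lambda m: self._placeholder("HOST", m.group(0)) if self._is_member_host(m.group(0)) else m.group(0),
            line,
        )
        return line


def sanitise_for_forwarding(lines, member_networks, member_domains):
    """Return (sanitised lines to forward, placeholder mapping to retain)."""
    s = Sanitiser(member_networks, member_domains)
    return [s.sanitise_line(l) for l in lines], s.mapping


if __name__ == "__main__":
    forwarded, retained = sanitise_for_forwarding(LOGS, ["192.0.2.0/24"], ["example-uni.edu.au"])
    print("\n".join(forwarded))
    print("retained mapping (not forwarded):", retained)
```

The receiving site sees `203.0.113.9` unchanged on every line and can act on it; the member's two hosts appear as `[MEMBER-IP-1]` and `[MEMBER-IP-2]`, its mail server as `[MEMBER-HOST-1]` and the helpdesk address as `[MEMBER-EMAIL-1]`. Real logs carry member identity in more places than these patterns cover (IPv6 addresses, hostnames embedded in URLs with ports, application-specific fields), so a production sanitiser needs its patterns extended and its output reviewed before forwarding.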
We will also pass on to members any reports of incidents that we receive from third parties and that relate to members' networks.
Our Incident Management Service has proven to be a successful and popular mechanism for halting ongoing incidents and for alerting attacking sites that their actions have been detected, are being monitored and are unwelcome. It is not uncommon, through the provision of our Incident Management Service, for a site to first become aware that its network has been compromised (and used to attack other sites). In doing so we assist not only the reporting site but also the secondary victim.
Our Incident Management Service provides advice to members to assist with identifying a computer security incident or breach, mitigating further damage and recovering from it.
In seeking to assist members to handle an incident effectively, we may, with their consent, communicate with other parties, e.g. CSIRTs, law enforcement agencies, vendors and other experts around the globe.
AusCERT can assist members by analysing incident artefacts, such as log files or attack tools, to determine likely causes of attack and potential remediation steps in the case of sites suffering a compromise.
AusCERT provides the Incident Management Service to its members 24x7. After-hours contact for emergencies is by telephone hotline only. Assisting members with incidents on-site is not included as part of the annual membership fee.