Clearinghouse for Incident Handling Tools
TF-CSIRT Seminar, January 18, 2001, Barcelona
Yuri Demchenko <demchenko@terena.nl>

Agenda

- Clearinghouse goals
- Tools used by CSIRTs
  - Evidence collection tools
  - Investigative tools
  - Incident tracking/reporting tools
- Remedy Action Request System, by Andrew Cormack, CERT UKERNA
- Recommendations: how to proceed

Clearinghouse goals

- Experience exchange, e.g. a library of rules for intrusion/activity detection. Can we do it in an effective way?
- Easy setting up of work procedures for new CSIRT teams
- Simplify information exchange
- Provide collective feedback for manufacturers and developers
- Possibly establish a recommended/common tool set

Tools used by CSIRTs

- Evidence collection tools
- Investigative tools
- Proactive tools
- Incident registration and tracking tools
  - Support CSIRT procedure
  - Customer support (call center)

Evidence collection tools - Requirements 1

Actions required during incident data (evidence) collection:
- examining processes
- examining system state
- a program for doing bit-to-bit copies
- programs for generating core images and for examining them
- programs/scripts to automate evidence collection

Recommended evidence collection tools set

Source: http://www.ietf.org/internet-drafts/draft-ietf-grip-prot-evidence-01.txt

The forensics CD should include the following:
- a program for examining processes (e.g., 'ps')
- programs for examining system state (e.g., 'showrev', 'ifconfig', 'netstat', 'arp')
- a program for doing bit-to-bit copies (e.g., 'dd')
- programs for generating core images and for examining them (e.g., 'gcore', 'gdb')
- scripts to automate evidence collection (e.g., The Coroner's Toolkit)

The programs on the forensics CD should be statically linked, and should not require the use of any libraries other than those on the CD.

Investigative tools - Requirements 2

Actions required during incident data analysis/investigation:
- Checking attacker and victim identity
  - IP -> DN, DN -> IP
  - Contact and network data
- Extracting information from collected data and CSIRT archives
- Extended log file analysis
  - based on a library of rules
  - tracking similar cases

Investigative tools - CERT UKERNA example

- about - obtains information from DNS and whois servers for a given IP address or name; checks the current CERT mailboxes and router logs to see if the IP address has been reported in other contexts
- apnic, arin, ripe - look up details of a numeric IP address in the APNIC, ARIN or RIPE database
- gross - script to distill information from some supplied router log files; attempts to identify hosts probed, start and end times of probing, and ports probed
- eh - script to identify well-known port numbers
- findref - script to search for a string in JANET-CERT mailboxes (open, closed or all)
- keykatch - script to extract contact information only from the RIPE, ARIN and APNIC databases
- soa - script to find the e-mail address responsible for the DNS server in a domain
- internic - script to query the InterNIC for details about some networks
- ip2host - public domain script to take a file of IP addresses and convert them to hostnames
- janic - script to query the JANET whois server for details about .ac.uk domains
- nameof - script to translate a numeric IP address into a name

Incident tracking tools - Requirements 4

- Support CSIRT procedure
  - Incident registration
  - Incident tracking
  - Incident reporting
- Easily configurable
- Web-based interface
- Customer support (call center) - optional

Incident tracking tools - Examples

- Action Request System from Remedy (ARS)
  - Web-based user self-support
  - Easily configurable
  - Integration with network management packages
- Magic Total Service Desk (Magic TDS)
  - Web-based customised interface
  - Network oriented and scalable up to 1000 nodes
  - SNMP support (traps, etc.)
  - XML built, and database format customisation
  - Based on MS DNA: supports VB and COM scripts
  - Enables end-users to send requests via e-mail
- Clarify

Recommendations, or how to proceed

- Clearinghouse of Incident Handling Tools
  - Create a repository of investigative tools for incident/evidence collection
  - A manual/tutorial is very desirable
- Prepare a list of recommended tools for incident tracking
- Questionnaire on used tools and practices to CSIRT teams
- Include basic/recommended tools into training programme/materials
- Develop common tools and/or recommendations to make incident/CSIRT information exchangeable
- Think about IODEF implementation
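The CERT UKERNA slide describes 'gross' as a script that distils router log files into hosts probed, ports probed and the start and end times of probing. The following is an added example of that kind of investigative tool, written for this page and not the UKERNA script itself; the Cisco-style ACL syslog format, the year 2001 (syslog lines carry none) and the sample lines are all assumptions.

```python
"""Distil probe activity from router log lines (added example, not the
UKERNA 'gross' script): per source address, find hosts probed, ports probed
and start/end times. Log format, year and sample lines are assumptions."""
import re
from datetime import datetime

# Constructed sample router syslog lines (not real traffic), documentation
# address ranges only.
SAMPLE_LOG = """\
Jan 18 10:02:11 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4321) -> 198.51.100.5(23), 1 packet
Jan 18 10:02:12 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4322) -> 198.51.100.6(23), 1 packet
Jan 18 10:02:15 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4323) -> 198.51.100.7(111), 1 packet
Jan 18 10:03:40 rtr1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.4(1054) -> 198.51.100.5(80), 3 packets
Jan 18 10:05:01 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(4324) -> 198.51.100.8(161), 2 packets
Jan 18 10:05:02 rtr1 %SYS-5-CONFIG_I: Configured from console by vty0
"""

# One ACL log message: timestamp, host, action, protocol, src(port) -> dst(port).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %SEC-6-IPACCESSLOGP: "
    r"list \S+ (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

def parse_line(line, year=2001):
    """Return a dict for an ACL log line, or None for any other line.
    Syslog lines carry no year, so the caller supplies one (assumed 2001)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "action": m["action"], "proto": m["proto"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}

def distil(log_text, year=2001, denied_only=True):
    """Summarise per source address: hosts probed, (proto, port) pairs probed,
    first and last time seen, and number of matching log entries."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is None or (denied_only and rec["action"] != "denied"):
            continue
        e = summary.setdefault(rec["src"], {"hosts": set(), "ports": set(),
                                            "start": rec["ts"], "end": rec["ts"],
                                            "count": 0})
        e["hosts"].add(rec["dst"])
        e["ports"].add((rec["proto"], rec["dport"]))
        e["start"] = min(e["start"], rec["ts"])
        e["end"] = max(e["end"], rec["ts"])
        e["count"] += 1
    return summary

def report(summary):
    """Render the summary, the sources that probed the most hosts first."""
    out = []
    for src, e in sorted(summary.items(), key=lambda kv: -len(kv[1]["hosts"])):
        ports = ", ".join(f"{p}/{n}" for p, n in sorted(e["ports"]))
        out.append(f"{src}: {len(e['hosts'])} hosts, {e['count']} entries, "
                   f"{e['start']:%H:%M:%S}-{e['end']:%H:%M:%S}, ports {ports}")
    return "\n".join(out)

if __name__ == "__main__":
    print(report(distil(SAMPLE_LOG)))
```

Only denied entries count as probes by default; pass denied_only=False to include permitted traffic as well.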