
Version 1.2 – 19-June-2013

GUIDELINES

Incident Response Guidelines

Executive Summary

Government Departments have a responsibility to report computer incidents under the terms laid out in the SPF, issued by Cabinet Office. This document seeks to provide guidance and advice on what must be reported to GovCertUK and what can be tipped to us that doesn’t generate a “formal report” requirement.

There are 4 categories of activity:

• A - Concerted Targeted Attack: must be reported to GovCertUK

• B - Targeted Attack: must be reported to GovCertUK

• C - Non-Targeted: GovCertUK is to be tipped

• D - Other Reporting: GovCertUK is to be tipped

The categorisation is built primarily around whether the Department has been specifically targeted or not. GovCertUK must always be informed if a Department has been targeted specifically by a malicious actor.

Whilst this document is designed to help assess whether to notify GovCertUK of a computer security incident, all personnel can use their professional judgment when deciding whether to tip GovCertUK to those Events that may not reach the formal reporting threshold.

Situational Awareness and Victim Notifications

GovCertUK is an internationally recognised organisation and receives information from many sources. This information enhances GovCertUK's ability to maintain situational awareness across HMG and enables notifications of potential computer incidents to be sent to the relevant Departments.

Telephone (24x7x365): +44 (0) 1242 709311. For Out Of Hours, phone the number above and leave a message; the On Call Duty Officer will be paged to return your call.

Website http://www.govcertuk.gov.uk


This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to GCHQ on 01242 221491 x30306 or infoleg@gchq.gsi.gov.uk

UK UNCLASSIFIED

Information received is often limited in nature and tends to be after the event has occurred. GovCertUK will always seek to pass relevant, useful information to Departments as soon as practicable to the nominated Incident Point(s) of Contact. Appendix B contains a few samples of Victim Notifications that are sent out.

A component of Situational Awareness is not only what is happening from “outside” organisations but also what is happening within that is not usually reported. Where Departments have information available on internal incidents, GovCertUK would like to request anonymised versions to be sent to our enquiries mailbox. A sample list of information requested is in Appendix C.

Sample of Suspicious or Malicious data

Samples, whether part of an incident or not, contribute to GovCertUK's knowledge of current issues across HMG and enable specific Alerts or Advisories to be formed and distributed to assist other Departments in identifying and mitigating malicious activity (whether email or malware).

GovCertUK welcomes any samples of:

• suspicious emails, with mail headers where possible

• executables

• logs

• packet captures

• paste bin articles

• forum posts

• etc.

Any suspected or known to be bad information can be sent to our samples mailbox (samples@govcertuk.gsi.gov.uk) inside a password protected zip file with the password “infected”.

Reporting and Tipping

Traditionally, as part of GovCertUK's formal remit, Departments would make contact during a category A or B incident (see Appendix A).

GovCertUK recognises that not all Events require formal reporting as incidents. Departments are able to “Tip” information to the enquiries mailbox that may be useful or where a Department requests information to assist their own investigation into an event. A tip does not declare an Incident with GovCertUK; a ticket will be created purely for tracking purposes if the event escalates to an incident and also so that the information can be data mined in the future. A ticket number is generated and should be used when enquiring about an incident.


Notification Period

It is accepted that during an incident the last task on an Incident Handler's mind is contacting GovCertUK. Whilst this is understandable, GovCertUK has access to a vast pool of information. During an incident GovCertUK may hold some useful information to assist the focus and targeting of your investigation and provide tactical IA advice.

Facts About GovCertUK

GovCertUK:

• does not maintain a “black book” of “repeat offenders”

• does not blacklist anyone if a report or tip results in “no further action”

• is not an audit or vetting body


Appendix A - Incident Categorisation

Category A

Definition:

• Incidents that are, or suspected to be, a concerted, repeating, targeted effort causing harm to confidentiality, integrity or availability of ICT systems or data

Actions:

• Phone on 24x7x365 to Tip and Seek Advice

• Interim Report within 24hrs

• Further Interim Reports as agreed with GovCertUK

• Full Report when practicable

Category B

Definition:

• Incidents that are, or suspected to be, targeted attacks attempting to cause harm to confidentiality, integrity or availability of ICT systems or data

• Incidents in relation to GSi, PSN, GCSx, xGSi, CJ*, GSX, GCX, PNN, N3, etc.

Actions:

• Tip GovCertUK via Phone

• Interim Report within 72hrs

• Full Report when practicable

Category C

Definition:

• Incidents that are likely to be non-targeted

• Instances where IT Teams have a “gut feeling” behaviour is suspicious

Actions:

• Phone or Email to Tip

Category D

Definition:

• Events that are of a cryptographic nature, loss of laptops / media, protective marking breaches etc.

Actions:

• Report to the relevant body (CINRAS, ICO, Cabinet Office, etc)

• Tip GovCertUK

Definitions used for this document

Alert – an atomic occurrence that has triggered a system or person to take notice

Event – a set of Alerts that are cause for some concern and need investigating

Incident – an Event or set of Events that have activated incident response activities or meet GovCertUK Category C or above.

Whilst it may be possible that an incident could be categorised in multiple categories, the higher of the categories should take precedence. Note that declaring a specific category of incident does not stop it being re-categorised either up or down the scale as more information is discovered. There are no penalties or black marks for “miscategorising” incidents.


Appendix B - Sample Victim Notifications

Typical Beaconing Notification

BEGIN

(PROTECTIVE MARKING) Your network may be infected with malicious software, which is attempting to connect to a malicious server on the Internet.

(PROTECTIVE MARKING) The activity occurred as follows:

(PROTECTIVE MARKING) Date        From IP   To IP

(PROTECTIVE MARKING) dd/mm/yyyy  x.x.x.x   y.y.y.y

(PROTECTIVE MARKING) Should you have any questions, please contact us on the details below. We would also be interested in the results of your investigation.

END

Recommended Actions for Beacons, above and beyond basic AV / Malware scanning

1. Identify whether any IP addresses belong to your organisation

2. Use boundary logs (firewall, router, proxy, dhcp, etc.) to track back to the source client system

a. Perform historic checks on as much data as practicable

3. Use your incident handling policies to clean the machine in question

a. If there are special circumstances, GovCertUK will notify you and advise accordingly – in the case of APT, cleaning a single machine is unlikely to completely remove the malicious actor – seek advice from GovCertUK

4. Report back to GovCertUK on any findings, forensic analysis, executable analysis, log analysis, etc.
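Steps 1 and 2 above, worked through as an added example (not code from the GovCertUK document): the notification row, the Department's address range and the firewall NAT log extract are all constructed, and the log column layout is an assumption.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed: the Department's public address ranges (assumption, not from the page)
ORG_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed notification row in the Appendix B layout: date, From IP, To IP
NOTIFICATION = "17/06/2013 203.0.113.10 198.51.100.7"

# Constructed firewall NAT log: date, internal client, NAT public IP, destination, port, action
FIREWALL_LOG = """\
17/06/2013 10.20.30.41 203.0.113.10 198.51.100.7 443 ALLOW
17/06/2013 10.20.30.55 203.0.113.10 93.184.216.34 443 ALLOW
12/06/2013 10.20.30.41 203.0.113.10 198.51.100.7 443 ALLOW
16/06/2013 10.20.30.41 203.0.113.10 198.51.100.7 443 ALLOW
17/06/2013 10.20.30.77 203.0.113.10 198.51.100.7 80 DENY
"""

def parse_notification(text):
    date, from_ip, to_ip = text.split()
    return date, ipaddress.ip_address(from_ip), ipaddress.ip_address(to_ip)

def belongs_to_org(ip):
    """Step 1: is the reported 'From IP' one of ours?"""
    return any(ip in net for net in ORG_RANGES)

def track_back(notification, log):
    """Step 2: map the public From IP back to the internal clients that contacted
    the To IP. The whole log is searched, not just the notified date (step 2a)."""
    _date, from_ip, to_ip = parse_notification(notification)
    if not belongs_to_org(from_ip):
        return None  # not our address: nothing to track back
    hits = defaultdict(list)
    for line in log.splitlines():
        d, client, nat_ip, dst, port, action = line.split()
        if ipaddress.ip_address(nat_ip) == from_ip and ipaddress.ip_address(dst) == to_ip:
            hits[client].append((d, port, action))
    return dict(hits)

def first_seen(hits):
    """Earliest sighting per client: how far back the infection may go."""
    key = lambda d: datetime.strptime(d, "%d/%m/%Y")
    return {client: min((d for d, _, _ in rows), key=key) for client, rows in hits.items()}
```

A DENY entry is still a hit: the client tried to reach the beacon destination even though the boundary blocked it.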


Typical Spearphish Notification

BEGIN

(PROTECTIVE MARKING) GovCertUK is aware of the following malicious email sent to your organisation

(PROTECTIVE MARKING) Date: [dd/mm/yyyy]

(PROTECTIVE MARKING) From: [email address]

(PROTECTIVE MARKING) Recipients: [email address list]

(PROTECTIVE MARKING) Subject Line: [subject]

(PROTECTIVE MARKING) Attachment: [file name of any attachments]

(PROTECTIVE MARKING) We recommend, at a minimum, that you search through all email logs for the information listed above, with the intention of quarantining or deleting matching messages (hopefully, before the user has opened them).

END

Recommended Actions for Spearphish, above and beyond basic AV / Malware scanning

1. Identify the email from mail logs

a. Establish whether the mail was delivered, blocked or sent to an invalid recipient

b. Use the subject or other feature (mailers etc) within the email to identify any further, similar emails that may have been received – this notification may not be the only email received

2. Using the contents of the email

a. Search proxy, web and DNS logs to identify whether a link within the email has been activated by the user – if you have the body of the email in your logs, this task should be completed even if the link was not clicked

b. Search for any attachments being saved to the file system (incl. Temp areas) or new activity emanating from the client machine that the email was opened on

3. If you have positive results in logs for the activated link, attachments being put down on the file system or new/strange network activity, this is a strong indicator of compromise and an investigation should be launched

4. Follow your incident handling policies and procedures

a. If there are special circumstances, GovCertUK will notify you and advise accordingly – in the case of APT, cleaning a single machine is unlikely to completely remove the malicious actor - seek advice from GovCertUK.
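The spearphish triage steps above (1a, 1b, 2a, 2b and 3), worked as an added example that is not part of the GovCertUK document: the notification fields and the mail-gateway, proxy and endpoint file-event extracts are all constructed, and their field layouts are assumptions.

```python
import re
from collections import defaultdict

# Constructed spearphish notification in the Appendix B layout (all values invented)
NOTICE = {"from": "hr-update@example.net", "subject": "Pension scheme changes",
          "attachment": "Pension_Changes.pdf.exe", "link_host": "example-docs.net"}

# Constructed mail gateway, web proxy and endpoint file-event log extracts
MAIL_LOG = """\
17/06/2013 09:01 from=hr-update@example.net to=a.smith@dept.example subject="Pension scheme changes" status=delivered
17/06/2013 09:01 from=hr-update@example.net to=j.doe@dept.example subject="Pension scheme changes" status=blocked
17/06/2013 09:02 from=hr-update@example.net to=nobody@dept.example subject="Pension scheme changes" status=invalid_recipient
17/06/2013 09:15 from=payroll@example.net to=k.lee@dept.example subject="Pension scheme changes v2" status=delivered
"""
PROXY_LOG = """\
17/06/2013 09:20 10.20.30.41 GET http://example-docs.net/pension/update.php 200
17/06/2013 09:25 10.20.30.55 GET http://www.example.com/ 200
"""
FILE_EVENTS = """\
17/06/2013 09:21 10.20.30.41 CREATE C:\\Users\\asmith\\AppData\\Local\\Temp\\Pension_Changes.pdf.exe
"""

MAIL_RE = re.compile(r'from=(\S+) to=(\S+) subject="([^"]*)" status=(\S+)')

def find_mail(mail_log, notice):
    """Step 1a: group matching mail by delivery status. Step 1b: a matching
    subject from a different sender is recorded as a 'similar' email."""
    found = defaultdict(list)
    for m in MAIL_RE.finditer(mail_log):
        sender, rcpt, subject, status = m.groups()
        if sender == notice["from"] or notice["subject"].lower() in subject.lower():
            found[status if sender == notice["from"] else "similar"].append(rcpt)
    return dict(found)

def link_activated(proxy_log, host):
    """Step 2a: internal clients that fetched anything from the link's host."""
    return sorted({l.split()[2] for l in proxy_log.splitlines() if f"://{host}/" in l})

def attachment_dropped(file_events, name):
    """Step 2b: clients on which the named attachment was written to disk."""
    return sorted({l.split()[2] for l in file_events.splitlines() if l.endswith(name)})

def triage(notice, mail_log, proxy_log, file_events):
    """Step 3: any positive proxy or file-system result is a strong indicator of compromise."""
    result = {"mail": find_mail(mail_log, notice),
              "link_clients": link_activated(proxy_log, notice["link_host"]),
              "drop_clients": attachment_dropped(file_events, notice["attachment"])}
    result["strong_ioc"] = bool(result["link_clients"] or result["drop_clients"])
    return result
```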


Appendix C – Management Information

GovCertUK requests that Departments send a subset of management information on computer incidents / events where:

• Actions to investigate a declared or potential incident have taken place

• Number and type of incidents

• Incidents declared by a 3rd party (e.g. a supplier to the Department in question) relevant to your ICT system

GovCertUK would be interested in these types of incidents – insider threat (anonymised), IDS firings that are true positives, unwarranted configuration changes, privilege escalation without authority, Virus/Malware/Trojan/Spyware/RansomWare outbreaks, beacons, targeted malicious emails, remediation actions taken and any interesting findings.

It is accepted that different Departments will have different sets of information in different formats. A brief covering note explaining the statistical information would be gratefully received.


Appendix D – Definitions

Term Definition

Alert An atomic occurrence that has triggered a system or person to take notice. These are likely to come from Systems rather than People and are usually from event based monitoring tools such as proxys, intrusion detection/prevention systems, traffic monitors, etc.

Event A set of Alerts that are cause for concern and need investigating

Incident An Event or set of Events that have activated incident response activities or meet GovCertUK Category A, B or C.

Targeted Attack An attack that has been specifically crafted for a particular individual or organisation. This type of attack is likely to have been preceded by reconnaissance activity.

Non Targeted Attack An attack where an individual or organisation has not been specifically selected. This is likely to manifest itself in normal spam or port scanning (but not always!)

Defacement This is generally a targeted attack that aims to impact the reputation of the organisation or individual. This is likely to manifest itself on web sites exploiting vulnerabilities that have been identified through reconnaissance.

Denial of Service This attack is normally used to degrade web based services (either static, dynamic or transactional) with the intention of causing reputational damage to the organisation or individual. It is not uncommon that side attacks follow by other malicious actors looking to capitalise on the situation.

Spearphish This attack manifests itself in the form of targeted emails; usually containing a link and a socially engineered piece of text enticing the user to click the link. They are likely to contain malicious attachments using various methods to obfuscate their filenames to avoid detection and named to entice the user to open them. Not all spearphish emails are well crafted – some are very good though.

Advanced Persistent Threat APT is the term used to identify malicious actors who are determined to gain and retain access within a network to meet requirements being levied upon them. These malicious actors are well versed in their trade and are effective at hiding and evading Anti virus/anti malware, Content Filters, IDS, IPS, etc. Malicious actors are most likely to use Spearphish emails and watering holes but have used zero-days and other nefarious means to gain access.

Watering Hole A web site that has been compromised with the intention to serve malicious content to specific and likely unknown IP addresses with the effect of compromising specific targets of interest

Zero-day A vulnerability that has been identified in software that has no available patch.

Exfiltration The unauthorised copying of data out of a network by a malicious actor


Beaconing Typically a packet sent by malicious software informing the malicious actor that it is available and ready to be used

Reconnaissance The deliberate act by a malicious actor to research targets and form a plan of action often leading to a compromise and exfiltration of data

Kill Chain The set of events used to describe the process that APT actors utilise to meet their end goal – Recon, Weaponisation, Delivery, Exploit, Installation, Command and Control (C2C), Tasking

Incident Response A set of stages to move through in order to deal with a compromise – Planning, Identification, Containment, Eradication, Remediation, Improvement


Appendix E – Contact Information

Telephone

UNCLASSIFIED 01242 709311 (24x7x365)

BRENT 01138 936847

For Incident Reporting or Tipping

UNCLASSIFIED incidents@govcertuk.gov.uk

RESTRICTED incidents@govcertuk.gsi.gov.uk

For General Enquiries / Advice

UNCLASSIFIED enquiries@govcertuk.gov.uk

RESTRICTED enquiries@govcertuk.gsi.gov.uk

For Samples (zip file with password set as “infected”)

UNCLASSIFIED samples@govcertuk.gov.uk

RESTRICTED samples@govcertuk.gsi.gov.uk
