Templates for reporting a security incident

(The templates are taken from the EGEE OSCT incident response procedure, with minor modifications)

Should a security incident be suspected, the use of the following email templates is encouraged.

Heads-up email template

The first template is aimed at notifying the grid participants soon after the incident has been discovered (heads-up), as described in Step 3 of the GridPP incident handling procedure.

=====================Heads-up email Template=====================

FROM: your_email_address@your_organisation
TO: GridPP-CSIRTs@jiscmail.ac.uk;
SUBJECT: Security incident suspected at [your site]

** PLEASE DO NOT REDISTRIBUTE **
GridPP-[DATE] (ex: GridPP-20090531)
** This message is sent to the GridPP CSIRTs and must NOT be publicly archived **

Dear CSIRTs,

It seems a security incident has been detected at [site name].

Summary of the information available so far:

[Ex: A malicious SSH connection was detected from 012.012.012.012. The extent of the incident is unclear for now, and more information will be published in the coming hours as forensics progress at our site. However, all sites should check for successful SSH connections from 012.012.012.012 as a precautionary measure.]

=====================End of Template===========================

Following-up email template

The second template can be used to provide a detailed view of the incident, and may be completed and reposted as the investigation progresses, as described in Step 5 of the GridPP incident handling procedure.

=====================Following-up email Template=====================

FROM: your_email_address@your_organisation
TO: GridPP-CSIRTs@jiscmail.ac.uk
SUBJECT: Security incident suspected at [site name]

** PLEASE DO NOT REDISTRIBUTE **
GridPP-[DATE] (ex: GridPP-20090531)
** This message is sent to the GridPP CSIRTs and must NOT be publicly archived **

Dear CSIRTs,

It seems a security incident has been detected at [site name].

- Short summary of the incident
[Provide a high level overview of the incident]
- Host(s) affected
[List of compromised hosts and/or hosts running suspicious user code. ex: grid-worker-node-124.mysite.org (123.123.123.123)]
- Host(s) used as a local entry point to the site (ex: UI or WMS IP address)
[The host that the attacker is likely to have used to access the site. ex: grid-ui-101.mysite.org (123.123.123.124)]
- Remote IP address(es) of the attacker
[The remote host from which the attacker is likely to have connected. ex: 123.adsl.somecorp.com (012.012.012.012)]
- Evidence of the compromise, including timestamps (ex: suspicious files or log entry)
[Ex: the attacker logged in as root from 123.adsl.somecorp.com. Times are UTC: Mar 24 12:00:09 grid-ui-101 sshd[13896]: Accepted password for root from 012.012.012.012]
- What was lost, details of the attack
[Provide available details on the extent of the compromise. For ex: System logs revealed the attacker guessed the root password of grid-ui-101 on Mar 24 12:00:09 (UTC) after hundreds of attempts. Then, the attacker [...] etc.]
- If available and relevant, the list of other sites possibly affected
[Ex: firewall logs reveal suspicious SSH connections from the compromised node to gridui.friendlysite.org on Mar 24 13:01:03 (UTC). friendlysite.org has been contacted.]
- Possible vulnerabilities exploited by the attacker
[Ex: the attacker exploited a weak root password and gained further access by exploiting CVE-2009-NNNN against [...] etc.]
- The actions taken to resolve the incident
[Ex: Disk images have been saved, hosts have been reinstalled from scratch with new, strong root passwords, and SSH has been configured to prevent "root" logins with password.]
- Recommendations for other sites, actions suggested
[Ex: Sites should check and report any successful SSH connection from grid-ui-101 between Mar 24 12:00:09 (UTC) and Mar 24 17:00:00 (UTC). It is also recommended to avoid direct SSH access, and to configure sshd with "PermitRootLogin without-password".]
- Timeline of the incident
[Ex:
2009-03-24 09:12:43 Multiple SSH connection attempts from 012.012.012.012
2009-03-24 12:00:09 Attacker connects as root on grid-ui-101.mysite.org from 012.012.012.012
2009-03-24 13:01:03 SSH scan from grid-ui-101 against grid-ui.friendlysite.org
[...]
2009-03-24 15:00:00 Site security team investigating
2009-03-24 15:34:00 GridPP CSIRTs informed via GridPP CSIRTs mailing list
[...]]


=====================End of following-up email Template=====================
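Both templates ask other sites to check their own logs for successful SSH connections from the reported source within the reported time window, and the "Evidence of the compromise" section expects the matching sshd lines with UTC timestamps. The script below is an added example of that check, not part of the GridPP or EGEE OSCT procedure. It parses syslog-style sshd authentication lines, returns the accepted logins from a given source inside a UTC window, and counts the failed attempts from the same source that preceded the first accepted login (the "after hundreds of attempts" context the template asks for). The log lines, the year (syslog lines carry none) and the host names are constructed for the example; the source address is the template's own placeholder.

```python
"""Check sshd logs for accepted logins from a reported source in a UTC window (added example)."""
import re
from datetime import datetime, timezone

# Constructed sample sshd log in syslog format (UTC), modelled on the evidence line in the template.
SAMPLE_LOG = """\
Mar 24 09:12:43 grid-ui-101 sshd[13801]: Failed password for root from 012.012.012.012 port 40122 ssh2
Mar 24 09:12:47 grid-ui-101 sshd[13801]: Failed password for root from 012.012.012.012 port 40122 ssh2
Mar 24 09:13:02 grid-ui-101 sshd[13805]: Failed password for invalid user admin from 012.012.012.012 port 40130 ssh2
Mar 24 11:59:31 grid-ui-101 sshd[13890]: Accepted publickey for gridadmin from 123.123.123.50 port 51002 ssh2
Mar 24 12:00:09 grid-ui-101 sshd[13896]: Accepted password for root from 012.012.012.012 port 40210 ssh2
Mar 24 12:00:10 grid-ui-101 sshd[13896]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 24 18:30:00 grid-ui-101 sshd[14102]: Accepted password for root from 012.012.012.012 port 40555 ssh2
"""

# Matches the OpenSSH "Accepted"/"Failed" authentication lines; other sshd lines are ignored.
SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<source>\S+) port \d+"
)


def parse_sshd_line(line, year):
    """Parse one sshd authentication line into a dict, or return None for any other line.

    Syslog timestamps have no year, so the caller supplies it (watch for logs that
    span a year boundary). Timestamps are taken as UTC, as the template requires.
    """
    m = SSHD_AUTH_RE.match(line)
    if m is None:
        return None
    ts_text = re.sub(r"\s+", " ", m["ts"])  # "Mar  4" -> "Mar 4"
    when = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return {
        "time": when.replace(tzinfo=timezone.utc),
        "host": m["host"],
        "result": m["result"],
        "method": m["method"],
        "user": m["user"],
        "source": m["source"],
    }


def _utc(text):
    """Parse an ISO-8601 string such as '2009-03-24 12:00:09'; naive values are taken as UTC."""
    when = datetime.fromisoformat(text)
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def triage(lines, source, year, window_start, window_end):
    """Accepted logins from `source` inside [window_start, window_end], plus brute-force context.

    Returns a dict with the list of accepted events in the window and the number of
    failed attempts from the same source that preceded its first accepted login anywhere
    in the log (the window only restricts the accepted logins being reported).
    """
    events = [ev for ev in (parse_sshd_line(line, year) for line in lines)
              if ev is not None and ev["source"] == source]
    start, end = _utc(window_start), _utc(window_end)
    accepted = [ev for ev in events
                if ev["result"] == "Accepted" and start <= ev["time"] <= end]
    first_accept = min((ev["time"] for ev in events if ev["result"] == "Accepted"),
                       default=None)
    failed_before = sum(1 for ev in events
                        if ev["result"] == "Failed"
                        and (first_accept is None or ev["time"] < first_accept))
    return {"accepted": accepted, "failed_before_first_accept": failed_before}


def format_evidence(events):
    """Render events in the style of the template's 'Evidence of the compromise' section."""
    return [f"{ev['time']:%b %d %H:%M:%S} {ev['host']} sshd: {ev['result']} {ev['method']} "
            f"for {ev['user']} from {ev['source']} (UTC)" for ev in events]


if __name__ == "__main__":
    # Window and source as reported in the follow-up template's recommendations.
    result = triage(SAMPLE_LOG.splitlines(), "012.012.012.012", 2009,
                    "2009-03-24 12:00:09", "2009-03-24 17:00:00")
    for line in format_evidence(result["accepted"]):
        print(line)
    print(f"failed attempts before first accepted login: {result['failed_before_first_accept']}")
```

On the sample log the window selects only the 12:00:09 root login (the 18:30:00 login falls outside the window and would be reported separately), and the three earlier failed attempts are counted as brute-force context. In a real check, feed the site's own `/var/log/secure` or `auth.log` lines in place of the constructed sample, keep the host's log clock in UTC so the timestamps line up with the CSIRT report, and hand the matching lines to the "Evidence of the compromise" section rather than summarising them.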


Last modified Fri 13 November 2009