Incident Handling 101

Published: 2007-11-15
Last Updated: 2007-11-15 19:59:01 UTC
by Mari Nichols (Version: 3)

Every day we see exploits new and old, patches and vulnerabilities, DoS and DDoS.  As the newest member of the Internet Storm Center, I am in data gathering mode.  Even though I have been a GCIH (#50) since 2000, we as handlers have to learn the incident handling process all over again every time we join a new team.  As a new handler, my first question was: where is the contact list?  The first step in the Incident Handling process is preparation, so let’s do it.  Let’s get this list updated.

By the way, if you need to know how to prepare for an incident, SANS has great Incident Handling Forms as part of SCORE (Security Consensus Operational Readiness Evaluation).  SCORE is “dedicated to providing a community consensus minimum standard of procedures, and checklists for overall infrastructure security.”  There is no need to reinvent the wheel, so check out the forms and prepare your team for an incident.

So we ask, if you are on a CIRT team and would like for us to have your team’s contact information in case we see activity you should know about, please send it to us on our contact page.  We look forward to hearing from you.

Fair Winds, Mari

Follow-up:  Thanks everyone!  We are getting a great response, and we would like to publish a public contact page on our website.  So please state which information you want publicly available, and include separately any private contacts that should be kept to the Storm Center Handlers only.  Be sure to include AS numbers and CIDR blocks if possible.

Update:  Thanks go out to Reg who wrote in to remind us to check our whois information and make sure it is accurate.  This procedure should be worked into a regular routine for our teams.  It sure would help during an incident.
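As an added example (not part of this diary), here is a small Python check a team could run over its own contact roster before sending it in: it validates the AS numbers and CIDR blocks, confirms that both a publishable contact and a handlers-only contact exist, and flags whois records that have not been re-verified recently. The roster below is constructed sample data, and the 90-day re-check interval is an assumption.

```python
import ipaddress
from datetime import date

# Constructed sample roster (not real team data); the second entry is deliberately bad.
ROSTER = [
    {
        "team": "Example CIRT A",
        "asns": [64496],
        "cidrs": ["192.0.2.0/24", "2001:db8::/32"],
        "public": {"email": "abuse@example.net"},   # may go on the published page
        "private": {"pager": "+1-555-0100"},        # Storm Center handlers only
        "whois_verified": "2007-11-01",
    },
    {
        "team": "Example CIRT B",
        "asns": [0, 4294967296],
        "cidrs": ["198.51.100.0/33", "203.0.113.5/24"],
        "public": {},
        "private": {"phone": "+1-555-0199"},
        "whois_verified": "2007-01-15",
    },
]

MAX_ASN = 2**32 - 1   # 32-bit AS numbers; 0 and the maximum value are reserved

def validate_entry(entry, today, max_whois_age_days=90):
    """Return the problems found in one roster entry; an empty list means it is ready."""
    problems = []
    for asn in entry.get("asns", []):
        if not 1 <= asn < MAX_ASN:
            problems.append(f"AS number out of range: {asn}")
    for cidr in entry.get("cidrs", []):
        try:
            ipaddress.ip_network(cidr, strict=True)  # strict also rejects host bits set
        except ValueError as exc:
            problems.append(f"bad CIDR block: {exc}")
    if not entry.get("public"):
        problems.append("no public contact to put on the published page")
    if not entry.get("private"):
        problems.append("no handler-only contact for non-public notification")
    # Whois data drifts, so flag records nobody has confirmed lately (90 days is an assumed limit)
    age = (today - date.fromisoformat(entry["whois_verified"])).days
    if age > max_whois_age_days:
        problems.append(f"whois data last verified {age} days ago; re-check it")
    return problems

def validate_roster(roster, today_iso):
    """Map each team name to its problem list, as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return {e["team"]: validate_entry(e, today) for e in roster}
```

Run `validate_roster(ROSTER, "2007-11-15")` and the clean entry comes back empty while the bad one lists both out-of-range AS numbers, both malformed blocks, the missing public contact and the stale whois check.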
