
SANS ISC InfoSec Handlers Diary Blog



Making Intelligence Actionable: Part 2

Published: 2008-10-30
Last Updated: 2008-10-30 16:53:40 UTC
by Kevin Liston (Version: 1)
0 comment(s)

In addition to making malware and vulnerability intelligence actionable for the system administrator, there is also the problem of making intelligence actionable to victims and law enforcement.

There are three different players in this scenario: the researcher, the victim, and the law enforcer.

The researcher is the one who is monitoring the network or analyzing the malware, and eventually they will come upon somebody’s private information.
The victim is the person or organization whose information has been stolen.
The law enforcer is the organization that has the power to apprehend and punish criminals.

In its simplest form, the flow of information should go like this:

1) The researcher identifies that Group A used IP address B during time-frame C.
2) The victim group takes B and C to identify a list of victims D and a total impact of $E.
3) The law enforcer is given A through E, and if everything is accurate and E is large enough, they can pursue and prosecute Group A.

This is nice and simple, right? Except that there are limitations in how these three players are allowed to communicate and cooperate. Researchers can only talk to law enforcers on an “intelligence only” basis. Law enforcers can’t build cases without victims. Victims don’t always know that they’re victims, or that their case, when added to others’, can actually have an impact.

I recently had the opportunity to sit in a room where all three players were represented. There was a tremendous amount of progress made in those few days. As one other attendee noted: “if we had this for a month, we could probably knock out all Internet crime.” I know that was hyperbole, but I think that the group could have reduced 80% of it (citing the 80/20 rule).

A light bulb went on inside my head when a presenter explained it this way: intelligence is not evidence; we cannot have evidence without a crime; and we cannot have a crime without a victim.

There are a few forums that attempt to link these three groups. They still need some development.

If you’re a home user or small business, consider reporting to the Internet Crime Complaint Center (http://www.ic3.gov). If you are a larger organization, consider joining one of these information-sharing forums.

Kevin Liston
kliston at isc.sans.org

Keywords: intelligence
0 comment(s)

Day 30 - Applying Patches and Updates

Published: 2008-10-30
Last Updated: 2008-10-30 15:06:39 UTC
by Kevin Liston (Version: 2)
0 comment(s)

Today's topic revolves around applying patches and updates as a response measure.

My first personal comment is that patching and updating is really a Preparation step and helps avoid incidents in the first place.  But we all already knew that. :-)  I'm interested in how your patching and updating process differs when you've had an incident before patches become available.

Reader comments to follow...

Chris: wants to remind us about Secunia's PSI inspector. I should also point out that we mustn't forget home-user-scale incident response.

Anonymous: wants to remind us to disable an unpatched service until the patch becomes available, especially in the dreaded "zero day" scenario with exploits ongoing and patches still being developed/tested.

Keywords: Awareness2008
0 comment(s)

Opera 9.62 available - security update

Published: 2008-10-30
Last Updated: 2008-10-30 14:12:27 UTC
by Kevin Liston (Version: 1)
0 comment(s)

Eagle-eyed reader Juha-Matti reports that Opera has released a security update to 9.62: http://www.opera.com/docs/changelogs/windows/962/

This update addresses the following issues:

Advisory: History Search can be used to execute arbitrary code: http://www.opera.com/support/search/view/906/

Advisory: The links panel can allow cross-site scripting: http://www.opera.com/support/search/view/907/

The latest version is available here: http://www.opera.com/download/


Keywords: opera
0 comment(s)

Vista updates (KB957200 and KB953155)

Published: 2008-10-30
Last Updated: 2008-10-30 14:02:45 UTC
by Kevin Liston (Version: 2)
1 comment(s)

A few readers are writing in to ask about two recent updates appearing in their queue: KB957200 and KB953155.

KB957200 is listed as a reliability update and according to Microsoft: "this update resolves some performance and reliability issues in Windows Vista. By applying this update, you can achieve better performance and responsiveness in various scenarios. After you install this item, you may have to restart your computer."

KB953155 is a security update related to MS08-062 (not -067 as I previously wrote; thanks, t.)

Keywords:
1 comment(s)