URL: https://auscert.org.au/publications/member-information/2017-06-30-guide-auscert-member-security-incident/

PUBLICATIONS


A GUIDE TO AUSCERT MEMBER SECURITY INCIDENT NOTIFICATIONS: MSIN

11 Jul 2017

Member information


INTRODUCTION

As part of its ongoing efforts to enhance member services, AUSCERT has launched
its Member Security Incident Notification services.


WHAT’S AN MSIN?

An MSIN is a daily customised composite security report targeted towards AUSCERT
member organizations. It contains a compilation of “security incident reports”
as observed by AUSCERT through its threat intelligence platforms.


DAILY

 * MSINs are issued on a daily basis.
 * They are only issued to a member if at least one incident report specific to
   the member is detected within the past 24-hour period.
 * This also means, if there are no incidents to report, you will not receive an
   MSIN!

It follows that the more security incidents are spotted for your organization,
the more incident reports are included in the MSIN, and the larger the MSIN you
receive!


CUSTOMISED

 * MSINs are tailored for each member organization, based on the IPs and domains
   the member has provided.
 * To receive accurate and useful MSINs, it’s important you keep this
   information updated (see FAQ).


SEVERITY

Individual events in MSINs are categorised into the following severity levels:

 * Critical: Highly critical vulnerabilities that are being actively exploited,
   where failure to remediate poses a very high likelihood of compromise. For
   example, a pre-auth RCE, or modification or leakage of sensitive data.
 * High: End-of-life systems; systems that are meant to be internal but can be
   logged into with authentication (SMB, RDP); cases where some data can be
   leaked. Sinkhole events end up in this category.
 * Medium: Risk that does not pose an immediate threat to the system but can over
   time escalate to a higher severity. For example: risk of participating in
   DDoS; unencrypted services requiring login; vulnerabilities requiring
   visibility into network traffic (MITM without being able to manipulate the
   traffic) to exploit; or vulnerabilities where the attacker needs to know
   internal systems/infrastructure in order to exploit them.
 * Low: Deviation from best practice – little to no practical way to exploit, but
   the setup is not ideal. Vulnerabilities requiring MITM (including manipulating
   the traffic) to exploit. For example, SSL POODLE reports may end up in this
   category.
 * Info: Informational only. Typically no concerns. Review in accordance with
   your security policy.

These severity levels are based on those used by Shadowserver. Events which have
not been assigned a severity will be marked as Unknown.

A summary of reports by severity level can be found at the top of your MSIN. For
example:

    Summary of reports based on severity:

    * Critical: accessible-ssh 3
    * High    : vulnerable-exchange-server 1
    * Medium  : accessible-cwmp 1

The MSIN subject will be prefixed with the highest level severity seen in the
report. For example:

[Severity:CRITICAL] AusCERT Member Security Incident Notification (MSIN) for
“Member Name”


COMPOSITE

 * Each MSIN could potentially consist of multiple incident TYPE reports. For
   example, it could contain an Infected Hosts report which highlights hosts
   belonging to a member organization that have been spotted attempting to
   connect to a known botnet C&C server, followed by a DNS Open Resolvers report
   listing open recursive DNS resolvers that could be used in a DNS
   amplification DDoS attack.
 * Each incident type report could also include multiple incident reports. For
   example, this “infected hosts” report contains 2 incidents:
   
       Incidents Reported
   
       Timestamp:                      2015-08-25T00:20:34+00:00
       Drone IP:                       123.456.789.abc
       Drone Port:                     13164
       Drone Hostname:                 abc.xxx.xxx.xxx.au
       Command and Control IP:         aaa.bbb.ccc.ddd
       Command and Control Hostname:   imacnc1.org
       Command and Control Port:       80
       Malware Type:                   redyms
   
       Timestamp:                      2015-08-25T00:20:34+00:00
       Drone IP:                       321.654.987.cba
       Drone Port:                     2343
       Drone Hostname:                 def.xxx.xxx.xxx.au
       Command and Control IP:         ddd.eee.fff.ggg
       Command and Control Hostname:   imacnc2.org
       Command and Control Port:       123
       Malware Type:                   dyre
   
   All timestamps are in UTC
   
   It is imperative these incidents be reviewed and handled individually.


STRUCTURE

An MSIN has the following basic structure.
==================HEADING FOR INCIDENT TYPE 1==============
Incident Type
Name of the incident and any known exploited vulnerabilities and associated
CVEs.

Incident Description
Further information on potential attack vectors and impacts.

Incidents Reported
List of individual reports sighted by AUSCERT
Incident report 1
Incident report 2
…
Incident report n

AUSCERT recommended mitigations
Steps for resolution of incidents or mitigation of vulnerabilities which could
be exploited in the future.
References
Links to resources referenced within the report
Additional Resources
Links to additional material such as tutorials, guides and whitepapers relevant
to the report, aimed at enhancing the recipient’s understanding of the addressed
vulnerabilities, potential impacts and mitigation techniques.

=============================END OF REPORT=========================

=====================HEADING FOR INCIDENT TYPE 2====================
Incident Type
Incident Description

Incidents Reported
Incident report 1
Incident report 2
…
Incident report n
AUSCERT recommended mitigations
References
Additional Resources
=============================END OF REPORT=========================
…
…
=====================HEADING FOR INCIDENT TYPE X====================
=============================END OF REPORT=========================
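The following is an added example written for this guide, not AUSCERT's own code or tooling. It shows how a member could consume an MSIN programmatically using only the conventions described above: the severity summary block and its subject prefix (SEVERITY section), the "Key: value" incident records under "Incidents Reported" (COMPOSITE section), and the HEADING FOR INCIDENT TYPE / END OF REPORT delimiters (STRUCTURE section). The sample MSIN body is constructed for the example, the exact delimiter layout is assumed from the structure shown above, and the drone IPs and hostnames are placeholders in the style of the guide's example. It also handles one edge case the guide calls out: every timestamp is normalised to UTC, so a record carrying another offset is compared correctly.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Severity levels as listed in the guide, highest first; "Unknown" is what the
# guide says unassigned events are marked as.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]

# Section headings from the guide's STRUCTURE section.
SECTION_NAMES = ("Incident Type", "Incident Description", "Incidents Reported",
                 "AUSCERT recommended mitigations", "References",
                 "Additional Resources")

# One report = everything between a HEADING FOR INCIDENT TYPE line and the
# END OF REPORT line (delimiter layout assumed from the guide).
REPORT_RE = re.compile(
    r"=+HEADING FOR INCIDENT TYPE \d+=+\n(.*?)\n=+END OF REPORT=+", re.S)
# Summary line, e.g. "* High    : vulnerable-exchange-server 1"
SUMMARY_RE = re.compile(r"^\*\s*(\w+)\s*:\s*(\S+)\s+(\d+)\s*$", re.M)

# Constructed sample MSIN body (not a real notification). IPs/hostnames are
# placeholders; the second timestamp deliberately uses a non-UTC offset.
SAMPLE_MSIN = """\
Summary of reports based on severity:

* High    : infected-hosts 2
* Medium  : dns-open-resolvers 1

==================HEADING FOR INCIDENT TYPE 1==============
Incident Type
Infected Hosts

Incidents Reported
Timestamp:                      2015-08-25T00:20:34+00:00
Drone IP:                       123.456.789.abc
Malware Type:                   redyms

Timestamp:                      2015-08-25T10:20:34+10:00
Drone IP:                       321.654.987.cba
Malware Type:                   dyre

AUSCERT recommended mitigations
Isolate and reimage the affected hosts.
=============================END OF REPORT=========================
==================HEADING FOR INCIDENT TYPE 2==============
Incident Type
DNS Open Resolvers

Incidents Reported
Timestamp:                      2015-08-25T01:02:03+00:00
IP:                             198.51.100.7
=============================END OF REPORT=========================
"""


@dataclass
class IncidentReport:
    incident_type: str
    description: str
    incidents: list      # one dict per individual incident
    mitigations: str


def parse_summary(text):
    """Map (severity, report name) -> count from the summary block."""
    return {(sev, name): int(n) for sev, name, n in SUMMARY_RE.findall(text)}


def subject_prefix(summary):
    """Subject prefix from the highest severity present, e.g. '[Severity:HIGH]'.
    Returns None for an empty summary: per the guide, no MSIN is issued then."""
    present = {sev for sev, _ in summary}
    for sev in SEVERITY_ORDER:
        if sev in present:
            return f"[Severity:{sev.upper()}]"
    return None


def split_sections(body):
    """Group a report body's lines under the section heading they follow."""
    sections, current = {}, None
    for line in body.splitlines():
        if line.strip() in SECTION_NAMES:
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_incidents(lines):
    """Parse 'Key: value' records separated by blank lines. Timestamps become
    timezone-aware datetimes normalised to UTC (the guide: all times are UTC)."""
    records, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")  # first ':' only; times contain ':'
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    for rec in records:
        if "Timestamp" in rec:
            rec["Timestamp"] = datetime.fromisoformat(
                rec["Timestamp"]).astimezone(timezone.utc)
    return records


def parse_msin(text):
    """Return (summary, [IncidentReport, ...]) for one MSIN body."""
    def joined(sec, name):
        return " ".join(l.strip() for l in sec.get(name, []) if l.strip())
    reports = []
    for body in REPORT_RE.findall(text):
        sec = split_sections(body)
        reports.append(IncidentReport(
            incident_type=joined(sec, "Incident Type"),
            description=joined(sec, "Incident Description"),
            incidents=parse_incidents(sec.get("Incidents Reported", [])),
            mitigations=joined(sec, "AUSCERT recommended mitigations")))
    return parse_summary(text), reports


def summary_matches(summary, reports):
    """Sanity check: summary counts should equal the incidents actually parsed."""
    return sum(summary.values()) == sum(len(r.incidents) for r in reports)


if __name__ == "__main__":
    summary, reports = parse_msin(SAMPLE_MSIN)
    print(subject_prefix(summary), "consistent:", summary_matches(summary, reports))
```

Each parsed incident is a separate record, which matches the guide's point that incidents must be reviewed and handled individually; the summary_matches check flags a truncated or mis-parsed notification before anyone acts on it.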


FREQUENTLY ASKED QUESTIONS

 1. How can I update domain/IP information for my organization?
    
    If you are a Primary AUSCERT contact, simply write to AUSCERT Membership at
    membership@auscert.org.au and provide the updated information. If you have a
    privileged account in the Member portal you can request changes through the
    portal.
    
    AUSCERT will perform a validation check to ensure the domains are under your
    organization’s ownership or control prior to including them in the
    monitoring list.

 2. Where does the information in an MSIN come from?
    
    AUSCERT receives information relating to compromised and/or vulnerable
    resources from several trusted third parties, through secure means.
    
    The trust relationship between AUSCERT and third parties entails conditions
    which prevent disclosure of the source(s) of information.
