Responding to Security Incidents

Hi everyone,

The network I am the admin of has had quite a few security breach attempts on it.
I have noticed that within the last few months attacks have become more frequent, and the attacks are usually from the same two companies.

So I have decided it's time I started emailing abuse@whatever to report these incidents.
However, since this is my first time, I don't know what to write in the email or what I should include.

The only things I can think to attach to the email are: firewall logs, whois, finger, nslookup.

Can someone please show me a good template email I can send to these ISPs, and also what to attach?


3 Solutions
If the presumption is that these "attacks" are probably some infected computers on their subnet, then a short email explaining the problem and the relevant snippet from a relevant log (firewall or email header) that shows where it is coming from should be all you need.
There is no particular format; if you want to know exactly what they need, call them and ask.
I've had an infected computer on my network once and people complained and I got some warnings :o) It wasn't fun to find that workstation. Also, if your firewall blocks the attacks then there's not much to worry about. If you're running PIX, make sure you have the latest IOS installed for additional peace of mind. And keep checking those logs; that's always a good thing.
Reid Palmeira (Telecom Engineer) commented:
Each ISP may ask for different things from you. The essentials usually include logs that contain the offending and target IP addresses, the times of the attacks (don't forget to note the time zone) and the nature of the offense. When I send them, I usually start with something like:

Attn _______ Network Support,
  This message is to inform you that our network has logged potentially malicious activity coming from an IP address in your registered range.  The log file snippet below contains.......
  This message is for your information and reference. Future malicious activity may result in further action taken
Thank you,

Make it short and to the point, and make sure it contains all necessary info for the ISP. Also note that most of the abuse@ email addresses have an autoresponder (Comcast, for example), and outside of that autoresponder you'll probably get little or no response from them.

hope that helps. cheers,

Rich Rumble (Security Samurai) commented:
There is more to it than informing the ISP or company; you should also have a tracking system for yourself, one that goes beyond emails. You should document the incident: http://www.sans.org/incidentforms/
Logs are great, but if you have an IDS system such as Snort, you can show them actual packet captures. Event logs and syslogs are still very good.

When reporting abuse this is a very general template we follow:
Dear "SO AND SO"

At "TIME AND DATE" we detected suspicious/malicious activity coming from
"NETWORK_SUBNET OR HOST(s)". The activities have been blocked at our firewall, but are still
occurring/being attempted. Please investigate this activity and please inform us at
"EMAIL_ADDRESS" when corrective measures or actions have been taken.

Attached to this email are the following file types for cross-referencing
1) EventLog from M$ server
2) Packet capture from Snort-IDS
3) Syslog of pix TCP tear up/down of the tcp session
The current attempt rate is "X_AMOUNT" since "TIME_FIREWALL WAS UPDATED" (this line might not fit each situation)

If you require any further information, feel free to call us at "PHONE_NUMBER" or
email us at "EMAIL_ADDRESS". We will follow up on this issue in 1 hour if we have not
heard back from you. Thanks for your time and prompt attention.

Again, not all this info is available each time you detect something, but it gets the idea across. It's also best to zip
all attachments, and keep them as small as possible. The time zone is also important, as stated above.

It helps to look up the owner of the IP subnet, as there are often abuse addresses to write to there.
This can also help if the ISP is buying a range from a larger ISP, or when the user is from a cable
company or DSL service.

whois (microsoft.com)
[Querying whois.arin.net]
OrgName:    Microsoft Corp
OrgID:      MSFT
Address:    One Microsoft Way
City:       Redmond
StateProv:  WA
PostalCode: 98052
Country:    US
NetRange: -
NetHandle:  NET-207-46-0-0-1
Parent:     NET-207-0-0-0-0
NetType:    Direct Assignment
NameServer: NS1.MSFT.NET
NameServer: NS5.MSFT.NET
NameServer: NS2.MSFT.NET
NameServer: NS3.MSFT.NET
NameServer: NS4.MSFT.NET
RegDate:    1997-03-31
Updated:    2004-12-09
TechHandle: ZM39-ARIN
TechName:   Microsoft
TechPhone:  +1-425-882-8080
TechEmail:  noc@microsoft.com
OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName:   Hotmail Abuse
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  abuse@hotmail.com
OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName:   MSN ABUSE
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  abuse@msn.com
OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  abuse@microsoft.com
OrgNOCHandle: ZM23-ARIN
OrgNOCName:   Microsoft Corporation
OrgNOCPhone:  +1-425-882-8080
OrgNOCEmail:  noc@microsoft.com
OrgTechHandle: MSFTP-ARIN
OrgTechName:   MSFT-POC
OrgTechPhone:  +1-425-882-8080
OrgTechEmail:  iprrms@microsoft.com
# ARIN WHOIS database, last updated 2005-05-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database

The SANS policy pages are great resources also http://www.sans.org/resources/policies/
Sourceforge has some documents that are being generated regarding BS17799 that can be used as templates. http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=123341

In the case of any sort of breach you want to make sure you have a paper trail, with as much external collaboration as you can.

For example, start syncing the clocks on anything that can produce a log to a common source that is off-site. It is probably a good idea to have a server act as a syslogger to create an archive of your logs, so at a later date you could interpret the results from a series of events on different platforms.

But as was said before, limit your correspondence with the outside world to issue identification, a request for assistance and contact info for a follow-up.

Good luck,
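
Pulling together the advice in the answers above (a short report built from a log excerpt that shows the offending and target addresses, times with an explicit time zone, per-source attempt counts, and the abuse contact taken from whois), here is an added Python example; it is not code from the original thread or from any of the commenters. The log lines are constructed in the style of Cisco PIX %PIX-4-106023 deny messages, the whois excerpt, addresses (RFC 5737 documentation ranges) and contact details are all made up, and the firewall clock being at UTC-7 is an assumption.

```python
"""Build an ISP abuse report from firewall deny logs plus whois output.

Added example, not code from the original thread. Log lines, whois text,
addresses and contact details are all constructed (RFC 5737 ranges).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample: deny messages in the style of Cisco PIX %PIX-4-106023,
# as a syslog server would store them (year assumed to be logged).
SAMPLE_LOG = """\
May 12 2005 03:14:07: %PIX-4-106023: Deny tcp src outside:192.0.2.10/3456 dst inside:198.51.100.5/445 by access-group "outside_access_in"
May 12 2005 03:14:09: %PIX-4-106023: Deny tcp src outside:192.0.2.10/3457 dst inside:198.51.100.5/139 by access-group "outside_access_in"
May 12 2005 03:15:40: %PIX-4-106023: Deny tcp src outside:192.0.2.77/1044 dst inside:198.51.100.5/1433 by access-group "outside_access_in"
May 12 2005 03:16:02: %PIX-4-106023: Deny tcp src outside:203.0.113.9/2201 dst inside:198.51.100.7/22 by access-group "outside_access_in"
May 12 2005 03:16:03: %PIX-4-106023: Deny tcp src outside:192.0.2.10/3458 dst inside:198.51.100.5/445 by access-group "outside_access_in"
"""

# Constructed whois excerpt in the ARIN key/value layout shown in the thread.
SAMPLE_WHOIS = """\
OrgName:        Example Hosting
NetRange:       192.0.2.0 - 192.0.2.255
OrgAbuseHandle: EXABU-ARIN
OrgAbuseEmail:  abuse@example.net
OrgNOCEmail:    noc@example.net
"""

# Assumed: the firewall clock is UTC-7. PIX timestamps carry no zone, so the
# report must state one explicitly or the ISP cannot match its own logs.
FIREWALL_TZ = timezone(timedelta(hours=-7), "UTC-7")

DENY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-\d-106023: "
    r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_denies(text, tz=FIREWALL_TZ):
    """Return one dict per deny line; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S").replace(tzinfo=tz)
        events.append({"ts": ts, "proto": m["proto"], "src": m["src"],
                       "dst": m["dst"], "dport": int(m["dport"]), "raw": line})
    return events


def from_network(events, cidr):
    """Keep only events whose source lies in the netblock being reported."""
    net = ip_network(cidr)
    return [e for e in events if ip_address(e["src"]) in net]


def abuse_contacts(whois_text):
    """Every OrgAbuseEmail in ARIN-style whois output, in order of appearance."""
    return re.findall(r"^OrgAbuseEmail:\s*(\S+)", whois_text, re.M)


def build_report(events, cidr, whois_text, contact_email):
    """Render the abuse e-mail: summary with explicit time zone, per-source
    counts and targeted ports, then the raw log excerpt for cross-reference."""
    events = sorted(from_network(events, cidr), key=lambda e: e["ts"])
    if not events:
        # Refuse to produce an empty report rather than mail a bare template.
        raise ValueError(f"no events from {cidr}")
    first, last = events[0]["ts"], events[-1]["ts"]
    per_src = Counter(e["src"] for e in events)
    ports = defaultdict(set)
    for e in events:
        ports[e["src"]].add(f"{e['proto']}/{e['dport']}")
    to = ", ".join(abuse_contacts(whois_text)) or "(no OrgAbuseEmail found)"
    lines = [
        f"To: {to}",
        f"Subject: Blocked connection attempts from {cidr} (UTC offset {first:%z})",
        "",
        f"Between {first.isoformat()} and {last.isoformat()} "
        f"(UTC {first.astimezone(timezone.utc):%Y-%m-%d %H:%M:%S} to "
        f"{last.astimezone(timezone.utc):%H:%M:%S}) our firewall logged {len(events)}",
        f"denied connection attempts from addresses in {cidr}, which whois lists as yours.",
        "The traffic is blocked at our perimeter but is still being attempted.",
        "",
        "Source           Attempts  Destination ports",
    ]
    for src, n in per_src.most_common():
        lines.append(f"{src:<16} {n:>8}  {', '.join(sorted(ports[src]))}")
    lines += ["", f"Log excerpt (firewall clock, {first.tzname()}):"]
    lines += [e["raw"] for e in events]
    lines += ["", f"Please investigate and let us know at {contact_email} when action has been taken."]
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_denies(SAMPLE_LOG)
    print(build_report(evs, "192.0.2.0/24", SAMPLE_WHOIS, "security@example.org"))
```

Only events whose source falls inside the netblock you looked up are included, so a report to one ISP never leaks another network's addresses, and the function refuses to render when nothing matches rather than mailing an empty template. The raw log lines keep the firewall's own timestamps for cross-referencing, while the summary states the UTC offset and the UTC equivalents, which is the detail the commenters above say ISPs most often need.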

Ron Malmstead (Information Services Manager) commented:
what is the nature of the attack ?

Why not just block the ip's from the router or firewall ?
