Responding to Security Incidents

Posted on 2005-05-11
Last Modified: 2008-01-09
Hi everyone,

The network I am the admin of has had quite a few security breach attempts on it.
I have noticed that within the last few months attacks have become more frequent and the attacks are usually from the same two companies.

So I have decided it's time I started emailing abuse@whatever, to report these incidents.
However since this is my first time I don't know what to write in the email or what I should include.

The only things I can think to attach to the email are: firewall logs, whois, finger, nslookup.

Can someone please show me a good template email I can send to these ISPs and also what to attach.


Question by:dr_binks
    LVL 32

    Expert Comment

    If the presumption is that these "attacks" are probably some infected computers on their subnet, then a short email explaining the problem and the relevant snippet from a relevant log (firewall or email header) that shows where it is coming from, should be all you need.
    LVL 2

    Expert Comment

    there is no particular format, if you want to know exactly what they need. Call them and ask.
    I've had an infected computer on my network once and people complained and I got some warnings :o) It wasn't fun to find that workstation. Also if your firewall blocks the attacks then there's not much to worry about. If you're running PIX make sure you have the latest IOS installed for additional peace of mind. And keep checking those logs, that's always a good thing.
    LVL 22

    Assisted Solution

    Each ISP may ask for different things from you. The essentials usually include logs that contain the offending and target IP addresses, the times of the attacks (don't forget to note time zone) and nature of the offense. When I send them I usually start with something like

    Attn _______ Network Support,
      This message is to inform you that our network has logged potentially malicious activity coming from an IP address in your registered range.  The log file snippet below contains.......
      This message is for your information and reference. Future malicious activity may result in further action taken
    Thank you,

    make it short, to the point and make sure it contains all necessary info for the ISP. Also note that most of the abuse@ email addresses have an autoresponder (comcast for example) and outside of that autoresponder you'll probably get little or no response from them.

    hope that helps. cheers,
    LVL 38

    Accepted Solution

    There is more than informing the ISP or company, you should also have a tracking system for yourself, one that goes beyond emails. You should document the incident:
    Logs are great, but if you have an IDS system such as snort, you can show them actual packet captures. Event logs and syslogs are very good still.

    When reporting abuse this is a very general template we follow:
    Dear "SO AND SO"

    At "TIME AND DATE" we detected suspicious/malicious activity coming from
    "NETWORK_SUBNET OR HOST(s)". The activities have been blocked at our firewall, but are still
    occurring/being attempted. Please investigate this activity and please inform us at
    "EMAIL_ADDRESS" when corrective measures or actions have been taken.

    Attached to this email are the following file types for cross-referencing
    1) EventLog from M$ server
    2) Packet capture from Snort-IDS
    3) Syslog of pix TCP tear up/down of the tcp session
    The current attempt rate is "X_AMOUNT" since "TIME_FIREWALL WAS UPDATED" (this line might not fit each situation)

    If you require any further information, feel free to call us at "PHONE_NUMBER" or
    email us at "EMAIL_ADDRESS". We will follow up on this issue in 1 hour if we have not
    heard back from you. Thanks for your time and prompt attention.

    Again, not all this info is available each time you detect something, but it gets the idea across. It's also best to zip
    all attachments, and keep them as small as possible. Time Zone is also important, stated above.

    It helps to look up the owner of the IP subnet, as there are often abuse addresses to write to there.
    This can also help if the ISP is buying a range from a larger isp, or when the user is from a cable
    company or DSL service.

    whois (
    OrgName:    Microsoft Corp
    OrgID:      MSFT
    Address:    One Microsoft Way
    City:       Redmond
    StateProv:  WA
    PostalCode: 98052
    Country:    US
    NetRange: -
    NetHandle:  NET-207-46-0-0-1
    Parent:     NET-207-0-0-0-0
    NetType:    Direct Assignment
    NameServer: NS1.MSFT.NET
    NameServer: NS5.MSFT.NET
    NameServer: NS2.MSFT.NET
    NameServer: NS3.MSFT.NET
    NameServer: NS4.MSFT.NET
    RegDate:    1997-03-31
    Updated:    2004-12-09
    TechHandle: ZM39-ARIN
    TechName:   Microsoft
    TechPhone:  +1-425-882-8080
    OrgAbuseHandle: HOTMA-ARIN
    OrgAbuseName:   Hotmail Abuse
    OrgAbusePhone:  +1-425-882-8080
    OrgAbuseHandle: MSNAB-ARIN
    OrgAbuseName:   MSN ABUSE
    OrgAbusePhone:  +1-425-882-8080
    OrgAbuseHandle: ABUSE231-ARIN
    OrgAbuseName:   Abuse
    OrgAbusePhone:  +1-425-882-8080
    OrgNOCHandle: ZM23-ARIN
    OrgNOCName:   Microsoft Corporation
    OrgNOCPhone:  +1-425-882-8080
    OrgTechHandle: MSFTP-ARIN
    OrgTechName:   MSFT-POC
    OrgTechPhone:  +1-425-882-8080
    # ARIN WHOIS database, last updated 2005-05-11 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database

    The SANS policy pages are great resources also
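The two answers above both come down to the same thing: give the ISP the offending and target addresses, the attempt counts, and the first/last times with their time zone, then fill that into a short template. As an added example (not code from the original post or from any of the answerers), this script summarizes constructed firewall deny lines per source IP and renders the report body in the shape of the accepted solution's template; the log format, the addresses and the contact email are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (not from the original post). The
# ISO-8601 timestamps carry the UTC offset so the ISP can see the time zone.
SAMPLE_LOG = """\
2005-05-11T03:14:07-04:00 DENY TCP 203.0.113.45:4321 -> 192.0.2.10:445
2005-05-11T03:14:09-04:00 DENY TCP 203.0.113.45:4322 -> 192.0.2.10:139
2005-05-11T03:16:40-04:00 DENY TCP 203.0.113.45:4350 -> 192.0.2.11:445
2005-05-11T04:02:13-04:00 DENY TCP 198.51.100.7:51200 -> 192.0.2.10:22
2005-05-11T05:14:07-04:00 DENY TCP 203.0.113.45:4400 -> 192.0.2.10:445
"""

# Assumed line layout: "<timestamp> DENY <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def summarize(log_text):
    """Group denied connections by source IP: count, first/last seen, targeted ports."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "ports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip lines in another format rather than guessing at them
            continue
        ts = datetime.fromisoformat(m["ts"])  # keeps the offset (aware datetime)
        h = hits[m["src"]]
        h["count"] += 1
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
        h["ports"].add(f'{m["proto"]}/{m["dport"]}')
    return dict(hits)

def report(src, h, contact_email, log_lines):
    """Fill the accepted solution's template for one offending source IP."""
    span_h = max((h["last"] - h["first"]).total_seconds() / 3600, 1)  # rate over >= 1 hour
    evidence = "\n".join(ln for ln in log_lines if f" {src}:" in ln)  # only this source's lines
    return (
        f"At {h['first'].isoformat()} we detected suspicious/malicious activity coming from {src}.\n"
        f"The activity has been blocked at our firewall, but is still being attempted.\n"
        f"Please investigate and inform us at {contact_email} when corrective action has been taken.\n\n"
        f"Attempts: {h['count']} between {h['first'].isoformat()} and {h['last'].isoformat()} "
        f"(about {h['count'] / span_h:.1f} per hour), targeting {', '.join(sorted(h['ports']))}.\n\n"
        f"Log excerpt (timestamps include UTC offset):\n{evidence}\n"
    )

if __name__ == "__main__":
    for src, h in summarize(SAMPLE_LOG).items():
        print(report(src, h, "abuse-reply@example.net", SAMPLE_LOG.splitlines()))
```

Before sending, look up the abuse contact for the source range with whois (as the answer shows) and attach the full, zipped log excerpt rather than pasting more than the relevant lines.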
    LVL 18

    Assisted Solution

    Sourceforge has some documents that are being generated regarding BS17799 that can be used as templates.

    In the case of any sort of breach you want to make sure you have a paper trail without as much external collaboration as you can.

    For example, start syncing the clocks on anything that can produce a log to a common source that is off-site. It is probably a good idea to have a server act as a syslogger to create an archive of your logs so at a later date you could interpret the results from a series of events on different platforms.

    But as was said before, limit your correspondence with the outside world to issue identification, a request for assistance and contact info for a follow up.

    Good luck,

    LVL 25

    Expert Comment

    by:Ron M
    what is the nature of the attack ?

    Why not just block the ip's from the router or firewall ?
