Identifying the attacking host a secondary concern in cyber-incident response, says NIST

From: FierceGovernmentIT

By Molly Bernhart Walker

Cybersecurity incident handling should focus principally on containment, eradication and recovery, and only secondarily on identifying the attacking host or hosts, according to final guidance, SP 800-61 Revision 2 (.pdf), published Aug. 8 by the National Institute of Standards and Technology.

“Identifying an attacking host can be a time-consuming and futile process that can prevent a team from achieving its primary goal–minimizing the business impact,” writes NIST.

This latest revision to NIST’s “Computer Security Incident Handling Guide” differs from the draft, which was published in February 2012, by changing the objective from “identifying the attacker” to “identifying the attacking host.”

The publication’s authors say that, when investigating the host, compromised agencies often focus on the attacking host’s IP address by validating that the address was not spoofed. This approach is flawed, however, because verifying connectivity simply indicates whether a host at that address currently responds to requests, not who was using it at the time of the attack. “The attacker may have received a dynamic address that has already been reassigned to someone else,” notes NIST.

Using a search engine to find more information on the apparent source IP address could provide more information, as could checking the address against an incident database. Incident handlers may also want to monitor communication channels that may be used by the attacking host, says NIST.
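The two preceding paragraphs describe why a present-day connectivity check says little about who held a source address during the incident, and what lower-cost enrichment (an incident database lookup) can add. The following added example, which is not from the article or from NIST, illustrates that triage: it resolves the lease holder of a source IP at the incident time rather than now, flags reassignment, and tags every result as a lead. The DHCP lease table and incident database are constructed placeholder data.

```python
from datetime import datetime, timezone

# Constructed DHCP lease history (placeholder data, not from the article).
# Each entry: (ip, client_id, lease_start, lease_end), timestamps in UTC.
LEASES = [
    ("203.0.113.7", "host-A", "2012-08-01T10:00:00", "2012-08-01T14:00:00"),
    ("203.0.113.7", "host-B", "2012-08-01T14:30:00", "2012-08-02T02:00:00"),
]

# Constructed incident database keyed by IP (placeholder data).
INCIDENT_DB = {
    "203.0.113.7": ["2012-07-20 scanning reported by peer CSIRT"],
}


def _ts(s):
    """Parse an ISO-8601 timestamp string as a UTC datetime."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def lease_holder_at(ip, when, leases=LEASES):
    """Return the client that held `ip` at time `when`, or None if no lease covers it."""
    for lease_ip, client, start, end in leases:
        if lease_ip == ip and _ts(start) <= when < _ts(end):
            return client
    return None


def triage_source_ip(ip, incident_time, now, leases=LEASES, db=INCIDENT_DB):
    """Build an attribution lead for `ip` from records, not from whether it answers now.

    `incident_time` is when the suspicious activity was observed; `now` is the
    time of the investigation. The lease held at the incident time is what
    matters; a later holder is a different party. Every field is a lead only.
    """
    holder_then = lease_holder_at(ip, incident_time, leases)
    holder_now = lease_holder_at(ip, now, leases)
    reassigned = (holder_then is not None and holder_now is not None
                  and holder_then != holder_now)
    return {
        "ip": ip,
        "holder_at_incident": holder_then,
        "holder_now": holder_now,
        "reassigned_since_incident": reassigned,
        "incident_db_hits": db.get(ip, []),
        "confidence": "lead",  # never "fact", per the guidance quoted above
    }
```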

“Attackers may congregate on certain IRC [Internet relay chat] channels to brag about their compromises and share information,” write the authors. “However, incident handlers should treat any such information that they acquire only as a potential lead, not as fact.”

The final publication expands guidance on information sharing with outside parties. Agencies should have policies in place for communicating with the media, Internet service providers, vendors of vulnerable software, law enforcement and other incident response teams, says NIST.

The publication also includes revised incident response life cycle diagrams, such as the one below.

For more: download the “Computer Security Incident Handling Guide,” SP 800-61 Rev. 2 (.pdf)
