Exercise 1: Triage and Basic Incident Handling


Main Objective: This exercise provides students with experience of real-life incident reports, their ambiguity and complexity. After finishing the exercise they should understand what to focus on during initial analysis, how different factors may affect priorities, and how to communicate with reporters as well as third parties. During the exercise, they will apply a given classification scheme to incidents. The purpose of this part of the exercise is to work on the consistent classification of disputable cases (e.g., worm vs. scanning) across team members and possibly to suggest a clearer, more unambiguous classification scheme for the team.

Targeted Audience: The exercise is aimed at incident handlers at any level of experience. It requires a good understanding of Internet topology and services.

Total Duration: 2 hours, 25 minutes

Time Schedule:
  • Introduction to the exercise: 10 min.
  • Tasks 1-9, incident report analysis, classification and prioritisation: 60 min.
  • Discussion: 60 min.
  • Exercise summary and wrap-up: 15 min.

Frequency: Once a year for new team members or members reassigned to incident response.

This exercise can also be used with real reports as an intra-team exercise for all incident handlers in a CERT. In this case, the goal is to make sure that different team members classify and prioritise reports consistently.

General Description

The exercise simulates the initial phases of incident handling with 10 real-life incident reports. These phases include:

  • verification of the report (did the incident actually occur?);
  • interpretation (what actually happened?);
  • determination of the scope of incident (what are the actual and possible consequences for your constituency and others?);
  • classification; and
  • prioritisation (based on the previous factors).

The students will try to complete these phases for each of the reports. Discrepancies between their results will then be discussed.
Before conducting the exercise, read through all the reports and the answer key. If students come from an already established team or teams, ask them to provide the classification scheme they use in everyday work. You may decide to use those schemes rather than the ones suggested in the exercises, but it is important that all students use the same scheme, as it provides common ground for the discussion. You may also consider using real-life examples from your own experience instead of some of the cases provided in the students' book. The guidelines on anonymising data for the purposes of this exercise are as follows:

  • 10/8 are networks located in Utopia
  • 10.187/16 are networks of Utopia NREN
  • .ut is Utopia’s top-level domain

Download Exercise 1 Toolset - 127 kB

Summary of the Exercise

Some points to use for wrap-up and conclusions in the summary:

  • Most classification schemes are not perfect; probably none are. Creating a classification scheme specifically for a given team can make the choices more obvious initially, but it will have to be updated from time to time. On the other hand, using one classification scheme over a longer period of time and sharing it with other teams would allow for the comparison of statistics.
  • When an incident type is ambiguous, it is not the name of the class that matters. More important is how you describe this class in your statistics. And the most important thing is consistency, so make sure that all incident handlers classify similar incidents in the same way. Regular meetings and ad hoc discussions should help resolve any discrepancies.
  • Priority is not a function of just one variable, the incident type. Some groups might have classified a report in the same way but assigned it different priorities based on additional knowledge or assumptions such as ‘it is a widespread worm’. In real life, it is vital to know these factors and to collect any necessary information in order to avoid confusion.

Evaluation Metrics

As stated above, there are no single ‘correct’ answers in this exercise. Some cases are more disputable than others. Following the key provided above and the suggested answers below, make sure that the students have not missed important details that may not be obvious at first and that they have correctly identified the nature of the problem. It is also vital that, when justifying the priorities applied to the reports, students take into account not just the type of incident but also its scope and its relevance to the constituency.

The table below contains suggested classification and prioritisation for the exercise:

Task  Classification   Priority  Comments
1     None             N/A       This is not an incident.
2     DDoS             1         If the attack is not ongoing, the priority may be lowered.
3     Spam             3         1.1.1
4     Login attempts   2         1.1.2
5     Scanning         2         Worm, if worm activity is high or other evidence is available.
6     Fraud            3         1.1.3
7     Worm             2         1.1.4
8     Masquerade       1         Active phishing and malware distribution sites should be treated with higher than usual priority.
9     Malicious Code   1         See above. It may be suggested that the classification scheme should be expanded to include drive-by-download infections and other malware distribution mechanisms.
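The following is an added example, not part of the ENISA exercise material: it encodes the suggested classification table above together with the constituency ranges from the anonymisation guidelines (10/8 Utopia, 10.187/16 Utopia NREN), to show concretely why priority is not a function of the incident type alone. The Report fields, the one-step lowering for reports that involve no Utopia hosts, and the 1-3 priority scale are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field
# Constituency ranges from the exercise's anonymisation guidelines.
UTOPIA = ipaddress.ip_network("10.0.0.0/8")          # "10/8": networks in Utopia
UTOPIA_NREN = ipaddress.ip_network("10.187.0.0/16")  # "10.187/16": Utopia NREN
# Baseline priority per class from the suggested-answers table (1 = highest, 3 = lowest).
BASE_PRIORITY = {"DDoS": 1, "Spam": 3, "Login attempts": 2, "Scanning": 2,
                 "Fraud": 3, "Worm": 2, "Masquerade": 1, "Malicious Code": 1}

@dataclass
class Report:
    """Facts established during verification and interpretation (constructed fields)."""
    classification: str                        # class from the scheme, or "None"
    hosts: list = field(default_factory=list)  # involved IPs in the anonymised 10/8 space
    ongoing: bool = True                       # is the activity still happening?
    worm_evidence: bool = False                # high worm activity or other evidence
    site_active: bool = False                  # phishing/malware site still reachable

def constituency(hosts):
    """Scope of the report: NREN constituency, elsewhere in Utopia, or external."""
    addrs = [ipaddress.ip_address(h) for h in hosts]
    if any(a in UTOPIA_NREN for a in addrs):
        return "nren"
    if any(a in UTOPIA for a in addrs):
        return "utopia"
    return "external"

def triage(report):
    """Return (classification, priority, reasons), applying the table's comments."""
    cls, reasons = report.classification, []
    if cls == "None":
        return cls, None, ["not an incident"]
    # Task 5: Scanning becomes Worm when worm activity is high or other evidence exists.
    if cls == "Scanning" and report.worm_evidence:
        cls = "Worm"
        reasons.append("worm evidence: reclassified from Scanning")
    prio = BASE_PRIORITY[cls]
    # Task 2: a DDoS that is no longer ongoing may be given a lower priority.
    if cls == "DDoS" and not report.ongoing:
        prio += 1
        reasons.append("attack not ongoing: priority lowered")
    # Tasks 8 and 9: active phishing or malware sites stay at the top priority.
    if cls in ("Masquerade", "Malicious Code") and report.site_active:
        reasons.append("site still active: higher than usual priority")
    # Assumption (not from the exercise): no constituency hosts involved -> one step lower.
    if constituency(report.hosts) == "external":
        prio += 1
        reasons.append("no Utopia hosts involved: priority lowered")
    return cls, min(prio, 3), reasons
```

Two reports of the same class can therefore end up with different priorities, which is exactly the discrepancy the discussion phase is meant to surface and justify.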
