Wiki/Operation/Incident_Response.md

70 lines
6.4 KiB
Markdown
Raw Permalink Normal View History

# CERT Grab-bag
[CERT][1], or Computing Emergency Response Team, is an acronym for first-responders to cybersecurity and computing incidents.
2022-09-25 20:53:19 -05:00
The FBI maintains a cyber incident reporting service -- should the incident be of a sufficiently malicious nature, it should be reported to the authorities. See [this whitepaper](https://www.fbi.gov/file-repository/law-enforcement-cyber-incident-reporting.pdf/view) for a breakdown of how to report.
CERT individuals should keep a copy of the following things at all times in a grab-bag:
* The above whitepaper for FBI contacts
* An up-to-date Git clone of this Wiki
* Laptop and mobile phone
* Any phyical-security tools
* Kali Linux and ArchLinux ISOs in ready-to-boot format
* Scratch paper and thumb drives for evidentiary capture, along with chain of custody labels
# Incident vs. Disaster
2022-09-25 20:53:19 -05:00
An [incident][2] is an unplanned event affecting a service or agency, where a disaster reflects multiple services or agencies. A catastrophe is defined as one-step worse -- a destruction of AniNIX software and hardware necessitating rebuilding the same and likely a relocation of any operations and facilities.
# Required Follow-ups
2022-09-25 20:53:19 -05:00
See TOGAF, COBIT, and ITIL standards for design methods for incident response. Also available is documentation from [NIST](https://duckduckgo.com/?q=NIST+Creating+security+plans+for+federal+information+systems&ia=web) on how to formulate security plans.
2023-10-23 13:11:45 -05:00
## Monitoring and Alerting
Network operators should follow the `#sharingan` IRC & Discord channels for a redundant method of being alerted when there are issues. While we have no mean-time-to-acknowledge (MTTA) or mean-time-to-recover (MTTR) service-level agreements (SLA), on-call operators should attempt to respond with all available expediency to issues.
2022-09-25 20:53:19 -05:00
## OSINT feed
Significant non-disruptive incidents detected by [AniNIX/Sharingan](https://sharingan.aninix.net) will be recorded as part of our [OSINT feed](https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml). This feed is intended to be a public service to help improve the general community. Those watching this feed are encouraged to examine their own incoming traffic for the adversaries listed and take appropriate protective action.
## Disruptive Incidents' Follow-up
If any significant disruption of service is caused (more than 8 hours), additionally an [Incident Report](./Incident_Reports.md) will be filed and users will be notified via [RSS](https://singularity.aninix.net), [IRC](https://irc.aninix.net), and all relevant social media.
As the AniNIX learns of better configuration processes or usage methodology, this Wiki will be updated, which will automatically notify users via IRC.
Critical patches to AniNIX software and scripts should be added to [AniNIX/Foundation](https://foundation.aninix.net/) immediately with a proper commit message -- with the right webhooks set, this will send a notification via IRC.
2022-09-25 20:53:19 -05:00
### Service-level incident response
The AniNIX maintains onsite backups -- the affected service will be stopped, repaired from best-effort backups, and restarted. Unaffected services will not be disrupted.
2022-09-25 20:53:19 -05:00
### Software Disaster Recovery
Should a collective failure of software occur, all services will be stopped until the damage can be repaired. The AniNIX has onsite backups to this end.
2022-09-25 20:53:19 -05:00
### ISP events
In the event of an ISP event, a redundant method of providing access is available, but some services will be significantly limited or disabled to limit bandwidth usage. If ISP's are unavailable, admins should notify @everyone on Discord and stay available until access is restored.
2022-09-25 20:53:19 -05:00
### Hardware Incident Response
In the event of the failure of a redundant or unnecessary hardware component, an admin will:
* Review if the hardware needs to be removed. If not, it will be scheduled to be removed on the next downtime and review ends.
* Review if the hardware can be removed online. If so, the hardware will be removed as soon as safely possible; all reasonable effort will be made to keep maintenance off-hours.
* If none of the above criteria are met and time is available, a notice will be issued at the discovery of the problem and the hardware replaced or repaired off-hours.
* If there is no time, hardware will be replaced ASAP and service-providing components restarted. A notice and apology will be issued immediately thereafter.
Some redundant storage, for example, will be exchanged for failing components.
2022-09-25 20:53:19 -05:00
### Hardware Disaster Recovery
Should hardware critically fail, the AniNIX does not currently have a support agreement with any hardware provider -- overnight shipping and package tracking will be used to offer a best-effort at restoration of hardware. Users should be aware that some non-redundant, expensive hardware may halt service from the AniNIX for up to 48 hours. Should this happen, the AniNIX will re-evaluate the cost of the downtime against the cost of the hardware component.
If necessary, restoration from the safety-deposit backup will be utilized.
2022-09-25 20:53:19 -05:00
### Complete Disaster Recovery
In the event of a complete disaster, the first line of defense is a hard-drive stored in a safety deposit box with a complete backup of the AniNIX/Core VM, which includes the source code to rebuild all other machines.
2022-09-25 20:53:19 -05:00
### Catastrophic Loss Or Attack
Should all else have been compromised, a large number of [AniNIX/Aether](/AniNIX/Aether) nodes will allow rebuilding the system from source code, though there will be a massive loss of data. Some of this will be recoverable over time through file lists stored in the Aether packages, but other data will be lost. This is the last-ditch recovery method.
AniNIX admins maintain "bug-out" bags for massive environmental, political, or criminal disturbances, with copies of the Aether package on encrypted storage. They are trained to safely self-evacuate and rebuild the network in a safe location. This recovery method will take a long time to effect; users should watch the aninix.net domain name for a return of some IRC daemon with which to use to communicate with admins. As soon as possible, admins will reach out to the userbase to announce when services will be restored, the reason for loss of service, and the extent of data loss.
<!-- References -->
[1]: https://www.youtube.com/watch?v=PhROeWMPBqU "Skillset via YouTube, accessed 1/4/18"
[2]: https://www.linkedin.com/learning/introduction-to-ethical-hacking/information-security "LinkedIn 'Intro to Ethical Hacking Course' by Lisa Bock"