Documenting OSINT feed

This commit is contained in:
DarkFeather 2022-09-25 20:53:19 -05:00
parent 8fa2901ce2
commit 214dc00e4c
Signed by: DarkFeather
GPG Key ID: 1CC1E3F4ED06F296

View File

@ -1,7 +1,7 @@
# CERT Grab-bag # CERT Grab-bag
[CERT][1], or Computing Emergency Response Team, is an acronym for first-responders to cybersecurity and computing incidents. [CERT][1], or Computing Emergency Response Team, is an acronym for first-responders to cybersecurity and computing incidents.
The FBI maintains a cyber incident reporting service -- should the incident be of a sufficiently malicious nature, it should be reported to the authorities. See [https://www.fbi.gov/file-repository/law-enforcement-cyber-incident-reporting.pdf/view this whitepaper] for a breakdown of how to report. The FBI maintains a cyber incident reporting service -- should the incident be of a sufficiently malicious nature, it should be reported to the authorities. See [this whitepaper](https://www.fbi.gov/file-repository/law-enforcement-cyber-incident-reporting.pdf/view) for a breakdown of how to report.
CERT individuals should keep a copy of the following things at all times in a grab-bag: CERT individuals should keep a copy of the following things at all times in a grab-bag:
* The above whitepaper for FBI contacts * The above whitepaper for FBI contacts
@ -12,26 +12,33 @@ CERT individuals should keep a copy of the following things at all times in a gr
* Scratch paper and thumb drives for evidentiary capture, along with chain of custody labels * Scratch paper and thumb drives for evidentiary capture, along with chain of custody labels
# Incident vs. Disaster # Incident vs. Disaster
An incident is an unplanned event affecting a service or agency, where a disaster reflects multiple services or agencies.</ref> A catastrophe is defined as one-step worse -- a destruction of AniNIX software and hardware necessitating rebuilding the same and likely a relocation of any operations and facilities. An [incident][2] is an unplanned event affecting a service or agency, where a disaster reflects multiple services or agencies. A catastrophe is defined as one-step worse -- a destruction of AniNIX software and hardware necessitating rebuilding the same and likely a relocation of any operations and facilities.
# Required Follow-ups # Required Follow-ups
: See TOGAF, COBIT, and ITIL standards for design methods for incident response. Also available is documentation from [https://duckduckgo.com/?q=NIST+Creating+security+plans+for+federal+information+systems&ia=web NIST] on how to formulate security plans. See TOGAF, COBIT, and ITIL standards for design methods for incident response. Also available is documentation from [NIST](https://duckduckgo.com/?q=NIST+Creating+security+plans+for+federal+information+systems&ia=web) on how to formulate security plans.
If any significant disruption of service is caused (more than 8 hours), an [Incident Report](./Incident_Reports.md) will be filed and users will be notified via [RSS](https://singularity.aninix.net), [IRC](https://irc.aninix.net), and all relevant social media.
## OSINT feed
Significant non-disruptive incidents detected by [AniNIX/Sharingan](https://sharingan.aninix.net) will be recorded as part of our [OSINT feed](https://aninix.net/AniNIX/Wiki/raw/branch/main/rss/osint.xml). This feed is intended to be a public service to help improve the general community. Those watching this feed are encouraged to examine their own incoming traffic for the adversaries listed and take appropriate protective action.
## Disruptive Incidents' Follow-up
If any significant disruption of service is caused (more than 8 hours), additionally an [Incident Report](./Incident_Reports.md) will be filed and users will be notified via [RSS](https://singularity.aninix.net), [IRC](https://irc.aninix.net), and all relevant social media.
As the AniNIX learns of better configuration processes or usage methodology, this Wiki will be updated, which will automatically notify users via IRC. As the AniNIX learns of better configuration processes or usage methodology, this Wiki will be updated, which will automatically notify users via IRC.
Critical patches to AniNIX software and scripts should be added to [AniNIX/Foundation](https://foundation.aninix.net/) immediately with a proper commit message -- with the right webhooks set, this will send a notification via IRC. Critical patches to AniNIX software and scripts should be added to [AniNIX/Foundation](https://foundation.aninix.net/) immediately with a proper commit message -- with the right webhooks set, this will send a notification via IRC.
# Service-level incident response ### Service-level incident response
The AniNIX maintains onsite backups -- the affected service will be stopped, repaired from best-effort backups, and restarted. Unaffected services will not be disrupted. The AniNIX maintains onsite backups -- the affected service will be stopped, repaired from best-effort backups, and restarted. Unaffected services will not be disrupted.
# Software Disaster Recovery ### Software Disaster Recovery
Should a collective failure of software occur, all services will be stopped until the damage can be repaired. The AniNIX has onsite backups to this end. Should a collective failure of software occur, all services will be stopped until the damage can be repaired. The AniNIX has onsite backups to this end.
## ISP events ### ISP events
In the event of an ISP event, a redundant method of providing access is available, but some services will be significantly limited or disabled to limit bandwidth usage. If ISP's are unavailable, admins should notify @everyone on Discord and stay available until access is restored. In the event of an ISP event, a redundant method of providing access is available, but some services will be significantly limited or disabled to limit bandwidth usage. If ISP's are unavailable, admins should notify @everyone on Discord and stay available until access is restored.
# Hardware Incident Response ### Hardware Incident Response
In the event of the failure of a redundant or unnecessary hardware component, an admin will: In the event of the failure of a redundant or unnecessary hardware component, an admin will:
* Review if the hardware needs to be removed. If not, it will be scheduled to be removed on the next downtime and review ends. * Review if the hardware needs to be removed. If not, it will be scheduled to be removed on the next downtime and review ends.
* Review if the hardware can be removed online. If so, the hardware will be removed as soon as safely possible; all reasonable effort will be made to keep maintenance off-hours. * Review if the hardware can be removed online. If so, the hardware will be removed as soon as safely possible; all reasonable effort will be made to keep maintenance off-hours.
@ -40,15 +47,15 @@ In the event of the failure of a redundant or unnecessary hardware component, an
Some redundant storage, for example, will be exchanged for failing components. Some redundant storage, for example, will be exchanged for failing components.
# Hardware Disaster Recovery ### Hardware Disaster Recovery
Should hardware critically fail, the AniNIX does not currently have a support agreement with any hardware provider -- overnight shipping and package tracking will be used to offer a best-effort at restoration of hardware. Users should be aware that some non-redundant, expensive hardware may halt service from the AniNIX for up to 48 hours. Should this happen, the AniNIX will re-evaluate the cost of the downtime against the cost of the hardware component. Should hardware critically fail, the AniNIX does not currently have a support agreement with any hardware provider -- overnight shipping and package tracking will be used to offer a best-effort at restoration of hardware. Users should be aware that some non-redundant, expensive hardware may halt service from the AniNIX for up to 48 hours. Should this happen, the AniNIX will re-evaluate the cost of the downtime against the cost of the hardware component.
If necessary, restoration from the safety-deposit backup will be utilized. If necessary, restoration from the safety-deposit backup will be utilized.
# Complete Disaster Recovery ### Complete Disaster Recovery
In the event of a complete disaster, the first line of defense is a hard-drive stored in a safety deposit box with a complete backup of the AniNIX/Core VM, which includes the source code to rebuild all other machines. In the event of a complete disaster, the first line of defense is a hard-drive stored in a safety deposit box with a complete backup of the AniNIX/Core VM, which includes the source code to rebuild all other machines.
# Catastrophic Loss Or Attack ### Catastrophic Loss Or Attack
Should all else have been compromised, a large number of [AniNIX/Aether](/AniNIX/Aether) nodes will allow rebuilding the system from source code, though there will be a massive loss of data. Some of this will be recoverable over time through file lists stored in the Aether packages, but other data will be lost. This is the last-ditch recovery method. Should all else have been compromised, a large number of [AniNIX/Aether](/AniNIX/Aether) nodes will allow rebuilding the system from source code, though there will be a massive loss of data. Some of this will be recoverable over time through file lists stored in the Aether packages, but other data will be lost. This is the last-ditch recovery method.
AniNIX admins maintain "bug-out" bags for massive environmental, political, or criminal disturbances, with copies of the Aether package on encrypted storage. They are trained to safely self-evacuate and rebuild the network in a safe location. This recovery method will take a long time to effect; users should watch the aninix.net domain name for a return of some IRC daemon with which to use to communicate with admins. As soon as possible, admins will reach out to the userbase to announce when services will be restored, the reason for loss of service, and the extent of data loss. AniNIX admins maintain "bug-out" bags for massive environmental, political, or criminal disturbances, with copies of the Aether package on encrypted storage. They are trained to safely self-evacuate and rebuild the network in a safe location. This recovery method will take a long time to effect; users should watch the aninix.net domain name for a return of some IRC daemon with which to use to communicate with admins. As soon as possible, admins will reach out to the userbase to announce when services will be restored, the reason for loss of service, and the extent of data loss.