Great resource collection by CERT.br
http://www.cert.org/archive/pdf/04tr015.pdf
CERT-RMM Incident Management and Control Ecosystem
http://www.cert.org/resilience/products-services/cert-rmm/index.cfm
Responding to a Compromise
http://www.forensics-intl.com/safeback.html
Resources That Can Help
http://www.auscert.org.au/render.html?it=2252&cid=1920
http://www.sei.cmu.edu/news-at-sei/columns/security_matters/1999/mar/security_matters.htm
http://www.ietf.org/rfc/rfc2196.txt
http://www.ietf.org/rfc/rfc2350.txt
http://www.ietf.org/rfc/rfc2828.txt
http://terena.org/activities/tf-csirt/archive/acert7.html
http://www.enisa.europe.eu/cert_guide/downloads/CSIRT_setting_up_guide_ENISA.pdf
http://www.govcert.nl/render.html?it=69
http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf
Website: ENISA
http://www.enisa.europa.eu/act/cert/background/coop
http://www.enisa.europa.eu/ac/sr/country-reports
Situational Awareness: Team Cymru
http://www.team-cymru.org/Services/
http://www.team-cymru.org/Services/CAP/
Situational Awareness: ShadowServer -1
http://www.shadowserver.org/wiki
http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork
Situational Awareness: ShadowServer -2
http://www.shadowserver.org/wiki
Situational Awareness: CERT.br
http://honeytarg.cert.br/honeypots/stats/flows/current/
http://honeytarg.cert.br/honeypots/stats/portsum/24-hour/current/
What Moment in Time Is This?
http://www.ietf.org/rfc/rfc3339.txt
Port Numbering
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
http://www.iana.org/assignments/port-numbers
Kaspersky Security Bulletin 2013 Corporate Threats
http://www.securelist.com/en/analysis/204792317/Kaspersky_Security_Bulletin_2013_Corporate_threats
Mandiant 2014 Threat Report
https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf
Studying Intrusions from the Adversary's Perspective - The Lockheed Martin Kill Chain
http://docs.ismgcorp.com/files/external/Target_Kill_Chain_Analysis_FINAL.pdf
Course of Action for Mitigation
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
What Is a Windows-Based Rootkit?
http://www.f-secure.com/en_EMEA-Labs/virus-encyclopedia/encyclopedia/rootkit.html
http://www.symantec.com/business/security_response/glossary/define.jsp?letter=r&word=rootkit
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
http://www.eweek.com/c/a/Security/Whens-a-Rootkit-Not-a-Roorkit-In-Search-of-Definitions/
Functions of a Windows-Based Rootkit
http://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf
http://www.symantec.com/avcenter/reference/when.malware.meets.rootkits.pdf
Recent Trends
http://nakedsecurity.sophos.com/2012/11/30/technical-paper-blackhole/
http://nakedsecurity.sophos.com/2013/01/16/technical-paper-black-hole-2/
http://nakedsecurity.sophos.com/2014/02/27/notorious-gameover-malware-gets-itself-a-kernel-mode-rootkit/
Detection of Rootkits -1
http://www.foundstone.com/resources/proddesc/carbonite.htm
http://sourceforge.net/projects/checkps/
Detection of Rootkits -3
http://www.mcafee.com/us/downloads/free-tools/fport.aspx
Prevention
http://www.tripwire.com/it-compliance-products/
http://sourceforge.net/projects/tripwire/
http://www.ietf.org/rfc/rfc1321.txt
http://sourceforge.net/projects/aide/
Resources
http://research.microsoft.com/apps/pubs/default.aspx?id=70076
Attack Categories
http://pages.arbornetworks.com/rs/arbor/images/WISR2014.pdf
How Botnets Are Operated -4
http://waste.sourceforce.net/
Preparing for DDoS Attacks
http://www.ietf.org.rfc/rfc2827.txt
http://www.team-cymru.org/Services/Bogons/
http://www.sans.org/dosstep/
Static Analysis
http://www.symatec.com/connect/articles/reverse-engineering-hostile-code
Reverse Engineering Prerequisites
http://www.hex-rays.com/dapro/
Extracting Strings
http://www.mcafee.com/us/downloads/free-tools/bintext.aspx
Step 2: Packed Executable Identification
http://en.wikipedia.org/wiki/UPX#Obfuscation
Other Analysis Tools
http://ircr.sourceforge.net/
Sandboxes
http://www.sunbeltsoftware.com/Malware-Research-Analysis-Tools/Sunbelt-CWSandbox/
http://fileadvisor.bit9.com/services/search.aspx
Debuggers
OllyDbg (Windows - free)
gdb (unix)
Disassemblers
http://developer.intel.com/design/pentiumii/manuals/243190.htm
http://developer.intel.com/design/pentiumii/manuals/243191.htm
Strings (Packed Malware)
ANG3L - hop
tftp
Additional Monitoring of Network and File Activity
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Computer Security Definition
http://www.cert.org/archive/pdf/JHThesis.pdf
Security Concepts
http://www.ietf.org.rfc/rfc2828.txt
Privileged Programs
http://www.gnu.org/software/libc/manual/html_node/Tips-for-Setuid.html
CERT Secure Coding Web Site (Wiki)
https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+coding+Standards
Build Security In Web Site
https://buildsecurityin.us-cert.gov/
Software Security Touchpoints
http://doi.ieeecomputersociety.org/10.1109/MSP.2005.118
http://www.computer.org/portal/web/csdl/doi/10.1109/MSP.2005.118
Technical Vulnerability Analysis Goals
https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards
Technical Vulnerability Handling Process*
http://www.us-cert.gov/cas/techalerts/
http://www.kb.cert.org/vuls/
Vulnerability Handling Resources
http://www.securityfocus.com/archive/1
http://archives.neohapsis.com/
http://xforce.iss.net/
Vulnerability Acronyms
http://scap.nist.gov/specifications/xccdf/
http://www.first.org/cvss/
CERT Advisory Metric
http://www.kb.cert.org/vuls/html/fieldhelp#metric
Problems with Current Scoring
http://www.first.org/cvss/cvss-guide.html
Common Vulnerability Scoring System
http://ndv.nist.gov/cvss.cfm?calculator&version=2
How Does CVSS Work?
http://www.first.org/cvss/cvss-guide.html
Key Points
http://www.sei.cmu.edu/libray/abstracts/reports/05tn003.cfm
http://www.sei.cmu.edu/reports/05tn003.pdf
Determining What to Publish
http://www.us-cert.gov/current/
http://www.us-cert.gov/cas/techalerts/
http://www.securityfocus.com/archive/1
Methods for Publication
http://www.auscert.org.au/render.html?it=3841
http://www.us-cert.gov/nav/nt01/
http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf
http://www.cert.org/csirts/national
http://www.cert.org/search_pubs/search.php
http://www.cert.org/archive/pdf/11tr015.pdf
http://www.cert.org/csirts/csirt-staffing.html
http://www.cert.org/archive/pdf/csirts_action_list.pdf
http://www.cl.cam.ac.uk/~mgk25/iso-time.html
http://www.ietf.org/rfc/rfc3339.txt
http://www.bestpractical.com/rtir/
http://www.terena.org/activities/tf-csirt/iodef/
http://ietf.org/rfc/rfc3067.txt
http://datatracker.ietf.org/wg/mile/
http://aircert.sourceforge.net/
http://tools.netsa.cert.org/silk/
http://www.securityfocus.com/archive/1
http://lists.grok.org.uk/full-disclosure-charter.html
http://archives.neohapsis.com/
http://www.first.org/resources/guides/csirt_case_classification.html
http://www.enisa.europa.eu/activities/cert/support/incident-handling-automation
http://csrc.nist.gov/publications/PubsSPs.html
http://www.porcupine.org/forensics/tct.html
http://www.guidancesoftware.com/computer-forensics-ediscovery-software-digital-evidence.htm
http://www.forensics-intl.com/suite1.html
http://www.forensics.intl.com/safeback.html
http://www.guidancesoftware.com/
http://www.guidancesoftware.com/computer-forensics-ediscovery-software-digital-evidence.htm
http://www.forensics-intl.com/
http://www.forensics-intl.com/suite1.html
http://www.sans.org/resources/top5_logreports.pdf
chuvakin.org
http://www.switch.ch/network/projects/completed/TF-NGN/floma/software.html
http://www.caida.org/tools/utilities/flowscan/
http://code.google.com.p/flow-tools/
http://tools.netsa.cert.org/silk/
http://www.doxpara.com/DMK_BO2K8.ppt
http://dns.measurement-factory.com/surveys/openresolvers.html
http://www.cymru.com/Documents/secure-blind-template.html
http://member.dnsstuff.com/pages/dnsreport.php
http://dns.measurement-factory.com/tools/third-party-validation-tools/
http://www.icann.org/committees/security/dns-ddos-advisory-31mar06.pdf
http://www.uscert.gov/reading_room/DNS-recursion033006.pdf
http://www.verising.com/static/037903.pdf
www.icann.org/committees/security/sac025.pdf
http://dns.measurement-factory.com/
http://tools.ietf.or/html/draft-dulaunoy-kaplan-passive-dns-cof-02
http://www.trusted-introducer.nl/
http://www.ietf.org/rfc/rfc954.txt
http://www.internic.net/regist.html
whois.educause.net
http://www.dotgov.gov/portal/web/dotgov/welcome
http://apnic.net/apnic-info/search
http://wq.apnic.net/apnic-bin/whois.pl
whois.lacnic.net
http://lacnic.net/cgi-bin/lacnic/whois
http://www.afnic.fr/outils/whois_en
http://www.afrinic.net/cgi-bin/whois
http://www.iana.org/domains/root/db
http://www.internic.net/regist.html
http://icann.org/registrars/accreditation-qualified-list.html
http://www.internic.net/whois.html
http://registrar.verisign-grs.com/whois/
http://www.geektools.com/why.php
http://team-cymru.org/Services/ip-to-asn.html
http://www.ripe.net/data-tools/stats/ris/riswhois
http://www.ra.net/tutorials/query1.php
http://www.ietf.org/rfc/rfc5321.txt
http://www.unicom.com/sw/rlytest/
http://www.mail-abuse.com/an_sec3rdparty.html
http://www.cert.org/tech_tips/email_spoofing.html
http://spamlinks.net/stats.htm
http://www.spamcop.net.spamstats.shtml
http://www.spamhaus.org/statistics/networks/
http://www.mail-abuse.org/wp_introrbl.html
http://thomas.loc.gov/cgi-bin/query/z?c108:S.877:
http://www.cert.org/tech_tips/securing_browser/
http://www.wombatsecurity.com/antiphishingphil
http://www.wombatsecurity.com/antiphishingphyllis
http://www.antiphishing.org/phishReportsArchive.html
http://www.internetindentity.com.news/blog/133-phishing-rends-report-for-q-released
http://aujasus.com/2010/11/29/trends-in-phishing/
http://onguardonline.gov/phishing.html
http://www.privacyrights.org/ar/phishing.htm
http://www.secureworks.com/research/pushdo/?threat=pushdo
http://www.internetidentity.com/blog/operation-ababil-brobot-ddos-attacks/
http://www.apwg.org/resources/mobile/
http://blog.trendmicro.com/trenlabs-security-intelligence/the-reality-of-browser-based-botnets/
http://issviews.com/blog/warning-aidra-the-next-step-up-from-the-hydra-botnet/
http://trendmicro.com/en/products/network/overview.htm
http://www.team-cymru.org/Services/MHR/
http://www.threattracksecurity.com/enterprise-security/sandbox-software.aspx
http://education.apwg.org/r/en/index.htm
http://cleanbytes.net/malware-online-scanners
http://www.malwaredomainlist.com/forums/index.php?topvic=1544.0
http://ossectools.blogspot.com/2012/02/online-malware-analysis-sandbox.html
www.delegaciavirtual.rj.gov.br
www.fisepe.pe.gov.br/delegaciavirtual/index.html
www.delegaciavirtual.pa.gov.br
Sandbox
http://tiv.morphuslabs.com/sandbox/
https://www.joesecurity.org/joe-sandbox-ultimate
https://github.com/joesecurity/awesome-malware-analysis
https://github.com/AlicanAkyol/sems
https://github.com/lrq3000/PyBox
https://www.bluecoat.com/products-and-solutions/malware-analysis
https://www1.cs.fau.de/content/pybox-python-sandbox
https://www.lastline.com/platform/analyst#hosted
https://www.threattrack.com/malware-analysis.aspx
https://bsidesvienna.at/slides/2015/incident_handling_automation_with_intelmq.pdf
https://github.com/certtools/intelmq
https://zeltser.com/metasploit-framework-docker-container/
https://zeltser.com/cheat-sheets/
https://zeltser.com/remnux-malware-analysis-tips/
https://zeltser.com/security-incident-log-review-checklist/
Links
https://infocon.org/ - InfoCon is a community supported, non-commercial archive of all the past hacking related convention material that can be found.
The project 'CERT-in-a-Box' and 'Alerting service-in-a-Box' is an initiative of GOVCERT.NL/NCSC to preserve the lessons learned from setting up GOVCERT.NL and 'De Waarschuwingsdienst', the Dutch national Alerting service.
The project aim is to help others starting a CSIRT or Alerting Service by:
Getting them up to speed faster
Taking the benefits and not making the same mistakes
- Gavin Reid (Cisco Systems), Dustin Schieber, Ivo Peixinho (CAIS/RNP)
It is critical that the CSIRT provide consistent and timely response to the customer, and that sensitive information is handled properly. This document provides the guidelines needed for CSIRT Incident Managers (IMs) to classify the case category, criticality level, and sensitivity level for each CSIRT case. This information will be entered into the Incident Tracking System (ITS) when a case is created. Consistent case classification is required for the CSIRT to provide accurate reporting to management on a regular basis. In addition, the classifications will provide CSIRT IMs with proper case handling procedures and will form the basis of SLAs between the CSIRT and other Company departments.
- European Network and Information Security Agency (ENISA)
The document at hand describes the process of setting up a Computer Security and Incident Response Team (CSIRT) from all relevant perspectives, such as business management, process management and the technical perspective. This document implements two of the deliverables described in ENISA's Working Programme 2006, chapter 5.1:
This document: Written report on step-by-step approach on how to set up a CERT or similar facilities, including examples. (CERT-D1)
Chapter 12 and external files: Excerpt of roadmap in itemised form allowing an easy application of the roadmap in practice. (CERT-D2)