Sat, 13 Dec 2014
CSIRTs Considered Harmful
OK, I am fed up with spam coming from local CSIRTs. Firstly from CSIRT MU, and recently even from the CESNET CSIRT.
"The Guild of Firefighters had been outlawed by the Patrician the previous year after many complaints. The point was that, if you bought a contract from the Guild, your house would be protected against fire. Unfortunately, the general Ankh-Morpork ethos quickly came to the fore and fire fighters would tend to go to prospective clients’ houses in groups, making loud comments like ‘Very inflammable looking place, this’ and ‘Probably go up like a firework with just one carelessly-dropped match, know what I mean?’"
-- Terry Pratchett: Guards! Guards!
This is the problem with Computer security incident response teams (CSIRTs). When they actually have a security incident to handle, they work well. However, security incidents, at least the important ones, are not very frequent. So they tend to overestimate the impact of many so-called security problems, and tend to remind people of their own existence by spamming them, or even demanding replies.
For example, CSIRT MU monitors the network traffic and sends notifications about "suspicious" traffic. The report is an e-mail with a URL where the details can supposedly be found. On that page there is a partial description of the incident, with the complete description available through yet another link. So instead of opening, reading and deleting a single e-mail, one has to read the e-mail, open the included URL, and then follow the link on that page. For example, CSIRT MU sends us notifications about computers in our network "scanning" foreign networks, even though it is clearly visible that the "attack" uses one source and one destination address and lasts for only a few seconds. Which most probably means that someone ran nmap against his own remote machine. So CSIRT sends us their report through their ticket system, and even demands that we respond in time about the cause (each response gets sent back to us twice: once as a group reply, and a second time through their ticket system). After we explain what is probably going on, their response is not a polite "sorry for bothering you with a false positive, we will refine our detection criteria". The response is "OK, I am closing the ticket", and the next day they send us another false positive.
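As an added illustration of the refinement asked for above (this is not CSIRT MU's or CESNET's code; the flow records and the thresholds are constructed assumptions), a small triage step that suppresses the one-source, one-destination, few-seconds case before a ticket is opened, while still flagging a genuine sweep:

```python
"""Triage raw 'scan' alerts before opening a ticket.

Added example, not any CSIRT's detector: a single source touching a single
destination for a few seconds is not a network scan and should not generate
a ticket. The flow format and all thresholds below are constructed assumptions.
"""
from collections import defaultdict

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)
FLOWS = [
    # someone running nmap against their own remote box: 1 src, 1 dst, 5 s
    (1000, "10.0.0.5", "203.0.113.7", 22),
    (1001, "10.0.0.5", "203.0.113.7", 80),
    (1003, "10.0.0.5", "203.0.113.7", 443),
    (1005, "10.0.0.5", "203.0.113.7", 8080),
    # a real horizontal sweep: 1 src, many dsts, same port, over two minutes
    (2000, "10.0.0.9", "198.51.100.1", 445),
    (2010, "10.0.0.9", "198.51.100.2", 445),
    (2030, "10.0.0.9", "198.51.100.3", 445),
    (2060, "10.0.0.9", "198.51.100.4", 445),
    (2120, "10.0.0.9", "198.51.100.5", 445),
]

MIN_DISTINCT_DSTS = 4    # assumed: fewer targets than this is not a sweep
MIN_DURATION_S = 30      # assumed: shorter bursts are a one-off probe
MIN_DISTINCT_PORTS = 20  # assumed: a vertical scan of one host touches many ports

def summarise(flows):
    """Group flows by source: (distinct destinations, distinct ports, time span)."""
    per_src = defaultdict(lambda: {"dsts": set(), "ports": set(), "t": []})
    for ts, src, dst, port in flows:
        s = per_src[src]
        s["dsts"].add(dst); s["ports"].add(port); s["t"].append(ts)
    return {src: (len(s["dsts"]), len(s["ports"]), max(s["t"]) - min(s["t"]))
            for src, s in per_src.items()}

def triage(flows):
    """Return {src: verdict}; only a 'scan' verdict deserves a ticket."""
    verdicts = {}
    for src, (n_dst, n_port, span) in summarise(flows).items():
        horizontal = n_dst >= MIN_DISTINCT_DSTS and span >= MIN_DURATION_S
        vertical = n_dst == 1 and n_port >= MIN_DISTINCT_PORTS
        verdicts[src] = "scan" if (horizontal or vertical) else "single-target probe (no ticket)"
    return verdicts

if __name__ == "__main__":
    for src, verdict in triage(FLOWS).items():
        print(src, "->", verdict)
```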
A few days ago we got another "incident report", this time from CESNET CSIRT. They were notifying us about a new HTTPS server in our network with the Poodlebleed vulnerability. OK, we notified the server owner and got the response "we will eventually look at it, but the same content is available over plain HTTP, and it is only a testing server". Which is a perfectly valid response. But CESNET CSIRT thinks they should spam us every day until this so-called "problem" gets fixed.
In my opinion, something like a CSIRT with dedicated staff should not exist (except maybe in the largest companies). The security response people should be the regular staff doing their own work, expected to drop their regular work immediately should a security incident emerge, and to work on the security incident instead. But dedicated staff have too much time on their hands, and tend to look for opportunities to let people know about their existence. The same way the Ankh-Morpork Firefighters Guild did.
5 replies for this story:
Vašek Stodůlka wrote:
You should create some serious incident for them to keep them busy for a while. :-)
bodik wrote: YES!!
this is very nice feedback and writing about something which I have been thinking about for some time now ... we'll definitely discuss this topic at the next wg meeting. thank you!
Yenya wrote: Re: bodik
Well, the real feedback (a polite one) has been sent in reply to that spam from CESNET CSIRT. So if you really want to help, look at that mail and think about whether it was OK to send out such a report.
bodik wrote: Re: Re: bodik
I'm not a handler nor a regular administrator of that spamming device. I'm just a consultant for the team, so raising a broader discussion (beyond the ticketing system) is the only thing I can do for now ...
Yenya wrote: Re: bodik