[anti-abuse-wg] Adding a "Security Information" contact?

Yes this simply adds to paperwork and extra coding.  It should be relatively trivial with an abuse report / IR oriented ticketing system to separate out genuine DDoS from random desktop firewall complaints about port scans from spam reports from all the outright spam that directly reaches such accounts.


From: anti-abuse-wg <anti-abuse-wg-bounces at ripe.net> on behalf of Carlos Friaças via anti-abuse-wg <anti-abuse-wg at ripe.net>
Date: Saturday, 11 June 2022 at 12:28 PM
To: Ángel González Berdasco <angel.gonzalez at incibe.es>
Cc: gert at space.net <gert at space.net>, anti-abuse-wg at ripe.net <anti-abuse-wg at ripe.net>
Subject: Re: [anti-abuse-wg] Adding a "Security Information" contact?

Hi,
(CSIRT hat on)

I don't really agree with the vision where the taxonomy needs to be
overloaded into object fields.

I always perceived the abuse-c field already as the security-c.
People interested in processing security/abuse issues will take messages
received on the abuse-mailbox: seriously.

Moreover, there are also irt objects.

Regards,
Carlos



On Tue, 7 Jun 2022, Ángel González Berdasco via anti-abuse-wg wrote:

> El mar, 07-06-2022 a las 13:14 +0200, Gert Doering escribió:
>> Hi,
>>
>> On Tue, Jun 07, 2022 at 11:02:19AM +0000, Ángel González Berdasco via
>> anti-abuse-wg wrote:
>>> I don't think the problem would be to add a new attribute if
>> needed.
>>> The problem would be to *define* what should go there (and then get
>>> everyone downstream to use that new attribute)
>>
>> This...  so, what would you suggest?
>>
>> Gert Doering
>>         -- NetMaster
>> --
>
> I would use the Reference Security Incident Taxonomy (RSIT) as
> the classification source, which is the taxonomy used by (most of) the
> CSIRT community. See [1]
>
> So the PTY-MAXGROBECKER network could have:
>
> abuse-c: GROBECKER-ABUSE
>
> and the GROBECKER-ABUSE object:
> abuse-mailbox: general at abuse.grobecker.info
> abuse-mailbox-vulnerable: vulnerability-reports at abuse.grobecker.info
> abuse-mailbox-fraud: fraudabuses at abuse.grobecker.info
>
> where 'vulnerable', 'fraud', etc. are the machine readable tags defined
> in the RSIT for the values in the classification column.
>
> Thus, when CERT BUND wanted to report an unpatched Confluence, they
> would have an incident of type: "Vulnerable ? Vulnerable System", find
> that there is a 'abuse-mailbox-vulnerable' attribute and report it
> there.
>
> Whereas if it was a phishing landing page (incident of type Fraud ?
> Phishing), that would go to fraudabuses at abuse.grobecker.info (from
> 'abuse-mailbox-fraud')
>
> But if it was a host sending out spam, (incident classification Abusive
> Content       ? Spam), having no "abuse-mailbox-abusive-content", it would
> fall back to abuse-mailbox and direct it to
> general at abuse.grobecker.info.
>
>
>
> Does something like this seem sensible to others?
>
>
> Best regards
>
>
>
> 1-
> https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force/blob/master/working_copy/humanv1.md
>
> --
> INCIBE-CERT - Spanish National CSIRT
> https://www.incibe-cert.es/
>
> PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys
>
> ====================================================================
>
> INCIBE-CERT is the Spanish National CSIRT designated for citizens,
> private law entities, other entities not included in the subjective
> scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen
> Jurídico del Sector Público", as well as digital service providers,
> operators of essential services and critical operators under the terms
> of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de
> las redes y sistemas de información" that transposes the Directive (EU)
> 2016/1148 of the European Parliament and of the Council of 6 July 2016
> concerning measures for a high common level of security of network and
> information systems across the Union.
>
> ====================================================================
>
> In compliance with the General Data Protection Regulation of the EU
> (Regulation EU 2016/679, of 27 April 2016) we inform you that your
> personal and corporate data (as well as those included in attached
> documents); and e-mail address, may be included in our records
> for the purpose derived from legal, contractual or pre-contractual
> obligations or in order to respond to your queries. You may exercise
> your rights of access, correction, cancellation, portability,
> limitationof processing and opposition under the terms established by
> current legislation and free of charge by sending an e-mail to
> dpd at incibe.es. The Data Controller is S.M.E. Instituto Nacional de
> Ciberseguridad de España, M.P., S.A. More information is available
> on our website: https://www.incibe.es/proteccion-datos-personales
> and https://www.incibe.es/registro-actividad.
>
> ====================================================================
>
> --
>
> To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://mailman.ripe.net/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20220611/db83d1e8/attachment.html>