DEFINITIONS OF INCIDENTS
1. Malicious Codes
Malicious code is the term used to describe any code in any part of a software system or script that is intended to cause undesired effects, security breaches or damage to a system. Malicious code describes a broad category of system security terms that includes attack scripts, viruses, worms, Trojan horses, backdoors, and malicious active content.
1.1 Malicious Codes – Botnet C&C
Botnet is a jargon term for a collection of software agents, or robots, that run autonomously and automatically. The term is most commonly associated with malicious software, but it can also refer to the network of computers using distributed computing software. While botnets are often named after their malicious software name, there are typically multiple botnets in operation using the same malicious software families but operated by different criminal entities.
1.2 Malicious Codes – Bots
A bot typically runs hidden and uses a covert channel (e.g. IRC, twitter or IM) to communicate with its C&C server. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, etc). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. The process of stealing computing resources as a result of a system being joined to a "botnet" is sometimes referred to as "scrumping."
1.3 Malicious Codes – Malware
Malware, short for malicious software, is software designed to infiltrate a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. The term "computer virus" is sometimes used as a catch-all phrase to include all types of malware, including true viruses.
1.4 Malicious Codes – Malware Hosting
Definition of Malware hosting is where the malware resides whether at a comprise server or client PC that have been infected by virus/malware. Malicious software that is installed on a user’s machine without their consent.
2. DOS
A denial of service (DOS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. In a distributed denial-of-service, large numbers of compromised systems (sometimes called a botnet) attack a single target.
3. Fraud
The term fraud generally refers to any type of fraud scheme that uses one or more online services to present fraudulent solicitations to prospective victims, to conduct fraudulent transactions, or to transmit the proceeds of fraud to financial institutions or to others connected with the scheme. Internet fraud can take place on computer programs such as chat rooms, e-mail, message boards, or Web sites.
3.1 Fraud – Phishing
Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or online banking are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
3.2 Fraud – Fraud Site
Scammer usually create a fraud website that to entice user on acquire their service or buy certain product which actually not providing actual goods or services. This particular fraud site also has the possibility embedded with Malware / Trojan software in which will infect unsuspected visitors.
3.3 Fraud - Lottery Scam
Lottery scams are one of the most common types of fraudulent email currently hitting inboxes. Scammer will informs that you have won a large sum of money in an international lottery. This is a common Internet scam. There is no lottery and no prize. Those who initiate a dialogue with the scammers by replying to the lottery scam emails will eventually be asked for advanced fees to cover expenses associated with delivery of the supposed "winnings".
3.4 Fraud – Impersonation & Spoofing
Impersonation is a phishing technique. Cybercriminals create email address that look legitimate to trick their targets into trusting them
A spoofing attack happens when a person or program successfully identifies as another by falsifying data to gain an illegitimate advantage.
3.5 Fraud - Business Email Compromised
Business email compromise (BEC) is a scam which an attacker targets a business to defraud the company. BEC attackers rely heavily on social engineering tactics to trick unsuspecting employees and executives. Often, they impersonate CEO or any executive authorized to do wire transfers. BEC is sometimes described as a “man-in-the-email attack”.
3.6 Fraud – Bogus Email
Bogus email is intentional deception for either personal gain or to damage another individual via email. Almost as soon as email became widely used, it is exploited to defraud people.
3.7 Fraud – Love/Parcel Scam
Love/Parcel scam involves romantic intentions towards the prey where perpetrator pretend to form a relationship via online platform by gaining their trust and affection using fake online identity. The most common tactic is by sending huge love pack consisting of luxury items and cash to victim. Perpetrator then, inform victim the parcels are detained for inspection by the authorities and provide fake tracking email as evidence.
3.8 Fraud – Job Scam
Job scams, also known as employment scams, are a type of advance fee scam that targets potential victims, obviously job seekers, on the net. The scam poses as a recruitment agency from well known companies in the Oil & Gas, Cruise Liner, Mega Yacht sectors. They offer attractive remuneration packages and benefits when actually it operates with malicious motives to obtain money in advance from interested job seekers in the name of processing fees, work visas, travel expenses and so on.
4 Intrusion Attempt
4.1 Intrusion Attempt- Port Scanning
The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.
4.2 Intrusion Attempt - Login Brute Force
The systematic, exhaustive testing of all possible methods that can be used to break a security system. For example, in cryptanalysis, trying all possible keys in the keyspace to decrypt a ciphertext, or trying to automate ssh login : username and password attack.
4.3 Intrusion Attempt - Vulnerabilities Probes
The automated process of proactively identifying vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened.
5. Content Related
5.1 Content Related - Data breach
Data breach expose confidential, sensitive, or protected information to an unauthorised person to view and/or share these files without permission.
6. Intrusion
Intrusion is referred to the unauthorized access or illegal access to a system or network, successfully. This could be the act of root compromise, web defacements, installation of malicious programs, ie backdoor or trojan.
6.1 Intrusion – Account compromise
An account compromise is the unauthorized use of a computer account by someone other than the account owner, might expose the victim to serious data loss, data theft, or theft of services. The lack of root-level access means that the damage can usually be contained, but a user-level account is often an entry point for greater access to the system.
6.2 Intrusion – Defacement
Also referred to as Web defacement or Web site defacement, a form of malicious hacking in which a Web site is “vandalized.” Often the malicious hacker will replace the site’s normal content with a specific political or social message or will erase the content from the site entirely, relying on known security vulnerabilities for access to the site’s content.
7. Spam
7.1 Spam – Spam
Unsolicited e-mail, often of a commercial nature, sent indiscriminately to multiple mailing lists, individuals, or newsgroups; junk e-mail.
7.2 Spam – Spam Relay
Sending mail to a destination via a third-party mail server or proxy server in order to hide the address of the source of the mail. When e-mail servers (SMTP servers) are used, it is known as an "open relay" or "SMTP relay," and spammers commonly used this method in the past when SMTP servers were not locked down.
8. Vulnerabilities Report
A security vulnerability is a flaw in a product that makes it infeasible – even when using the product properly —to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming un granted trust.
8.1 Vulnerabilities Report – Misconfiguration (Disclosure)
A problem exists with certain configuration that may allow root access or system compromise from any account on the system.
8.2 Vulnerabilities Report - Web
User or complainant report vulnerabilities which related to Web sites.
8.3 Vulnerabilities Report – System
User or complainant report vulnerabilities on any specific system.
Service Level Agreement (SLA)
MyCERT will use the following guidelines in prioritizing incidents and will respond to the incident within the target time frame. Actual response times may be shorter or longer depending on the volume and complexity of incidents.
NOTE/DISCLAIMER: * Response Time is defined as the time taken between receiving of an incident and the time taken by a MyCERT staff to begin working on the incident which include analysis, communication and sending notifications to respective parties. Due to the wide diversity, complexity of incidents that can occur, and the methods needed to resolve them, response time IS NOT defined as the time taken between receiving of an incident and problem resolution.