NIST SP 800-61
Handling an Incident
3.3. Identifying the Attacking Hosts
During incident handling, system owners and others sometimes want to or need to identify the attacking
host or hosts. Although this information can be important, incident handlers should generally stay focused
on containment, eradication, and recovery. Identifying an attacking host can be a time-consuming and
futile process that can prevent a team from achieving its primary goal – minimizing the business impact.
The following items describe the most commonly performed activities for attacking host identification:
- Validating the Attacking Host's IP Address. New incident handlers often focus on the attacking
host's IP address. The handler may attempt to validate that the address was not spoofed by verifying
connectivity to it; however, this simply indicates that a host at that address does or does not respond
to the requests. A failure to respond does not mean the address is not real – for example, a host may
be configured to ignore pings and traceroutes. Also, the attacker may have received a dynamic
address that has already been reassigned to someone else.
- Researching the Attacking Host through Search Engines. Performing an Internet search using the
apparent source IP address of an attack may lead to more information on the attack – for example, a
mailing list message regarding a similar attack.
- Using Incident Databases. Several groups collect and consolidate incident data from various
organizations into incident databases. This information sharing may take place in many forms, such
as trackers and real-time blacklists. The organization can also check its own knowledge base or issue
tracking system for related activity.
- Monitoring Possible Attacker Communication Channels. Incident handlers can monitor communication channels that may be used by an attacking host. For example, many bots use IRC as their primary means of communication. Also, attackers may congregate on certain IRC channels to brag about their compromises and share information. However, incident handlers should treat any such information that they acquire only as a potential lead, not as fact.
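The check of the organization's own issue tracking system described above can be sketched as follows. This is an added example, not part of NIST SP 800-61; the ticket format, the /24 grouping, the 30-day staleness window, and the function names are assumptions, and it handles IPv4 only.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample tickets (hypothetical format; addresses are documentation ranges).
TICKETS = [
    {"id": "T-101", "opened": "2024-03-01", "text": "Repeated SSH login failures from 203.0.113.45 against bastion."},
    {"id": "T-117", "opened": "2024-05-28", "text": "Port scan seen from 203.0.113.77 and 198.51.100.9."},
    {"id": "T-120", "opened": "2024-06-02", "text": "Phishing mail relayed via 203.0.113.45, same lure as earlier case."},
    {"id": "T-125", "opened": "2024-06-03", "text": "Printer firmware 10.2.300.1 update failed."},
]

IPV4_CANDIDATE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def extract_addresses(text):
    """Return valid IPv4 addresses found in free text; malformed candidates are skipped."""
    found = set()
    for candidate in IPV4_CANDIDATE.findall(text):
        try:
            found.add(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # e.g. version strings such as 10.2.300.1
    return found

def related_tickets(source_ip, incident_date, tickets, max_age_days=30, prefix=24):
    """Rank earlier tickets that mention the source address or its surrounding network."""
    src = ipaddress.ip_address(source_ip)
    net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
    when = datetime.strptime(incident_date, "%Y-%m-%d")
    leads = []
    for t in tickets:
        addrs = extract_addresses(t["text"])
        if src in addrs:
            match = "exact"
        elif any(a in net for a in addrs):
            match = "same-network"
        else:
            continue
        age = when - datetime.strptime(t["opened"], "%Y-%m-%d")
        # An old match is weaker: a dynamic address may have been reassigned since.
        stale = age > timedelta(days=max_age_days)
        leads.append({"id": t["id"], "match": match, "age_days": age.days, "stale": stale})
    # Exact and recent matches first; all results are leads to verify, not findings.
    return sorted(leads, key=lambda l: (l["match"] != "exact", l["stale"], l["age_days"]))

if __name__ == "__main__":
    for lead in related_tickets("203.0.113.45", "2024-06-05", TICKETS):
        print(lead)
```

The `stale` flag reflects the dynamic-address caveat in the first item: an older ticket naming the same address may describe a different host.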