Security Incident Questionnaire Cheat Sheet

QUESTIONNAIRE FOR RESPONDERS

Tips for assisting incident handlers in assessing the situation when responding to a qualified incident.

Understand the Incident's Background

- What is the nature of the problem, as it has been observed so far?
- How was the problem initially detected? When was it detected and by whom?
- What security infrastructure components exist in the affected environment? (e.g., firewall, antivirus, etc.)
- What is the security posture of the affected IT infrastructure components? How recently, if ever, was it assessed for vulnerabilities?
- What groups or organizations were affected by the incident? Are they aware of the incident?
- Were other security incidents observed on the affected environment or in the organization recently?

Define Communication Parameters

- Which individuals are aware of the incident? What are their names and group or company affiliations?
- Who is designated as the primary incident response coordinator?
- Who is authorized to make business decisions regarding the affected operations? (This is often an executive.)
- What mechanisms will the team use to communicate when handling the incident? (e.g., email, phone conference, etc.) What encryption capabilities should be used?
- What is the schedule of internal regular progress updates? Who is responsible for them?
- What is the schedule of external regular progress updates? Who is responsible for leading them?
- Who will conduct the "in the field" examination of the affected IT infrastructure? Note their name, title, phone (mobile and office), and email details.
- Who will interface with legal, executive, public relations, and other relevant internal teams?

Assess the Incident's Scope

- What IT infrastructure components (servers, websites, networks, etc.) are directly affected by the incident?
- What applications and data processes make use of the affected IT infrastructure components?
- Are we aware of compliance or legal obligations tied to the incident? (e.g., PCI, breach notification laws, etc.)
- What are the possible ingress and egress points for the affected environment?
- What theories exist for how the initial compromise occurred?
- Does the affected IT infrastructure pose any risk to other organizations?

Review the Initial Incident Survey's Results

- What analysis actions were taken during the initial survey when qualifying the incident?
- What commands or tools were executed on the affected systems as part of the initial survey?
- What measures were taken to contain the scope of the incident? (e.g., disconnected from the network)
- What alerts were generated by the existing security infrastructure components? (e.g., IDS, antivirus, etc.)
- If logs were reviewed, what suspicious entries were found? What additional suspicious events or state information was observed?

Prepare for Next Incident Response Steps

- Does the affected group or organization have specific incident response instructions or guidelines?
- Does the affected group or organization wish to proceed with live analysis, or does it wish to start a formal forensic examination?
- Where are the affected IT infrastructure components physically located?
- What backup-restore capabilities are in place to assist in recovering from the incident?
- What mechanisms exist to transfer files to and from the affected IT infrastructure components during the analysis? (e.g., network, USB, CD-ROM, etc.)
- What tools are available to us for monitoring network or host-based activities in the affected environment?
- What are the next steps for responding to this incident? (Who will do what and when?)

Key Incident Response Steps

1. Preparation: Gather and learn the necessary tools, become familiar with your environment.
2. Identification: Detect the incident, determine its scope, and involve the appropriate parties.
3. Containment: Contain the incident to minimize its effect on neighboring IT resources.
4. Eradication: Eliminate compromise artifacts, if necessary, on the path to recovery.
5. Recovery: Restore the system to normal operations, possibly via reinstall or backup.
6. Wrap-up: Document the incident's details, retain collected data, and discuss lessons learned.
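Two of the questions above ("What commands or tools were executed on the affected systems as part of the initial survey?" and "If logs were reviewed, what suspicious entries were found?") are much easier to answer if the survey was recorded as it happened. The wrapper below is an added example and is not part of the original cheat sheet: it runs each survey command, keeps its output in an evidence directory, and appends one line per command (UTC timestamp, user and host, exit status, SHA-256 of the captured output) to a log, so the outputs can later be shown to be unaltered. It assumes a POSIX shell with `sha256sum` or `shasum`, `id`, `uname` and `date`; the function names, log format and evidence directory are this example's own choices, not anything the cheat sheet prescribes.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): evidence-preserving wrapper
# for initial-survey commands. Assumes POSIX sh plus sha256sum (or shasum),
# id, uname and date. Function names and the log format are this example's own.

# evidence_hash <file>: SHA-256 hex digest of a file, portable across common userlands
evidence_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# survey_run <evidence_dir> <label> <command...>
# Runs the command, stores stdout+stderr in <evidence_dir>/<label>.out and appends
#   <UTC timestamp> <user>@<host> exit=<code> sha256=<hash> <label>: <command>
# to <evidence_dir>/survey.log. Returns the command's own exit status.
survey_run() {
    dir=$1; label=$2; shift 2
    out="$dir/$label.out"
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    rc=0
    "$@" >"$out" 2>&1 || rc=$?            # never abort the survey on a failing command
    printf '%s %s@%s exit=%s sha256=%s %s: %s\n' \
        "$stamp" "$(id -un)" "$(uname -n)" "$rc" "$(evidence_hash "$out")" \
        "$label" "$*" >>"$dir/survey.log"
    return "$rc"
}

# survey_count <evidence_dir>: number of commands recorded so far
survey_count() {
    wc -l <"$1/survey.log" | tr -d ' '
}

# survey_verify <evidence_dir>: exit 0 if every stored output still matches the
# hash logged at collection time, 1 if any output was modified afterwards
survey_verify() {
    dir=$1
    status=0
    while read -r _stamp _who _rc hashfield label _rest; do
        label=${label%:}
        expected=${hashfield#sha256=}
        actual=$(evidence_hash "$dir/$label.out")
        [ "$expected" = "$actual" ] || { echo "MISMATCH $label" >&2; status=1; }
    done <"$dir/survey.log"
    return "$status"
}

# Usage on an affected host (write evidence to removable or remote storage, not
# to the compromised disk):
#   E=/mnt/usb/evidence/$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ); mkdir -p "$E"
#   survey_run "$E" processes ps -ef
#   survey_run "$E" listeners netstat -an
#   survey_run "$E" logins    last -a
#   survey_verify "$E" && echo "evidence intact"
```

Every command run this way still executes on the affected system and changes its state (process list, file access times, possibly attacker-visible activity), which is exactly why the questionnaire asks whether the organization wants live analysis or a formal forensic examination before the survey goes further; the log lets the responder report precisely what was run and when, so that later forensic work can distinguish responder activity from the attacker's.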
Additional Incident Response References

- Incident Survey Cheat Sheet for Server Administrators
  http://zeltser.com/network-os-security/security-incident-survey-cheat-sheet.html
- Windows Intrusion Discovery Cheat Sheet
  http://sans.org/resources/winsacheatsheet.pdf
- Checking Windows for Signs of Compromise
  http://www.ucl.ac.uk/cert/win_intrusion.pdf
- Linux Intrusion Discovery Cheat Sheet
  http://sans.org/resources/linsacheatsheet.pdf
- Checking Unix/Linux for Signs of Compromise
  http://www.ucl.ac.uk/cert/nix_intrusion.pdf
Authored by Lenny Zeltser, who leads a security consulting team at SAVVIS, and teaches malware analysis at SANS Institute. Special thanks for feedback to Jack McCarthy and Patrick Nolan.

Creative Commons v3 Attribution License for this cheat sheet v. 1.2. More cheat sheets?