Incident Response and Handling Procedures Checklists

Columns: No. | Activity | Detail | Status | Notes

1. Determine appropriate response
   • Identify the problem
   • Initially, assess the situation to determine current status (e.g., Did an incident occur? Is it over? Is it still spreading?)
   • Determine if the incident is criminal in nature; if so, contact law enforcement; otherwise dispatch the response handler to the scene to preserve evidence
   • Determine if keystroke monitoring is required
   • Ensure that audits are turned on (they should already be on) and that they cover the entire period during which the file was accessible
   Status: ____  Notes: ____

2. Collect and safeguard the information
   • Obtain the most volatile evidence first, including human testimony
   • Record everything: annotate dates/times, actions taken, interviews/contacts, extent of the problem, etc.
   • Log the information in a medium that maintains the integrity of the investigation (i.e., a bound legal notebook that would reveal missing pages, written in ink rather than pencil)
   Status: ____  Notes: ____

3. Contain the situation. At this point, the threat (e.g., malicious code) has occurred.
   • Determine if the system/network must be shut down or taken offline
   • Estimate the impact to operations if the system/network is taken offline
   • Determine the best course of action to minimize downtime
   • Follow procedures for an appropriate, measured response for isolation
   Status: ____  Notes: ____

4. Assemble the incident management team
   • Ensure that everyone recognizes only one team leader/coordinator
   • Estimate the level of effort involved
   • Determine if additional expertise outside of the team's skills is required
   • Agree on a best course of action
   • Ensure management approval and support
   Status: ____  Notes: ____

5. Create evidence disk(s) and printouts
   • Find the evidence; employ active and passive techniques to determine the full extent of the problem; if e-mail is involved, ensure that all envelope/header information is included
   • Determine what evidence is relevant to the case at hand
   • Collect evidence in order of volatility, working from the most volatile to the least volatile (i.e., registers, cache, operating system tables, kernel statistics and modules, main memory, temporary files, router configuration)
   • Copy the evidence to two compact disks: one to be safeguarded as part of the legal chain of custody and the second to be used in the investigation (use CD-R rather than CD-RW media to prevent the possibility of modification to copies)
   • Manage the evidence chain of custody
   Status: ____  Notes: ____

6. Eradicate/clean up/recover
   • Assess the damage
   • Ensure that the latest virus signature files are installed and the system is inoculated
   • Search for all instances; check backup/archived files, shadow/mirrored files, search engines, caching proxies, and metadata for instances of the offending file/information; don't forget to check wastebaskets
   • Notify users prior to fully restoring system/network operations
   • Restore the system/network to a secure operational state
   Status: ____  Notes: ____

7. Prepare preliminary status report for management and other authorities
   • Analyze the forensic evidence to reconstruct the events and determine cause, time, place, etc.
   • Estimate damage and costs
   • Obtain an information damage assessment from the data owner(s)
   • Create memos recording daily status to keep interested parties "in the loop"
   Status: ____  Notes: ____

8. Document and report all activity
   • Report the incident to cognizant authorities (e.g., management, data owners, accreditation authorities, law enforcement, Computer Emergency Response Team)
   Status: ____  Notes: ____

9. Lessons learned: make appropriate process improvements to prevent similar incidents
   • Analyze the causes of the incident (remember that it is usually a combination of factors)
   • Determine whether policies and procedures need to be modified to prevent recurrence
   • Determine whether additional training is required
   • Determine whether administrative actions are warranted
   • Follow up to ensure corrective actions are implemented
   Status: ____  Notes: ____
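Two of the checklist items above, logging activity in a medium that reveals tampering (the bound notebook in ink) and safeguarding evidence copies under a chain of custody, have a direct electronic counterpart. The following added example (not part of the original checklist) shows one way to do both: an evidence manifest that records a SHA-256 digest for every collected file so a working copy can later be checked against the safeguarded original, and an append-only activity log where each entry hashes the one before it, so a removed or edited entry breaks the chain. File names, actor names and the sample file contents are constructed for the demonstration.

```python
"""Evidence manifest and hash-chained activity log for incident handling.

Added example; the file names, actors and contents below are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large evidence images do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths, collector):
    """Record name, size, digest, collection time and collector for each evidence file."""
    return [
        {
            "file": os.path.basename(p),
            "bytes": os.path.getsize(p),
            "sha256": sha256_file(p),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        }
        for p in paths
    ]


def verify_copy(manifest, copy_dir):
    """Return the names of files whose working copy no longer matches the manifest."""
    mismatches = []
    for entry in manifest:
        path = os.path.join(copy_dir, entry["file"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            mismatches.append(entry["file"])
    return mismatches


class ActivityLog:
    """Append-only log: each entry carries the hash of the previous entry."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor, action):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "prev": self._prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self._prev = entry["hash"]
        return entry["hash"]

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1


def demo():
    """Run the whole flow on constructed evidence and return the check results."""
    with tempfile.TemporaryDirectory() as work:
        original = os.path.join(work, "original")   # the safeguarded copy
        working = os.path.join(work, "working")     # the investigator's copy
        os.makedirs(original)
        for name, data in {"mail.eml": b"Received: from ...\n", "notes.txt": b"interview\n"}.items():
            with open(os.path.join(original, name), "wb") as f:
                f.write(data)
        paths = sorted(os.path.join(original, n) for n in os.listdir(original))
        manifest = build_manifest(paths, collector="handler-1")
        shutil.copytree(original, working)
        clean = verify_copy(manifest, working)          # expect no mismatches
        with open(os.path.join(working, "notes.txt"), "ab") as f:
            f.write(b"edited later\n")                  # simulate an altered working copy
        tampered = verify_copy(manifest, working)       # expect ["notes.txt"]

    log = ActivityLog()
    log.append("handler-1", "imaged host; manifest created")
    log.append("handler-1", "working copy handed to analyst-2")
    intact = log.verify()                               # expect -1
    log.entries[0]["action"] = "reworded after the fact"
    broken_at = log.verify()                            # expect 0
    return {"clean": clean, "tampered": tampered, "intact": intact, "broken_at": broken_at}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest goes onto the safeguarded media together with the evidence, and the log is exported (for example as JSON) alongside it, so that anyone reviewing the case can re-run `verify_copy` and `ActivityLog.verify` rather than trust the handler's word.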