topic Re: Incident Response Checklist in Tech Talk

Incident Response Checklist

lmsaeb — Mon, 09 Oct 2023 09:07:57 GMT

I was wondering if anyone had a good security incident checklist they would be willing to share? I am a one person shop where I work and assistance would be greatly appreciated. Thanks.

Re: Incident Response Checklist

rslade — Tue, 05 Mar 2019 17:42:53 GMT

> lmsaeb (Newcomer I) posted a new topic in Tech Talk on 03-05-2019 11:04 AM in

> I was wondering if anyone had a good security incident checklist they would be
> willing to share? I am a one person shop where I work and assistance would be
> greatly appreciated.

The Vancouver Chapter/Vancouver Security SIG was once asked to draw up one
such. We worked on it for some time before determining that we simply could not
cover all possible contigencies.

(I *do* have a one-page incident response *planning* chart that I use as a
handout for a seminar on the subject ...)

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
When cryptography is outlawed, bayl bhgynjf jvyy unir rapelcgvba.
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Incident Response Checklist

emb021 — Tue, 05 Mar 2019 19:02:50 GMT

A couple of good resources:

Blue Team Handbook. Can get off Amazon. You'll want vol1, as vol2 is about SOCs. Website for it http://www.blueteamhandbook.com/ (hope this link works)

From NIST, the Computer Security Incident Handling Guide, SP800-61R2, which you can find here: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

The BTH may be more useful. Gives checklists and the like for the 6 steps of incident response from SANS and most other groups. NIST basically compresses three of the steps as 1.

Re: Incident Response Checklist

lmsaeb — Tue, 19 Mar 2019 13:17:47 GMT

Thank you.

Re: Incident Response Checklist

lmsaeb — Tue, 19 Mar 2019 13:18:18 GMT

Thanks. I ordered the book.

Re: Incident Response Checklist

DLegault — Thu, 30 Apr 2020 17:17:43 GMT

I created a checklist using a randomware attack vector that i can share.

Re: Incident Response Checklist

Gijs — Fri, 26 Jun 2020 07:54:20 GMT

Hi DLegault,

Yes, I would be interested in a Ransonware attack IR checklist. Would appreciate if you can share it, if you don't mind. Thank you in advance.

Re: Incident Response Checklist

rslade — Fri, 26 Jun 2020 17:09:40 GMT

> Gijs (Viewer III) posted a new reply in Tech Talk on 06-26-2020 03:54 AM in the

> Yes, I would be interested in a Ransonware attack IR checklist.

Incident Response Checklist for Ransomware:

1) Make a backup.
2) Make multiple types of backup.
3) Check your backups occasionally.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
La madre degli imbecilli e' sempre incinta.
The moron's mother is always pregnant.
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

Re: Incident Response Checklist

CraginS — Sat, 27 Jun 2020 14:34:22 GMT

Over a year ago Lisa @lmsaeb asked, "I was wondering if anyone had a good security incident checklist they would be willing to share? I am a one person shop where I work and assistance would be greatly appreciated. Thanks."

I apologize for being late to the party, but reviewing the responses I saw a very important resource missing.

Be sure to mine the resources of both SANS https://www.sans.org/ and the SANS Technology Institute https://www.sans.edu/ ,

Search the following resources for "incident response."

SANS Reading Room

SANS Security Policy Templates

SANS Technology Institute Cybersecurity Research Papers

Craig

Re: Incident Response Checklist

denbesten — Tue, 30 Jun 2020 17:55:10 GMT

@rslade wrote:
Incident Response Checklist for Ransomware:
1) Make a backup.
2) Make multiple types of backup.
3) Check your backups occasionally.

Rob's list is how one mitigates risk regarding ransomware. To it, I would add:

You will need backups that were made prior to infection. Understand the difference between off-line backups, on-line backups and synchronization. Also, understand how your synchronization provider does snapshots (example).
Design processes so you can recreate data that is younger than the most recent backup (or three). For example, if you are in the payment processing business, you might keep the remittance stubs for a week before throwing them out.
Document RPO for everything. If you can only afford to lose 2 hours of work, you need to back up at least every 2 hours, which can be expensive. The generic "I can't afford to lose anything" is even more expensive.
Document RTO and business impact for everything. Prior to its detection/containment, malware tends to impact multiple services. You will need to triage.
Leverage standard system images and data backup/recovery/sync in your daily life (e.g. PC refresh). Once restoring a PC to "yesterday" becomes a non-event, incident response procedures naturally mature.
Understand how to horizontally scale recovery efforts to not be dependent on one smart person or a single "tape drive".
Practice (tabletop and parallel recovery) so that when the rubber hits the road, you can respond instead of react/panic.

The corresponding incident response is pretty much the same as any malware:

Stop the spread. Isolate impacted machines. Consider increased prophylactic actions to protect at-risk critical machines.
Prevent future infection. Understand what you missed (e.g. how the malware works, what patches might be missing; what you are failing to ingress filter, etc) and fix it. Force password changes on any impacted accounts.
Clean the mess. There may be recovery scripts for well-known infections, but re-imaging infected machines is the only way to be "sure", and even then it may not get boot-loader malware.
Restore corporate data from backup.
Recollect everything you did not backup.
Live without that which you can not recollect.
If recollection is insufficient, polish your resume and reflect on the value of backups.

Additional items that should be considered:

The trolls got in somehow and compromised your machines. Was there any hidden damage, persistence or exfiltration? Can you prove it?
If there is evidential value in the compromised equipment, you might need to recover onto new hardware.
Involve legal early to understand any contractual and legal notification requirements.
Involve public-relations early to understand how to meet/manage customer expectations as you recover.

Re: Incident Response Checklist

crycos — Fri, 06 May 2022 15:49:54 GMT

If it helps, I don't mind sharing (of course after removing everything that's confidential to my organization) the Incident Response Checklist that I specifically built for when a Ransomware attack is observed on the network. It has been tested, reviewed and vetted by large consulting firms.

Re: Incident Response Checklist

Caute_cautim — Sat, 07 May 2022 05:52:05 GMT

@crycosGreat Idea, everyone could certainly appreciate your check list, and experience.

Regards

Caute_Cautim