Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
lmsaeb
Newcomer I
‎03-05-2019 11:04 AM
‎03-05-2019 11:04 AM

Incident Response Checklist

I was wondering if anyone had a good security incident checklist they would be willing to share? I am a one person shop where I work and assistance would be greatly appreciated. Thanks.

Reply
0 Kudos
11 Replies
rslade
Influencer II
‎03-05-2019 12:42 PM
‎03-05-2019 12:42 PM

> lmsaeb (Newcomer I) posted a new topic in Tech Talk on 03-05-2019 11:04 AM in

> I was wondering if anyone had a good security incident checklist they would be
> willing to share? I am a one person shop where I work and assistance would be
> greatly appreciated.

The Vancouver Chapter/Vancouver Security SIG was once asked to draw up one
such. We worked on it for some time before determining that we simply could not
cover all possible contigencies.

(I *do* have a one-page incident response *planning* chart that I use as a
handout for a seminar on the subject ...)

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
When cryptography is outlawed, bayl bhgynjf jvyy unir rapelcgvba.
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Reply
0 Kudos
emb021
Advocate I
‎03-05-2019 02:01 PM
‎03-05-2019 02:01 PM

A couple of good resources:

 

Blue Team Handbook.  Can get off Amazon.  You'll want vol1, as vol2 is about SOCs.  Website for it http://www.blueteamhandbook.com/  (hope this link works)

 

From NIST, the Computer Security Incident Handling Guide, SP800-61R2, which you can find here:  https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final   

 

The BTH may be more useful.  Gives checklists and the like for the 6 steps of incident response from SANS and most other groups.  NIST basically compresses three of the steps as 1.

 

    

 

 

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
Reply
lmsaeb
Newcomer I
‎03-19-2019 09:17 AM
‎03-19-2019 09:17 AM

Thank you. 

Reply
0 Kudos
lmsaeb
Newcomer I
‎03-19-2019 09:18 AM
‎03-19-2019 09:18 AM

Thanks. I ordered the book. 

Reply
0 Kudos
DLegault
Viewer II
‎04-30-2020 01:17 PM
‎04-30-2020 01:17 PM

I created a checklist using a randomware attack vector that i can share.

Reply
0 Kudos
Gijs
Newcomer I
‎06-26-2020 03:54 AM
‎06-26-2020 03:54 AM

Hi DLegault,

Yes, I would be interested in a Ransonware attack IR checklist. Would appreciate if you can share it, if you don't mind. Thank you in advance.

Reply
0 Kudos
rslade
Influencer II
‎06-26-2020 01:09 PM
‎06-26-2020 01:09 PM

> Gijs (Viewer III) posted a new reply in Tech Talk on 06-26-2020 03:54 AM in the

> Yes, I would be interested in a Ransonware attack IR checklist.

Incident Response Checklist for Ransomware:

1) Make a backup.
2) Make multiple types of backup.
3) Check your backups occasionally.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
La madre degli imbecilli e' sempre incinta.
The moron's mother is always pregnant.
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Reply
0 Kudos
CraginS
Defender I
‎06-27-2020 10:34 AM
‎06-27-2020 10:34 AM

Over a year ago Lisa @lmsaeb asked, "I was wondering if anyone had a good security incident checklist they would be willing to share? I am a one person shop where I work and assistance would be greatly appreciated. Thanks."

 

I apologize for being late to the party, but reviewing the responses I saw a very important resource missing.

 

Be sure to mine the resources of both SANS https://www.sans.org/  and the SANS Technology Institute https://www.sans.edu/ ,

 

Search the following resources for "incident response."

 

SANS Reading Room

SANS Security Policy Templates

SANS Technology Institute Cybersecurity Research Papers

 

Craig

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts
Reply
denbesten
Community Champion
‎06-30-2020 01:55 PM
‎06-30-2020 01:55 PM

@rslade wrote:
Incident Response Checklist for Ransomware:
1) Make a backup.
2) Make multiple types of backup.
3) Check your backups occasionally.

Rob's list is how one mitigates risk regarding ransomware.  To it, I would add:

 

  1. You will need backups that were made prior to infection. Understand the difference between off-line backups, on-line backups and synchronization. Also, understand how your synchronization provider does snapshots (example).
  2. Design processes so you can recreate data that is younger than the most recent backup (or three).  For example, if you are in the payment processing business, you might keep the remittance stubs for a week before throwing them out.  
  3. Document RPO for everything.  If you can only afford to lose 2 hours of work, you need to back up at least every 2 hours, which can be expensive.  The generic "I can't afford to lose anything" is even more expensive. 
  4. Document RTO and business impact for everything. Prior to its detection/containment, malware tends to impact multiple services.  You will need to triage.
  5. Leverage standard system images and data backup/recovery/sync in your daily life (e.g. PC refresh). Once restoring a PC to "yesterday" becomes a non-event, incident response procedures naturally mature.
  6. Understand how to horizontally scale recovery efforts to not be dependent on one smart person or a single "tape drive".
  7. Practice (tabletop and parallel recovery) so that when the rubber hits the road, you can respond instead of react/panic.

The corresponding incident response is pretty much the same as any malware:

  1. Stop the spread. Isolate impacted machines.  Consider increased prophylactic actions to protect at-risk critical machines.
  2. Prevent future infection. Understand what you missed (e.g. how the malware works, what patches might be missing; what you are failing to ingress filter, etc) and fix it.  Force password changes on any impacted accounts.
  3. Clean the mess.  There may be recovery scripts for well-known infections, but re-imaging infected machines is the only way to be "sure", and even then it may not get boot-loader malware.
  4. Restore corporate data from backup.
  5. Recollect everything you did not backup.
  6. Live without that which you can not recollect.
  7. If recollection is insufficient, polish your resume and reflect on the value of backups.

 

Additional items that should be considered:

  1. The trolls got in somehow and compromised your machines.  Was there any hidden damage, persistence or exfiltration?  Can you prove it?
  2. If there is evidential value in the compromised equipment, you might need to recover onto new hardware. 
  3. Involve legal early to understand any contractual and legal notification requirements.
  4. Involve public-relations early to understand how to meet/manage customer expectations as you recover.
Reply