lmsaeb
Newcomer I

Incident Response Checklist

I was wondering if anyone had a good security incident checklist they would be willing to share? I am a one person shop where I work and assistance would be greatly appreciated. Thanks.

11 Replies
rslade
Influencer II

> lmsaeb (Newcomer I) posted a new topic in Tech Talk on 03-05-2019 11:04 AM in

> I was wondering if anyone had a good security incident checklist they would be
> willing to share? I am a one person shop where I work and assistance would be
> greatly appreciated.

The Vancouver Chapter/Vancouver Security SIG was once asked to draw up one
such. We worked on it for some time before determining that we simply could not
cover all possible contingencies.

(I *do* have a one-page incident response *planning* chart that I use as a
handout for a seminar on the subject ...)

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
When cryptography is outlawed, bayl bhgynjf jvyy unir rapelcgvba.
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
emb021
Advocate I

A couple of good resources:

Blue Team Handbook. Can get off Amazon. You'll want vol1, as vol2 is about SOCs. Website for it http://www.blueteamhandbook.com/ (hope this link works)

From NIST, the Computer Security Incident Handling Guide, SP800-61R2, which you can find here: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

The BTH may be more useful. Gives checklists and the like for the 6 steps of incident response from SANS and most other groups. NIST basically compresses three of the steps as 1.

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
lmsaeb
Newcomer I

Thank you. 

lmsaeb
Newcomer I

Thanks. I ordered the book. 

DLegault
Viewer II

I created a checklist using a ransomware attack vector that I can share.

Gijs
Newcomer I

Hi DLegault,

Yes, I would be interested in a Ransomware attack IR checklist. Would appreciate if you can share it, if you don't mind. Thank you in advance.

rslade
Influencer II

> Gijs (Viewer III) posted a new reply in Tech Talk on 06-26-2020 03:54 AM in the

> Yes, I would be interested in a Ransomware attack IR checklist.

Incident Response Checklist for Ransomware:

1) Make a backup.
2) Make multiple types of backup.
3) Check your backups occasionally.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
La madre degli imbecilli e' sempre incinta.
The moron's mother is always pregnant.
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
CraginS
Defender I

Over a year ago Lisa @lmsaeb asked, "I was wondering if anyone had a good security incident checklist they would be willing to share? I am a one person shop where I work and assistance would be greatly appreciated. Thanks."

I apologize for being late to the party, but reviewing the responses I saw a very important resource missing.

Be sure to mine the resources of both SANS (https://www.sans.org/) and the SANS Technology Institute (https://www.sans.edu/).

Search the following resources for "incident response."

SANS Reading Room

SANS Security Policy Templates

SANS Technology Institute Cybersecurity Research Papers


Craig

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
denbesten
Community Champion

@rslade wrote:
Incident Response Checklist for Ransomware:
1) Make a backup.
2) Make multiple types of backup.
3) Check your backups occasionally.

Rob's list is how one mitigates risk regarding ransomware. To it, I would add:

  1. You will need backups that were made prior to infection. Understand the difference between off-line backups, on-line backups and synchronization. Also, understand how your synchronization provider does snapshots (example).
  2. Design processes so you can recreate data that is younger than the most recent backup (or three). For example, if you are in the payment processing business, you might keep the remittance stubs for a week before throwing them out.
  3. Document RPO for everything. If you can only afford to lose 2 hours of work, you need to back up at least every 2 hours, which can be expensive. The generic "I can't afford to lose anything" is even more expensive.
  4. Document RTO and business impact for everything. Prior to its detection/containment, malware tends to impact multiple services. You will need to triage.
  5. Leverage standard system images and data backup/recovery/sync in your daily life (e.g. PC refresh). Once restoring a PC to "yesterday" becomes a non-event, incident response procedures naturally mature.
  6. Understand how to horizontally scale recovery efforts to not be dependent on one smart person or a single "tape drive".
  7. Practice (tabletop and parallel recovery) so that when the rubber hits the road, you can respond instead of react/panic.

The corresponding incident response is pretty much the same as any malware:

  1. Stop the spread. Isolate impacted machines. Consider increased prophylactic actions to protect at-risk critical machines.
  2. Prevent future infection. Understand what you missed (e.g. how the malware works, what patches might be missing, what you are failing to ingress filter, etc.) and fix it. Force password changes on any impacted accounts.
  3. Clean the mess. There may be recovery scripts for well-known infections, but re-imaging infected machines is the only way to be "sure", and even then it may not get boot-loader malware.
  4. Restore corporate data from backup.
  5. Recollect everything you did not backup.
  6. Live without that which you cannot recollect.
  7. If recollection is insufficient, polish your resume and reflect on the value of backups.


Additional items that should be considered:

  1. The trolls got in somehow and compromised your machines.  Was there any hidden damage, persistence or exfiltration?  Can you prove it?
  2. If there is evidential value in the compromised equipment, you might need to recover onto new hardware. 
  3. Involve legal early to understand any contractual and legal notification requirements.
  4. Involve public-relations early to understand how to meet/manage customer expectations as you recover.
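The recovery items above (backups made prior to infection, sync replicas versus real backups, the RPO, and Rob's "check your backups occasionally") can be turned into a small decision procedure. The following is an added example for this thread, not code posted by denbesten, rslade or anyone else here: it walks a constructed backup catalogue, excludes synchronization replicas (which mirror the encrypted files rather than preserving a pre-infection copy), drops any backup whose content no longer matches the digest recorded when it was written, picks the newest surviving pre-infection restore point, reports the resulting data-loss window, and checks the backup cadence against a stated RPO. All names, timestamps, digests and payloads are constructed sample data.

```python
"""Restore-point selection and RPO check for a ransomware recovery.

Added example; the catalogue, timestamps and payloads are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    name: str
    taken_at: datetime
    kind: str      # "offline", "online" or "sync"
    sha256: str    # digest recorded when the backup was written


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed content. The sync replica already holds the encrypted files.
GOOD_PAYLOAD = b"ledger rows 1..1000\n"
ENCRYPTED = b"encrypted garbage"

# Constructed catalogue: a weekly offline copy, nightly online copies, and a
# continuous sync. "nightly-0613" carries a digest that no longer matches its
# content, standing in for a backup job that failed or was tampered with.
CATALOGUE = [
    Backup("offline-0610", datetime(2020, 6, 10, 2, 0), "offline", digest(GOOD_PAYLOAD)),
    Backup("nightly-0611", datetime(2020, 6, 11, 2, 0), "online", digest(GOOD_PAYLOAD)),
    Backup("nightly-0612", datetime(2020, 6, 12, 2, 0), "online", digest(GOOD_PAYLOAD)),
    Backup("nightly-0613", datetime(2020, 6, 13, 2, 0), "online", "0" * 64),
    Backup("sync-0613", datetime(2020, 6, 13, 11, 30), "sync", digest(ENCRYPTED)),
]
PAYLOADS = {
    "offline-0610": GOOD_PAYLOAD,
    "nightly-0611": GOOD_PAYLOAD,
    "nightly-0612": GOOD_PAYLOAD,
    "nightly-0613": GOOD_PAYLOAD,   # content present, but recorded digest is wrong
    "sync-0613": ENCRYPTED,
}
INFECTION_TIME = datetime(2020, 6, 13, 9, 45)   # constructed: when encryption started


def verify(backup: Backup, payloads: dict) -> bool:
    """A backup is usable only if its current content matches the recorded digest."""
    data = payloads.get(backup.name)
    return data is not None and digest(data) == backup.sha256


def candidate_restore_points(catalogue, infection_time: datetime):
    """Non-sync backups taken before infection, newest first."""
    return sorted(
        (b for b in catalogue if b.kind != "sync" and b.taken_at < infection_time),
        key=lambda b: b.taken_at,
        reverse=True,
    )


def choose_restore_point(catalogue, infection_time: datetime, payloads: dict):
    """Newest pre-infection backup that still verifies, plus the data-loss window.

    Returns (None, None) when no candidate verifies, i.e. recovery must fall
    back to recollecting data by other means.
    """
    for b in candidate_restore_points(catalogue, infection_time):
        if verify(b, payloads):
            return b, infection_time - b.taken_at
    return None, None


def rpo_met(catalogue, rpo: timedelta, as_of: datetime):
    """Compare the worst gap between consecutive non-sync backups (and from the
    last one up to as_of) against the documented RPO."""
    times = sorted(b.taken_at for b in catalogue if b.kind != "sync") + [as_of]
    worst = max(later - earlier for earlier, later in zip(times, times[1:]))
    return worst <= rpo, worst


if __name__ == "__main__":
    point, loss = choose_restore_point(CATALOGUE, INFECTION_TIME, PAYLOADS)
    print(f"restore from {point.name}, data-loss window {loss}")
    for rpo in (timedelta(hours=24), timedelta(hours=2)):
        ok, worst = rpo_met(CATALOGUE, rpo, INFECTION_TIME)
        print(f"RPO {rpo}: {'met' if ok else 'NOT met'} (worst gap {worst})")
```

Run as a script, the constructed catalogue selects nightly-0612 rather than the newer nightly-0613, because the latter fails verification, so the loss window grows from under eight hours to more than a day; the 24-hour RPO is satisfied by the nightly cadence while a 2-hour RPO is not, which is the cost trade-off point 3 above makes.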