Communications and facilities the incident response team should have in place:

- Contact information for team members and others within and outside the organization (primary and backup contacts), such as law enforcement and other incident response teams; information may include phone numbers, email addresses, public encryption keys (if necessary and applicable), and instructions for verifying the contact's identity
- On-call information for other teams within the organization, including escalation information
- Incident reporting mechanisms, such as phone numbers, email addresses, and forms that users can use to report suspected incidents; at least one mechanism should permit people to report incidents anonymously
- Pagers or cell phones to be carried by team members for off-hour support and onsite communications
- Encryption software
- War room for central communication and coordination; if a permanent war room is not necessary, the team should create a procedure for procuring a temporary war room when needed
- Secure storage facility for securing evidence and other sensitive materials
DRAFT
5/5/2011 1:54 PM
v0.1
Initial Incident Handling Checklist

This checklist serves to validate that an incident has occurred. It should be used in conjunction with the Incident Precursors and Indications Guideline and the Security Incident Declaration Guideline. Mark each action Completed as it is performed.

Detection and Analysis
[ ] 1. Determine whether an incident has occurred
    [ ] 1.1 Analyze the precursors and indications
    [ ] 1.2 Look for correlating information
    [ ] 1.3 Perform research (e.g., search engines, knowledge base)
    [ ] 1.4 As soon as the handler believes an incident has occurred or an incident is declared, begin documenting the investigation and gathering evidence
[ ] 2. Classify the incident (e.g., DoS, malicious code, violation of policy, unauthorized access, multiple components)
[ ] 3. Follow the appropriate incident category checklist; if the incident does not fit into any of the categories, follow the generic checklist
Generic Incident Handling Checklist

This checklist is a continuation of the Initial Incident Handling Checklist. Note that the sequence of steps may vary based on the nature of individual incidents. Mark each action Completed as it is performed.

Detection and Analysis
[ ] 1. Prioritize handling the incident based on the business impact
    [ ] 1.1 Identify which resources have been affected and forecast which resources will be affected
    [ ] 1.2 Estimate the current and potential technical effect of the incident
    [ ] 1.3 Utilize the prioritization guideline, based on technical effect, affected resources, and criticality
[ ] 2. Report the incident to the appropriate internal personnel and external organizations

Containment, Eradication, and Recovery
[ ] 3. Acquire, preserve, secure, and document evidence
[ ] 4. Contain the incident
[ ] 5. Eradicate the incident
    [ ] 5.1 Identify and mitigate all vulnerabilities that were exploited
    [ ] 5.2 Remove malicious code, inappropriate materials, and other components
[ ] 6. Recover from the incident
    [ ] 6.1 Return affected systems to an operationally ready state
    [ ] 6.2 Confirm that the affected systems are functioning normally
    [ ] 6.3 If necessary, implement additional monitoring to look for future related activity

Follow-up Activity
[ ] 7. Create a follow-up report
[ ] 8. Hold a lessons learned meeting
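As an added illustration of the "acquire, preserve, secure, and document evidence" step (this is example code written for this page, not part of the checklist document or any tool it references): a small Python helper that hashes each evidence item on acquisition, makes the original read-only, appends a chain-of-custody record to a JSON-lines log, and re-verifies the items later. The incident identifier, handler name, file names and the sample log line are constructed for the example.

```python
"""Evidence acquisition helper: hash on capture, record custody, re-verify.

Constructed example for the evidence-handling step; not code from the
checklist document. Names and sample data below are assumptions.
"""
import hashlib
import json
import os
import socket
import tempfile
import time


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_evidence(item_path, custody_log, incident_id, handler, note=""):
    """Hash an evidence item, make it read-only, and append a custody record.

    One JSON object per line lets several handlers append to the same log
    and lets the log be diffed later. Returns the record that was written.
    """
    record = {
        "incident_id": incident_id,
        "item": os.path.abspath(item_path),
        "size_bytes": os.path.getsize(item_path),
        "sha256": sha256_file(item_path),
        "acquired_by": handler,
        "acquired_on_host": socket.gethostname(),
        "acquired_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "note": note,
    }
    os.chmod(item_path, 0o444)  # discourage accidental modification of the original
    with open(custody_log, "a", encoding="utf-8") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def verify_evidence(custody_log):
    """Re-hash every logged item; return {item_path: True if unchanged}."""
    status = {}
    with open(custody_log, encoding="utf-8") as log:
        for line in log:
            rec = json.loads(line)
            path = rec["item"]
            status[path] = os.path.isfile(path) and sha256_file(path) == rec["sha256"]
    return status


def demo():
    """Constructed walk-through: acquire a log excerpt, verify it, tamper with
    it, and verify again. Returns (ok_before_tamper, ok_after_tamper)."""
    with tempfile.TemporaryDirectory() as workdir:
        item = os.path.join(workdir, "auth.log.excerpt")
        log = os.path.join(workdir, "custody.jsonl")
        # Constructed sample input standing in for a log pulled from an affected host.
        with open(item, "w", encoding="utf-8") as fh:
            fh.write("May  5 13:54:01 host sshd[2201]: Failed password for root "
                     "from 203.0.113.7 port 51522 ssh2\n")
        acquire_evidence(item, log, incident_id="IR-2011-0005", handler="jdoe",
                         note="auth log excerpt from affected host")
        ok_before = all(verify_evidence(log).values())
        # Simulate tampering: undo read-only, then append a line to the original.
        os.chmod(item, 0o644)
        with open(item, "a", encoding="utf-8") as fh:
            fh.write("May  5 13:55:00 host sshd[2201]: Accepted password for root "
                     "from 203.0.113.7 port 51522 ssh2\n")
        ok_after = all(verify_evidence(log).values())
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The custody log records who acquired what, where and when, alongside the digest; re-running `verify_evidence` before analysis or handover is the check that the preserved items are still the ones that were acquired.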
Disruption or Denial of Service Incident Handling Checklist

This checklist is a continuation of the Initial Incident Handling Checklist. Note that the sequence of steps may vary based on the nature of individual incidents. Mark each action Completed as it is performed.

Detection and Analysis
[ ] 1. Prioritize handling the incident based on the business impact
    [ ] 1.1 Identify which resources have been affected and forecast which resources will be affected
    [ ] 1.2 Estimate the current and potential technical effect of the incident
    [ ] 1.3 Utilize the prioritization guideline, based on technical effect, affected resources, and criticality
[ ] 2. Report the incident to the appropriate internal personnel and external organizations

Containment, Eradication, and Recovery
[ ] 3. Acquire, preserve, secure, and document evidence
[ ] 4. Contain the incident: halt the DoS if it has not already stopped
    [ ] 4.1 Identify and mitigate all vulnerabilities that were used
    [ ] 4.2 If not yet contained, implement filtering based on the characteristics of the attack, if feasible
    [ ] 4.3 If not yet contained, contact the ISP for assistance in filtering the attack
    [ ] 4.4 If not yet contained, relocate the target
[ ] 5. Eradicate the incident; if step 4.1 was not performed, identify and mitigate all vulnerabilities that were used
[ ] 6. Recover from the incident
    [ ] 6.1 Return affected systems to an operationally ready state
    [ ] 6.2 Confirm that the affected systems are functioning normally
    [ ] 6.3 If necessary and feasible, implement additional monitoring to look for future related activity

Follow-up Activity
[ ] 7. Create a follow-up report
[ ] 8. Hold a lessons learned meeting
Malicious Code Incident Handling Checklist

This checklist is a continuation of the Initial Incident Handling Checklist. Note that the sequence of steps may vary based on the nature of individual incidents. Mark each action Completed as it is performed.

Detection and Analysis
[ ] 1. Prioritize handling the incident based on the business impact
    [ ] 1.1 Identify which resources have been affected and forecast which resources will be affected
    [ ] 1.2 Estimate the current and potential technical effect of the incident
    [ ] 1.3 Utilize the prioritization guideline, based on technical effect, affected resources, and criticality
[ ] 2. Report the incident to the appropriate internal personnel and external organizations

Containment, Eradication, and Recovery
[ ] 3. Contain the incident
    [ ] 3.1 Identify infected systems
    [ ] 3.2 Disconnect infected systems from the network
    [ ] 3.3 Mitigate vulnerabilities that were exploited by the malicious code
    [ ] 3.4 If necessary, block the transmission mechanisms for the malicious code
[ ] 4. Eradicate the incident
    [ ] 4.1 Disinfect, quarantine, delete, and replace infected files
    [ ] 4.2 Mitigate the exploited vulnerabilities for other hosts within the organization
[ ] 5. Recover from the incident
    [ ] 5.1 Confirm that the affected systems are functioning normally
    [ ] 5.2 If necessary, implement additional monitoring to look for future related activity

Follow-up Activity
[ ] 6. Create a follow-up report
[ ] 7. Hold a lessons learned meeting
Unauthorized Access or Modification Incident Handling Checklist

This checklist is a continuation of the Initial Incident Handling Checklist. Note that the sequence of steps may vary based on the nature of individual incidents. Mark each action Completed as it is performed.

Detection and Analysis
[ ] 1. Prioritize handling the incident based on the business impact
    [ ] 1.1 Identify which resources have been affected and forecast which resources will be affected
    [ ] 1.2 Estimate the current and potential technical effect of the incident
    [ ] 1.3 Utilize the prioritization guideline, based on technical effect, affected resources, and criticality
[ ] 2. Report the incident to the appropriate internal personnel and external organizations

Containment, Eradication, and Recovery
[ ] 3. Perform an initial containment of the incident
[ ] 4. Acquire, preserve, secure, and document evidence
[ ] 5. Confirm the containment of the incident
    [ ] 5.1 Further analyze the incident and determine whether containment was sufficient (including checking other systems for signs of intrusion)
    [ ] 5.2 Implement additional containment measures if necessary
[ ] 6. Eradicate the incident
    [ ] 6.1 Identify and mitigate all vulnerabilities that were exploited
    [ ] 6.2 Remove components of the incident from systems
[ ] 7. Recover from the incident
    [ ] 7.1 Return affected systems to an operationally ready state
    [ ] 7.2 Confirm that the affected systems are functioning normally
    [ ] 7.3 If necessary, implement additional monitoring to look for future related activity

Follow-up Activity
[ ] 8. Create a follow-up report
[ ] 9. Hold a lessons learned meeting
Violation of IT Policy Incident Handling Checklist

This checklist is a continuation of the Initial Incident Handling Checklist. Note that the sequence of steps may vary based on the nature of individual incidents. Mark each action Completed as it is performed.

Detection and Analysis
[ ] 1. Prioritize handling the incident based on the business impact
    [ ] 1.1 Determine whether the activity seems criminal in nature
    [ ] 1.2 Forecast how severely the agency's reputation may be damaged
    [ ] 1.3 Utilize the prioritization guideline
[ ] 2. Report the incident to the appropriate internal personnel and external organizations

Containment, Eradication, and Recovery
[ ] 3. Acquire, preserve, secure, and document evidence
[ ] 4. If necessary, contain and eradicate the incident (e.g., remove inappropriate materials)

Follow-up Activity
[ ] 5. Create a follow-up report
[ ] 6. Hold a lessons learned meeting
Multiple Component Incident Handling Checklist

This checklist is a continuation of the Initial Incident Handling Checklist. Note that the sequence of steps may vary based on the nature of individual incidents. Mark each action Completed as it is performed.

Detection and Analysis
[ ] 1. Prioritize handling the incident based on the business impact
    [ ] 1.1 Follow the step 1 instructions for each applicable incident category
    [ ] 1.2 Determine the proper course of action for each incident component
[ ] 2. Report the incident to the appropriate internal personnel and external organizations

Containment, Eradication, and Recovery
[ ] 3. Follow the Containment, Eradication, and Recovery steps for each component, based on the results of step 1

Follow-up Activity
[ ] 4. Create a follow-up report
[ ] 5. Hold a lessons learned meeting