
DRAFT


Policy 191 Incident Response Tools & Resources Checklist (v0.1)

Tool / Resource

Incident Handler Communications and Facilities
- Contact information for team members and others within and outside the organization (primary and backup contacts), such as law enforcement and other incident response teams; information may include phone numbers, email addresses, public encryption keys (if necessary and applicable), and instructions for verifying the contact's identity
- On-call information for other teams within the organization, including escalation information
- Incident reporting mechanisms, such as phone numbers, email addresses, and forms that users can utilize to report suspected incidents; at least one mechanism should permit people to report incidents anonymously
- Pagers or cell phones to be carried by team members for off-hour support and onsite communications
- Encryption software
- War room for central communication and coordination; if a permanent war room is not necessary, the team should create a procedure for procuring a temporary war room when needed
- Secure storage facility for securing evidence and other sensitive materials

Incident Analysis Hardware and Software
- Computer forensic workstations and/or backup devices to create disk images, preserve log files, and save other relevant incident data
- Laptops, which provide easily portable workstations for activities such as analyzing data, sniffing packets, and writing reports
- Spare workstations, servers, and networking equipment, which may be used for many purposes, such as restoring backups and trying out malicious code; if the team cannot justify the expense of additional equipment, perhaps equipment in an existing lab could be used, or a virtual lab could be established using operating system (OS) emulation software
- Blank media, such as floppy diskettes, CD-Rs, DVD-Rs, and flash drives
- Easily portable printer to print copies of log files and other evidence from non-networked systems
- Packet sniffers and protocol analyzers to capture and analyze network traffic that may contain evidence of an incident
- Computer forensic software to analyze disk images for evidence of an incident
- Floppies and CDs with trusted versions of programs to be used to gather evidence from systems
- Evidence gathering accessories, including hard-bound notebooks, digital cameras, audio recorders, chain-of-custody forms, evidence storage bags and tags, and evidence tape, to preserve evidence for possible legal actions

Incident Analysis Resources
- Port list, including commonly used ports and Trojan horse ports
- Documentation for OSs, applications, protocols, and intrusion detection and anti-virus signatures
- Network diagrams and lists of critical assets, such as Web, email, and FTP servers
- Baselines of expected network, system, and application activity
- Cryptographic hashes of critical files to speed the analysis, verification, and eradication of incidents

Incident Mitigation Software
- Media, including OS boot disks and CD-ROMs, OS media, and application media
- Security patches from OS and application vendors
- Backup images of OS, applications, and data stored on secondary media
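The "cryptographic hashes of critical files" resource listed above is only useful if the hashes are recorded before an incident and compared against the live system during analysis. The following Python script is an added example, not part of Policy 191 or any tool it names: it builds a SHA-256 baseline of every regular file under a directory, stores it as JSON, and later reports which recorded files were modified, which are missing, and which unexpected files appeared. The file names and contents in the demo are constructed, and the JSON layout (relative path to hex digest) and function names are this example's own conventions.

```python
# Added example (not part of Policy 191): a file-hash baseline for critical
# files, built in advance and verified during incident analysis.
# Assumptions: the critical files live under one directory tree; SHA-256 is
# the digest; the JSON baseline layout {relative_path: hexdigest} is this
# example's own convention, not something the policy prescribes.
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so large files never load fully into memory


def sha256_file(path):
    """Return the hex SHA-256 digest of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for piece in iter(lambda: f.read(CHUNK), b""):
            h.update(piece)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX-style path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files; a link target is hashed where it lives
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def verify_baseline(root, baseline):
    """Compare the tree under root against a stored baseline.

    Returns sorted lists of modified, missing and new paths; 'clean' is True
    only when all three lists are empty."""
    current = build_baseline(root)
    modified = sorted(p for p, d in baseline.items() if p in current and current[p] != d)
    missing = sorted(p for p in baseline if p not in current)
    new = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "new": new,
            "clean": not (modified or missing or new)}


def save_baseline(baseline, path):
    """Write the baseline as sorted JSON; store the file on read-only or offline media."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, data):
    """Create a file under root, making parent directories as needed (demo helper)."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a small tree, store it, then alter the tree
    (one file changed, one removed, one added) and verify against the stored copy."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "critical")
        _write(root, "bin/login", b"constructed trusted login binary")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        store = os.path.join(work, "baseline.json")
        save_baseline(build_baseline(root), store)

        _write(root, "bin/login", b"constructed replaced login binary")  # tampered
        os.remove(os.path.join(root, "etc", "hosts"))                     # deleted
        _write(root, "tmp/unknown.bin", b"constructed unexpected file")   # appeared

        return verify_baseline(root, load_baseline(store))


if __name__ == "__main__":
    result = demo()
    for kind in ("modified", "missing", "new"):
        for p in result[kind]:
            print(f"{kind:8s} {p}")
    print("clean" if result["clean"] else "DIFFERENCES FOUND")
```

Running the script prints one line per discrepancy and then a verdict. In practice the baseline itself and the hashing tool should come from the trusted media the checklist lists under Incident Analysis Hardware and Software, since a baseline stored on the compromised host can be altered along with the files it describes.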


5/5/2011 1:54 PM


Policy 191 Initial Incident Handling Checklist (v0.1)

This checklist serves to validate that an incident has occurred. It should be used in conjunction with the Incident Precursors and Indications Guideline and the Security Incident Declaration Guideline.

Initial Incident Handling Checklist

Action | Completed
Detection and Analysis
1. Determine whether an incident has occurred | [ ]
   1.1 Analyze the precursors and indications | [ ]
   1.2 Look for correlating information | [ ]
   1.3 Perform research (e.g., search engines, knowledge base) | [ ]
   1.4 As soon as the handler believes an incident has occurred or an incident is declared, begin documenting the investigation and gathering evidence | [ ]
2. Classify the incident (e.g., DoS, malicious code, violation of policy, unauthorized access, multiple components) | [ ]
3. Follow the appropriate incident category checklist; if the incident does not fit into any of the categories, follow the generic checklist | [ ]


Policy 191 Generic Incident Handling Checklist (v0.1)

This checklist is a continuation of the Initial Incident Handling Checklist. Note that the sequence of steps may vary based on the nature of individual incidents.

Generic Incident Handling Checklist

Action | Completed
Detection and Analysis
1. Prioritize handling the incident based on the business impact | [ ]
   1.1 Identify which resources have been affected and forecast which resources will be affected | [ ]
   1.2 Estimate the current and potential technical effect of the incident | [ ]
   1.3 Utilize the prioritization guideline, based on technical effect, affected resources, and criticality | [ ]
2. Report the incident to the appropriate internal personnel and external organizations | [ ]
Containment, Eradication, and Recovery
3. Acquire, preserve, secure, and document evidence | [ ]
4. Contain the incident | [ ]
5. Eradicate the incident | [ ]
   5.1 Identify and mitigate all vulnerabilities that were exploited | [ ]
   5.2 Remove malicious code, inappropriate materials, and other components | [ ]
6. Recover from the incident | [ ]
   6.1 Return affected systems to an operationally ready state | [ ]
   6.2 Confirm that the affected systems are functioning normally | [ ]
   6.3 If necessary, implement additional monitoring to look for future related activity | [ ]
Follow-up Activity
7. Create a follow-up report | [ ]
8. Hold a lessons learned meeting | [ ]


Policy 191 DoS Incident Handling Checklist (v0.1)

This checklist is a continuation of the Initial Incident Handling Checklist. Note that the sequence of steps may vary based on the nature of individual incidents.

Disruption or Denial of Service Incident Handling Checklist

Action | Completed
Detection and Analysis
1. Prioritize handling the incident based on the business impact | [ ]
   1.1 Identify which resources have been affected and forecast which resources will be affected | [ ]
   1.2 Estimate the current and potential technical effect of the incident | [ ]
   1.3 Utilize the prioritization guideline, based on technical effect, affected resources, and criticality | [ ]
2. Report the incident to the appropriate internal personnel and external organizations | [ ]
Containment, Eradication, and Recovery
3. Acquire, preserve, secure, and document evidence | [ ]
4. Contain the incident: halt the DoS if it has not already stopped | [ ]
   4.1 Identify and mitigate all vulnerabilities that were used | [ ]
   4.2 If not yet contained, implement filtering based on the characteristics of the attack, if feasible | [ ]
   4.3 If not yet contained, contact the ISP for assistance in filtering the attack | [ ]
   4.4 If not yet contained, relocate the target | [ ]
5. Eradicate the incident; if step 4 was not performed, identify and mitigate all vulnerabilities that were used | [ ]
6. Recover from the incident | [ ]
   6.1 Return affected systems to an operationally ready state | [ ]
   6.2 Confirm that the affected systems are functioning normally | [ ]
   6.3 If necessary and feasible, implement additional monitoring to look for future related activity | [ ]
Follow-up Activity
7. Create a follow-up report | [ ]
8. Hold a lessons learned meeting | [ ]


Policy 191 Malicious Code Incident Handling Checklist (v0.1)

This checklist is a continuation of the Initial Incident Handling Checklist. Note that the sequence of steps may vary based on the nature of individual incidents.

Malicious Code Incident Handling Checklist

Action | Completed
Detection and Analysis
1. Prioritize handling the incident based on the business impact | [ ]
   1.1 Identify which resources have been affected and forecast which resources will be affected | [ ]
   1.2 Estimate the current and potential technical effect of the incident | [ ]
   1.3 Utilize the prioritization guideline, based on technical effect, affected resources, and criticality | [ ]
2. Report the incident to the appropriate internal personnel and external organizations | [ ]
Containment, Eradication, and Recovery
3. Contain the incident | [ ]
   3.1 Identify infected systems | [ ]
   3.2 Disconnect infected systems from the network | [ ]
   3.3 Mitigate vulnerabilities that were exploited by the malicious code | [ ]
   3.4 If necessary, block the transmission mechanisms for the malicious code | [ ]
4. Eradicate the incident | [ ]
   4.1 Disinfect, quarantine, delete, and replace infected files | [ ]
   4.2 Mitigate the exploited vulnerabilities for other hosts within the organization | [ ]
5. Recover from the incident | [ ]
   5.1 Confirm that the affected systems are functioning normally | [ ]
   5.2 If necessary, implement additional monitoring to look for future related activity | [ ]
Follow-up Activity
6. Create a follow-up report | [ ]
7. Hold a lessons learned meeting | [ ]


Policy 191 Unauthorized Access or Modification Incident Handling Checklist (v0.1)

This checklist is a continuation of the Initial Incident Handling Checklist. Note that the sequence of steps may vary based on the nature of individual incidents.

Unauthorized Access or Modification Incident Handling Checklist

Action | Completed
Detection and Analysis
1. Prioritize handling the incident based on the business impact | [ ]
   1.1 Identify which resources have been affected and forecast which resources will be affected | [ ]
   1.2 Estimate the current and potential technical effect of the incident | [ ]
   1.3 Utilize the prioritization guideline, based on technical effect, affected resources, and criticality | [ ]
2. Report the incident to the appropriate internal personnel and external organizations | [ ]
Containment, Eradication, and Recovery
3. Perform an initial containment of the incident | [ ]
4. Acquire, preserve, secure, and document evidence | [ ]
5. Confirm the containment of the incident | [ ]
   5.1 Further analyze the incident and determine if containment was sufficient (including checking other systems for signs of intrusion) | [ ]
   5.2 Implement additional containment measures if necessary | [ ]
6. Eradicate the incident | [ ]
   6.1 Identify and mitigate all vulnerabilities that were exploited | [ ]
   6.2 Remove components of the incident from systems | [ ]
7. Recover from the incident | [ ]
   7.1 Return affected systems to an operationally ready state | [ ]
   7.2 Confirm that the affected systems are functioning normally | [ ]
   7.3 If necessary, implement additional monitoring to look for future related activity | [ ]
Follow-up Activity
8. Create a follow-up report | [ ]
9. Hold a lessons learned meeting | [ ]


Policy 191 Violation of IT Policy Incident Handling Checklist (v0.21)

This checklist is a continuation of the Initial Incident Handling Checklist. Note that the sequence of steps may vary based on the nature of individual incidents.

Violation of IT Policy Incident Handling Checklist

Action | Completed
Detection and Analysis
1. Prioritize handling the incident based on the business impact | [ ]
   1.1 Determine whether the activity seems criminal in nature | [ ]
   1.2 Forecast how severely the agency's reputation may be damaged | [ ]
   1.3 Utilize the prioritization guideline | [ ]
2. Report the incident to the appropriate internal personnel and external organizations | [ ]
Containment, Eradication, and Recovery
3. Acquire, preserve, secure, and document evidence | [ ]
4. If necessary, contain and eradicate the incident (e.g., remove inappropriate materials) | [ ]
Follow-up Activity
5. Create a follow-up report | [ ]
6. Hold a lessons learned meeting | [ ]


Policy 191 Multiple Component Incident Handling Checklist (v0.1)

This checklist is a continuation of the Initial Incident Handling Checklist. Note that the sequence of steps may vary based on the nature of individual incidents.

Multiple Component Incident Handling Checklist

Action | Completed
Detection and Analysis
1. Prioritize handling the incident based on the business impact | [ ]
   1.1 Follow the step 1 instructions for each applicable incident category | [ ]
   1.2 Determine the proper course of action for each incident component | [ ]
2. Report the incident to the appropriate internal personnel and external organizations | [ ]
Containment, Eradication, and Recovery
3. Follow the Containment, Eradication, and Recovery steps for each component, based on the results of step 1 | [ ]
Follow-up Activity
4. Create a follow-up report | [ ]
5. Hold a lessons learned meeting | [ ]
