SANS - Incident Handlers Checklist

This playbook follows the "Incident Handler's Checklist" described in the SANS Institute ‘Incident Handler’s Handbook’ by Patrick Kral. https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 ***Disclaimer: This playbook does not ensure compliance to SANS regulations.

SANS · 55 tasks · 2 inputs · 0 outputs

Inputs

  • DataCollection — Use a data collection task to answer lessons learned questions based on SANS. Specify 'True' to automatically send the communication task, and 'False' to prevent it.
  • Email — Email address to which to send the questions.

Flowchart

Yes no Yes no no yes no yes no yes no yes no yes Yes no no yes no yes no yes no yes no yes no yes Start Start Preparation Preparation Are all members aware of the security policies of the organization? Are all members aware of ... Do all members of the Computer Incident Response Team know whom to contact? Do all members of the Com... Do all incident responders have access to journals and access to incident response toolkits to perform the actual incident response process? Do all incident responder... Have all members participated in incident response drills to practice the incident response process and to improve overall proficiency on a regularly established basis? Have all members particip... Identification Identification Where did the incident occur? Where did the incident oc... Who reported or discovered the incident? Who reported or discovere... How was it discovered? How was it discovered? Are there any other areas that have been compromised by the incident? If so what are they and when were they discovered? Are there any other areas... What is the scope of the impact? What is the scope of the ... What is the business impact? What is the business impact? Have the source(s) of the incident been located? If so, where, when, and what are they? Have the source(s) of the... Containment Containment Short-term containment Short-term containment Can the problem be isolated? Can the problem be isolated? Isolate the affected systems Isolate the affected systems Work with system owners and/or managers to determine further action necessary to contain the problem. Work with system owners a... Are all affected systems isolated from non-affected systems? Are all affected systems ... Continue to isolate affected systems until short-term containment has been accomplished to prevent the incident from escalating any further. Continue to isolate affec... System-backup System-backup Have forensic copies of affected systems been created for further analysis? Have forensic copies of a... Have all commands and other documentation since the incident has occurred been kept up to date so far? Have all commands and oth... Document all actions taken as soon as possible to ensure all evidence are retained for either prosecution and/or lessons learned. Document all actions take... Are the forensic copies stored in a secure location? Are the forensic copies s... place the forensic images into a secure location to prevent accidental damage and/or tampering. place the forensic images... Long-term containment Long-term containment Can the system be taken offline? Can the system be taken o... Remove all malware and other artifacts from affected systems Remove all malware and ot... Harden the affected systems from further attacks until an ideal circumstance will allow the affected systems to be reimaged. Harden the affected syste... Take the system offline Take the system offline Eradication Eradication Can the system be reimaged and then hardened with patches and/or other countermeasures to prevent or reduce the risk of attacks? Can the system be reimage... State why. State why. Have all malware and other artifacts left behind by the attackers been removed and the affected systems hardened against further attacks? Have all malware and othe... Explain why. Explain why. Recovery Recovery Has the affected system(s) been patched and hardened against the recent attack, as well as possible future ones? Has the affected system(s... What day and time would be feasible to restore the affected systems back into production? What day and time would b... What tools are you going to use to test, monitor, and verify that the systems being restored to productions are not compromised by the same methods that cause the original incident? What tools are you going ... How long are you planning to monitor the restored systems and what are you going to look for? How long are you planning... Are there any prior benchmarks that can be used as a baseline to compare monitoring results of the restored systems against those of the baseline? Are there any prior bench... Lessons Learned Lessons Learned SANS - Lessons Learned - SANS - Lessons Learned SANS - Lessons Learned SANS - Lessons Learned Has all necessary documentation from the incident been written? Has all necessary documen... Generate the incident response report for the lessons learned meeting - GenerateInvestigationSummaryReport Generate the incident res... GenerateInvestigationSummaryR... Have documentation written as soon as possible before anything is forgotten and left out of the report. Have documentation writte... Done Done Perform task Perform task Perform task Perform task Perform task Perform task Perform task Perform task Perform task Perform task Perform task Perform task