Incident response checklists are an essential part of responding to security incidents. With the right kinds of checklists, personnel can take prompt and consistent action when the worst case scenario occurs. The best types of incident response checklists are those that apply to particular scenarios and break down a specific task or activity into smaller pieces.
In this blog we’ll go over the following incident response checklists:
- Forensic Analysis Checklists (customized for all critical systems)
- Emergency Contact Communications Checklist
- System backup and recovery checklists (for all OSes in use, including databases)
- "Jumpbag" checklists
- Security Policy Review Checklist (Post-incident)
Forensic Analysis Checklists (customized for all critical systems)
When investigating an incident you’ll likely need to look deeper at individual systems. A checklist that provides useful commands and areas to look for peculiar behavior will be invaluable. And if your company is like most, you’ll have a mix of Windows and Unix flavors. Customize each checklist on an OS basis, as well as on a functional basis (file server vs. database vs. webserver vs. domain controller vs. DNS).
Some useful references: SANS Incident Handling Handbook and Lenny Zeltser's Security Checklists.
Emergency Contact Communications Checklist
It’s important to create a detailed communication plan with the specifics of when to put it into place, that way you’ll know who to call, why you need to contact them, how you can contact them, and what to say once they are on the phone. It’s also very important to get overall consensus on your approach. The entire incident response team should know whom to contact, when it is appropriate to contact them, and why. In particular, review the potential worst case scenarios (e.g. an online ordering system going down right in the middle of Cyber Monday) and identify the necessary staff who can get these critical systems back online, as well as the management team who will need to remain updated throughout the crisis.
System backup and recovery checklists (for all OSes in use, including databases)
Every system will have a different set of checklist tasks based on its distinct configurations and operating system. It’s also important to document the time it takes for each step required to restore operations, and also test full system backup and full system recovery while you’re documenting each checklist. You also need to include specific steps recorded for testing and verifying that any compromised systems are completely clean and fully functional.
"Jumpbag" checklists
It’s recommended by SANS, one of the leading sources of information for the incident responder, that each incident response team member have an planned and protected “jump bag” all ready to go that contains the important tools needed for a quick “grab-and-go” type of response. Their suggested items include:
- Documenting the who, what, where, why, and how during an incident in an Incident Handler’s Journal
- A contact list of incident response team members
- USB drives
- A bootable USB drive or Live CD with up-to-date anti-malware and other software that can read and/or write to file systems of your computing environment (and test this, please)
- A laptop with forensic software (e.g. FTK or EnCase)
- Anti Malware utilities
- Computer and network toolkits to add/remove components, wire network cables, etc. and hard duplicators with write-block capabilities to create forensically sound copies of hard drive images
Security Policy Review Checklist (Post-incident)
Understanding how to prevent a similar incident from happening in the future is one of the most important lessons to learn after an incident has been resolved. In addition to potential updates to your security policy, expect incidents to result in updates to your security awareness program because invariably, most incidents result from a lack of user education around basic security best practices. At the very least, this checklist should capture:
- When the problem was first detected, by whom, and by which method
- The scope of the incident
- How it was contained and eradicated
- The work performed during recovery
- Areas where the incident response team was effective
- Areas that need improvement
- Which security controls failed (including monitoring tools)?
- How can we improve those controls?
- How can we improve our security awareness programs?
The Need for Incident Response Forms & Surveys
You’ll need to document many things during your job as an incident responder. In addition to incident response checklists, one of the best ways to capture an accurate, standard, and repeatable set of information is to do it with a form. And, thankfully, SANS has provided a form for every kind of security incident piece you’ll need, from contacts to activity logs with specific forms for handling intellectual property incidents.
Hopefully with these checklists and forms in place, you’ll be better prepared to act and respond to difficult situations when they arise, even if you’re caught off-guard. To learn more tips on incident response, take a look at our Insider’s Guide to Incident Response eBook.