9400-191-IncidentManagementChecklists


  • 8/6/2019 9400-191-IncidentManagementChecklists


    DRAFT Policy 191 Incident Response Tools & Resources Checklist v0.1

    DRAFT 5/5/2011 1:54 PM v0.1

    Tool / Resource (tick Acquired when in place)

    Incident Handler Communications and Facilities
    [ ] Contact information for team members and others within and outside the organization (primary and backup contacts), such as law enforcement and other incident response teams; information may include phone numbers, email addresses, public encryption keys (if necessary and applicable), and instructions for verifying the contact's identity
    [ ] On-call information for other teams within the organization, including escalation information
    [ ] Incident reporting mechanisms, such as phone numbers, email addresses, and forms that users can utilize to report suspected incidents; at least one mechanism should permit people to report incidents anonymously
    [ ] Pagers or cell phones to be carried by team members for off-hour support; onsite communications
    [ ] Encryption software, for communications among team members and with outside parties
    [ ] War room for central communication and coordination; if a permanent war room is not necessary, the team should create a procedure for procuring a temporary war room when needed
    [ ] Secure storage facility for securing evidence and other sensitive materials

    Incident Analysis Hardware and Software
    [ ] Computer forensic workstations and/or backup devices to create disk images, preserve log files, and save other relevant incident data
    [ ] Laptops, which provide easily portable workstations for activities such as analyzing data, sniffing packets, and writing reports
    [ ] Spare workstations, servers, and networking equipment, which may be used for many purposes, such as restoring backups and trying out malicious code; if the team cannot justify the expense of additional equipment, equipment in an existing lab could be used, or a virtual lab could be established using operating system (OS) emulation software
    [ ] Blank media, such as floppy diskettes, CD-Rs, DVD-Rs, and flash drives
    [ ] Easily portable printer to print copies of log files and other evidence from non-networked systems
    [ ] Packet sniffers and protocol analyzers to capture and analyze network traffic that may contain evidence of an incident
    [ ] Computer forensic software to analyze disk images for evidence of an incident
    [ ] Floppies and CDs with trusted versions of programs to be used to gather evidence from systems
    [ ] Evidence gathering accessories, including hard-bound notebooks, digital cameras, audio recorders, chain-of-custody forms, evidence storage bags and tags, and evidence tape, to preserve evidence for possible legal action

    Incident Analysis Resources
    [ ] Port list, including commonly used ports and Trojan horse ports
    [ ] Documentation for OSs, applications, protocols, and intrusion detection and anti-virus signatures
    [ ] Network diagrams and lists of critical assets, such as Web, email, and FTP servers
    [ ] Baselines of expected network, system and application activity
    [ ] Cryptographic hashes of critical files to speed the analysis, verification, and eradication of incidents

    Incident Mitigation Software
    [ ] Media, including OS boot disks and CD-ROMs, OS media, and application media
    [ ] Security patches from OS and application vendors
    [ ] Backup images of OS, applications, and data stored on secondary media
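    The "cryptographic hashes of critical files" resource is only useful if the baseline exists before the incident and can be checked quickly during it. The following is an added example, not part of Policy 191 or any tool the policy names: it builds a SHA-256 baseline of a list of files, stores it as JSON, and later reports which files were modified or removed. The file names and contents are constructed stand-ins for real critical files, and the JSON format is an assumption.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record digest and size for every critical file; this is the known-good reference."""
    return {p: {"sha256": sha256_file(p), "size": os.path.getsize(p)} for p in paths}


def verify_baseline(baseline):
    """Compare the live files against the baseline.

    Returns lists of 'modified' (digest differs), 'missing' (file gone) and
    'unchanged' paths. A modified or missing entry is a lead for the handler,
    not proof of compromise on its own: patches and routine administration
    change files too, so re-baseline after every approved change.
    """
    result = {"modified": [], "missing": [], "unchanged": []}
    for path, rec in baseline.items():
        if not os.path.exists(path):
            result["missing"].append(path)
        elif sha256_file(path) != rec["sha256"]:
            result["modified"].append(path)
        else:
            result["unchanged"].append(path)
    return result


def demo():
    """Constructed scenario: baseline three files, then alter one and delete another."""
    workdir = tempfile.mkdtemp()
    # Constructed stand-ins for critical configuration files (names and contents are assumptions).
    files = {
        "sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
        "passwd": b"root:x:0:0:root:/root:/bin/bash\n",
        "hosts": b"127.0.0.1 localhost\n",
    }
    paths = []
    for name, data in files.items():
        p = os.path.join(workdir, name)
        with open(p, "wb") as f:
            f.write(data)
        paths.append(p)

    # The baseline is written to JSON; in practice keep this copy off the monitored host.
    baseline_file = os.path.join(workdir, "baseline.json")
    with open(baseline_file, "w") as f:
        json.dump(build_baseline(paths), f, indent=2)

    # Simulate the kind of change an intrusion leaves behind.
    with open(paths[0], "ab") as f:
        f.write(b"PermitRootLogin yes\n")
    os.remove(paths[2])

    with open(baseline_file) as f:
        return verify_baseline(json.load(f))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    The baseline must live somewhere the intruder cannot rewrite it (read-only media or a separate host), or the check proves nothing. The same digests serve eradication: after a system is rebuilt, a verify run with no "modified" entries confirms that the restored binaries match the trusted media.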


    DRAFT Policy 191 Initial Incident Handling Checklist v0.1


    This checklist serves to validate that an incident has occurred. It should be used in conjunction with the Incident Precursors and Indications Guideline and the Security Incident Declaration Guideline.

    Initial Incident Handling Checklist

    Detection and Analysis
    [ ] 1. Determine whether an incident has occurred
        [ ] 1.1 Analyze the precursors and indications
        [ ] 1.2 Look for correlating information
        [ ] 1.3 Perform research (e.g., search engines, knowledge base)
        [ ] 1.4 As soon as the handler believes an incident has occurred or an incident is declared, begin documenting the investigation and gathering evidence
    [ ] 2. Classify the incident (e.g., DoS, malicious code, violation of policy, unauthorized access, multiple components)
    [ ] 3. Follow the appropriate incident category checklist; if the incident does not fit into any of the categories, follow the generic checklist


    DRAFT Policy 191 Generic Incident Handling Checklist v0.1


    This checklist is a continuation of the Initial Incident Handling Checklist. Note that the sequence of steps may vary based on the nature of individual incidents.

    Generic Incident Handling Checklist

    Detection and Analysis
    [ ] 1. Prioritize handling the incident based on the business impact
        [ ] 1.1 Identify which resources have been affected and forecast which resources will be affected
        [ ] 1.2 Estimate the current and potential technical effect of the incident
        [ ] 1.3 Utilize the prioritization guideline, based on technical effect, affected resources, and criticality
    [ ] 2. Report the incident to the appropriate internal personnel and external organizations

    Containment, Eradication, and Recovery
    [ ] 3. Acquire, preserve, secure, and document evidence
    [ ] 4. Contain the incident
    [ ] 5. Eradicate the incident
        [ ] 5.1 Identify and mitigate all vulnerabilities that were exploited
        [ ] 5.2 Remove malicious code, inappropriate materials, and other components
    [ ] 6. Recover from the incident
        [ ] 6.1 Return affected systems to an operationally ready state
        [ ] 6.2 Confirm that the affected systems are functioning normally
        [ ] 6.3 If necessary, implement additional monitoring to look for future related activity

    Follow-up Activity
    [ ] 7. Create a follow-up report
    [ ] 8. Hold a lessons learned meeting


    DRAFT Policy 191 DoS Incident Handling Checklist v0.1


    This checklist is a continuation of the Initial Incident Handling Checklist. Note that the sequence of steps may vary based on the nature of individual incidents.

    Disruption or Denial of Service Incident Handling Checklist

    Detection and Analysis
    [ ] 1. Prioritize handling the incident based on the business impact
        [ ] 1.1 Identify which resources have been affected and forecast which resources will be affected
        [ ] 1.2 Estimate the current and potential technical effect of the incident
        [ ] 1.3 Utilize the prioritization guideline, based on technical effect, affected resources, and criticality
    [ ] 2. Report the incident to the appropriate internal personnel and external organizations

    Containment, Eradication, and Recovery
    [ ] 3. Acquire, preserve, secure, and document evidence
    [ ] 4. Contain the incident: halt the DoS if it has not already stopped
        [ ] 4.1 Identify and mitigate all vulnerabilities that were used
        [ ] 4.2 If not yet contained, implement filtering based on the characteristics of the attack, if feasible
        [ ] 4.3 If not yet contained, contact the ISP for assistance in filtering the attack
        [ ] 4.4 If not yet contained, relocate the target
    [ ] 5. Eradicate the incident; if step 4 was not performed, identify and mitigate all vulnerabilities that were used
    [ ] 6. Recover from the incident
        [ ] 6.1 Return affected systems to an operationally ready state
        [ ] 6.2 Confirm that the affected systems are functioning normally
        [ ] 6.3 If necessary and feasible, implement additional monitoring to look for future related activity

    Follow-up Activity
    [ ] 7. Create a follow-up report
    [ ] 8. Hold a lessons learned meeting
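    Step 4.2 depends on first characterising the attack from evidence the handler already has. The following is an added example, not part of Policy 191: it parses web-server access logs in the common "combined" format, finds the sources that exceed a per-second request threshold and the dominant URI/User-Agent signature, and drafts nftables drop rules as text for review. The log lines are constructed, and the threshold, the nftables table and chain names, and the rule format are assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the Apache/nginx "combined" format used for the constructed sample below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def make_sample_log():
    """Constructed access log: two ordinary visitors plus two hosts flooding one expensive URI."""
    def line(ip, sec, uri, ua):
        return (f'{ip} - - [05/May/2011:13:54:{sec:02d} +0000] "GET {uri} HTTP/1.1" '
                f'200 512 "-" "{ua}"')

    lines = []
    for sec in range(10):
        lines.append(line("198.51.100.20", sec, f"/page{sec}.html", "Mozilla/5.0"))
        if sec % 3 == 0:
            lines.append(line("198.51.100.21", sec, "/index.html", "Mozilla/5.0"))
        for _ in range(40):
            lines.append(line("203.0.113.7", sec, "/search?q=expensive", "curl/7.19"))
            lines.append(line("203.0.113.8", sec, "/search?q=expensive", "curl/7.19"))
    return lines


def parse(lines):
    """Yield parsed records; lines that do not match the format are skipped."""
    for ln in lines:
        m = LOG_RE.match(ln)
        if m:
            yield m.groupdict()


def characterise(lines, max_rps=10):
    """Find sources exceeding max_rps in any one-second bucket and the dominant (uri, ua) pair.

    The (uri, ua) signature is what you would turn into an application-layer
    filter if the source addresses are too many or too spread out to block.
    """
    per_second = defaultdict(Counter)  # timestamp -> Counter of source IPs
    signatures = Counter()
    for rec in parse(lines):
        per_second[rec["ts"]][rec["ip"]] += 1
        signatures[(rec["uri"], rec["ua"])] += 1

    offenders = {}  # ip -> peak requests per second
    for ips in per_second.values():
        for ip, n in ips.items():
            if n > max_rps:
                offenders[ip] = max(offenders.get(ip, 0), n)
    top_sig, top_hits = signatures.most_common(1)[0]
    return {"offenders": offenders, "signature": top_sig, "signature_hits": top_hits}


def filter_rules(offenders, table="inet filter", chain="input"):
    """Draft nftables drop rules for the offending sources (strings only; nothing is applied)."""
    return [f"nft add rule {table} {chain} ip saddr {ip} drop" for ip in sorted(offenders)]


if __name__ == "__main__":
    summary = characterise(make_sample_log())
    print(summary)
    for rule in filter_rules(summary["offenders"]):
        print(rule)
```

    Per-source rules only work when the flood comes from a bounded set of real addresses. A flood with spoofed sources, or one spread across thousands of hosts, will not show up as a few offenders, and that is the point at which steps 4.3 (ISP filtering) and 4.4 (relocating the target) apply. Time-limit any rule you do apply and record it as part of the evidence, since the rules themselves alter what later logs show.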


    DRAFT Policy 191 Malicious Code Incident Handling Checklist v0.1


    This checklist is a continuation of the Initial Incident Handling Checklist. Note that the sequence of steps may vary based on the nature of individual incidents.

    Malicious Code Incident Handling Checklist

    Detection and Analysis
    [ ] 1. Prioritize handling the incident based on the business impact
        [ ] 1.1 Identify which resources have been affected and forecast which resources will be affected
        [ ] 1.2 Estimate the current and potential technical effect of the incident
        [ ] 1.3 Utilize the prioritization guideline, based on technical effect, affected resources, and criticality
    [ ] 2. Report the incident to the appropriate internal personnel and external organizations

    Containment, Eradication, and Recovery
    [ ] 3. Contain the incident
        [ ] 3.1 Identify infected systems
        [ ] 3.2 Disconnect infected systems from the network
        [ ] 3.3 Mitigate vulnerabilities that were exploited by the malicious code
        [ ] 3.4 If necessary, block the transmission mechanisms for the malicious code
    [ ] 4. Eradicate the incident
        [ ] 4.1 Disinfect, quarantine, delete, and replace infected files
        [ ] 4.2 Mitigate the exploited vulnerabilities for other hosts within the organization
    [ ] 5. Recover from the incident
        [ ] 5.1 Confirm that the affected systems are functioning normally
        [ ] 5.2 If necessary, implement additional monitoring to look for future related activity

    Follow-up Activity
    [ ] 6. Create a follow-up report
    [ ] 7. Hold a lessons learned meeting
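    Steps 3.1 and 4.1 are usually driven by a set of known-bad file digests from the anti-virus vendor or the team's own analysis. The following is an added example, not part of Policy 191: it walks a directory tree, flags every file whose SHA-256 is in the indicator set, and moves each hit into a read-only quarantine directory with a sidecar record of where it came from, so the file is out of the way but still available for analysis. The host layout, the "malware" bytes, and the indicator set are all constructed; the quarantine layout is an assumption.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, known_bad):
    """Return (path, digest) for every file under root whose SHA-256 is in known_bad."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished; note it in the report, do not abort the scan
            if digest in known_bad:
                hits.append((path, digest))
    return hits


def quarantine(hits, qdir):
    """Move each hit into qdir, make it read-only, and write a sidecar record of its origin."""
    os.makedirs(qdir, exist_ok=True)
    records = []
    for i, (path, digest) in enumerate(hits, start=1):
        dest = os.path.join(qdir, f"{digest}-{i}")  # suffix keeps duplicate copies distinct
        shutil.move(path, dest)
        os.chmod(dest, 0o400)
        rec = {
            "original_path": path,
            "sha256": digest,
            "stored_as": dest,
            "quarantined_at": datetime.now(timezone.utc).isoformat(),
        }
        with open(dest + ".json", "w") as f:
            json.dump(rec, f, indent=2)
        records.append(rec)
    return records


def demo():
    """Constructed host: benign files plus two copies of the same constructed 'malware'."""
    root = tempfile.mkdtemp()
    host = os.path.join(root, "host")          # the tree being scanned
    qdir = os.path.join(root, "quarantine")    # kept outside the scanned tree
    malware = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE\x00" * 8
    layout = {
        "bin/ls": b"#!/bin/sh\nexec /usr/bin/ls\n",
        "tmp/.x/update.bin": malware,
        "home/user/invoice.pdf.exe": malware,
        "etc/motd": b"welcome\n",
    }
    for rel, data in layout.items():
        path = os.path.join(host, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    # Indicator set: here just the digest of the constructed sample.
    known_bad = {hashlib.sha256(malware).hexdigest()}
    hits = scan_tree(host, known_bad)
    records = quarantine(hits, qdir)
    return {
        "hits": len(hits),
        "records": records,
        "hits_after": len(scan_tree(host, known_bad)),
        "originals_remaining": sum(os.path.exists(r["original_path"]) for r in records),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    Digest matching finds only exact copies of samples you already know; a repacked or modified copy will not match, so it supports steps 3.1 and 4.1 but does not replace 3.3 and 3.4, closing the exploited vulnerability and the transmission path. Keep the quarantine directory on a filesystem that is not shared and not executable.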


    DRAFT Policy 191 Unauthorized Access or Modification Incident Handling Checklist v0.1


    This checklist is a continuation of the Initial Incident Handling Checklist. Note that the sequence of steps may vary based on the nature of individual incidents.

    Unauthorized Access or Modification Incident Handling Checklist

    Detection and Analysis
    [ ] 1. Prioritize handling the incident based on the business impact
        [ ] 1.1 Identify which resources have been affected and forecast which resources will be affected
        [ ] 1.2 Estimate the current and potential technical effect of the incident
        [ ] 1.3 Utilize the prioritization guideline, based on technical effect, affected resources, and criticality
    [ ] 2. Report the incident to the appropriate internal personnel and external organizations

    Containment, Eradication, and Recovery
    [ ] 3. Perform an initial containment of the incident
    [ ] 4. Acquire, preserve, secure, and document evidence
    [ ] 5. Confirm the containment of the incident
        [ ] 5.1 Further analyze the incident and determine if containment was sufficient (including checking other systems for signs of intrusion)
        [ ] 5.2 Implement additional containment measures if necessary
    [ ] 6. Eradicate the incident
        [ ] 6.1 Identify and mitigate all vulnerabilities that were exploited
        [ ] 6.2 Remove components of the incident from systems
    [ ] 7. Recover from the incident
        [ ] 7.1 Return affected systems to an operationally ready state
        [ ] 7.2 Confirm that the affected systems are functioning normally
        [ ] 7.3 If necessary, implement additional monitoring to look for future related activity

    Follow-up Activity
    [ ] 8. Create a follow-up report
    [ ] 9. Hold a lessons learned meeting
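    "Acquire, preserve, secure, and document evidence" (step 3 of the generic checklist and step 4 above) means, in practice, hashing each item before and after acquisition and keeping a custody record that every hand-off appends to. The following is an added example, not part of Policy 191 or of any chain-of-custody form it references: it copies a file into an evidence store, verifies the copy's SHA-256 against the original, makes it read-only, and writes JSON-lines custody entries for the acquisition and each transfer; a verify pass later re-hashes every item and reports any that no longer match. The case ID, handler names, the sample log line and the store layout are constructed assumptions.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat()


def _append(evidence_dir, record):
    """Custody log is append-only JSON lines; one record per action."""
    with open(os.path.join(evidence_dir, "custody.jsonl"), "a") as f:
        f.write(json.dumps(record) + "\n")


def read_log(evidence_dir):
    with open(os.path.join(evidence_dir, "custody.jsonl")) as f:
        return [json.loads(line) for line in f if line.strip()]


def acquire(source, evidence_dir, handler, case_id, note=""):
    """Copy source into the store, confirm the copy's hash matches the original, log it."""
    items = os.path.join(evidence_dir, "items")
    os.makedirs(items, exist_ok=True)
    item_id = f"{case_id}-{len(os.listdir(items)) + 1:04d}"
    source_hash = sha256_file(source)      # hash the original before anything else touches it
    dest = os.path.join(items, item_id)
    shutil.copy2(source, dest)             # copy2 preserves the source timestamps
    if sha256_file(dest) != source_hash:
        os.remove(dest)
        raise RuntimeError(f"copy of {source} did not verify")
    os.chmod(dest, 0o444)
    rec = {
        "action": "acquired", "item_id": item_id, "case_id": case_id,
        "source": source, "stored_path": dest,
        "sha256": source_hash, "size": os.path.getsize(dest),
        "handler": handler, "at": _now(), "note": note,
    }
    _append(evidence_dir, rec)
    return rec


def transfer(evidence_dir, item_id, from_handler, to_handler, note=""):
    """Record a hand-off; the receiving handler re-hashes the item at the moment of transfer."""
    stored = next(r for r in read_log(evidence_dir)
                  if r["action"] == "acquired" and r["item_id"] == item_id)
    current = sha256_file(stored["stored_path"])
    rec = {
        "action": "transferred", "item_id": item_id,
        "from": from_handler, "to": to_handler,
        "sha256_at_transfer": current, "verified": current == stored["sha256"],
        "at": _now(), "note": note,
    }
    _append(evidence_dir, rec)
    return rec


def verify(evidence_dir):
    """Re-hash every acquired item; return the item_ids whose digest no longer matches."""
    return [r["item_id"] for r in read_log(evidence_dir)
            if r["action"] == "acquired" and sha256_file(r["stored_path"]) != r["sha256"]]


def demo():
    """Constructed case: acquire one log file, hand it off, then show verify catching tampering."""
    root = tempfile.mkdtemp()
    evidence = os.path.join(root, "case-evidence")
    src = os.path.join(root, "auth.log")
    with open(src, "w") as f:  # constructed log line
        f.write("May  5 13:54:01 web01 sshd[2112]: Accepted password for root from 203.0.113.7\n")

    rec = acquire(src, evidence, handler="A. Handler", case_id="IR-2011-0042", note="auth log from web01")
    transfer(evidence, rec["item_id"], "A. Handler", "B. Analyst")
    clean = verify(evidence)

    # Simulate a later modification of the stored copy; verify must report it.
    os.chmod(rec["stored_path"], 0o644)
    with open(rec["stored_path"], "a") as f:
        f.write("tampered\n")
    return {"record": rec, "mismatches_before": clean,
            "mismatches_after": verify(evidence), "log": read_log(evidence)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    A file copy is the simplest case; for a disk the acquisition step is an imaging tool behind a write blocker, but the record-keeping is the same: hash the original first, hash the copy, refuse a copy that does not match, and re-verify at every hand-off so that a later mismatch can be placed between two named handlers.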


    DRAFT Policy 191 Violation of IT Policy Incident Handling Checklist v0.1


    This checklist is a continuation of the Initial Incident Handling Checklist. Note that the sequence of steps may vary based on the nature of individual incidents.

    Violation of IT Policy Incident Handling Checklist

    Detection and Analysis
    [ ] 1. Prioritize handling the incident based on the business impact
        [ ] 1.1 Determine whether the activity seems criminal in nature
        [ ] 1.2 Forecast how severely the agency's reputation may be damaged
        [ ] 1.3 Utilize the prioritization guideline
    [ ] 2. Report the incident to the appropriate internal personnel and external organizations

    Containment, Eradication, and Recovery
    [ ] 3. Acquire, preserve, secure, and document evidence
    [ ] 4. If necessary, contain and eradicate the incident (e.g., remove inappropriate materials)

    Follow-up Activity
    [ ] 5. Create a follow-up report
    [ ] 6. Hold a lessons learned meeting


    DRAFT Policy 191 Multiple Component Incident Handling Checklist v0.1


    This checklist is a continuation of the Initial Incident Handling Checklist. Note that the sequence of steps may vary based on the nature of individual incidents.

    Multiple Component Incident Handling Checklist

    Detection and Analysis
    [ ] 1. Prioritize handling the incident based on the business impact
        [ ] 1.1 Follow the step 1 instructions for each applicable incident category
        [ ] 1.2 Determine the proper course of action for each incident component
    [ ] 2. Report the incident to the appropriate internal personnel and external organizations

    Containment, Eradication, and Recovery
    [ ] 3. Follow the Containment, Eradication, and Recovery steps for each component, based on the results of step 1

    Follow-up Activity
    [ ] 4. Create a follow-up report
    [ ] 5. Hold a lessons learned meeting