INITIAL SECURITY INCIDENT QUESTIONNAIRE FOR RESPONDERS

Tips for assisting incident handlers in assessing the situation when responding to a qualified incident.

Understand the Incident’s Background

What is the nature of the problem, as it has been observed so far?

How was the problem initially detected? When was it detected and by whom?

What security infrastructure components exist in the affected environment? (e.g., firewall, anti-virus, etc.)

What is the security posture of the affected IT infrastructure components? How recently, if ever, was it assessed for vulnerabilities?

What groups or organizations were affected by the incident? Are they aware of the incident?

Were other security incidents observed on the affected environment or the organization recently?

Define Communication Parameters

Which individuals are aware of the incident? What are their names and group or company affiliations?

Who is designated as the primary incident response coordinator?

Who is authorized to make business decisions regarding the affected operations? (This is often an executive.)

What mechanisms will the team use to communicate when handling the incident? (e.g., email, phone conference, etc.) What encryption capabilities should be used?

What is the schedule of internal regular progress updates? Who is responsible for them?

What is the schedule of external regular progress updates? Who is responsible for leading them?

Who will conduct “in the field” examination of the affected IT infrastructure? Note their name, title, phone (mobile and office), and email details.

Who will interface with legal, executive, public relations, and other relevant internal teams?

Assess the Incident’s Scope

What IT infrastructure components (servers, websites, networks, etc.) are directly affected by the incident?

What applications and data processes make use of the affected IT infrastructure components?

Are we aware of compliance or legal obligations tied to the incident? (e.g., PCI, breach notification laws, etc.)

What are the possible ingress and egress points for the affected environment?

What theories exist for how the initial compromise occurred?

Does the affected IT infrastructure pose any risk to other organizations?

Review the Initial Incident Survey’s Results

What analysis actions were taken during the initial survey when qualifying the incident?

What commands or tools were executed on the affected systems as part of the initial survey?

What measures were taken to contain the scope of the incident? (e.g., disconnected from the network)

What alerts were generated by the existing security infrastructure components? (e.g., IDS, anti-virus, etc.)

If logs were reviewed, what suspicious entries were found? What additional suspicious events or state information was observed?

Prepare for Next Incident Response Steps

Does the affected group or organization have specific incident response instructions or guidelines?

Does the affected group or organization wish to proceed with live analysis, or does it wish to start formal forensic examination?

What tools are available to us for monitoring network or host-based activities in the affected environment?

What mechanisms exist to transfer files to and from the affected IT infrastructure components during the analysis? (e.g., network, USB, CD-ROM, etc.)

Where are the affected IT infrastructure components physically located?

What backup-restore capabilities are in place to assist in recovering from the incident?

What are the next steps for responding to this incident? (Who will do what and when?)

Key Incident Response Steps

1. Preparation: Gather and learn the necessary tools, become familiar with your environment.

2. Identification: Detect the incident, determine its scope, and involve the appropriate parties.

3. Containment: Contain the incident to minimize its effect on neighboring IT resources.

4. Eradication: Eliminate compromise artifacts, if necessary, on the path to recovery.

5. Recovery: Restore the system to normal operations, possibly via reinstall or backup.

6. Wrap-up: Document the incident’s details, retain collected data, and discuss lessons learned.

Additional Incident Response References

Incident Survey Cheat Sheet for Server Administrators
http://zeltser.com/network-os-security/security-incident-survey-cheat-sheet.html

Windows Intrusion Discovery Cheat Sheet
http://sans.org/resources/winsacheatsheet.pdf

Checking Windows for Signs of Compromise
http://www.ucl.ac.uk/cert/win_intrusion.pdf

Linux Intrusion Discovery Cheat Sheet
http://sans.org/resources/linsacheatsheet.pdf

Checking Unix/Linux for Signs of Compromise
http://www.ucl.ac.uk/cert/nix_intrusion.pdf
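The questions under Review the Initial Incident Survey’s Results (which commands and tools were run, what was observed) and the wrap-up step’s “retain collected data” are far easier to answer if every survey command is recorded as it happens rather than reconstructed from memory. The shell wrapper below is an added example and is not part of the cheat sheet: it runs each survey command, keeps its output in a per-incident evidence directory, and appends a log line with UTC timestamp, host, operator, exit status and the SHA-256 of the saved output; a second function re-hashes the stored files so the record can be checked later. SURVEY_DIR is an assumed location chosen per incident, and the script assumes a POSIX sh with coreutils (date, find, sha256sum, uname).

```shell
#!/bin/sh
# Added example, not from the cheat sheet: wrap each initial-survey command so
# that what was run, when, by whom, its exit status, and a hash of its output
# are recorded as evidence. Assumes POSIX sh plus coreutils (date, find,
# sha256sum, uname). SURVEY_DIR is an assumed, per-incident location.
SURVEY_DIR="${SURVEY_DIR:-./survey-evidence}"

# survey <command> [args...]  -- run a command, keep its output, log the run.
survey() {
    mkdir -p "$SURVEY_DIR"
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    # Sequence number from files already stored, so ordering survives even
    # when two commands run within the same second.
    n=$(find "$SURVEY_DIR" -name '*.out' | wc -l | tr -d ' ')
    out=$(printf '%s/%04d_%s.out' "$SURVEY_DIR" "$n" "$ts")
    # Capture stdout and stderr together; the if/else keeps set -e from
    # aborting the wrapper when the surveyed command itself fails.
    if "$@" >"$out" 2>&1; then rc=0; else rc=$?; fi
    sum=$(sha256sum "$out" | cut -d' ' -f1)
    # Tab-separated record; fields: ts, host, operator, rc, sha256, file, cmd.
    printf '%s\thost=%s\toperator=%s\trc=%s\tsha256=%s\tfile=%s\tcmd=%s\n' \
        "$ts" "$(uname -n)" "${USER:-$(id -un)}" "$rc" "$sum" "$out" "$*" \
        >>"$SURVEY_DIR/survey.log"
    cat "$out"          # still show the responder the result
    return "$rc"
}

# survey_verify -- re-hash every stored output file; returns the number of
# files whose hash no longer matches the log (0 means the record is intact).
survey_verify() {
    bad=0
    while IFS= read -r line; do
        want=$(printf '%s\n' "$line" | cut -f5 | cut -d= -f2)
        file=$(printf '%s\n' "$line" | cut -f6 | cut -d= -f2-)
        have=$(sha256sum "$file" 2>/dev/null | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s\n' "$file" >&2
            bad=$((bad + 1))
        fi
    done <"$SURVEY_DIR/survey.log"
    return "$bad"
}
```

Run live-survey commands through the wrapper (for example `survey netstat -an` or `survey ps aux`) instead of directly; survey.log then lists, in order, exactly what was executed on the affected system, and the hashes let the stored output be verified if the case moves from live analysis to formal forensic examination. Two caveats the questionnaire itself raises: running anything on the suspect host changes its state, so agree on live analysis versus forensic imaging before the first command, and keep SURVEY_DIR on removable or remote storage rather than on the affected host where possible.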
Authored by Lenny Zeltser, who leads a security consulting team at SAVVIS, and teaches malware analysis at SANS Institute. Special thanks for feedback to Jack McCarthy and Patrick Nolan.
Creative Commons v3 “Attribution” License for this cheat sheet v. 1.2. More cheat sheets?