Hello,
I am in the early stages of looking at putting together an IR program, and I am being asked to put together a template for all sys admins to begin pulling together the information that they might need during an incident.
I have a few thoughts (system passwords, network diagrams, etc.), but I am wondering what other things should I add to this template.
I guess basically the question I am asking is what information would you absolutely want to have readily available once you are notified that there is an incident of some sort occurring.
Thanks a bunch
Have you looked at the SANS First Responder Guide or the DOJ/NIJ Electronic Crime Scene Investigation - A Guide for First Responders?
We have a triage worksheet for all of our responders to use as a guideline when receiving a call.
I think that the best way to look at this is to ask yourself what you would need when you're called to a new environment for the first time…do they have a network diagram of some kind, where are the application managers and DBAs, etc? I also ask for a general description of what was the first indicator of the incident, when they were notified, and what they've done since that time…specifically. It's odd a lot of times how "nothing" really means logged in, rebooted systems, run AV scans, deleted files, etc.
As a consultant, I generally have to walk a fine line with this kind of thing, as many times, the customer is calling in a panic, and needs answers quickly. Asking a lot of questions while not actually doing much tends to upset them further.
Thanks a bunch for the tips guys; I really appreciate it.