Data breaches have become an unfortunate reality for most companies. If you haven’t already experienced one, just wait. Whether state-sponsored or committed by an individual, hacking and the resulting loss of data, reputation and business profit must be a top priority for all organizations. And while it’s important to keep up with the latest technologies to reduce the chance of a breach, it’s equally important to be ready to handle one once it occurs. A good way to do that is with incident response checklists.
When a security breach occurs, IT teams that are armed with incident response checklists will be better prepared to execute a fast and effective response. Good incident response checklists address particular scenarios and break down critical tasks into smaller pieces. They also help responders document everything that happens in an accurate, standard, and repeatable way. In this slideshow, AlienVault has identified the top five checklists that IT teams should have ready to go.
Top Five Incident Response Checklists
Click through for the top five response checklists every organization should have ready to go (and up to date) when a security incident occurs, as identified by AlienVault.
Forensic Analysis
A forensic analysis checklist provides the common commands to run when analyzing an individual system to determine what happened, and indicates the most likely places to look for peculiar behavior. These lists should be customized for the operating system and for the system’s function, i.e., file server, database, web server, domain controller, DNS, etc. They should help responders identify what type of security incident has happened by gathering evidence from log files, intrusion detection systems and other sources, and then prompt them to move forward through a specific process for containment and eradication of the issue. Two practical points belong on every such list: capture the most volatile evidence first (logged-in users, running processes, network connections) before anything that a reboot or a cleanup would not erase, and record the time, the exact command and a hash of each output, so that the evidence can later be shown to be complete and unaltered.
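The checklist described above, turned into a small script, as an added example that is not AlienVault’s code. It assumes Linux hosts with Debian-style log paths (/var/log/nginx, /var/log/mysql, /etc/bind) and a handful of role names (web, database, dns); the command tables, paths and role names are assumptions to be adapted to your own systems. It goes slightly beyond the paragraph by also running a brute-force check over a few constructed sshd log lines, as an instance of the log-file evidence gathering the checklist should prompt for.

```python
"""Role-aware forensic triage checklist runner (added example, not from the page).

Assumptions: Linux hosts, Debian-style log paths, evidence written to a local
directory. Commands come only from the tables below, never from untrusted input.
"""
import hashlib
import json
import re
import subprocess
import time
from collections import Counter
from pathlib import Path

# Volatile-state commands for every Linux host, ordered from most to least
# volatile so the fleeting evidence (sessions, processes, sockets) is taken first.
BASE_CHECKLIST = [
    ("identity", "uname -a; hostname; date -u"),
    ("sessions", "who -a; last -n 25"),
    ("processes", "ps -eo pid,ppid,user,lstart,etime,cmd --forest"),
    ("network", "ss -tulpan"),
    ("persistence", "ls -la /etc/cron* /var/spool/cron 2>/dev/null; crontab -l 2>/dev/null"),
    ("recent_files", "find / -xdev -type f -mmin -1440 2>/dev/null | head -n 500"),
]

# Extra places to look, keyed by the system's function (paths are assumptions).
ROLE_CHECKLIST = {
    "web": [
        ("web_errors", "tail -n 200 /var/log/nginx/error.log 2>/dev/null"),
        ("webroot_changes", "find /var/www -type f -mmin -1440 2>/dev/null"),
    ],
    "database": [
        ("db_errors", "tail -n 200 /var/log/mysql/error.log 2>/dev/null"),
        ("db_grant_tables", "ls -la /var/lib/mysql/mysql 2>/dev/null"),
    ],
    "dns": [
        ("dns_config", "ls -la /etc/bind 2>/dev/null; cat /etc/resolv.conf"),
        ("dns_zone_changes", "find /etc/bind /var/cache/bind -type f -mmin -1440 2>/dev/null"),
    ],
}

# sshd failure line, e.g. "Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2"
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

# Constructed sample auth.log lines (RFC 5737 documentation addresses), not real data.
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 web01 sshd[2181]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Mar  3 09:12:03 web01 sshd[2181]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2
Mar  3 09:12:05 web01 sshd[2183]: Failed password for root from 203.0.113.5 port 4244 ssh2
Mar  3 09:12:09 web01 sshd[2190]: Accepted publickey for deploy from 198.51.100.7 port 51022 ssh2
Mar  3 09:13:40 web01 sshd[2201]: Failed password for root from 198.51.100.7 port 51030 ssh2
""".splitlines()


def triage_checklist(role):
    """Ordered (name, command) list for a host with the given role; unknown roles get the base list."""
    return BASE_CHECKLIST + ROLE_CHECKLIST.get(role, [])


def run_checklist(checklist, evidence_dir, timeout=60):
    """Run each command, save its output, and append a timestamped, hashed journal entry.

    The journal (journal.jsonl) records what was run, when, how long it took and the
    SHA-256 of the captured output, so the collection is repeatable and verifiable.
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    journal = evidence_dir / "journal.jsonl"
    records = []
    for name, command in checklist:
        started = time.time()
        try:
            proc = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=timeout)
            output, rc = proc.stdout + proc.stderr, proc.returncode
        except subprocess.TimeoutExpired:
            output, rc = "", "timeout"
        out_file = evidence_dir / f"{name}.txt"
        out_file.write_text(output)
        record = {
            "step": name, "command": command, "returncode": rc,
            "started_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(started)),
            "seconds": round(time.time() - started, 3),
            "sha256": hashlib.sha256(output.encode()).hexdigest(),
            "file": out_file.name,
        }
        records.append(record)
        with journal.open("a") as fh:
            fh.write(json.dumps(record) + "\n")
    return records


def failed_logins_by_source(lines, threshold=3):
    """Count sshd password failures per source IP; return sources at or above the threshold."""
    counts = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for r in run_checklist(triage_checklist("web"), "evidence-web01"):
        print(f"{r['step']:<18} rc={r['returncode']!s:<8} {r['seconds']:>7}s sha256={r['sha256'][:12]}")
    print("brute-force sources:", failed_logins_by_source(SAMPLE_AUTH_LOG))
```

Run it as root on the affected host, writing the evidence directory to removable media rather than the compromised disk, and copy journal.jsonl into the incident handler’s journal; the per-step seconds also give you the timing data the backup and recovery checklist asks for.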
Emergency Contact Communications
A detailed communication plan ensures that the entire incident response team knows whom to contact, when it is appropriate to contact them, and for what purposes. This checklist should also spell out what information to convey to each of those people, based on what they are likely to need, and it should identify the employees who can help get critical systems back online, if needed. Because an attacker may be reading corporate email or chat, the plan should include an out-of-band channel (for example, personal phone numbers kept in a printed copy) for the core team. Organizations should get consensus on the communications plan in advance, since clear communication is the element that most often decides whether a response is fast and effective.
System Backup and Recovery
Every system should have its own checklist of tasks, based on its distinct configuration and operating system, that helps responders confirm when it is no longer compromised and can return to normal operation. The list should document how long each step required to restore operations takes, and the full system backup and full system recovery processes should be tested and documented in advance, not for the first time during an incident. When restoring, responders should use a backup taken before the compromise began and verify its integrity before returning the system to production; a backup that silently contains the attacker’s persistence mechanism only restarts the incident.
The ‘Jump Bag’
The SANS Institute, a leading source of information for incident responders, recommends that each team member keep a “jump bag” of important tools on hand, so that they can begin a “grab-and-go” response at any time. This checklist should list everything needed for rapid response: USB drives, up-to-date anti-malware tools, a forensic suite such as FTK (Forensic Toolkit) or EnCase, network cables, hard drive duplicators and write blockers, and more. One of the most important items in the bag is the incident handler’s journal, used to document the who, what, where, when, why and how of an incident as it unfolds.
Post-Incident Security Policy Review
In order to prevent similar incidents from happening in the future, this checklist should cover when and how the problem was first detected, the scope of the incident, how it was contained, which controls failed, and finally, the steps that will be necessary to prevent future incidents. It should also prompt responders to make notes about which elements of the response were particularly effective. This information can be used to update security awareness programs as necessary, since many incidents result from a lack of user education around basic security best practices. This stage is all about learning from our failures and using these lessons to become better prepared for tomorrow.