"People only see what they are prepared to see." -- Ralph Waldo Emerson
Maybe your system just got hacked. You don't know for sure yet, but you need to quickly qualify the potential incident. You also need to ask questions to make sense of the situation and determine how to proceed. It's easy to make mistakes in the heat of the moment; it's hard to find time to prepare in advance. Here are two cheat sheets that may help.
In each case, I link to the HTML version of the cheat sheet. That page also includes the printable one-page PDF version and the Word version of the file, which you can edit for your needs.
Security Incident Survey Cheat Sheet for Server Administrators
This cheat sheet captures tips for examining a suspect server to decide whether to escalate for formal incident response. Its steps attempt to minimize the adverse effect that the initial survey will have on the system, to decrease the likelihood that the attacker's footprints will be inadvertently erased.
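The survey's goal of preserving the attacker's footprints is easier to meet when every command the administrator runs is recorded with its output outside the suspect system. The following POSIX shell wrapper is an added example, not part of the diary or of the cheat sheet it describes; it assumes an EVIDENCE_DIR on removable media or a network mount and that the responder chooses read-only inspection commands (both assumptions are mine, not the page's):

```shell
#!/bin/sh
# Added example (not from the ISC diary or the cheat sheet): a minimal wrapper
# for the initial survey that keeps every command, its timestamp and its output
# in one evidence log written OUTSIDE the suspect filesystem, so the survey
# itself changes as little as possible on the host.
#
# Assumptions (not from the page): EVIDENCE_DIR points at removable media or a
# network mount, and the commands passed in are read-only inspection commands
# chosen by the responder.

EVIDENCE_DIR="${EVIDENCE_DIR:-/mnt/evidence}"   # assumed external location
LOG="$EVIDENCE_DIR/survey.log"

# survey_init: start the log with a header identifying host, operator and time.
survey_init() {
    mkdir -p "$EVIDENCE_DIR" || return 1
    {
        printf '### survey start: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf '### host: %s\n' "$(hostname)"
        printf '### operator: %s\n' "${SUDO_USER:-$(id -un)}"
    } >> "$LOG"
}

# survey_run CMD [ARGS...]: record the command line and a UTC timestamp, run
# the command, and append its stdout, stderr and exit status to the log.
survey_run() {
    printf '\n### %s $ %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"
    "$@" >> "$LOG" 2>&1
    status=$?
    printf '### exit status: %d\n' "$status" >> "$LOG"
    return "$status"
}

# survey_seal: write a SHA-256 of the log beside it so later tampering with
# the record can be detected. Uses sha256sum where present, else shasum.
survey_seal() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$LOG" > "$LOG.sha256"
    else
        shasum -a 256 "$LOG" > "$LOG.sha256"
    fi
}

# survey_entries: number of commands recorded so far (for the responder's notes).
survey_entries() {
    grep -c '^### .* \$ ' "$LOG"
}

# Example session (commands are ordinary read-only checks, chosen for illustration):
#   EVIDENCE_DIR=/mnt/evidence . ./survey.sh
#   survey_init && survey_run uname -a && survey_run id && survey_seal
```

Sourcing the file and calling `survey_run` for each inspection command produces one chronological log that can be handed to the incident handler if the case is escalated; because nothing is written to the suspect host, the survey itself leaves fewer new artifacts to confuse later analysis.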
Initial Security Incident Questionnaire for Responders
This cheat sheet lists the questions the incident handler should consider asking when taking control of a qualified incident. It's too easy to forget an important question when trying to think on your feet.
How Else to Make Incident Response Less Stressful?
Thanks to everyone who already offered feedback on these cheat sheets. If you have suggestions for improving them, please let us know.
For additional tips on incident handling, see the summary of the suggestions we published in October. Yeah, I should have written this diary last month.
Lenny teaches a SANS course on analyzing malware.
Nov 19th 2008