2 Cheat Sheets for Incident Handling

"People only see what they are prepared to see." -- Ralph Waldo Emerson

Maybe your system just got hacked. You don't know for sure yet, but you need to quickly qualify the potential incident. You also need to ask questions to make sense of the situation and determine how to proceed. It's easy to make mistakes in the heat of the moment; it's hard to find time to prepare in advance. Here are two cheat sheets that may help.

In each case, I link to the HTML version of the cheat sheet. That page also offers a printable one-page PDF version and an editable Word version you can adapt to your needs.

Security Incident Survey Cheat Sheet for Server Administrators

This cheat sheet captures tips for examining a suspect server to decide whether to escalate for formal incident response. Its steps attempt to minimize the adverse effect that the initial survey will have on the system, to decrease the likelihood that the attacker's footprints will be inadvertently erased.

Security Incident Survey Cheat Sheet - Preview

Initial Security Incident Questionnaire for Responders

This cheat sheet lists the questions the incident handler should consider asking when taking control of a qualified incident. It's too easy to forget an important question when trying to think on your feet.

Initial Security Incident Questionnaire - Preview

How Else to Make Incident Response Less Stressful?

Thanks to everyone who already offered feedback on these cheat sheets. If you have suggestions for improving them, please let us know.

For additional tips on incident handling, see the summary of the suggestions we published in October. Yeah, I should have written this diary last month.

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.

Lenny teaches a SANS course on analyzing malware.

Nov 19th 2008