Info that would be helpful for 1st responders

Viewing 6 reply threads
  • Author
    Posts
    • #3330
      neteng33
      Participant

      Hello,

      I am in the early stages of looking at putting together an IR program, and I am being asked to put together a template for all sys admins to begin pulling together the information that they might need during an incident.

      I have a few thoughts (system passwords, network diagrams, etc.), but I am wondering what other things should I add to this template.

      I guess basically the question I am asking is what information would you absolutely want to have readily available once you are notified that there is an incident of some sort occurring.

      Thanks a bunch

    • #22080
      Jhaddix
      Participant

      SANS 504 has an excellent checklist, let me see if I can find it for you, I have it somewhere written down =)

      Also I believe there was a thread here on useful things to have also, let me look.

    • #22081
      Jhaddix
      Participant

      Neohapsis has some good ideas for a kit (from 504) here:

      http://archives.neohapsis.com/archives/fulldisclosure/2003-q3/1579.html

        * Use a duffel bag and keep it permanently stocked.
        * Never steal from your own bag.
        * Hardware:
          * Blank, unused (or at least wiped) SCSI disk.
          * Blank, unused (or at least wiped) IDE disk.
          * Small 8-port hub (NOT A SWITCH!). Get a really old one with AUI & coax.
          * Cat5, Cross-over Cat5, AUI, Coax cables.
          * Laptop, dual OS. Use whatever OS’s are best for your situation.
          * Tx-neutered Cat5 (snip one wire, it’s receive-only!)
          * PCMCIA WiFi card
          * USB Thumb drive.
          * Serial cable w/ Cisco router connection.
          * Flashlight
          * Screwdrivers (but TSA might confiscate them — you might have to buy new ones each trip.)
          * Female-to-Female RJ45.
          * Tape recorder, mini-disk, or equiv.
          * Camera (depending upon your requirements, digital, 35mm, or polaroid in that order of legal admissibility).
          * Video Camera, if your plan includes one. Consider the pitfalls of too much info.
        * Software:
          * Copying software: dd, windd, ghost, etc.
          * Sniffer software: ethereal, etc.
          * Forensic software: Coroner’s Toolkit, etc.
          * Statically linked binaries: ls, ps, etc.
          * Bootable OS on floppy or CD.
          * Windows Resource Kit.
        * Supplies:
          * Lots of media for tape recorder.
          * Lots of new, unused backup media (floppies, tapes, CD-R, etc.)
          * Team phone list & company phone book
          * Cell phone & LOTS of batteries (say, 3 or 4).
          * Plastic baggies with ties for evidence.
          * Extra notebooks (bound, with numbered pages)
          * Extra copies of all of your forms.
          * Pens (not pencils!)
          * Business Cards

      You should also consider budget for a “War Room”, a windowless office
      (or closet) that you can meet in, tape evidence up on the wall, etc. It
      has to have comm (net, phone, fax), TV/VCR, paper, whiteboards, etc.

      You also need a slush fund. You need to be able to spend money instantly
      during an incident. If you need to cut a PO at 3:00AM to get an extra
      SCSI drive, or some extra baggies, you are screwed. If you need to
      consult the corp travel adviser before you fly to the location of an
      incident, you are screwed.

      The official SANS site has this good outline:

      http://www.giac.org/resources/whitepaper/network/17.php

      and this section detailing IR (whitepapers)

      http://www.sans.org/reading_room/whitepapers/incident/

      Maybe some non SANS IRs have some additional insight too =P

      I consider it part of my job to read the Handler’s Diary every day!

      http://isc.sans.org/diaryarchive.html

    • #22082
      Jhaddix
      Participant

      Oops, almost forgot Lenny Zeltser’s good cheat sheets!

      Security Incident Survey Cheat Sheet for Server Administrators

      http://www.zeltser.com/network-os-security/security-incident-survey-cheat-sheet.html

      Initial Security Incident Questionnaire for Responders

      http://www.zeltser.com/network-os-security/security-incident-questionnaire-cheat-sheet.html

      Network DDoS Incident Response Cheat Sheet

      http://www.zeltser.com/network-os-security/ddos-incident-cheat-sheet.html

      Reverse-Engineering Cheat Sheet

      http://www.zeltser.com/reverse-malware/reverse-malware-cheat-sheet.html

    • #22083
      neteng33
      Participant

      Thanks a bunch Jhaddix – you have pointed me in the direction of a bunch of info that I will most certainly look through.

      At first glance, it looks like you definitely have given me a ton of info with regards to how to stock my toolkit, but I think I am still missing a head start on information that I want to make sure I have all system admins pull together. Like I said, I know obviously IP addresses and root/admin credentials to go in a software vault, network diagrams, but I am trying to round that list out.

      Can you think of any other information that I would probably want them to document?

      Thanks again – I really appreciate the response.

    • #22084
      Jhaddix
      Participant

      I would create an internal document for each sys admin that contains spots for the systems they administer, description of those systems, a business risk analysis rating (are they critical?), IP/sysinfo, physical location, and a blank lined section for credentials and signatures.

      Hand one out to each sysadmin, then have them fill it out and take it to your company’s C-level executive who is the chief data owner. Have the admin write down the credentials, sign it, then have the CEO/CIO sign it and lock it away in a binder with a copy of your IR policy (once you draft it), up to date physical topology, toolkit/checklist, host inventory (including roaming laptops), etc. I would also run a data integrity program on your systems periodically for comparison (à la Tripwire etc.)

      The SANS IR reading room has more info than this above, hope this was closer to your answer =) Maybe someone else can chime in if they have more experience, gotta love the EH.net community!
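The periodic integrity comparison suggested in the post above (à la Tripwire) can be prototyped in a few lines. This is an added example, not code from the thread or from Tripwire; it assumes the baseline is taken while the host is known-good and is stored alongside the IR binder, and the sample directory tree it builds is constructed for the demo.

```python
"""Tripwire-style file-integrity baseline and periodic comparison (added example)."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large binaries do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest and size."""
    baseline = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            rel = entry.relative_to(root).as_posix()
            baseline[rel] = {"sha256": hash_file(entry), "size": entry.stat().st_size}
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Classify drift between a stored baseline and a fresh scan."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys
                           if old[k]["sha256"] != new[k]["sha256"]),
    }


def demo() -> dict:
    """Constructed sample: seed a temp tree, baseline it, change it, and report the drift."""
    root = Path(tempfile.mkdtemp(prefix="ir-baseline-"))
    (root / "etc").mkdir()
    (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    before = build_baseline(root)
    # Simulate drift between two scheduled runs: one file edited, one removed, one added.
    (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/:/bin/sh\n")
    (root / "etc" / "hosts").unlink()
    (root / "etc" / "new.conf").write_text("option=1\n")
    return compare(before, build_baseline(root))
```

In practice the baseline dictionary would be serialised and kept on read-only media so the comparison is made against a copy the compromised host cannot alter.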

    • #22085
      neteng33
      Participant

      Good deal Jhaddix – I appreciate the input.  You’ve definitely given me a few more things to consider.


Copyright ©2020 Caendra, Inc.
