Incident Response

Incident Handlers Checklist

1. Preparation

a. Are all members aware of the security policies of the organization?
b. Do all members of the Computer Incident Response Team know whom to contact?
c. Do all incident responders have access to journals and access to incident response toolkits to perform the actual incident response process?
d. Have all members participated in incident response drills to practice the incident response process and to improve overall proficiency on a regularly established basis?

2. Identification

a. Where did the incident occur?
b. Who reported or discovered the incident?
c. How was it discovered?
d. Are there any other areas that have been compromised by the incident? If so, what are they and when were they discovered?
e. What is the scope of the impact?
f. What is the business impact?
g. Have the source(s) of the incident been located? If so, where, when, and what are they?

3. Containment

a. Short-term containment
i. Can the problem be isolated?
1. If so, then proceed to isolate the affected systems.
2. If not, then work with system owners and/or managers to determine further action necessary to contain the problem.
ii. Are all affected systems isolated from non-affected systems?
1. If so, then continue to the next step.
2. If not, then continue to isolate affected systems until short-term containment has been accomplished to prevent the incident from escalating any further.

b. System-backup

i. Have forensic copies of affected systems been created for further analysis?
ii. Have all commands and other documentation since the incident occurred been kept up to date so far?
1. If not, document all actions taken as soon as possible to ensure all evidence is retained for prosecution and/or lessons learned.
2. Are the forensic copies stored in a secure location?
a. If so, then continue on to the next step.
b. If not, then place the forensic images in a secure location to prevent accidental damage and/or tampering.

c. Long-term containment

i. If the system can be taken offline, then proceed to the Eradication phase.
ii. If the system must remain in production, proceed with long-term containment by removing all malware and other artifacts from affected systems, and harden the affected systems against further attacks until circumstances allow the affected systems to be reimaged.

4. Eradication

a. If possible, can the system be reimaged and then hardened with patches and/or other countermeasures to prevent or reduce the risk of attacks?
i. If not, then please state why.
b. Have all malware and other artifacts left behind by the attackers been removed and the affected systems hardened against further attacks?
i. If not, then please explain why.

5. Recovery

a. Have the affected system(s) been patched and hardened against the recent attack, as well as possible future ones?
b. What day and time would be feasible to restore the affected systems back into production?
c. What tools are you going to use to test, monitor, and verify that the systems being restored to production are not compromised by the same methods that caused the original incident?
d. How long are you planning to monitor the restored systems and what are you going to look for?
e. Are there any prior benchmarks that can be used as a baseline against which to compare the monitoring results of the restored systems?

6. Lessons Learned

a. Has all necessary documentation from the incident been written?
i. If so, then generate the incident response report for the lessons learned meeting.
ii. If not, then have the documentation written as soon as possible before anything is forgotten and left out of the report.
b. Assuming the incident response report has been completed, does it document and answer the following questions for each phase of the incident response process: Who? What? Where? Why? How?
c. Can a lessons learned meeting be scheduled within two weeks after the incident has been resolved?
i. If not, then please explain why, and state when the next convenient time to hold it would be.
d. Lessons Learned Meeting
i. Review the incident response process of the incident that occurred with all CIRT members.
ii. Did the meeting discuss any mistakes or areas where the response process could have been handled better?
1. If no such conversations occurred, then please explain why.