Incident response cycle in a nutshell
- Assess type and extent of problem
- As soon as you know this is a real incident, do a full
- Start documenting everything in a notebook (with time/date)
- Keep track of time spent (a good open source tool is TimeTracker)
- Capture audit information, accounting data, etc. for evidence
- Realize that the intruders may have installed trojan horse programs that hide things
- Initiate notification process (at least send email to firstname.lastname@example.org)
- See: CERT's Intruder Detection Checklist
- Continue to document your actions and track time spent
- Notify departmental administration
- Decide whether to shut the system down or keep it running
- Decide when/how to notify users
- Don't stop documenting what you are doing (and tracking time)
- Should you check binaries for tampering or just re-install the
entire operating system?
- Should you clean/reformat discs?
- Are backups OK, or do they need to be checked as well?
- Review what has been done; were your procedures adequate?
- Write a summary report of the incident and "lessons learned"
- Use the logs you've been keeping to assess time/cost of handling
this incident; law enforcement will need damage estimates to
Dave Dittrich <email@example.com>
Last modified: Wed Mar 24 10:08:33 1999