I would create an internal document for each sysadmin that contains spots for the systems they administer, a description of those systems, a business risk analysis rating (are they critical?), IP/sysinfo, physical location, and a blank lined section for credentials and signatures.
Hand one out to each sysadmin, have them fill it out, then take it to your company's C-level executive who is the chief data owner. Have the admin write down the credentials and sign it, then have the CEO/CIO sign it and lock it away in a binder with a copy of your IR policy (once you draft it), an up-to-date physical topology, toolkit/checklist, host inventory (including roaming laptops), etc. I would also run a data integrity program on your systems periodically for comparison (a la Tripwire, etc.).
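As an added illustration of the Tripwire-style comparison mentioned above (example code written for this post, not from any of the tools it names), the script below takes a hashed baseline of a file tree, stores it as JSON, and later reports which files were added, removed or changed. The directory layout and file contents in `demo()` are constructed samples.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large binaries do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Relative path -> {sha256, mode, size} for every regular file under root."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.lstat()
            snap[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p), "mode": oct(st.st_mode & 0o7777), "size": st.st_size}
    return snap

def save_baseline(snap, path):
    """Write the baseline; in practice keep this copy on read-only media, off the host."""
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))

def load_baseline(path):
    return json.loads(Path(path).read_text())

def compare(baseline, current):
    """Added, removed and changed paths between a baseline and a fresh snapshot."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in both if baseline[p] != current[p])}

def demo():
    """Constructed sample tree: baseline it, change it, report the drift."""
    with tempfile.TemporaryDirectory() as d:
        host, base = Path(d) / "host", Path(d) / "baseline.json"
        for rel, data in {"etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
                          "bin/ls": b"\x7fELF original binary",
                          "var/log/auth.log": b"Accepted publickey for admin\n"}.items():
            (host / rel).parent.mkdir(parents=True, exist_ok=True)
            (host / rel).write_bytes(data)
        save_baseline(snapshot(host), base)                    # taken while the host is known-good
        (host / "bin" / "ls").write_bytes(b"\x7fELF replaced")  # a system binary changed
        (host / "var" / "log" / "auth.log").unlink()            # a log file disappeared
        (host / "etc" / "newfile.conf").write_bytes(b"x")       # a file appeared
        return compare(load_baseline(base), snapshot(host))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```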
Neohapsis has some good ideas for an IH kit (from SANS 504) here:
http://archives.neohapsis.com/archives/fulldisclosure/2003-q3/1579.html
* Use a duffel bag and keep it permanently stocked.
* Never steal from your own bag.
* Hardware:
  * Blank, unused (or at least wiped) SCSI disk.
  * Blank, unused (or at least wiped) IDE disk.
  * Small 8-port hub (NOT A SWITCH!). Get a really old one with AUI & coax.
  * Cat5, cross-over Cat5, AUI, coax cables.
  * Laptop, dual OS. Use whatever OS's are best for your situation.
  * Tx-neutered Cat5 (snip one wire, it's receive-only!)
  * PCMCIA WiFi card
  * USB thumb drive.
  * Serial cable w/ Cisco router connection.
  * Flashlight
  * Screwdrivers (but TSA might confiscate them -- you might have to buy new ones each trip.)
  * Female-to-female RJ45.
  * Tape recorder, mini-disk, or equiv.
  * Camera (depending upon your requirements, digital, 35mm, or Polaroid, in that order of legal admissibility).
  * Video camera, if your plan includes one. Consider the pitfalls of too much info.
* Software:
  * Copying software: dd, windd, ghost, etc.
  * Sniffer software: ethereal, etc.
  * Forensic software: Coroner's Toolkit, etc.
  * Statically linked binaries: ls, ps, etc.
  * Bootable OS on floppy or CD.
  * Windows Resource Kit.
* Supplies:
  * Lots of media for tape recorder.
  * Lots of new, unused backup media (floppies, tapes, CD-R, etc.)
  * Team phone list & company phone book
  * Cell phone & LOTS of batteries (say, 3 or 4).
  * Plastic baggies with ties for evidence.
  * Extra notebooks (bound, with numbered pages)
  * Extra copies of all of your forms.
  * Pens (not pencils!)
  * Business cards
You should also consider budget for a "War Room", a windowless office (or closet) that you can meet in, tape evidence up on the wall, etc. It has to have comm (net, phone, fax), TV/VCR, paper, whiteboards, etc.
You also need a slush fund. You need to be able to spend money instantly during an incident. If you need to cut a PO at 3:00AM to get an extra SCSI drive, or some extra baggies, you are screwed. If you need to consult the corp travel adviser before you fly to the location of an incident, you are screwed.
The official SANS site has this good outline:
http://www.giac.org/resources/whitepaper/network/17.php
and this section of whitepapers detailing IR:
http://www.sans.org/reading_room/whitepapers/incident/
Read the Handler's Diary every day!
http://isc.sans.org/diaryarchive.html
Additional Links:
Security Incident Survey Cheat Sheet for Server Administrators
http://www.zeltser.com/network-os-security/security-incident-survey-cheat-sheet.html
Initial Security Incident Questionnaire for Responders
http://www.zeltser.com/network-os-security/security-incident-questionnaire-cheat-sheet.html
Network DDoS Incident Response Cheat Sheet
http://www.zeltser.com/network-os-security/ddos-incident-cheat-sheet.html
Reverse-Engineering Cheat Sheet
http://www.zeltser.com/reverse-malware/reverse-malware-cheat-sheet.html