Last Updated: 2008-11-25 13:31:14 UTC
by Lenny Zeltser (Version: 3)
"People only see what they are prepared to see." -- Ralph Waldo Emerson
Maybe your system just got hacked. You don't know for sure yet, but you need to quickly qualify the potential incident. You also need to ask questions to make sense of the situation and determine how to proceed. It's easy to make mistakes in the heat of the moment; it's hard to find time to prepare in advance. Here are two cheat sheets that may help.
In each case, I link to the HTML version of the cheat sheet. That page also offers a printable one-page PDF version and a Word version you can edit for your own needs.
Security Incident Survey Cheat Sheet for Server Administrators
This cheat sheet captures tips for examining a suspect server to decide whether to escalate for formal incident response. Its steps attempt to minimize the adverse effect that the initial survey will have on the system, to decrease the likelihood that the attacker's footprints will be inadvertently erased.
Initial Security Incident Questionnaire for Responders
This cheat sheet lists the questions the incident handler should consider asking when taking control of a qualified incident. It's too easy to forget an important question when trying to think on your feet.
How Else to Make Incident Response Less Stressful?
Thanks to everyone who already offered feedback on these cheat sheets. If you have suggestions for improving them, please let us know.
For additional tips on incident handling, see the summary of the suggestions we published in October. Yeah, I should have written this diary last month.
Update: ISC reader Tor Vigesdal shared the following tip for surveying a potentially compromised Windows server:
xcopy \\server\share$\*.* /S /L /H /D:mm-dd-yyyy | more
/L is "Displays files that would be copied."
/H is "Copies hidden and system files also."
"Use today's date to get a list of all files modified today. Run it remotely to avoid logging on to a system that doesn't feel right. If you proactively run the report daily, you can compare with yesterday's file to identify file changes that are not 'normal'.
One could have hoped they allowed you to use %date% in the /D parameter, but that does not work for all of us. It fails if your regional date format is not identical to the US format."
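The same survey in PowerShell, as an added example that is not part of the diary or of the reader's tip: it enumerates the share remotely (including hidden and system files, like xcopy /H), keeps only files whose last-write time is on or after a cutoff, writes a dated report, and compares it with the previous day's report so that paths modified today but not yesterday stand out. Because the cutoff is a [datetime] rather than a string, it sidesteps the regional-format problem with %date%. The server and share name (\\server\share$), the report directory (C:\IR\reports), and PowerShell 3.0 or later are assumptions of this example.

```powershell
# Added example (not from the diary or the reader's tip).
# Assumed, hypothetical values: \\server\share$ as the suspect host's share,
# C:\IR\reports on the analyst's workstation, PowerShell 3.0+ (for -File).
param(
    [string]   $Share     = '\\server\share$',
    [string]   $ReportDir = 'C:\IR\reports',
    # Midnight today as a real datetime: no mm-dd-yyyy string, so the
    # regional date format does not matter (unlike %date% with xcopy /D).
    [datetime] $Since     = (Get-Date).Date
)

# Enumerate over SMB from the analyst's workstation instead of logging on to
# the suspect server. -Force includes hidden and system files (xcopy /H);
# -Recurse walks subdirectories (xcopy /S). Nothing is written to the share.
$changed = Get-ChildItem -Path $Share -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    Select-Object FullName, LastWriteTime, Length, Attributes

if (-not $changed) {
    # Caveat: an empty list does not clear the host. Last-write times are
    # easy for an attacker to backdate, so this survey finds sloppy changes,
    # not carefully timestomped ones.
    Write-Host "No files on $Share modified since $Since"
}

# ISO date in the report name so the files sort and "yesterday" is unambiguous.
$today     = (Get-Date).ToString('yyyy-MM-dd')
$yesterday = (Get-Date).AddDays(-1).ToString('yyyy-MM-dd')
$todayFile = Join-Path $ReportDir "$today.csv"
$prevFile  = Join-Path $ReportDir "$yesterday.csv"

if (-not (Test-Path $ReportDir)) { New-Item -ItemType Directory -Path $ReportDir | Out-Null }
@($changed) | Export-Csv -Path $todayFile -NoTypeInformation -Encoding UTF8

# Compare with yesterday's report by path only: a file that changes every day
# (logs, spool, temp) appears on both sides and is filtered out; a path that
# was modified today but not yesterday is the "not normal" change to look at.
if (Test-Path $prevFile) {
    $prev = Import-Csv -Path $prevFile
    Compare-Object -ReferenceObject @($prev) -DifferenceObject @($changed) -Property FullName |
        Where-Object { $_.SideIndicator -eq '=>' } |
        Select-Object -ExpandProperty FullName
} else {
    Write-Warning "No report for $yesterday in $ReportDir; showing today's full list."
    $changed | Format-Table FullName, LastWriteTime, Length -AutoSize
}
```

Run it daily from a scheduled task on the analyst's workstation so that a baseline exists before an incident; on the day something "doesn't feel right", the same script run ad hoc prints only the paths that are new relative to the previous day. Keep the report directory off the suspect host, since writing to it would itself alter the evidence the survey is trying to preserve.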
Update: A related diary offers tips on responding to a DDoS incident.
Security Consulting - SAVVIS, Inc.
Lenny teaches a SANS course on analyzing malware.