Incident response cycle
Even a well-protected computer system may be compromised. System administrators may find this six-step incident response cycle useful in preparing for, handling, and recovering from a security incident.
Preparation
- Define:
  - Your "team" -- roles, responsibilities, and who has authority to take a system offline
  - Policies (e.g., acceptable account use, passwords, sanctions for misuse)
  - Procedures (e.g., system integrity checks, account expiration, patch application, investigation)
- Have (and know how to use) security tools
- Make good backups
- See: Unix Configuration Guidelines and UW Technology's Unix System Security Checklist
Detection
- Assess type and extent of problem
- As soon as you know this is a real incident, make a full backup (ideally a bit-for-bit image of the disks) before you change anything: it preserves evidence and protects you if recovery goes wrong. Use fresh media, and do not overwrite your last known-good backup with an image of the compromised system.
- Start documenting everything in a notebook (with time/date)
- Keep track of time spent (a good open source tool is TimeTracker)
- Capture audit information, accounting data, etc. for evidence
- Realize that the intruders may have installed Trojan horse versions of system programs (ls, ps, netstat, login) or a kernel rootkit that hide their files, processes, and connections. Run your checks with known-good binaries from read-only media and compare the system against an integrity baseline taken before the incident; output from the suspect system's own tools cannot be trusted.
- Initiate notification process (at least report the security incident)
- See: CERT's Intruder Detection Checklist
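The evidence-capture step above, as an added example that is not part of the original page: a small POSIX shell script that collects the most perishable data first (order of volatility), saves each command's output to its own file, and appends a UTC timestamp, exit status and SHA-256 hash to a manifest so the notebook entry and the evidence can be matched later. It assumes sha256sum(1) is installed, that OUTDIR is on removable or remote storage rather than the suspect disk, and that the command list is only illustrative (on modern Linux, ss -anp replaces netstat -an). The caveat from the list applies: these commands run on the suspect host, so a rootkit can lie to them; use statically linked copies from trusted media where you can.

```shell
#!/bin/sh
# Added example, not from the original page. Collect volatile evidence in
# order of volatility and keep a timestamped, hashed manifest of what was
# taken and when. Assumptions: sha256sum(1) exists; OUTDIR is not on the
# suspect disk; the command list is illustrative and should be replaced
# with trusted binaries from read-only media on a real incident.

# record OUTDIR NAME CMD...  -- run CMD, store its output as OUTDIR/NAME.txt,
# and append "UTC-timestamp rc=N sha256 command" to OUTDIR/manifest.txt.
# A missing or failing command is still recorded (with its exit status),
# so the manifest shows what was attempted, not just what succeeded.
record() {
    outdir=$1; name=$2; shift 2
    file="$outdir/$name.txt"
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if "$@" > "$file" 2>&1; then rc=0; else rc=$?; fi
    sum=$(sha256sum "$file" | cut -d ' ' -f 1)
    printf '%s rc=%s %s %s\n' "$stamp" "$rc" "$sum" "$*" >> "$outdir/manifest.txt"
}

# capture_volatile OUTDIR  -- most perishable data first, login history last.
capture_volatile() {
    mkdir -p "$1"
    record "$1" 01-date    date
    record "$1" 02-uptime  uptime
    record "$1" 03-who     who
    record "$1" 04-ps      ps -ef
    record "$1" 05-net     netstat -an     # "ss -anp" on modern Linux
    record "$1" 06-last    last
    # Hash the manifest itself so later edits to it are detectable.
    sha256sum "$1/manifest.txt" > "$1/manifest.sha256"
}

# Usage on the suspect host, writing to mounted removable media:
#   . ./capture.sh && capture_volatile /mnt/evidence/$(hostname)-$(date -u +%Y%m%d%H%M)
```

Copy the output directory to a second machine and record the manifest.sha256 value in the paper notebook before you do anything else on the suspect system; a shutdown or reboot after this point loses nothing you have not already saved.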
Containment
- Continue to document your actions and track time spent
- Notify departmental administration
- Decide whether to shut the system down or keep it running. Shutting down stops further damage but destroys volatile evidence (running processes, network connections, memory contents) and tells the intruder you have noticed; unplugging the network cable while you collect that evidence is often the better first step.
- Decide when/how to notify users
Eradication
- Continue to document your actions and track time spent
- Determine whether you need to check binaries for tampering or just re-install the entire operating system. Once an intruder has had root, comparing binaries against a trusted baseline tells you what was touched, but the only reliable cleanup is a reinstall from trusted media, patched before the system goes back on the network.
- Determine whether you should clean or reformat the disks
- Make sure the backups are OK: verify that the backup you will restore from predates the compromise and does not itself carry the intruder's files
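The integrity check named under Preparation and the "check binaries for tampering" decision under Eradication both rest on the same mechanism: a baseline of file hashes recorded on a known-clean system and stored somewhere the intruder cannot rewrite. As an added example that is not part of the original page, here is a minimal version of that mechanism in POSIX shell, in the spirit of tools such as Tripwire and AIDE. It assumes GNU sha256sum(1) and find(1), paths without whitespace, and that the baseline file lives off-host or on read-only media.

```shell
#!/bin/sh
# Added example, not from the original page: a minimal file-integrity
# baseline. Run make_baseline during Preparation (on a clean system, then
# move the baseline off-host or to read-only media) and check_baseline
# during Detection/Eradication to list tampered, removed and added files.
# Assumptions: GNU sha256sum(1) and find(1); paths contain no whitespace.

# make_baseline DIR OUT  -- write "hash  path" for every regular file under DIR
make_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2 > "$2"
}

# check_baseline DIR BASELINE  -- compare the live tree with BASELINE.
# Prints one line per difference (MODIFIED / MISSING / ADDED) and returns 1;
# returns 0 and prints nothing when every recorded file is unchanged.
check_baseline() {
    dir=$1; base=$2
    now=$(mktemp)
    make_baseline "$dir" "$now"
    report=$(awk -v base="$base" '
        FILENAME == base { old[$2] = $1; next }   # recorded hashes
        { new[$2] = $1 }                          # live hashes
        END {
            for (p in old)
                if (!(p in new))           print "MISSING  " p
                else if (old[p] != new[p]) print "MODIFIED " p
            for (p in new)
                if (!(p in old))           print "ADDED    " p
        }' "$base" "$now" | sort)
    rm -f "$now"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage (baseline taken while the system was clean, kept on read-only media):
#   make_baseline /usr/bin /mnt/cdrom/usr-bin.sha256   # Preparation
#   check_baseline /usr/bin /mnt/cdrom/usr-bin.sha256  # Detection/Eradication
```

Run the check with a known-good copy of sh, find, awk and sha256sum from trusted media, not the suspect system's own binaries: a trojaned sha256sum that reports the old hash for a replaced ls defeats the whole exercise. The baseline also needs refreshing after every legitimate patch run, or the report fills with expected changes that hide the real ones.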
Recovery
- Follow your recovery procedures (determine them now if you didn't before)
- Continue to document your actions and track time spent
- Determine whether you need to restore user files/data from backups, and check whatever you restore for the intruder's leftovers (cron jobs, .rhosts, SSH authorized_keys, setuid files) before putting it back in service
- See: CERT's Steps for Recovering from a UNIX Root Compromise
Follow-up
- Review what has been done; were your procedures adequate?
- Write a summary report of the incident and "lessons learned"
- Use the logs you've been keeping to assess time/cost of handling this incident; law enforcement will need damage estimates to pursue prosecution. For more information, read Developing an Effective Incident Cost Analysis Mechanism.
