Cyber Incident Checklists

When responding to an incident, the first checklist you should complete is the Incident Summary Checklist, which is designed to collect the essential vitals of an incident. This checklist’s objective is to capture high-level information regarding the occurrence. The information gathered should provide you a rough picture of what transpired and assist you in identifying areas where your response process may require revision.

The date and time of the occurrence - Record the date and time when a person or automated system first brought the issue to the attention of the IR team.

The time and date the event was discovered - The time an occurrence is reported is typically later than the time it was discovered. Make a note of when the problem was discovered and when it was fixed.

After you have finished the Incident Summary Checklist, you can go on to gather more detail in the individual categories. The following checklists should be completed in whatever sequence the circumstances dictate. You may also enlist help and work on several tasks at once.

Incident Detection Checklist

The following checklist is used to collect further information on how the event was noticed as well as the detection systems themselves. In our experience, taking the extra effort to confirm the detection is time well spent.

Was the detection automated or manual? - Was the event detected by a human or by an automated system? Bear in mind that the detection may have been relayed from somewhere else, so establishing whether it originated from an automated system or from manual analysis is critical for judging its validity.

What data was included in the first detection? - Keep a record of the information found in the initial detection. If there was an alert, do you have a copy of it? Have you talked with the individual who made the detection to document what they saw? Use healthy scepticism and make sure you get the raw facts to validate what you are told or given. Ensure that all data you acquire is correctly stored. If the data is small enough, the IR team should be in charge of storing it.

What sources provided the data used in the detection? - If the source was a person or people, make a note of their contact information. If the source was one or more automated systems, describe how each one contributed to the detection. Take note of the time zone in which each automated system records its timestamps.

Has anyone obtained and verified that the source data is correct? If so, who? - If a person was involved in the detection, has anyone validated the methodology and the data that were evaluated? If it was an automated system, has someone reviewed both the raw data and the criteria that the detection was based on?

Is the original data being preserved? - Depending on the system or method employed, the data connected to the detection may not be saved automatically, or it may be purged from the systems after a specified number of hours or days. Take care not to lose any information important to the detection.

How long have the detection sources been operational, and who is in charge of them? - Sometimes we discover that a detection system was recently deployed and is producing false positives, or that its data is being misinterpreted owing to inexperience. Keep track of how long each system has been in operation and who is in charge of maintaining and reviewing it.

What are the detection and error rates? - Speak with the system administrators and go over the notifications. Determine how frequently this sort of detection happens and get a sense of its error rate.

Is there anything new about the data sources? - In certain circumstances, we discover that an administrator recently made changes or modifications to a system. You should speak with the people in charge of the data source systems to find out whether any maintenance has been done recently. There might have been some unintended consequences.
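The timing, time-zone, preservation and error-rate items above lend themselves to a small triage routine. The following is an added example, not code from the original article: a hypothetical `Detection` record with the checklist fields, normalised to UTC so that a reporting lag, the purge deadline for the raw data, and the source's recent false-positive rate can be checked before the detection is trusted. The sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

@dataclass
class Detection:
    """One entry of the Incident Detection Checklist (hypothetical structure)."""
    source: str                 # system or person that produced the detection
    detected_local: str         # timestamp exactly as the source recorded it
    source_utc_offset_h: float  # UTC offset the source's clock used (record the zone!)
    reported_utc: str           # when the IR team was notified, ISO 8601 in UTC
    retention_days: int         # days the source keeps raw data before purging it
    alerts_30d: int             # how often this detection type fired recently
    false_positives_30d: int    # how many of those were judged to be false

def detected_utc(d: Detection) -> datetime:
    """Attach the source's offset, then convert to UTC so sources are comparable."""
    tz = timezone(timedelta(hours=d.source_utc_offset_h))
    return datetime.fromisoformat(d.detected_local).replace(tzinfo=tz).astimezone(timezone.utc)

def reporting_lag(d: Detection) -> timedelta:
    """Time from detection to report. A negative value means a clock or zone error."""
    return datetime.fromisoformat(d.reported_utc) - detected_utc(d)

def preservation_deadline(d: Detection) -> datetime:
    """Last moment the raw detection data is expected to still exist on the source."""
    return detected_utc(d) + timedelta(days=d.retention_days)

def false_positive_rate(d: Detection) -> float:
    return d.false_positives_30d / d.alerts_30d if d.alerts_30d else 0.0

def triage(d: Detection, now: datetime) -> List[str]:
    """Checklist findings that need action before the detection can be trusted."""
    flags = []
    if reporting_lag(d) < timedelta(0):
        flags.append("reported before detected: verify time zone and clock skew")
    if preservation_deadline(d) - now < timedelta(days=2):
        flags.append("raw detection data is close to purge: preserve a copy now")
    if false_positive_rate(d) > 0.5:
        flags.append("source false-positive rate above 50%: validate against raw data")
    return flags

# Constructed sample: an EDR console logging in UTC-7 that notified the IR team 8h25m later.
SAMPLE = Detection("EDR console", "2024-03-12T02:15:00", -7, "2024-03-12T17:40:00+00:00", 7, 40, 28)
NOW = datetime(2024, 3, 18, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(detected_utc(SAMPLE).isoformat(), reporting_lag(SAMPLE))
    for flag in triage(SAMPLE, NOW):
        print("-", flag)
```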

Gather Additional Information

If the detection details appear to be accurate and consistent, the next step is to gather further information about the specific elements linked to the detection. You should go one level deeper and collect information on the individual computers, networks, and potentially malicious files involved.
