Chapter 28 Incident Documentation

Record keeping is required for prosecution, for review of the quality of the response, and for the actual response itself (you cannot contain what you have not reconstructed).

Incident source information:
--incident logbooks per involved person
--help desk logs: most security incidents are first identified by the help desk (users reporting odd behaviour).
--network logs: source, destination, type & volume of connections; reveal the attacker's route. A central management system accumulates & consolidates this info from all network devices.
--system logs: logon/logoff, shutdown/restart, boot-up messages, failure messages. These are a target of the hacker (tampering or deletion), so forward them off-host.
--administrator logs: activities of admins (privileged operations).
--physical access logs: physical access is potentially the most devastating security breach.
--accounting logs: resource usage per user; used to create user activity profiles (baselines for spotting anomalies).
--auditing logs: fine-grained info on specific operations; can trigger alarms.
--security logs: changes to security settings, e.g. privileges, group membership, policy.
--backups: show when files were first altered (compare successive backups). When an incident is discovered, make an image backup of all disks and search the images for hacker tools, leaving the originals untouched as evidence.

Incident timeline: detailed description of events during the security incident.
--discovery of suspected incident
--determination that it is an incident; response plan invoked.
--investigation of cause, who, how, when
--recovery process: containment, deny access to attacker, regain control, disable malware, restoration of info & systems
--attacker's activities: when, which systems, where gain access & authorizations, what damage, what tools used
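The log sources listed above and the timeline steps are what a consolidated incident timeline is built from. As an added example (not part of these notes), the Python below takes constructed sample lines from three of those sources (help desk, system/syslog, network/firewall), each with its own timestamp format, normalizes them to UTC, merges and orders them, measures the gap between the attacker's first visible activity and help-desk discovery, and hashes the resulting record so its integrity can be demonstrated later (record keeping for prosecution). The hosts, users, IPs, the help-desk time zone and the syslog year are assumptions made for the example.

```python
"""Consolidated incident timeline from heterogeneous log sources (added example)."""
from datetime import datetime, timezone, timedelta
import hashlib
import re

# Constructed sample lines for this example; hosts, users and IPs are hypothetical.
HELPDESK_LOG = [  # local time, "YYYY-MM-DD HH:MM | ticket | text"
    "2024-03-04 09:12 | ticket 4471 | jdoe: workstation ws17 rebooted by itself overnight",
    "2024-03-04 09:40 | ticket 4471 | escalated to security: unknown admin login on ws17",
]
SYSTEM_LOG = [  # syslog style: no year, no timezone
    "Mar  4 02:47:15 ws17 sshd[2210]: Accepted password for admin from 203.0.113.5 port 51022 ssh2",
    "Mar  4 02:51:02 ws17 sudo: admin : TTY=pts/0 ; COMMAND=/bin/chmod +x /tmp/.x/rk",
    "Mar  4 03:05:44 ws17 shutdown[2390]: shutting down for system reboot",
]
FIREWALL_LOG = [  # epoch seconds (UTC) from a central log collector
    "1709520420 ALLOW TCP 203.0.113.5:51022 -> 10.0.0.17:22 bytes=8812",
    "1709520900 ALLOW TCP 10.0.0.17:40112 -> 203.0.113.5:443 bytes=1048576",
]

HELPDESK_TZ = timezone(timedelta(hours=-5))  # assumption: help desk logs in local time (UTC-5)
SYSLOG_YEAR = 2024                           # assumption: syslog lines carry no year
ATTACKER_IP = "203.0.113.5"                  # hypothetical attacker address


def parse_helpdesk(line):
    """Help desk entry -> (utc_time, source, message)."""
    ts, ticket, text = (p.strip() for p in line.split("|", 2))
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M").replace(tzinfo=HELPDESK_TZ)
    return (t.astimezone(timezone.utc), "helpdesk", f"{ticket}: {text}")


SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_syslog(line):
    """Syslog entry -> (utc_time, source, message); year and UTC are assumed."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    mon, day, clock, host, msg = m.groups()
    t = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return (t.replace(tzinfo=timezone.utc), "system", f"{host} {msg}")


def parse_firewall(line):
    """Firewall entry with epoch timestamp -> (utc_time, source, message)."""
    epoch, rest = line.split(" ", 1)
    return (datetime.fromtimestamp(int(epoch), tz=timezone.utc), "network", rest)


def build_timeline():
    """Merge all sources into one chronologically ordered list of events."""
    events = [parse_helpdesk(l) for l in HELPDESK_LOG]
    events += [parse_syslog(l) for l in SYSTEM_LOG]
    events += [parse_firewall(l) for l in FIREWALL_LOG]
    return sorted(events, key=lambda e: e[0])  # stable: ties keep source order


def first_attacker_activity(timeline, ip=ATTACKER_IP):
    """Earliest event mentioning the attacker address, or None."""
    for t, _src, msg in timeline:
        if ip in msg:
            return t
    return None


def discovery_time(timeline):
    """Time of the first help desk report (discovery of the suspected incident)."""
    return next(t for t, src, _msg in timeline if src == "helpdesk")


def detection_lag(timeline):
    """How long the attacker was active before anyone noticed."""
    return discovery_time(timeline) - first_attacker_activity(timeline)


def timeline_digest(timeline):
    """SHA-256 over the serialized record, to be stored with the evidence."""
    serialized = "\n".join(f"{t.isoformat()}\t{src}\t{msg}" for t, src, msg in timeline)
    return hashlib.sha256(serialized.encode()).hexdigest()


if __name__ == "__main__":
    tl = build_timeline()
    for t, src, msg in tl:
        print(f"{t:%Y-%m-%d %H:%M:%S}Z  {src:<8} {msg}")
    print("first attacker activity:", first_attacker_activity(tl))
    print("detection lag:", detection_lag(tl))
    print("sha256 of timeline record:", timeline_digest(tl))
```

The two things the raw logs hide are made visible only after normalization: the firewall saw the attacker 15 seconds before sshd logged the login, and the help desk ticket arrived more than eleven hours after that. Syslog lines with no year or zone are the usual weak spot; record the assumption you made for them in the incident file, because a defence lawyer will ask.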

Technical summary, written so that others in the organization & outside (e.g. CERT) can apply it to their own environments.
--cause: who (the hacker's skill level), what, how, from where
--impact: systems, data, downtime, recovery, people
--resolution: diagnosis, containment, restoration
--improvement: remove vulnerabilities, increase safeguards, improve detection, automate response