Incident source information:
--incident logbooks per involved person
--help desk logs: most security incidents are first identified through the help desk.
--network logs: source, destination, type and volume of connections; the route
taken by the attacker. A central management system accumulates & consolidates this
info.
--system logs: logon/logoff, shutdown/restart, boot-up messages, failure
messages, on the systems the attacker targeted.
--administrator logs: activities of the admin
--physical access logs: physical access is potentially the most devastating security
breach.
--accounting logs: used to build user activity profiles
--auditing logs: fine-grained info; can trigger alarms
--security logs: changes to security settings, e.g. privileges
--backups: show when files were first altered. When an incident is discovered,
make an image backup of all disks so they can be searched for attacker tools.
Incident timeline: detailed description of events during the security
incident.
--discovery of suspected incident
--determination that it's an incident. response plan invoked.
--investigation of cause, who, how, when
--recovery process: containment, deny access to attacker, regain control, disable malware, restoration of info & systems
--attacker's activities: when, which systems, where gain access & authorizations, what damage, what tools used
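The consolidation of the source logs above and the timeline that follows from it, as an added example that is not part of the original notes: a small script that merges entries from several log sources into one time-ordered incident timeline and measures how long the attacker was active before the help desk report. All log lines, hostnames, user names and addresses are constructed for illustration.

```python
"""Merge entries from several incident source logs into one timeline."""
from datetime import datetime
import re

# Constructed sample records, one list per source type (not real logs).
RAW_LOGS = {
    "helpdesk": [
        "2024-03-04 09:12 ticket#4711 user jdoe: cannot log in, password changed?",
    ],
    "system": [
        "2024-03-04 03:40:12 srv-db1 sshd: Accepted password for jdoe from 198.51.100.7",
        "2024-03-04 03:52:30 srv-db1 sudo: jdoe : COMMAND=/usr/sbin/useradd svc_backup",
    ],
    "security": [
        "2024-03-04 03:55:01 srv-db1 privilege change: svc_backup added to group sudo",
    ],
    "network": [
        "2024-03-04 03:39:58 fw1 ALLOW tcp 198.51.100.7:51234 -> 10.0.0.5:22 bytes=2048",
    ],
}

# Timestamp with optional seconds (help desk tickets only record minutes).
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)\s+(.*)$")

def parse_line(source, line):
    """Return (timestamp, source, message), or None if the line has no timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts_text, msg = m.groups()
    fmt = "%Y-%m-%d %H:%M:%S" if ts_text.count(":") == 2 else "%Y-%m-%d %H:%M"
    return datetime.strptime(ts_text, fmt), source, msg

def build_timeline(raw_logs):
    """Consolidate all sources into one list ordered by time: the incident timeline."""
    events = []
    for source, lines in raw_logs.items():
        for line in lines:
            parsed = parse_line(source, line)
            if parsed:
                events.append(parsed)
    return sorted(events, key=lambda e: e[0])

def detection_gap_hours(timeline):
    """Hours between the earliest logged event and the help desk discovery."""
    discovery = next(e[0] for e in timeline if e[1] == "helpdesk")
    return (discovery - timeline[0][0]).total_seconds() / 3600

if __name__ == "__main__":
    timeline = build_timeline(RAW_LOGS)
    for ts, src, msg in timeline:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  [{src:8}] {msg}")
    print(f"discovery lag: {detection_gap_hours(timeline):.1f} h")
```

Each line of the merged output carries its source tag, so the report can cite which log established each step of the attacker's activity.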
Technical summary so that others in the organization & outside (e.g. CERT)
can apply it to their environments.
--cause: who (the attacker's skill level), what, how, from where
--impact: systems, data, downtime, recovery, people
--resolution: diagnosis, containment, restoration
--improvement: remove vulnerabilities, increase safeguards, improve detection, automate response