Cheat Sheets For Responders and Server Administrators

It's not uncommon that organizations experience security breaches during the holidays. Malicious attackers who are determined to get in aren't going to take time off. They also know that there is most likely a skeleton crew, or less, manning the operations, so their activities have a greater chance of going unnoticed. Hopefully, none of you returned to work this morning to find your users complaining of strange behavior on their desktops, unexplainable network slowdowns, or other odd occurrences.Since many of us enjoyed a long weekend away from the office to enjoy the Thanksgiving holiday, and we're entering into the Christmas season when thoughts may shift from what's going on with my servers to what should I be getting for my spouse, I thought it would be a good time to pass along two nice gifts from Lenny Zeltser. They are the "Security Incident Survey Cheat Sheet for Server Administrators" and "Initial Security Incident Questionnaire for Responders."

Lenny's cheat sheets are excellent. He has gone above and beyond by providing PDF and Word document versions so they can be printed out to carry with you during investigations, and the Word version can be easily modified to fit the needs of your environment. The steps in the server administrator cheat sheet should be followed carefully, and the initial warning should be taken to heart as to not trample potential evidence.

The steps presented in this cheat sheet aim at minimizing the adverse effect that the initial survey will have on the system, to decrease the likelihood that the attacker's footprints will be inadvertently erased.

I think the real gem of the two documents lies in the questionnaire for responders. During security incidents I typically see a lack of proper communication that is either a result of improper preparation or emotions running high, which could be due to a number of reasons (such as fear of job loss and management wanting results NOW). Lenny has included an entire section on communication, which I think helps the responder step back and take on a clearer, more level-headed approach to the incident.

A good number of you probably already have solid incident response plans put together, but do you have a document for your server administrators to review and follow when they think something suspicious is going on? Take a look at these early stocking stuffers, compare them to what you already have in place, and see if you can't adopt some of Lenny's hard work.

John H. Sawyer is a Senior Security Engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.