Lenny's cheat sheets are excellent. He has gone above and beyond by providing both PDF and Word versions, so they can be printed out and carried with you during investigations, and the Word version can easily be modified to fit the needs of your environment. The steps in the server administrator cheat sheet should be followed carefully, and its initial warning should be taken to heart so as not to trample potential evidence.
The steps presented in this cheat sheet aim at minimizing the adverse effect that the initial survey will have on the system, to decrease the likelihood that the attacker's footprints will be inadvertently erased.
I think the real gem of the two documents lies in the questionnaire for responders. During security incidents I typically see a lack of proper communication, a result either of improper preparation or of emotions running high for any number of reasons (such as fear of job loss and management wanting results NOW). Lenny has included an entire section on communication, which I think helps the responder step back and take a clearer, more level-headed approach to the incident.
A good number of you probably already have solid incident response plans put together, but do you have a document for your server administrators to review and follow when they think something suspicious is going on? Take a look at these early stocking stuffers, compare them to what you already have in place, and see if you can't adopt some of Lenny's hard work.
John H. Sawyer is a Senior Security Engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.