For all of you who have replied requesting a sample, I will be more than
happy to respond.  I am receiving hundreds of requests at the moment.  We
are short of staff due to the holidays and it may take a few days to
respond to you all, so please be patient.  All I ask in return for the samples
is that, if you use anything from them, you credit me and my co-author and
remember us if we are ever in need of assistance.  We are not charging for
the document or the information contained therein, so we would appreciate it if
no one else reaps any monetary benefits from the document (i.e. consultants,
etc.).

Basically we set down the whos and communication flows in documents along
with their responsibilities.  It allows people to understand their role and
others' roles and who to talk to instead of running around.  Remember, we
took an aspect of it as a process.  In separate docs I have some suggestions
on, say, e-mail tracing, spoofing, etc.  It is almost impossible to document
responses to particular types of attacks since there are 1000's.  The idea
is to make the response PROCESS or CIRT the same no matter WHO or WHAT
initiates the initial alarm.  So whether it is an admin saying "I have a
problem" or an IDS saying "hey, there's this IP", the response process and
escalation should be the same.

If, when performing any investigation, I am stumped about a particular issue
or detailed procedure/hack/analysis and don't have any hints in my archives,
docs, etc., I throw out my questions to others for assistance.  Anyone should
be able to pick up your CIRT document and know what is going on
and who to talk to.  They should not have to read through 100 pages.  Each
expert that you involve in response should know what to look for themselves
with respect to their areas; of course, guidance and consultation will be
imperative, especially in the forensic collection of evidence/data.

I did a similar thing for viruses.  I have a 4 page detailed flow chart for
that and a two page text doc to accompany it.  The standards and
responsibilities doc is separate and probably about 15? pages since it
covers server & workstation configs as well.

> -----Original Message-----
> From: Robinson, Sonja 
> Sent: Friday, December 27, 2002 2:33 PM
> To: 'John Smithson'; '[EMAIL PROTECTED]'; 
> '[EMAIL PROTECTED]'
> Subject: RE: Incident Response Guidelines
> 
> 
> After preparing numerous incident response teams and plans, 
> may I make the following suggestions (which of course will be 
> liked by some and not by
> others):
> 
> Incident Response does not have to be a HUGE project.  Think 
> of it as a process and a workflow.  How do I get notified, 
> who gets notified, when do they get notified, how are things 
> evaluated, what kind of response, what kind of reporting, am 
> I doing this forensically (and am I trained to do so), are we 
> preparing for LEO or not?, post mortem.  
> 
> This can be accomplished in less than 5-10 pages - with 
> flowcharts.  It must be easy for your people to pick up and 
> understand immediately.  If it is a 100 page manual, it is 
> unworkable.  Might I suggest that in the WHAT KIND OF 
> RESPONSE/HOW DO I INVESTIGATE sections, you have 
> separate areas that you have listed below as suggestions on 
> how to proceed.  If you write anything like that in stone and 
> it goes to court, that's discovery and can be used against 
> you if you didn't follow it to the letter.  So I would call 
> those GUIDELINES or something similar.  
> 
> If you would like a sample of something I've done, e-mail me 
> offline and I will send it to you Monday.  I'm leaving for the day.
> 
> > -----Original Message-----
> > From: John Smithson [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, December 27, 2002 11:42 AM
> > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: Incident Response Guidelines
> > 
> > 
> > Hello,
> > 
> > I'm about to start a huge documentation phase on creating
> > Incident Response 
> > Guidelines / Handling - including creating the structure, 
> > creating the 
> > Incident Response Team, documenting the guidelines per 
> > incident - such as 
> > web server hacked, DoS attack, virus outbreak.
> > 
> > I need your help in pointing me to a few good documents /
> > books.  Obviously, I 
> > have googled, and found good info.  However, I may be missing 
> > some good 
> > information that you gurus have collected over time.
> > 
> > Any help would be greatly appreciated.
> > 
> > Thanks,
> > 
> > John Smithson
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com