42 lines
2.7 KiB
Markdown
42 lines
2.7 KiB
Markdown
# Security Incident Response Cheatsheet
|
|
|
|
| Phase | Actions | Tools/Commands | Documentation |
|
|
|-------|---------|----------------|--------------|
|
|
| **Preparation** ||||
|
|
| Asset inventory | Document critical systems | `nmap -sP 192.168.1.0/24` | Asset register |
|
|
| Baseline establishment | Record normal behavior | `top`, `netstat -tuln` | Baseline document |
|
|
| IRT contacts | Establish escalation paths | N/A | Contact sheet |
|
|
| Response kit | Prepare forensic tools | FTK, volatility, wireshark | Kit checklist |
|
|
| **Detection & Analysis** ||||
|
|
| Initial triage | Verify incident occurrence | `grep 'Failed password' /var/log/auth.log` | Incident ticket |
|
|
| Scope determination | Identify affected systems | `lsof -i`, `netstat -antp` | Scope document |
|
|
| Evidence collection | Capture volatile data | `memory_dump.sh`, `dd if=/dev/sda of=disk.img` | Evidence log |
|
|
| Timeline creation | Establish sequence of events | `log2timeline.py` | Timeline document |
|
|
| **Containment** ||||
|
|
| Short-term containment | Isolate affected systems | Network segregation, `iptables -A INPUT -s malicious_ip -j DROP` | Containment log |
|
|
| System backup | Create forensic copies | `dd`, FTK Imager | Backup verification |
|
|
| Long-term remediation | Patch vulnerabilities | `apt update && apt upgrade` | Patch log |
|
|
| **Eradication** ||||
|
|
| Malware removal | Eliminate persistence | `find / -name "suspicious_file"`, AV scan | Cleanup report |
|
|
| Vulnerability patching | Address security gaps | `yum update package`, `apt install security-patch` | Patch verification |
|
|
| System hardening | Strengthen security posture | `chmod 600 /etc/shadow`, `ufw enable` | Hardening checklist |
|
|
| **Recovery** ||||
|
|
| System restoration | Return to operation | Restore from backup, `service start` | Recovery log |
|
|
| Monitoring | Watch for repeat incidents | SIEM alerts, `tail -f /var/log/syslog` | Monitoring plan |
|
|
| Validation testing | Verify system integrity | Penetration test, `tripwire --check` | Test results |
|
|
| **Lessons Learned** ||||
|
|
| Documentation | Complete incident report | N/A | Final report |
|
|
| Process improvement | Update response procedures | N/A | Updated playbooks |
|
|
| Team debrief | Review response effectiveness | N/A | Debrief minutes |
|
|
|
|
## Key Evidence Collection Commands
|
|
|
|
| Data Type | Linux | Windows | macOS |
|
|
|-----------|-------|---------|-------|
|
|
| Running processes | `ps aux` | `tasklist /v` | `ps aux` |
|
|
| Network connections | `netstat -antup` | `netstat -ano` | `netstat -anv` |
|
|
| Open files | `lsof` | `handle.exe` | `lsof` |
|
|
| Users logged in | `who` | `query user` | `who` |
|
|
| Scheduled tasks | `crontab -l` | `schtasks /query` | `crontab -l` |
|
|
| Process tree | `pstree` | `tasklist /v /fi "username eq system"` | `pstree` |
|
|
| Loaded modules | `lsmod` | `driverquery` | `kextstat` |
|