SIRT Incident Report

The SIRT Team is responsible for timely and accurate documentation of every step in the security incident investigation. This documentation can best be organized using the following sample SIRT Team Incident Report Format.

Security Incident Response Report Format

Report Date:______________

Report Time:____________

Trouble Ticket #:____________

Reported By:____________

Incident Severity Definition:____________


(Note: Critical and major incidents require paging the SIRT Team Leader immediately.)

A. Incident Response Data Collection

This portion of the security incident documentation is concerned with documenting the "when" and "what" for the particular incident. Critical and Major security breaches or incidents will require SIRT Team Leader involvement.

  1. State the date and time when the incident was first discovered.
  2. State who first discovered the incident.

Name:____________

Organization:____________

Email:____________

Phone:_________________


  3. State how the incident was discovered and describe any symptoms or abnormalities that were identified.
  4. Describe the security incident and any immediate threats that it poses and classify the Security Incident as Critical, Major, or Minor based on its Incident Severity Definition as defined by the organization.
  5. Did the security incident involve unauthorized access to a production system (for example, web server, LAN application server, network device, or mainframe-based system)? If yes, state the data-classification level that was compromised based on the custodian's data classification definition.
  6. Specify the systems, servers, applications, and data that may have been compromised during the security incident.
  7. Specify the hardware, software, applications, and other systems that were involved in the security incident. Provide as much detail as possible and obtain a copy of the system's log or audit files of all systems affected (for example, IDS/IPS, routers, switches, hubs, servers, systems, and so on).
  8. Determine whether the security incident was conducted internally or externally to the IT infrastructure. Provide detail and supporting evidence to confirm.

B. Incident Response Forensics

This portion of the security incident documentation is concerned with documenting the "where," "why," and "what" for the particular incident. Critical and Major incidents will require SIRT Leader involvement in an effort to capture data and information that may be used as evidence in a court of law if a violation of a law, mandate, or regulation occurred.

  1. Identify the source IP address or source IP network that the security incident came from, if possible. Examining the source IP address of the packets involved in the incident may point to where the attack originated. Treat the address as a lead rather than proof: source addresses can be spoofed, and traffic is often relayed through a proxy, VPN, or a previously compromised host that is not the attacker's own system.
  2. For the systems and applications that are being compromised (real-time) or that were compromised, the SIRT Team Leader must make the following decisions:

    1. If the security incident is occurring in real time, the SIRT Team Leader may decide to monitor the security incident rather than remove the system from the production environment, in order to capture more data and identify the perpetrator's source. This must be done under careful scrutiny: access to the system must be monitored throughout, and the integrity of the system's log files must be maintained, since the attacker still has the opportunity to alter or delete them while the system stays online.
    2. For non-real-time security incidents, the SIRT Team Leader may decide to remove the system from the production environment in an effort to preserve and document the affected systems and any unauthorized manipulation or violations of the organization's policies.

  3. It is critical to preserve, in their original compromised state, the audit and log files for all affected systems and applications, along with evidence of any data manipulation or loss and other pertinent damage that may have occurred. Under the guidance of the SIRT Team Leader, document the steps and actions that were taken, such as the following:

    1. What actions were taken to preserve the affected systems, applications, and data?
    2. What actions were taken to preserve the affected system log files? Specify whether these were tampered with or left in their original condition.
    3. What other information about unauthorized access, systems compromised, and violations of the organization's security policies were identified? Identify and document all known violations.
    4. Which systems in any of the seven areas of information security responsibility were taken offline in an effort to preserve the affected systems, applications, and data?
    5. For enterprisewide systems and applications that were compromised, which services and processes were removed from the production network environment?
    6. Which systems and servers were physically or logically disconnected from the production network environment?
    7. For systems and servers that were compromised via a User or System Administrative level account, identify the compromised login ID and password, and immediately disable the account or change its credentials. Record which accounts were affected and when the change was made.
    8. Systems, resources, and data that have been compromised should be taken offline so that a thorough investigation of the affected systems and data can be conducted to assess any damage or tainting of data. This may require the system, resource, or data to be recovered as per the organization's backup and recovery procedures.
    9. Prepare the Security Incident Response Report and keep all information and the details of the investigation confidential between the SIRT and the organization's executive management (CEO, CIO, CSO) prior to informing any other party. The SIRT Leader will decide who needs to be informed of this security incident based on the nature of the incident.
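Items 3.1 and 3.2 above ask the SIRT to preserve log files and to state whether they were left in their original condition. The following is an added example, not part of the original report format: it copies each collected log into an evidence directory, records a SHA-256 digest, size, and collection time for every file in a manifest, and can later re-hash the preserved copies so the report can say with evidence, rather than by assertion, whether anything was tampered with after collection. The ticket number, collector name, and the two sample log lines are constructed for the example.

```python
"""Evidence-preservation manifest for collected log files.

Added example (not part of the SIRT report template): copy collected logs to
an evidence directory, record SHA-256 digests in a JSON manifest, and re-verify
the copies later to show whether they remain in their original condition.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(sources, evidence_dir, ticket, collector):
    """Copy each source file into evidence_dir and write manifest.json.

    `ticket` (the trouble-ticket number from the report header) and
    `collector` (who preserved the files) are whatever the SIRT records;
    the values used in demo() are assumptions for this example.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in sources:
        digest = sha256_file(src)
        dest = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dest)  # copy2 preserves the original mtime
        # Hash the copy too: a mismatch here means the copy itself is bad.
        if sha256_file(dest) != digest:
            raise RuntimeError(f"copy of {src} does not match original")
        entries.append({
            "original_path": os.path.abspath(src),
            "evidence_path": dest,
            "size_bytes": os.path.getsize(src),
            "sha256": digest,
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest_path = os.path.join(evidence_dir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump({"ticket": ticket, "files": entries}, f, indent=2)
    return manifest_path


def verify_evidence(manifest_path):
    """Re-hash every preserved copy; return {evidence_path: intact?}."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    results = {}
    for entry in manifest["files"]:
        path = entry["evidence_path"]
        results[path] = os.path.exists(path) and sha256_file(path) == entry["sha256"]
    return results


def demo():
    """Constructed sample: two log files, one altered after collection."""
    work = tempfile.mkdtemp()
    # Constructed log lines, not taken from any real system.
    logs = {
        "auth.log": "Jan 10 02:14:07 web01 sshd[4121]: Failed password for admin "
                    "from 198.51.100.23 port 51022 ssh2\n",
        "ids.log": "2024-01-10T02:14:09Z web01 ids: ALERT sig=1234 "
                   "src=198.51.100.23 dst=10.0.0.5\n",
    }
    sources = []
    for name, text in logs.items():
        p = os.path.join(work, name)
        with open(p, "w") as f:
            f.write(text)
        sources.append(p)
    manifest = collect_evidence(sources, os.path.join(work, "evidence"),
                                "TT-0001", "analyst")  # assumed values
    before = verify_evidence(manifest)
    # Simulate tampering with the preserved copy of auth.log.
    with open(os.path.join(work, "evidence", "auth.log"), "a") as f:
        f.write("tampered\n")
    after = verify_evidence(manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("after collection:", before)
    print("after tampering: ", after)
```

The manifest itself should be stored and hashed separately (for example, printed into the report or signed by the collector), because an attacker who can alter the preserved logs could otherwise alter the manifest to match. Working from copies also keeps the originals on the affected system untouched until the SIRT Team Leader decides whether it is imaged or taken offline.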

The purpose of a SIRT is to carry out the procedures and guidelines for an appropriate response to a security breach or incident for the organization. This appropriate response is part of an overall data and information collection task so that forensic data and evidence can be analyzed and evidence can be used in a court of law if criminal charges are warranted. In many cases, the organization must assess whether it wants to file criminal charges should the perpetrator who violated the organization's IT infrastructure and assets be found. Filing charges places the incident on the public record, which some organizations prefer to avoid.

Tip

Proper data and information collection techniques must be followed and the integrity of collected data and information pertaining to a security breach or incident must be maintained in accordance with local, state, provincial, and federal law enforcement guidelines. Organizations should contact their legal counsel to define guidelines pertaining to the collection of forensic data used for security breaches or incident investigations if this data or physical evidence is to be used in a criminal case.
