If you have a plan for managing security incidents, initiate it now.
Define & delegate roles
Define an Incident Manager with overall responsibility.
Delegate roles. Examples of key roles: Information Manager, Troubleshooting Team Manager and Logkeeper
Define the responsibilities and objectives of each role
Gather information & tools
Collect all available information on the incident (see Initial data collection below)
Gather all the tools necessary for managing the incident
Initiate countermeasures
Set up countermeasures for your network, systems and clients to limit damage. Examples: isolating affected hosts, segmenting the network, or blocking traffic at the firewall. Coordinate countermeasures with evidence collection: powering off or reimaging a host destroys volatile evidence (memory, open network connections, running processes), so where possible isolate at the network level and collect evidence before the host is touched
Communicate
Draw up a communications strategy for internal and external contacts
Report in accordance with internal and mandatory requirements
Consult legal advisers or the police where relevant
Initial data collection
Find or produce an overview of the network topology for the relevant networks
Collect and analyse relevant log information, including:
DNS and DHCP logs
NetFlow data from routers and switches
Proxy and Firewall logs
Antivirus and IDS/IPS logs
Windows event logs
Syslog
Host-based IDS logs
Application logs
If possible: establish real-time visibility (live telemetry) from the relevant systems
If you have the in-house competence: collect evidence from the relevant systems. Capture volatile data (memory, network connections, running processes) before disk images, and record who collected what, from where and when (chain of custody). If you lack the competence, preserve the systems as they are and bring in outside help
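The log sources listed above only become useful once they are joined: a firewall log names a source IP, the DHCP log says which machine held that IP at that moment, and the DNS log shows what that machine looked up just before it connected. As an added illustration that is not part of the original checklist, the Python below performs that pivot from a known-bad destination address over constructed, simplified dhcpd, BIND query-log and iptables-style lines. The log formats, the year assumed for syslog timestamps (which carry none), the five-minute look-back window and the indicator 203.0.113.10 are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# All log lines below are constructed sample data for this example, not real
# captures. Syslog-style lines carry no year, so one is assumed here.
ASSUMED_YEAR = 2024

DHCP_LOG = """\
Mar  3 09:02:11 dhcp dhcpd: DHCPACK on 10.0.0.5 to aa:bb:cc:dd:ee:01 (WS-017) via eth0
Mar  3 13:58:40 dhcp dhcpd: DHCPACK on 10.0.0.5 to aa:bb:cc:dd:ee:42 (WS-042) via eth0
Mar  3 14:10:05 dhcp dhcpd: DHCPACK on 10.0.0.9 to aa:bb:cc:dd:ee:09 (WS-009) via eth0
"""

DNS_LOG = """\
03-Mar-2024 14:31:40.123 client 10.0.0.5#51234: query: login-update.example.net IN A + (10.0.0.1)
03-Mar-2024 14:31:50.456 client 10.0.0.9#40001: query: www.example.org IN A + (10.0.0.1)
03-Mar-2024 14:32:02.789 client 10.0.0.5#51236: query: cdn.example.com IN A + (10.0.0.1)
"""

FW_LOG = """\
Mar  3 14:31:41 fw kernel: [IPT] ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=51235 DPT=443
Mar  3 14:31:51 fw kernel: [IPT] ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.7 PROTO=TCP SPT=40002 DPT=443
Mar  3 14:45:03 fw kernel: [IPT] ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=51300 DPT=443
"""

SYSLOG_TS = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d)")
DHCP_ACK = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17}) \(([^)]+)\)")
DNS_QUERY = re.compile(r"^(\S+ \S+) client (\S+)#\d+: query: (\S+) IN")
FW_CONN = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")


@dataclass
class Lease:
    time: datetime
    ip: str
    mac: str
    host: str


def syslog_time(line):
    """Parse a 'Mon dd HH:MM:SS' syslog prefix, supplying the assumed year."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(
        f"{ASSUMED_YEAR} {m.group(1)} {m.group(2)} {m.group(3)}", "%Y %b %d %H:%M:%S")


def parse_dhcp(text):
    """DHCPACK lines -> Lease records, oldest first."""
    leases = []
    for line in text.splitlines():
        m = DHCP_ACK.search(line)
        ts = syslog_time(line)
        if m and ts:
            leases.append(Lease(ts, m.group(1), m.group(2), m.group(3)))
    return sorted(leases, key=lambda lease: lease.time)


def lease_at(leases, ip, when):
    """Most recent lease for ip granted at or before `when`, or None if unknown.
    Leases are sorted ascending, so the last match wins; this is what makes the
    lookup correct when an address has been reused by a different machine."""
    found = None
    for lease in leases:
        if lease.ip == ip and lease.time <= when:
            found = lease
    return found


def parse_dns(text):
    """BIND-style query-log lines -> (time, client ip, queried name)."""
    events = []
    for line in text.splitlines():
        m = DNS_QUERY.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
            events.append((ts, m.group(2), m.group(3)))
    return events


def parse_fw(text):
    """iptables-style connection log lines -> dicts with time/src/dst/proto/dport."""
    events = []
    for line in text.splitlines():
        m = FW_CONN.search(line)
        ts = syslog_time(line)
        if m and ts:
            events.append({"time": ts, "src": m.group(1), "dst": m.group(2),
                           "proto": m.group(3), "dport": int(m.group(5))})
    return events


def pivot(ioc_dst, window=timedelta(minutes=5),
          dhcp_log=DHCP_LOG, dns_log=DNS_LOG, fw_log=FW_LOG):
    """For every firewall connection to the indicator, identify the client
    (host name and MAC from the lease in force at that moment) and list the
    names it resolved in the preceding `window`."""
    leases = parse_dhcp(dhcp_log)
    dns = parse_dns(dns_log)
    hits = []
    for ev in parse_fw(fw_log):
        if ev["dst"] != ioc_dst:
            continue
        lease = lease_at(leases, ev["src"], ev["time"])
        queries = [name for ts, client, name in dns
                   if client == ev["src"] and ev["time"] - window <= ts <= ev["time"]]
        hits.append({"time": ev["time"], "src": ev["src"], "dport": ev["dport"],
                     "host": lease.host if lease else "unknown",
                     "mac": lease.mac if lease else "unknown",
                     "queries": queries})
    return hits


if __name__ == "__main__":
    for hit in pivot("203.0.113.10"):
        print(hit["time"], hit["src"], hit["host"], hit["mac"], hit["queries"])
```

Two points the example is built around: the lease lookup is time-aware, because mapping an IP to "whatever the DHCP server says now" is wrong as soon as the address has been reassigned; and the join only works if the sources agree on time, so before trusting such a correlation check that each logging host is NTP-synchronised and note which time zone each log is written in.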