[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Incident response kit? Really OT, but need some help.

To: "'Alan Kloster'" <akloster@spp.org>, <full-disclosure@lists.netsys.com>
Subject: RE: [Full-Disclosure] Incident response kit? Really OT, but need some help.
From: "Rob Adams" <robadam@cisco.com>
Date: Thu, 7 Aug 2003 17:27:26 -0400

Ed Skoudis did a really excellent job covering up-front costs in the
Sans Track4 course I took recently. If you can get a copy of the SANS
4.1 book (by tomorrow :), it will fill in a lot of details for you. He
used 30 slides covering preparedness in depth. In addition to a "Jump
Bag", he also stressed the importance of having a war room and a slush
fund.

You might want to include (ideas but not words stolen directly from Ed
Skoudis & SANS):

 * Use a duffel bag and keep it permanently stocked.
 * Never steal from your own bag.
 * Hardware:
  * Blank, unused (or at least wiped) SCSI disk.
  * Blank, unused (or at least wiped) IDE disk.
  * Small 8-port hub (NOT A SWITCH!). Get a really old one with AUI &
coax.
  * Cat5, Cross-over Cat5, AUI, Coax cables.
  * Laptop, dual OS. Use whatever OS's are best for your situation.
  * Tx-neutered Cat5 (snip one wire, it's receive-only!)
  * PCMCIA WiFi card
  * USB Thumb drive.
  * Serial cable w/ Cisco router connection.
  * Flashlight
  * Screwdrivers (but TSA might confiscate them -- you might have to buy
new ones each trip.)
  * Female-to-Female RJ45.
  * Tape recorder, mini-disk, or equiv.
  * Camera (depending upon your requirements, digital, 35mm, or polaroid
in that order of legal admissibility).
  * Video Camera, if your plan includes one. Consider the pitfalls of
too much info.
 * Software:
  * Copying software: dd, windd, ghost, etc.
  * Sniffer software: ethereal, etc.
  * Forensic software: Coroner's Toolkit, etc.
  * Statically linked binaries: ls, ps, etc.
  * Bootable OS on floppy or CD.
  * Windows Resource Kit.
 * Supplies:
  * Lots of media for tape recorder.
  * Lots of new, unused backup media (floppies, tapes, CD-R, etc.)
  * Team phone list & company phone book
  * Cell phone & LOTS of batteries (say, 3 or 4).
  * Plastic baggies with ties for evidence.
  * Extra notebooks (bound, with numbered pages)
  * Extra copies of all of your forms.
  * Pens (not pencils!)
  * Business Cards

You should also consider budget for a a "War Room", a windowless office
(or closet) that you can meet in, tape evidence up on the wall, etc. It
has to have comm (net, phone, fax), TV/VCR, paper, whiteboards, etc.

You also need a slush fund. You need to be able spend money instantly
during an incident. If you need to cut a PO at 3:00AM to get an extra
SCSI drive, or some extra baggies, you are screwed. If you need to
consult the corp travel adviser before you fly to the location of an
incident, you are screwed.

Rob Adams

Disclaimers:
* I am not a professional incident handler, but I did stay awake during
(most of) the SANS course.
* You should take the course yourself, if you can. The course design &
execution are really top-notch. It is prepartory to the GCIH(?) cert.
* Even though my return address is "@cisco.com", I do not speak for
Cisco Systems in any way. I speak only for myself, I am not their
spokesperson.

-----Original Message-----
From: full-disclosure-admin@lists.netsys.com
[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Alan
Kloster
Sent: Thursday, August 07, 2003 3:30 PM
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] Incident response kit? Really OT, but need
some help.


We are in the midst of preparing a budget for next year and trying to
justify money for incident response handling.  Since the higher ups
don't like the idea of just putting money in the budget "in case" of an
incident (they've never heard of insurance apparently), we have decided
to put together an "Incident Response Kit" of tools, hardware and
software for discovery, recovery and forensics.  What tools, hardware or
software would you put in this kit?  Don't worry about cost at this
point.  And if you can't respond today, don't, the budget is due in
tomorrow.  Thanks.

Alan Kloster

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- RE: [Full-Disclosure] Incident response kit? Really OT, but needsome help.
  - From: Akatosh <akatosh@rains.net>

References:
- [Full-Disclosure] Incident response kit? Really OT, but need some help.
  - From: "Alan Kloster" <akloster@spp.org>

Prev by Date: RE: [Full-Disclosure] Blink IDS?
Next by Date: [Full-Disclosure] 4nk1t F4d14 4nd B1ll G4yt3s T0rn 4p4rt 53r135 p4rt 0n3 1
Prev by thread: [Full-Disclosure] Incident response kit? Really OT, but need some help.
Next by thread: RE: [Full-Disclosure] Incident response kit? Really OT, but needsome help.
Index(es):
- Date
- Thread