IR Teams Questionnaire

 Background Questionnaire

  • What is the nature of the problem, as it has been observed so far?
  • How the problem was initially detected? When was it detected and by whom?
  • What security infrastructure components exist in the affected environment? (e.g., firewall, anti-virus, etc.)
  • What is the security posture of the affected IT infrastructure components? How recently, if ever, was it assessed for vulnerabilities?
  • What groups or organizations were affected by the incident? Are they aware of the incident?
  • Were other security incidents observed on the affected environment or the organization recently?

Define Communication Parameters

  • Which individuals are aware of the incident? What are their names and group or company affiliations?
  • Who is designated as the primary incident response coordinator?
  • Who is authorized to make business decisions regarding the affected operations? (This is often an executive.)
  • What mechanisms will the team to communicate when handling the incident? (e.g., email, phone conference, etc.) What encryption capabilities should be used?
  • What is the schedule of internal regular progress updates? Who is responsible for them?
  • What is the schedule of external regular progress updates? Who is responsible for leading them?
  • Who will conduct “in the field” examination of the affected IT infrastructure? Note their name, title, phone (mobile and office), and email details.
  • Who will interface with legal, executive, public relations, and other relevant internal teams?

Assess the Incident’s Scope

  • What IT infrastructure components (servers, websites, networks, etc.) are directly affected by the incident?
  • What applications and data processes make use of the affected IT infrastructure components?
  • Are we aware of compliance or legal obligations tied to the incident? (e.g., PCI, breach notification laws, etc.)
  • What are the possible ingress and egress points for the affected environment?
  • What theories exist for how the initial compromise occurred?
  • Does the affected IT infrastructure pose any risk to other organizations?

Review the Initial Incident Survey’s Results

  • What analysis actions were taken to during the initial survey when qualifying the incident?
  • What commands or tools were executed on the affected systems as part of the initial survey?
  • What measures were taken to contain the scope of the incident? (e.g., disconnected from the network)
  • What alerts were generated by the existing security infrastructure components? (e.g., IDS, anti-virus, etc.)
  • If logs were reviewed, what suspicious entries were found? What additional suspicious events or state information, was observed?

Prepare for Next Incident Response Steps

  • Does the affected group or organization have specific incident response instructions or guidelines?
  • Does the affected group or organization wish to proceed with live analysis, or does it wish to start formal forensic examination?
  • What tools are available to us for monitoring network or host-based activities in the affected environment?
  • What mechanisms exist to transfer files to and from the affected IT infrastructure components during the analysis? (e.g., network, USB, CD-ROM, etc.)
  • Where are the affected IT infrastructure components physically located?
  • What backup-restore capabilities are in place to assist in recovering from the incident?
  • What are the next steps for responding to this incident? (Who will do what and when?)