-
A sample Incident report
This is a sample Incident Response report that I recently completed. I thought people might be interested in seeing what a report *might* look like. I've cleaned it quite a bit so that I could post it here, so there are some details missing.
enjoy
-hog
-
Hey Hey,
Very Nice Hog..
I find it kinda humorous that it was on that because that's the exact virus that we're having issues with at the college I work at ... I've identified about 40 variants of the virus so far and have created a custom cleaner for all of them.... I'm still discovering more every day and none of the virus companies are doing anything... Some of them are detecting it but none of them will clean it.. They all recognize it (depending on the vendor) as SpyBot/SDBot/Forbot...
I'm going to be working on ClamWin Defs for them all weekend.
Peace,
HT
-
HT: Yeah, I actually thought it was funny because I have seen you talking a bit about it elsewhere on the forums. I have to rely on others to submit these things to me since my environment is pretty controlled and we don't see a lot of malware (unless I bring it in purposely).
-
So how did you get the kids picture? I know it's probably a minor detail but I'm just curious. And he just left you an easy trail to follow?
-
It was a fairly simple trail to follow in this case, and fun.
-
Hey Hey,
Here's a link for those of you using IE.. hog's posted text file isn't IE/Notepad friendly
http://www.seeminglyrandom.info/incident-093004.html
Peace,
HT
-
HogFly, a couple of tools such as Retina and SSS create really nice reports after the scan is completed. Take a look at those. They're not exactly forensics tools, but they are pretty good vulnerability checkers. I put 'em here for the sake of the reporting, not their intended usage.
Cybr1d.
-
Are there any standards for writing an incident report, or is it just made per incident?
-
Soda: Various agencies and governments have standards for reporting. We have a SOP(standard operating procedure) for reporting of security incidents, in fact it's a policy. This was a little different than what's defined by our policy though. It all depends on where you work, and how developed a policy/program they have.
-
Is this something you would just keep on file or is it submitted somewhere?