1. Introduction

This runbook is the TU Oeucumene IT Operations guide to handling security incidents, where the task is to find ongoing attacks that have, or might be expected to have, an operational impact on systems.

...

Several decision points implicitly act as GO / NO-GO decisions for initiating measures against ongoing threats. In case of doubt, however, the whole document should be reviewed so that the emergency response covers the incident from every angle.

2. Phase 1: Overview

In this phase, the attack is detected and the emergency preparedness is activated. The roles are defined.

...

Appendix 8.3 must be completed here.

3. Phase 2: Mitigation

This phase aims to mitigate, minimize or eliminate the threat and its consequences.

3.1 Virus / Malware, Ransomware or Mail spoofing

Step 1: Disable the LanmanServer service
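The following PowerShell script is an added example and is not part of the runbook. It carries out Step 1 on the affected Windows host: LanmanServer is the Windows "Server" service that provides SMB file and printer sharing, so stopping it and setting its startup type to Disabled stops the host from serving shares until it has been cleared. The script also returns a record (host name, status before and after, timestamp, operator, case id) that can be pasted into the Appendix 8.4 logbook under Decision point 1. The case id value is a placeholder. Note that this also stops legitimate file sharing on the host, which is why the runbook asks for the host name to be recorded. The script must run in an elevated session.

```powershell
# Added example (not part of the runbook): contain a Windows host by stopping and
# disabling the LanmanServer (Server) service, then emit a record for the
# Appendix 8.4 logbook (Decision point 1). Run in an elevated PowerShell session.

function Disable-LanmanServer {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Case id from the Service Desk System; placeholder, replace per incident
        [string]$CaseId = 'SDS-PLACEHOLDER'
    )

    $svc = Get-Service -Name 'LanmanServer' -ErrorAction Stop
    $before = [pscustomobject]@{ Status = $svc.Status; StartType = $svc.StartType }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable LanmanServer')) {
        if ($svc.Status -ne 'Stopped') {
            # -Force also stops services that depend on LanmanServer and would
            # otherwise block the stop
            Stop-Service -Name 'LanmanServer' -Force -ErrorAction Stop
        }
        # Keep the service from coming back on reboot until the host is cleared
        Set-Service -Name 'LanmanServer' -StartupType Disabled -ErrorAction Stop
    }

    $after = Get-Service -Name 'LanmanServer'

    # Logbook record: what was changed, where, when, by whom and under which case
    [pscustomobject]@{
        CaseId          = $CaseId
        Host            = $env:COMPUTERNAME
        Service         = 'LanmanServer'
        StatusBefore    = $before.Status
        StartTypeBefore = $before.StartType
        StatusAfter     = $after.Status
        StartTypeAfter  = $after.StartType
        Timestamp       = (Get-Date).ToString('o')
        Operator        = "$env:USERDOMAIN\$env:USERNAME"
    }
}

# Usage:    Disable-LanmanServer -CaseId 'SDS-12345' | Format-List
# Dry run:  Disable-LanmanServer -WhatIf
```

Run with -WhatIf first to see which host would be affected without changing anything. When the host is restored in Phase 3, the change is reversed with Set-Service -Name LanmanServer -StartupType Automatic followed by Start-Service -Name LanmanServer, and that step should likewise be recorded in the logbook.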

...

Appendix 8.4 must be completed here.

4. Phase 3: Restore

In this phase, the systems are restored to their original state.

...

Appendix 8.5 must be completed here.

5. Reporting the incident

Before the incident is closed, it must be reported through the normal operational reporting. It must be assessed whether this is a security incident that should be described in a security report and registered in the Service Desk System (SDS).

Appendix 8.6 must be completed here.

6. Protection (preventive measures)

The purpose of this phase is to secure the business in the future against similar attacks.

...

  • Elderberry umbrella?
  • SPF
  • NAC?
  • 802.1X?

7. Closing of the incident

The incident must be closed, and it must be confirmed that the incident has been mitigated and that the root cause has been identified. Reports from external stakeholders may be included in the reporting to the customer, and relevant authorities or organizations must be contacted.

Appendix 8.7 must be completed here.

8. Appendix 1 - Checklist

The following serves as a logbook for documenting the activities of the incident. Relevant decisions must be documented for each incident, as the decisions are subsequently used to report the incident and for learning in connection with the prevention of similar incidents in the future.

8.1 Identification of threat type

  • Decision point 1: What type of attack is this?
  • Decision point 2: Has the attack been verified and must it be combated?
  • Decision point 3: Who are the contact persons at the customer?
  • Decision point 4: Is the case created as a security incident in the Service Desk System and with which id?
  • Decision point 5: What has been done to stop infection in the initial phase?

...

Step             | Documentation
-----------------|--------------
Decision point 1 |
Decision point 2 |
Decision point 3 |
Decision point 4 |
Decision point 5 |


8.2 Impact

  • Decision point 1: Has the extent of the affected environment been identified? To what extent are we affected (number of files, immediate criticality)?
  • Decision point 2: Is the attack still ongoing?

...

Step             | Documentation
-----------------|--------------
Decision point 1 |
Decision point 2 |


8.3 Identification of Ground Zero

  • Decision point 1: What / who is ground zero?
  • Decision point 2: Are there other users infected?

...

Step             | Documentation
-----------------|--------------
Decision point 1 |
Decision point 2 |


8.4 Mitigation

  • Decision point 1: Is the LanmanServer service disabled (enter host name)?
  • Decision point 2: Are the relevant accounts disabled (specify which)?
  • Decision point 3: Is AV installed, and have scanning and cleaning been performed?
  • Decision point 4: Is Ground Zero identified (specify where / what)?
  • Decision point 5: Scan all mailboxes (document who we have spoken to and attach any relevant email)

...

Step             | Documentation
-----------------|--------------
Decision point 1 |
Decision point 2 |
Decision point 3 |
Decision point 4 |
Decision point 5 |


8.5 Restore

  • Decision point 1: What type of backup?
  • Decision point 2: Contact person for backup
  • Decision point 3: Schedule for recovery
  • Decision point 4: Are there any concerns (Plan B)?

...

Step             | Documentation
-----------------|--------------
Decision point 1 |
Decision point 2 |
Decision point 3 |
Decision point 4 |


8.6 Reporting

  • Decision point 1: Has an event been raised in the Service Desk System?
  • Decision point 2: Do we have a security incident, and has it been reported to the Service Desk and the Security department if necessary?
  • Decision point 3: Does the incident give rise to further initiatives internally?

...

Step             | Documentation
-----------------|--------------
Decision point 1 |
Decision point 2 |
Decision point 3 |


8.7 Closing

  • Decision point 1: Can the root cause be identified?
  • Decision point 2: Have reports been received from external collaborators?
  • Decision point 3: Which external parties must be informed: authorities (CERT), the police, others?
  • Decision point 4: Can the case be closed?

...