4.3. Security Team Lead

As the security team lead it is your responsibility to continue the investigation once it has been escellated to you. Work with those already on the contact list as well as your own team members. Below are the priorities, in order, of your responsibilities. Any or all can be delegated, but it is your responsibility to ensure that everything on this list gets completed in a resonable time.

Security Team Priorities

Complete	Priority
	Determine what has happened with this machine after it was compromised. This includes looking for trojans, and anything that would be phoning home.
	Determine if any other machines on your network have been compromised. Devise an automated plan for this if possible.
	Determine exactly how initial access to the machine was granted and, if relevent, how privileges were escellated.
	Get a copy of the disk images and memory images that were created prior to you being contacted.
	Keep a running list of people who have been contacted about this issue until such a time that the issue has been made public by you or your management chain.
	Keep a running timeline of all events that have happened. Check with the initial contact or team lead as they may have this already. Let them know that you will be taking over the responsibiltiy of the timeline.
	Complete the investigation checklist (below)

4.3.1. Investigation Checklist

Please print a copy of this and keep updates on it until such a time comes that you have verified that shared storage or email mediums are safe for communication. Alternatively keep an encrypted up to date copy of this. If multiple machines have been compromised it is essential that the attacker not know what you know.

Investigation Checklist

Complete	List Item
	Timeline Created.
	Disk images / snapshots are stored in a safe location.
	Notified those who are aware of the issue that it is to remain private and that all communications should now go through To be filled out or security team.
	Initial damage assessment sent to management and legal department for review.
	To be filled out notified that at least one announcement will go out once formulated.
	To be filled out, To be filled out, and management have agreed on language of each communication.
	Forensics script created that can scan machines remotely and/or locally for attacks similar or identical to that of the host(s) in question.
	Comprehensive scan of all relevant hosts using the forensics script complete.
	Once root attack vector has been fixed, final comprehensive scan of all relevent hosts using forensics script complete.