Checklists are one of the most important things for first responders to have access to when responding to an incident. The reasons are many, and most of them come back to the human nature of the first responder. Incident response can impose a lot of stress on an individual, whether from management or from the sheer criticality of the potentially hacked resource, and under that pressure it is easy to miss a step or remember a command incorrectly. I've written about some of the cheat sheets from Lenny Zeltser in the past. The latest is a "Critical Log Review Checklist for Security Incidents" co-authored by Lenny and Anton Chuvakin.
Lenny and Anton's new checklist takes an incident handler, or system administrator with a potentially hacked system, through where and what to look for. The first part of the checklist lays out the general approach that should be taken followed by potential security log sources, typical log locations, and what to look for on a variety of systems like Windows, Linux, network devices and Web servers.
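To make the "what to look for" portion of that checklist concrete for a Linux host, here is an added example of how a handler might script a few of those checks against an authentication log. It is my own illustration, not part of Lenny and Anton's checklist; the log lines are constructed in syslog format, and the failed-login threshold of three is an assumed tuning value.

```python
# Added example (not from the checklist): a small triage script that applies
# checklist-style questions to Linux auth log lines -- repeated failed logins
# from one source, a success following those failures, a direct root login,
# a newly created account, and a sudo to an interactive shell.
import re
from collections import Counter

# Constructed sample lines (not from a real system).
SAMPLE_LOG = """\
Jan 10 03:12:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jan 10 03:12:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Jan 10 03:12:05 web01 sshd[2201]: Failed password for root from 203.0.113.5 port 51024 ssh2
Jan 10 03:12:09 web01 sshd[2201]: Accepted password for root from 203.0.113.5 port 51025 ssh2
Jan 10 03:13:40 web01 useradd[2240]: new user: name=backup2, UID=1003, GID=1003, home=/home/backup2, shell=/bin/bash
Jan 10 03:14:02 web01 sudo: backup2 : TTY=pts/1 ; PWD=/home/backup2 ; USER=root ; COMMAND=/bin/bash
Jan 10 08:00:00 web01 sshd[3100]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+)")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.+)$")

FAILED_LOGIN_THRESHOLD = 3  # assumed value; tune to the environment
SHELLS = ("/bin/bash", "/bin/sh", "/bin/su")


def review_auth_log(text, threshold=FAILED_LOGIN_THRESHOLD):
    """Return a list of (finding, detail) tuples, in the order they are found."""
    failures = Counter()  # failed logins per source address
    findings = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            # A success from a source that was just failing is the classic pattern to flag.
            if failures[src] > 0:
                findings.append(("success_after_failures",
                                 f"{user} from {src} via {method} after {failures[src]} failures"))
            if user == "root":
                findings.append(("root_login", f"root logged in from {src} via {method}"))
            continue
        m = USERADD_RE.search(line)
        if m:
            findings.append(("new_account", m.group(1)))
            continue
        m = SUDO_RE.search(line)
        if m:
            user, cmd = m.groups()
            if cmd.strip() in SHELLS:
                findings.append(("sudo_shell", f"{user} ran {cmd.strip()}"))
    # Summaries computed after the pass so counts are complete.
    for src, count in failures.items():
        if count >= threshold:
            findings.append(("repeated_failures", f"{count} failed logins from {src}"))
    return findings


if __name__ == "__main__":
    for kind, detail in review_auth_log(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```

Running it on the constructed sample reports the root login that followed three failures, the new backup2 account, and that account's sudo to a shell, which is exactly the kind of chain a handler is trying to spot when walking the checklist by hand.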
There are a slew of options for how to adapt the checklist to your environment, but the most important stage of the incident response process is preparation: that is where you actually train and outfit your responders and handlers with a checklist and the tools they need, so they are ready before the incident arrives.