A cyber security incident response "go bag"
I've heard this concept discussed before yet have failed to actually put one together. I started drafting this post back in October, when the concept came up again at a talk during (ISC)² Security Congress 2022 (day one, during "Incident Response Ready - Key Steps of a Ransomware Incident Response Plan") so I figured I ought to find out the cost of such a bag.
Note that I'd still need to grab my work laptop, as I can't justify purchasing an additional laptop.
Why an incident response "go bag"?
Much like a prepper might have a "bug out bag" to help them stay safe in the event of an emergency, I could see the benefit in having one for the incident response part of my job. Both a "go bag" and a "bug out bag" have the goal of being a bag you can grab quickly when a big problem happens [1], as every second counts in such situations. When it comes to cyber security incident response, I could be faced with ransomware ravaging a network or a need to contain a breach. In any significant incident I could be looking at the need to be operational quickly, including leaving the house at short notice.
Catered scenarios
I'm assuming that there are some on-prem servers or equipment that I'll need to connect to - we're not fully remote. For a cloud-only environment a lot of the need for this setup goes away (no hardware to boot into recovery mode or similar, no switch to connect to), although I could still end up needing to review client devices.
Goals
My goals for this "go bag" were:
- To not cost too much - I'm paying for this to make my life easier, rather than my employer funding it
- Be portable and reasonably light - I'll almost certainly be carrying a laptop too
- Contain useful items
- Not require items to be sourced from multiple locations at point of need - it needs to be ready to go
- Not require much maintenance
Touching on the point about maintenance first, I'd expect to have to review the contents annually, perhaps every six months, unless the bag was used. I'm aiming to make my life easier and save time (grab and go), rather than to add lots of maintenance tasks to my life. Being low maintenance therefore means any food needs to have a long use-by date, and any equipment needs to not require regular updates.
There is a risk when putting such a bag together [2] that items aren't included because "I can just grab my existing one from over there". Having to rebuild the bag at the time of need causes delays that I'm trying to avoid. A related risk is the "I'll just grab this from my go bag" because it's the nearest location for a particular tool. I'll need to be disciplined to avoid that.
Where is the bag stored?
Given the office could be inaccessible (the proverbial "smoking hole in the ground"), it's important to keep the go bag at home or with you, depending on your threat model. I'm not going to be carrying this with me wherever I go, so at home is fine.
What would I include?
A disclaimer: This list is provided as is, without any form of warranties. This doesn't mean that having a similar bag will help you or your organisation to respond well to an incident and doesn't guarantee or imply it'll reduce the impact you suffer.
For each item I've provided a reason. Where relevant, I'll cover some items in more detail.
- Printed copies of my organisation's incident response policies and procedures
  In a worst-case scenario, these documents may not be available if only held digitally
- USB memory sticks x3
  For getting log files off devices or creating emergency boot media
- Live DVDs
  Select bootable Linux OS disks to provide a known good environment (the DVDs are read only)
- Bootable recovery media (DVDs)
  For booting servers into OS recovery environments, or backup software bare-metal restore mode
- Reusable water bottle (empty)
  Fill when needed, but make sure knocking it over doesn't cause a flood
- Snack food
  You could be in for long sessions, and having some snack food can help you get through. I'd include chocolate, some flavour of pot noodle (and a fork) [3], and other foods that require little preparation
- Chargers
  Having a spare charger that can power your laptop and phone is useful for the "ah, I left that on my desk" moment. With more equipment using USB-C we could be approaching a single charger
- USB-A to Lightning cable
  Apple don't use USB, so having the ability to charge an iPhone / iPad, even if it's via a laptop, is necessary
- Mouse (wired)
  Because laptop track pads are horrible, and we could all do without extra stress mid-incident as the track pad clicks in the wrong place / moves the cursor (or the mouse battery going flat)
- Roll up keyboard
  Not for using to type on your laptop (they're horrible), but for when you just need to press F1 on a server...
- 10 metre network cable (purple)
  The Wi-Fi could be down, and the extra length means you don't have to be standing right next to the switch! A purple cable is easily identifiable (don't unplug the wrong one!), although adjust the colour to suit your environment!
- Notepad and pens
  For taking quick notes, writing signs / labels, etc. I've opted for an A4 refill pad (so pages can be removed later, or paper given to others) and a pack of ball point pens [4] in multiple colours
- Sticky tape / blue tack
  For attaching the signs or labels. There's no point making a sign that says "do not power on your computer" if you cannot make it visible to colleagues
- Multi-tipped screwdriver
  Better to have it and not need it, than need it and not have it
- USB chargeable head torch
  Using your phone is fine, until you run out of power - then you're cut off from comms too. Being a head torch keeps both hands free, but you could also hold the torch if necessary. (I added this item after researching other people's suggestions)
Obviously you'll need a rucksack or bag that will fit all of this in too.
Policy and procedure printouts
First and foremost: check with your organisation that it's acceptable for you to have a copy of these documents a) printed and b) at home. These documents often contain sensitive information, at the very least names and contact details for key staff.
Given that digital copies might become inaccessible, having these on paper is a must. Ensure the documents are kept up to date (reprint each time there's a change) and securely dispose of old copies. If your organisation won't allow a printed copy, consider having key contact details on paper, with an encrypted memory stick holding the digital copies - a half-way house that hopefully the organisation approves.
USB sticks and bootable (live) media
Many servers and laptops don't come with an optical drive (CD / DVD) these days. In fact, when was the last time you used optical data media? As a result we'll need to make sure we have some bootable USB sticks to give us either a recovery environment or an OS installation environment. It's also possible your OS build image won't fit on a DVD any more, so having some 16 GB memory sticks to hand is a must. Ensure these are pre-loaded with whatever is needed, but also aim to keep one stick blank for transferring files to during the incident.
Optical media still very much has a place, not least because you can ensure it's read only. I'd much rather boot a questionable device from read only boot media, so I've included a slimline DVD drive in this kit. We'll carry DVDs with Linux live environments on them, plus any boot media to do a bare metal restore using the backup system. Again, ensure these are ready to go.
After the incident, if you've copied any files to USB sticks you'll need to dispose of the files / sticks securely. From a cost perspective, this kit list is not using hardware encrypted memory sticks but you may choose to include one.
Estimated cost and weight
Having quickly thrown together a basket on Amazon and rounded to the nearest pound sterling, buying everything new (i.e. not re-allocating what I already have in stock) totals around £200. That's quite an outlay for something I may never need. I'd need to think carefully before putting this together.
Weight-wise, apparently and amazingly, this totals around 3.6 kg (as much as my gaming laptop). That's ignoring any additional equipment (mobile phone, work laptop). Let's hope I'd have to travel to any incident by car!
What else could be included?
I've not included these due to the extra cost or additional maintenance burden, but you could include:
- Spare laptop
  Requires regular patching, and isn't cheap. Taking "the spare old unit from the cupboard" wouldn't be wise, as you want this unit to be reliable!
- Spare mobile phone
  Similar considerations to the laptop
- Forensics tools
  Not included because it's not my target use case, but write blockers, external drive bays / adapters etc.
- Hardware encrypted memory sticks
  For copying off sensitive files / logs
- "Crash cart adapter"
  A handy gadget that connects to the VGA (screen) and USB of a server on one side, and to your laptop on the other. This allows you to view the screen, and control the keyboard and mouse, of the server, meaning you don't have to carry an extra screen. Startech make these, in case you're interested, but they're definitely out of my budget...
- Fishing stool
  Provides a foldable seat, for long datacentre usage
Maintaining readiness
It's important to not dip into the bag to borrow something, as chances are you'll forget to put it back. Murphy's law also says that the moment you take something out of the bag you'll have an incident too. Perhaps cable tie the rucksack's zips together. This allows you to see if the bag has been used and also stops tools being borrowed by others. If you do cable tie the zips though, make sure there are scissors or a knife in an externally accessible pocket of the bag - you don't want to cause a denial of service against yourself.
Next we need to keep the bag in usable condition:
Six monthly maintenance
- Check food is still in date
- Check batteries haven't leaked and are still in date. I'm aiming to only use rechargeable batteries, so make sure they're charged
- Update boot media to latest versions, test
Yearly maintenance
- Update policies, procedures and contacts
- Check everything works
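The "update boot media, test" and "check everything works" steps above are the ones most likely to slip, so here is an added example (my own code, not from the original post) of tracking them in a small manifest: it flags items whose six-monthly or yearly review has lapsed, and it verifies that a boot image, and a USB stick written from it, still match the SHA-256 recorded when the medium was prepared. The stick comparison hashes only the first image-length bytes of the device, because a stick written with dd or similar carries the image followed by whatever was on it before. Item names, dates, intervals and the manifest layout are assumptions; the "ISO" and "stick" files are constructed in a temp directory so it runs offline.

```python
"""Go-bag readiness check (added example; not code from the original post).

Two things the maintenance schedule asks for, done in code:
  1. flag items whose review interval (six-monthly or yearly) has lapsed
  2. verify that a boot image, and a USB stick written from it, still match
     the SHA-256 recorded when the medium was prepared
Item names, dates, intervals and the manifest layout are my own assumptions.
"""
from __future__ import annotations

import hashlib
import tempfile
from dataclasses import dataclass
from datetime import date, timedelta
from pathlib import Path

SIX_MONTHLY = timedelta(days=182)
YEARLY = timedelta(days=365)


@dataclass
class Item:
    name: str
    last_checked: date
    interval: timedelta
    image: Path | None = None   # source image the stick/DVD was written from
    sha256: str | None = None   # hash recorded when the medium was prepared


def overdue_items(items: list[Item], today: date) -> list[str]:
    """Names of items whose last check is older than their review interval."""
    return [i.name for i in items if today - i.last_checked > i.interval]


def sha256_of(path: Path, limit: int | None = None, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file, or of only its first `limit` bytes when limit is set."""
    digest = hashlib.sha256()
    remaining = limit
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            size = chunk if remaining is None else min(chunk, remaining)
            block = f.read(size)
            if not block:
                break
            digest.update(block)
            if remaining is not None:
                remaining -= len(block)
    return digest.hexdigest()


def image_matches_record(item: Item) -> bool | None:
    """True/False if the image file still matches the recorded hash; None if
    the item has nothing to verify (food, pens, ...)."""
    if item.image is None or item.sha256 is None:
        return None
    return sha256_of(item.image) == item.sha256


def written_copy_matches(image: Path, device: Path) -> bool:
    """A stick written from an image holds the image bytes followed by whatever
    was on the stick beyond them, so compare only the first len(image) bytes.
    `device` would be e.g. /dev/sdX on a real stick; here it is a plain file."""
    return sha256_of(image) == sha256_of(device, limit=image.stat().st_size)


def build_sample_kit(workdir: Path | None = None) -> dict[str, Path]:
    """Constructed sample data: a fake 'ISO', a fake stick written from it
    (image plus leftover padding), and a copy with one corrupted byte."""
    workdir = Path(workdir) if workdir else Path(tempfile.mkdtemp(prefix="gobag-"))
    image = workdir / "live.iso"
    image.write_bytes(b"CONSTRUCTED LIVE IMAGE " * 4096)
    good = workdir / "stick_good.img"
    good.write_bytes(image.read_bytes() + b"\x00" * 65536)
    damaged = bytearray(good.read_bytes())
    damaged[1000] ^= 0xFF          # one corrupted byte inside the image region
    bad = workdir / "stick_bad.img"
    bad.write_bytes(bytes(damaged))
    return {"image": image, "good": good, "bad": bad}


def run_checks(today: date = date(2023, 3, 1)) -> dict:
    """Run the six-monthly/yearly checks against a constructed manifest.
    The date is fixed so the example is reproducible."""
    kit = build_sample_kit()
    live_dvd = Item("Live DVD", date(2022, 12, 1), SIX_MONTHLY,
                    image=kit["image"], sha256=sha256_of(kit["image"]))
    manifest = [
        Item("Snack food", date(2022, 10, 15), SIX_MONTHLY),
        Item("Head torch battery", date(2022, 6, 1), SIX_MONTHLY),
        Item("Policies and contacts printout", date(2022, 1, 10), YEARLY),
        live_dvd,
    ]
    return {
        "overdue": overdue_items(manifest, today),
        "image_ok": image_matches_record(live_dvd),
        "good_stick": written_copy_matches(kit["image"], kit["good"]),
        "bad_stick": written_copy_matches(kit["image"], kit["bad"]),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

Run it as a script and it reports the two overdue items and a pass for the good stick and a fail for the corrupted one. In real use the manifest would live alongside the bag (on paper or on the encrypted stick mentioned earlier), `device` would be the block device of the stick being tested, and the recorded hash should come from the image as downloaded and checked against the distribution's published checksum, not from whatever is on the stick today.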
Conclusion
Putting something together like this is like insurance - you pay your premiums and hope nothing happens, in the knowledge that if something happens you should be covered. I say "should" because anecdotally insurance companies are very good at getting out of their obligations. Additionally, I should be OK with this setup but there's always going to be something I don't realise that I need. Something is better than nothing though.
Given the current cost-of-living pressures I'm not going to rush to put this together. I'll take a look in charity shops / second hand for some components too (e.g. rucksack, cables) as that will affect the cost.
Hopefully this is interesting to some of you though!
Additional resources & acknowledgments
After I'd made my initial decisions about what I'd include, I did a Google search to see what others would include. I then adjusted my list accordingly to add the things I'd missed. For interest, I've linked to some of the posts I read below:
- The Cyber Security Incident Handler's jump bag (Jean-Francois Stenuit on LinkedIn)
- What’s in Your Incident Response Go-Bag? (Shelly Giesbrecht of Cisco Security)
- Computer security jump bag (Edmands)
Thanks also go to "P" and Andee for suggesting some additional items after I'd hit publish. "P" also measured a King Pot Noodle for me while out shopping, so I include it in my bag dimensions. 13.7cm x 9.7cm x 9.7cm by the way.
Banner image: Remix by me using images from OpenClipart.org:
* Cyber Security Lock Gold by GDJ
* Emergency management woman by Juhele
[1] Colloquially "when the shit hits the fan".
[2] The same is true for "bug out bags" and similar.
[3] Other instant noodles are available. What's the best flavour of Pot Noodle, and why is it original curry?
[4] Many of you know that I'm an avid fountain pen user, but in a disaster situation anyone could end up picking up / stealing a pen, so let's not use the good ones eh?