
Network Change Request (NCR)

Outlines what an NCR is and how to fill one out.


Last updated 2 years ago

Introduction

A Network Change Request (NCR) is a request given to a customer whenever an Analyst Team wants to make a change to the customer's network. It can be associated with a Network Activity Report (NAR), or it can be standalone and unrelated to a threat. A common NCR is for the addition of tools to a network in operation. This page goes over the important parts of an NCR and the details each should provide. Below is a link to a template NCR.

SHA256 Checksum of the below document

4CC8BBBC76E877F618B2B6A2D7201EE1EE0C7F2B6750CB26B9EA9519BAA634A4

What is being done?

This is where you describe the action being taken on the network. Go into great detail about the steps of what you are doing. Be as technical as possible, because NCRs are typically approved by more technical individuals such as a network or systems chief.

Why is it being done?

Describe why the team is making the request. Remember that the Analyst Team is there to serve the customer, so "Because we need to install our tools" is not a reasonable "why". Be specific: go into detail about mission requirements, or reference a Network Activity Report (NAR) if the request is tied to a specific incident.

What is the impact on the network?

This is where you go into detail about any network downtime or affected devices, good or bad. Again, reference a NAR if it is necessary for the situation.

What is the impact on the users?

This typically applies only if users need to be removed from a machine in order to make a change, such as during an incident response on a specific machine.

What is the impact on VIPs?

This typically applies only if VIPs need to be removed from a machine in order to make a change, such as during an incident response on a specific machine.

What is your rollback plan?

Describe what will be done if you need to roll back for any reason. A common NCR is for putting DCO tools such as Splunk or Beats on machines. The rollback plan for that would describe what is being put in place to take the tools off when deemed necessary, such as at the end of a mission or exercise.

NCR_Template.xls (13KB)