Preparation Phase
Documentation & Planning
- [ ] Incident Response Playbook created with role assignments, workflows, and decision trees
- [ ] Contact lists maintained with 24/7 availability for key personnel
- [ ] Communication templates prepared for stakeholders, customers, and regulators
- [ ] Legal and regulatory requirements documented for your industry/region
- [ ] Escalation thresholds defined for severity classification
Technical Capabilities
- [ ] Logging enabled on all critical systems (authentication, network, endpoints, cloud)
- [ ] Log retention policy implemented with appropriate storage and protection
- [ ] Baseline behaviors documented for normal network traffic and user activity
- [ ] SIEM or log aggregation tool deployed and configured
- [ ] Backup systems tested and verified to be separate from production
- [ ] Forensic tools identified and access arranged (memory capture, disk imaging)
Team Readiness
- [ ] Incident response team identified with clear roles and responsibilities
- [ ] Technical skills assessed and training gaps addressed
- [ ] After-hours coverage established with on-call rotation schedule
- [ ] Access credentials documented for emergency system access
- [ ] External partners identified (forensics firms, legal counsel, PR specialists)
Detection & Analysis
When an Incident Occurs
- [ ] Initial alert received and logged with timestamp and source
- [ ] Incident commander assigned to coordinate response
- [ ] Preliminary scope assessment completed (affected systems, data, users)
- [ ] Severity classification determined using predefined criteria
- [ ] Stakeholders notified according to escalation policy
- [ ] Evidence preservation initiated (logs, memory, disk images)
Investigation Steps
- [ ] Timeline constructed of attacker activities and system events
- [ ] Entry point identified (how attacker gained initial access)
- [ ] Lateral movement tracked across your environment
- [ ] Data exfiltration assessed (what data was accessed or stolen)
- [ ] Persistence mechanisms discovered (backdoors, scheduled tasks, accounts)
- [ ] Indicators of Compromise (IoCs) documented for detection and blocking
Containment & Eradication
Short-term Containment
- [ ] Affected systems isolated from network (if appropriate)
- [ ] Compromised credentials disabled or reset
- [ ] Malicious network connections blocked at firewall/proxy
- [ ] Critical services prioritized for protection and monitoring
Long-term Containment
- [ ] Patches applied to close exploited vulnerabilities
- [ ] Security controls enhanced based on lessons learned
- [ ] Monitoring intensified on affected and related systems
- [ ] Temporary workarounds implemented for unavailable systems
Eradication
- [ ] Malware removed from all infected systems
- [ ] Unauthorized access eliminated (backdoors, rogue accounts)
- [ ] Vulnerabilities remediated that enabled the attack
- [ ] Systems hardened to prevent similar attacks
Recovery & Post-Incident
System Recovery
- [ ] Systems rebuilt or restored from clean backups
- [ ] Functionality validated before returning to production
- [ ] Enhanced monitoring deployed for affected systems
- [ ] Users notified of recovery and any required actions
Post-Incident Activities
- [ ] Post-mortem meeting conducted with all response participants
- [ ] Incident timeline documented in detail for records
- [ ] Root cause analysis completed identifying how incident occurred
- [ ] Lessons learned captured for playbook improvement
- [ ] Metrics recorded (MTTD, MTTR, systems affected, downtime)
- [ ] Legal/regulatory notifications filed if required
- [ ] Playbook updated with improvements from this incident
- [ ] Training needs identified based on response gaps
Ongoing Improvement
Regular Activities
- [ ] Tabletop exercises conducted quarterly with varied scenarios
- [ ] Playbook reviewed and updated quarterly
- [ ] Contact lists verified monthly
- [ ] Logs reviewed for completeness and quality
- [ ] Baselines refreshed as environment changes
- [ ] Automation workflows tested for continued functionality
- [ ] Threat intelligence reviewed for emerging risks
- [ ] Metrics tracked showing improvement over time
Severity Classification Guide
Critical (P1): Confirmed breach of sensitive data, ransomware on critical systems, active data exfiltration, complete service outage
High (P2): Suspected breach, malware on important systems, significant service degradation, credential compromise of privileged accounts
Medium (P3): Isolated malware infection, suspicious activity requiring investigation, minor service impact, attempted attacks blocked
Low (P4): Policy violations, failed attack attempts with no impact, routine security alerts requiring review
Print this checklist and keep it accessible. When an incident strikes, you won’t have time to search for it.
Leave a Reply