Overview
This checklist follows the incident response lifecycle of NIST SP 800-61, the Computer Security Incident Handling Guide; its combined Containment, Eradication and Recovery phase is split into three separate phases below. Use it during active incidents to ensure no critical steps are missed.
Important: Document everything. Every action taken, every decision made, and every timeline entry matters for post-incident review and potential legal proceedings.
Phase 1: Preparation (Before Incidents)
- Incident response plan documented and approved — Current version accessible to all team members
- IR team roles and contact info current — Include after-hours escalation paths
- Communication templates prepared — Pre-written notifications for stakeholders, customers, legal
- Forensic toolkit ready — Jump bag with write blockers, bootable USB, imaging tools
- Logging infrastructure verified — SIEM ingesting from all critical systems, with retention long enough to cover likely attacker dwell time
- Backup integrity confirmed — Recent restore test completed successfully
- Legal counsel identified — Know when to engage legal (breach notification laws)
- Third-party contacts listed — ISP, cloud provider, cyber insurance, law enforcement
Phase 2: Detection & Analysis
Initial Triage
- Alert received and acknowledged — Record source, time, and initial indicators
  - Timestamp: _______________
  - Alert Source: _______________
  - Initial IOCs: _______________
  - Severity Assessment: [ ] Critical [ ] High [ ] Medium [ ] Low
- Validate the alert — Confirm this is a true positive, not a false alarm
- Assign incident ID and severity — Use the classification matrix below
- Notify IR team lead — Escalate based on severity threshold
- Begin incident timeline — Chronological log of all events and actions; record timestamps in UTC and who performed each action
Investigation
- Identify affected systems — Scope the blast radius
  - Affected Hosts: _______________
  - Affected Services: _______________
  - Affected Users: _______________
- Collect volatile evidence first — Memory, network state and running processes before isolation changes them and before any shutdown; write to external media, never to the compromised disk

```bash
# Memory first. On current kernels /dev/mem is restricted (CONFIG_STRICT_DEVMEM)
# and dd against it does not capture RAM; use a kernel-aware tool such as AVML or LiME.
sudo avml /forensics/memory.lime
# All sockets, not just listening ones: -l would hide established C2 sessions
ss -tunap > /forensics/sockets.txt
# Process tree with owner and start time
ps -eo pid,ppid,user,lstart,stat,cmd --forest > /forensics/processes.txt
```

- Preserve log data — Copy system, auth, web and application logs before rotation or attacker wiping
- Identify attack vector — How did the attacker get in?
- Determine data exposure — What data was accessed or exfiltrated?
- Check for lateral movement — Are other systems compromised? Pivot on the attacker's credentials, source IPs and tooling across the estate
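The collection steps above as a single script, added here as an example and not part of the original checklist. It assumes a Linux host with coreutils, procps and iproute2, an output directory on external media passed as the first argument, and optionally AVML for memory; the `collect` and `collect_volatile` function names are ours. Every artifact is hashed into a tab-separated manifest as it is written, so the chain of custody starts at acquisition:

```bash
#!/usr/bin/env bash
# Added example (not from the checklist): volatile evidence collection in
# order of volatility, with every artifact hashed into a manifest.
# Assumptions: Linux with coreutils, procps and iproute2; $1 is a directory
# on EXTERNAL media (USB, NFS share), never the compromised disk.

# collect OUT_DIR NAME CMD [ARGS...]
# Runs CMD, stores stdout in OUT_DIR/NAME and appends a manifest line:
# utc-time, artifact, sha256, exit code, command. Always returns 0 so one
# missing tool or failing command does not stop the rest of the collection.
collect() {
  local out_dir="$1" name="$2"; shift 2
  local ts rc=0 sum
  ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  if ! command -v "$1" >/dev/null 2>&1; then
    printf '%s\t%s\tSKIPPED\trc=127\t%s\n' "$ts" "$name" "$*" >> "$out_dir/manifest.tsv"
    return 0
  fi
  "$@" > "$out_dir/$name" 2> "$out_dir/$name.err" || rc=$?
  sum="$(sha256sum "$out_dir/$name" | cut -d' ' -f1)"
  printf '%s\t%s\t%s\trc=%d\t%s\n' "$ts" "$name" "$sum" "$rc" "$*" >> "$out_dir/manifest.tsv"
}

# collect_volatile OUT_DIR -> prints the manifest path
collect_volatile() {
  local out_dir="$1"
  mkdir -p "$out_dir" || return 1
  : > "$out_dir/manifest.tsv"
  # Memory first, and only with a kernel-aware tool: /dev/mem is restricted
  # on current kernels. AVML is optional here and skipped if absent.
  if command -v avml >/dev/null 2>&1; then
    avml "$out_dir/memory.lime" 2> "$out_dir/memory.lime.err" || true
    [ -f "$out_dir/memory.lime" ] && sha256sum "$out_dir/memory.lime" > "$out_dir/memory.lime.sha256"
  fi
  # Clock and uptime anchor every later timestamp
  collect "$out_dir" date.txt date -u
  collect "$out_dir" uptime.txt uptime
  # Network state: all sockets including established ones, neighbours, routes
  collect "$out_dir" sockets.txt ss -tunap
  collect "$out_dir" arp.txt ip neigh
  collect "$out_dir" routes.txt ip route
  # Processes with owner and start time, as a tree, plus logged-in users
  collect "$out_dir" processes.txt ps -eo pid,ppid,user,lstart,stat,cmd --forest
  collect "$out_dir" logged_in.txt who -a
  # Kernel modules and mounts (rootkits, attacker-mounted filesystems)
  collect "$out_dir" modules.txt cat /proc/modules
  collect "$out_dir" mounts.txt cat /proc/mounts
  printf '%s\n' "$out_dir/manifest.tsv"
}
```

Run it from a shell on the host, for example `sudo bash collect.sh /mnt/usb/INC-0001/host01` (hypothetical paths), and paste the manifest lines into the incident timeline. Memory is acquired before anything else because every later command disturbs it.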
Phase 3: Containment
Short-Term Containment
- Isolate affected systems — Network segmentation, not shutdown; powering off destroys volatile evidence

```bash
# Block at the host firewall. Insert at the top (-I) so the rule precedes existing
# ACCEPT rules; -A appends after them and may never match. Block both directions.
iptables -I INPUT 1 -s <attacker-ip> -j DROP
iptables -I OUTPUT 1 -d <attacker-ip> -j DROP
# Or move the host to a quarantine VLAN or security group at the switch/cloud layer,
# which an attacker with root on the host cannot undo
```

- Disable compromised accounts — Revoke access immediately, including active sessions and tokens, not just the password
- Block malicious IPs/domains — Update firewall and DNS blackhole
- Capture forensic images — Before eradication or any remediation touches the disk; image to external media, use conv=noerror,sync at the sector size so bad sectors are zero-filled without misaligning or padding the image, and record the hash in the incident timeline

```bash
dd if=/dev/sda of=/forensics/disk.img bs=512 conv=noerror,sync status=progress
sha256sum /dev/sda /forensics/disk.img > /forensics/disk.img.sha256
```
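Short-term containment as runnable shell, added here as an example rather than code from the original page. `isolation_rules` prints (does not apply) an iptables rule set that preserves the attacker-era rules, defaults to DROP, and keeps a single SSH path open from the forensic workstation; `image_device` images a device with dd and verifies the image hash against the source. The address 10.0.0.5, the /mnt/evidence path and both function names are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the checklist). Assumptions: Linux, GNU coreutils,
# iptables with the conntrack match. The rule set is printed, not applied, so
# it can be reviewed first; apply with:
#   isolation_rules 10.0.0.5 /mnt/evidence | sudo sh
# A root-level attacker can remove host firewall rules, so treat this as a
# stopgap until the switch ACL, NAC or cloud security group does the isolation.

# isolation_rules FORENSIC_IP EVIDENCE_DIR -> prints iptables commands
isolation_rules() {
  local forensic_ip="$1" evidence_dir="$2"
  cat <<EOF
# preserve the attacker-era rule set before touching it
iptables-save > "$evidence_dir/iptables-before.txt"
# default-deny first so the flush below opens no window
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# only the forensic workstation may reach the host (SSH), and only replies go back
iptables -A INPUT  -s $forensic_ip -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d $forensic_ip -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# log everything else so C2 beacons and lateral-movement attempts are recorded
iptables -A INPUT  -j LOG --log-prefix "IR-ISOLATE-IN: "
iptables -A OUTPUT -j LOG --log-prefix "IR-ISOLATE-OUT: "
# repeat the same set with ip6tables if the host has IPv6 connectivity
EOF
}

# image_device SRC IMG -> 0 if the image hash matches the source, 1 if not,
# 2 if dd itself failed. conv=noerror,sync keeps reading past bad sectors
# (zero-filled so offsets stay aligned) but pads the final block to bs, so the
# comparison covers exactly the source length. bs=4M is for speed on healthy
# drives; drop to 512 on a failing drive so a read error costs one sector, not 4 MiB.
image_device() {
  local src="$1" img="$2" size src_sum img_sum
  dd if="$src" of="$img" bs=4M conv=noerror,sync status=progress 2> "$img.dd.log" || return 2
  if [ -b "$src" ]; then size="$(blockdev --getsize64 "$src")"; else size="$(stat -c %s "$src")"; fi
  # second full read of the source; dc3dd/dcfldd hash inline and avoid it
  src_sum="$(sha256sum "$src" | cut -d' ' -f1)"
  img_sum="$(head -c "$size" "$img" | sha256sum | cut -d' ' -f1)"
  printf 'source\t%s\t%s\nimage\t%s\t%s\nbytes\t%s\n' "$src_sum" "$src" "$img_sum" "$img" "$size" > "$img.sha256"
  [ "$src_sum" = "$img_sum" ]
}
```

Keep the printed rule set and the `.sha256` file with the evidence; both are part of the record of what was changed and when.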
Long-Term Containment
- Apply temporary fixes — Patch vulnerability, update rules
- Increase monitoring — Enhanced logging on affected and adjacent systems
- Rotate credentials — All credentials on affected systems, including service accounts, API keys and SSH keys that may have been harvested; assume anything readable on the host is compromised
- Verify containment effective — Confirm no new IOCs appearing
Phase 4: Eradication
- Remove malware/backdoors — Clean all affected systems
- Patch exploited vulnerability — Close the attack vector
- Remove unauthorized accounts — Check for persistence mechanisms: cron jobs, systemd units, startup scripts, scheduled tasks, added SSH authorized_keys, new services and web shells
- Scan all systems for IOCs — Ensure no other systems compromised
- Update detection signatures — Add new IOCs to SIEM/EDR
- Verify clean state — Rescan after eradication
Phase 5: Recovery
- Restore from clean backups — Use verified backups taken before the initial compromise, not merely before detection; check the attack timeline for dwell time and scan the backup before restoring
- Rebuild if necessary — Fresh OS install for severely compromised systems
- Gradually restore services — Monitor closely during each phase
- Verify system integrity — Compare against known-good baselines
- Confirm business operations normal — All services functioning correctly
- Maintain heightened monitoring — 30-day elevated watch period
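For the "verify system integrity" step, an added example (ours, not from the checklist) of a baseline manifest and a verification pass that also reports files that were added, which `sha256sum -c` alone does not, and which is how a dropped web shell or replacement binary shows up. It assumes GNU coreutils and findutils and a baseline captured from the known-good build and kept off-host with its own hash; the function names and the `./app/cmd.php` style paths used in testing are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the checklist): file-integrity baseline and verification.
# Assumptions: GNU coreutils/findutils (sort -z, xargs -0 -r, sha256sum) and
# paths that do not contain two consecutive spaces (sha256sum's field separator).

# baseline_create ROOT -> sha256sum-format manifest on stdout, paths relative to ROOT
baseline_create() {
  local root="$1"
  ( cd "$root" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# baseline_verify ROOT BASELINE -> 0 if the tree matches the baseline;
# otherwise prints ADDED / MODIFIED / REMOVED lines and returns 1
baseline_verify() {
  local root="$1" baseline="$2" now report
  now="$(mktemp)"
  baseline_create "$root" > "$now"
  # first file: load baseline hashes by path; second file: compare current tree
  report="$(awk -F'  ' '
    FILENAME == ARGV[1] { base[$2] = $1; next }
    {
      if (!($2 in base))        print "ADDED\t" $2
      else if (base[$2] != $1)  print "MODIFIED\t" $2
      seen[$2] = 1
    }
    END { for (p in base) if (!(p in seen)) print "REMOVED\t" p }
  ' "$baseline" "$now" | sort)"
  rm -f "$now"
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}
```

Capture the baseline at build time (`baseline_create /var/www > www.sha256`, hypothetical path) and store it with the build artifacts, not on the server; a baseline the attacker can edit verifies nothing.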
Phase 6: Post-Incident
- Conduct lessons learned meeting — Within 1 week of resolution
- Update incident response plan — Incorporate improvements
- Submit final incident report — Include timeline, impact, root cause, recommendations
- Update detection rules — Prevent recurrence
- Brief stakeholders — Executive summary of incident and improvements
- Fulfill notification obligations — Regulatory and contractual requirements; many regimes start the clock at the moment of awareness (72 hours under GDPR Article 33), so engage legal and begin this work during Detection & Analysis rather than waiting for recovery
Severity Classification Matrix
| Severity | Description | Response Time | Examples |
|---|---|---|---|
| Critical | Active data breach, ransomware | Immediate | Data exfiltration, active attacker |
| High | Confirmed compromise, no data loss yet | 1 hour | Malware on server, unauthorized access |
| Medium | Suspicious activity, potential threat | 4 hours | Anomalous login, policy violation |
| Low | Informational, minor policy violation | 24 hours | Failed login attempts, scan detected |
Key Contacts Template
| Role | Name | Phone | |
|---|---|---|---|
| IR Lead | | | |
| Security Analyst | | | |
| IT Operations | | | |
| Legal Counsel | | | |
| Communications | | | |
| Executive Sponsor | | | |
| Cyber Insurance | | | |
| Law Enforcement | | | |