CISA checklist

Last month, CISA (Cybersecurity and Infrastructure Security Agency) published its Cybersecurity Incident & Vulnerability Response Playbooks: Operational Procedures for Planning and Conducting Cybersecurity Incident and Vulnerability Response Activities in FCEB Information Systems. An appendix to this guide provides a checklist to use in responding to a security breach incident.



Stripped to its essentials, the checklist comes down to these steps:

  1. Report the incident (to CISA) within one hour.

  2. Assess the operational and information impact.

  3. Collect data about the incident.

  4. Identify the technical basis of the incident: the IOCs (indicators of compromise, such as a file hash or IP address) and the TTPs (tactics, techniques, and procedures, which describe why and how the attack took place).

  5. Use a third party for intrusion detection.

  6. Tune tools to mitigate the attack.

  7. Implement a containment strategy: system backups; close ports and servers; prevent domain name resolution for attackers.

  8. Eradication: reimage systems from backups.

  9. Reset passwords and install updates and patches.

  10. Post-incident action: an after-action hotwash to evaluate the incident response.

  11. Coordinate with CISA and receive a CISA National Cyber Incident Scoring System (NCISS) priority level.
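Steps 2 through 4 are where most of the hands-on work happens: collected logs are checked against the indicators of compromise, and the hits tell you which assets are implicated for the impact assessment. The following Python script is an added example, not part of the CISA playbook or this post; it runs a constructed IOC set (IP addresses, file hashes, a domain) over constructed log lines in an assumed `<timestamp> <host> <message>` format and produces a scoping summary. The indicator values and log lines are made up for illustration.

```python
"""Match collected log lines against an IOC list and scope the incident.

Added example: the IOC values, log lines and log format below are all
constructed for illustration, not taken from the CISA playbook.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class IocHit:
    line_no: int   # 1-based index of the log line that matched
    host: str      # host that emitted the log line (second field, assumed format)
    ioc_type: str  # "ip", "hash" or "domain"
    value: str     # the matched indicator, lower-cased


# Constructed indicator set; the hash is an arbitrary MD5-length placeholder.
IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "hash": {"9e107d9d372bb6826bd81d3542a419d6"},
    "domain": {"bad.example.net"},
}

# Constructed log lines in the assumed "<timestamp> <host> <message>" format.
SAMPLE_LOGS = [
    "2021-12-02T10:14:03Z fw01 DENY src=203.0.113.45 dst=10.0.0.5 dport=445",
    "2021-12-02T10:15:20Z host07 edr file=C:\\Temp\\x.exe md5=9e107d9d372bb6826bd81d3542a419d6",
    "2021-12-02T10:16:01Z dns01 query client=10.0.0.7 name=bad.example.net type=A",
    "2021-12-02T10:17:45Z fw01 ALLOW src=10.0.0.8 dst=10.0.0.9 dport=443",
    "2021-12-02T10:18:10Z host12 edr file=C:\\Users\\a\\doc.pdf md5=0cc175b9c0f1b6a831c399e269772661",
    "2021-12-02T10:19:30Z fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=22",
]

# Extractors pull every candidate of each indicator type out of a line;
# only candidates that appear in the IOC set count as hits.
EXTRACTORS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # SHA-256, SHA-1 and MD5 lengths, longest first so a long hash is not split.
    "hash": re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}


def find_ioc_hits(lines, iocs=IOCS):
    """Return an IocHit for every indicator occurrence, in log order."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        parts = line.split(maxsplit=2)
        host = parts[1] if len(parts) > 1 else "?"
        for ioc_type, pattern in EXTRACTORS.items():
            known = iocs.get(ioc_type, set())
            for candidate in pattern.findall(line):
                if candidate.lower() in known:
                    hits.append(IocHit(line_no, host, ioc_type, candidate.lower()))
    return hits


def scope_incident(hits):
    """Summarise which assets are implicated and by what, for the impact assessment."""
    return {
        "affected_hosts": sorted({h.host for h in hits}),
        "by_type": dict(Counter(h.ioc_type for h in hits)),
        "matched_iocs": sorted({h.value for h in hits}),
    }


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOGS)
    for h in found:
        print(f"line {h.line_no:>3}  {h.host:<7} {h.ioc_type:<6} {h.value}")
    print(scope_incident(found))
```

The "host" recorded for a hit is the system that logged the event, so a DNS hit on `dns01` means the resolver saw the query, and the client address in the message still has to be traced to the endpoint. Extending the extractors (for example to pull the `client=` or `src=` field) is the natural next step when the real log format is known.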