Last month, CISA (Cybersecurity and Infrastructure Security Agency) published its Cybersecurity Incident & Vulnerability Response Playbooks: Operational Procedures for Planning and Conducting Cybersecurity Incident and Vulnerability Response Activities in FCEB Information Systems. An appendix to this guide provides a checklist to use in responding to a security breach incident.
The checklist can be boiled down to these steps:
Report the incident (to CISA) within one hour
Assess the operational and information impact.
Collect data about the incident.
Identify the technical basis of the incident: the IOCs (indicators of compromise, such as a file hash or an IP address) and the TTPs (tactics, techniques, and procedures, which describe why and how the attack took place).
Use a third party for intrusion detection.
Tune tools to mitigate the attack.
Implement a containment strategy: take system backups, close ports and take affected servers offline, and block domain name resolution for attacker infrastructure.
Eradication: reimage systems from backups.
Reset passwords and install updates and patches.
Post-incident action: hold an after-action hotwash to evaluate the incident response.
Coordinate with CISA and receive a CISA National Cyber Incident Scoring System (NCISS) priority level.
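The "identify the technical basis" step above is where collected data gets checked against known indicators. The script below is an added example (not part of the CISA playbook or this article) of that check: a small IOC set of file hashes and an attacker network is matched against host logs, and the earliest hit gives the start of the incident timeline that the impact assessment and the CISA report need. The hash values, the 198.51.100.0/24 network and the log lines are all constructed for illustration.

```python
"""Match a small set of indicators of compromise (IOCs) against collected logs.

Added example for the checklist's "identify the technical basis" step. The
indicator values and log lines are constructed for illustration; they are not
taken from CISA's playbook.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed IOC set: two SHA-256 file hashes (sha256("test") and sha256("foo"),
# used as stand-ins for real malware hashes) and one attacker network drawn from
# the TEST-NET-2 documentation range.
IOC_HASHES = {
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae",
}
IOC_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed host logs: "<timestamp> <event> key=value key=value ...".
# Line 2 carries an IOC hash (upper-cased, to show normalisation); line 3 is a
# connection to the IOC network; lines 1 and 4 are benign.
SAMPLE_LOGS = [
    "2021-12-01T10:00:01Z exec host=ws-17 path=/usr/bin/ls "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2021-12-01T10:02:13Z exec host=ws-17 path=/tmp/update.bin "
    "sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    "2021-12-01T10:02:40Z conn host=ws-17 src=10.0.0.17 dst=198.51.100.23 dport=443",
    "2021-12-01T10:05:00Z conn host=ws-17 src=10.0.0.17 dst=203.0.113.9 dport=443",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Match:
    line_no: int      # 1-based position in the input, for the evidence record
    timestamp: str
    indicator: str    # the value that matched
    kind: str         # "hash" or "ip"


def parse_line(line):
    """Split a log line into its timestamp and a dict of key=value fields."""
    timestamp, _, rest = line.partition(" ")
    return timestamp, dict(KV_RE.findall(rest))


def ip_in_ioc(value, networks):
    """True if value is an IP address inside one of the IOC networks."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def scan(lines, hashes=IOC_HASHES, networks=IOC_NETWORKS):
    """Return every IOC match in the given log lines, in log order."""
    matches = []
    for line_no, line in enumerate(lines, 1):
        timestamp, fields = parse_line(line)
        digest = fields.get("sha256", "").lower()   # normalise case before lookup
        if digest in hashes:
            matches.append(Match(line_no, timestamp, digest, "hash"))
        for key in ("src", "dst"):
            value = fields.get(key)
            if value and ip_in_ioc(value, networks):
                matches.append(Match(line_no, timestamp, value, "ip"))
    return matches


def first_seen(matches):
    """Earliest matching timestamp: the start of the incident timeline."""
    return min((m.timestamp for m in matches), default=None)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for hit in hits:
        print(f"line {hit.line_no} {hit.timestamp} {hit.kind} {hit.indicator}")
    print("first seen:", first_seen(hits))
```

Recording the line number and timestamp with each hit, rather than just a yes/no, is what makes the output usable for the later steps: the impact assessment needs to know which hosts and when, and the NCISS scoring conversation with CISA needs the same evidence.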