Security incident checklist

Topic: Security basics

Summary

When a security incident is declared, use this checklist: contain impact, preserve evidence, notify, eradicate, recover, and document. It ensures nothing is missed during a high-stress response. Use it in parallel with incident response basics.

Intent: Checklist

Quick answer

  • Contain: revoke compromised credentials, isolate affected systems, block malicious IPs or domains. Do not destroy evidence; capture logs and snapshots before reimaging.
  • Preserve: collect logs, timelines, and artifacts; store in a safe place. Document every action and the time it was taken so the timeline is clear for analysis and legal.
  • Eradicate and recover: remove cause (malware, backdoor, weak config); patch and harden; restore from clean backup if needed. Post-incident: document cause, response, and lessons; update runbooks and controls.

Prerequisites

Steps

  1. Detect and declare

    Confirm it is a security incident; classify severity. Assign incident lead; start timeline log. Notify stakeholders per policy (internal, legal, regulatory as required).

  2. Contain and preserve

    Revoke credentials; isolate systems; block malicious traffic. Capture evidence before it is lost or altered: volatile data first (memory, running processes, network connections), then logs and disk images, and do this before powering off or reimaging. Hash every artifact at collection time, store it securely, and document chain of custody.

  3. Eradicate and recover

    Remove malware, backdoors, weak config; patch and harden. Restore from known-good backup if necessary. Verify systems are clean and monitoring is in place before returning to normal.

  4. Post-incident

    Document root cause, timeline, actions taken, and lessons. Update runbooks, detection rules, and controls. Share learnings (blameless where appropriate); schedule follow-up to close gaps.
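As an added example that is not part of this checklist's original text: a small Python incident record that applies steps 1 and 2 above, a timestamped timeline that every containment action is written to, evidence hashed (SHA-256) at the moment of collection, a chain-of-custody list per artifact, and a later integrity check that reports any artifact whose content no longer matches its collection hash. The class and function names (IncidentRecord, run_demo), the incident id INC-0001, the host web01, the actors and the log lines are all constructed for illustration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def utc_now() -> str:
    # UTC everywhere so timelines from different hosts and people line up.
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large disk or memory images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class IncidentRecord:
    """Timeline log plus evidence manifest for one declared incident (hypothetical helper)."""

    def __init__(self, incident_id: str, lead: str):
        self.incident_id = incident_id
        self.lead = lead
        self.timeline = []
        self.evidence = {}
        self.log(lead, "declare", f"incident {incident_id} declared, lead={lead}")

    def log(self, actor: str, phase: str, action: str) -> dict:
        """Append a timestamped action; every contain/eradicate step goes through here."""
        entry = {"ts": utc_now(), "actor": actor, "phase": phase, "action": action}
        self.timeline.append(entry)
        return entry

    def collect(self, evidence_id: str, path: Path, collector: str, source: str) -> str:
        """Record an artifact: hash it at collection time and open its custody chain."""
        digest = sha256_file(path)
        self.evidence[evidence_id] = {
            "path": str(path),
            "source": source,
            "size": path.stat().st_size,
            "sha256": digest,
            "custody": [{"ts": utc_now(), "actor": collector, "event": "collected"}],
        }
        self.log(collector, "preserve", f"collected {evidence_id} from {source} sha256={digest}")
        return digest

    def transfer(self, evidence_id: str, from_actor: str, to_actor: str) -> None:
        """Extend the custody chain whenever an artifact changes hands."""
        self.evidence[evidence_id]["custody"].append(
            {"ts": utc_now(), "actor": to_actor, "event": f"received from {from_actor}"}
        )
        self.log(from_actor, "preserve", f"transferred {evidence_id} to {to_actor}")

    def verify(self) -> list:
        """Re-hash every artifact; return the ids whose content has changed since collection."""
        return [eid for eid, e in self.evidence.items()
                if sha256_file(Path(e["path"])) != e["sha256"]]

    def export(self, path: Path) -> None:
        """Write timeline and manifest as JSON for the post-incident report."""
        path.write_text(json.dumps({
            "incident_id": self.incident_id, "lead": self.lead,
            "timeline": self.timeline, "evidence": self.evidence}, indent=2))


def run_demo() -> dict:
    """Walk through declare, contain and preserve on a constructed log file."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed sample log: not taken from any real system.
        auth_log = tmp / "auth.log"
        auth_log.write_text(
            "Mar 03 02:14:07 web01 sshd[4121]: Accepted publickey for deploy from 203.0.113.8\n"
            "Mar 03 02:14:09 web01 sudo: deploy : COMMAND=/bin/bash\n"
        )
        rec = IncidentRecord("INC-0001", lead="alice")
        rec.log("alice", "contain", "revoked deploy SSH key and IAM session tokens")
        rec.log("bob", "contain", "isolated web01 to quarantine VLAN; snapshot taken before reimage")
        rec.collect("ev-001", auth_log, collector="bob", source="web01:/var/log/auth.log")
        rec.transfer("ev-001", "bob", "forensics-vault")
        clean = rec.verify()
        # Simulate someone appending to the collected copy after it was hashed.
        with open(auth_log, "a") as f:
            f.write("Mar 03 02:20:00 web01 sshd[4199]: edited\n")
        tampered = rec.verify()
        rec.export(tmp / "INC-0001.json")
        return {
            "clean": clean,
            "tampered": tampered,
            "timeline_len": len(rec.timeline),
            "custody_len": len(rec.evidence["ev-001"]["custody"]),
            "phases": [e["phase"] for e in rec.timeline],
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The hash is taken once, at collection, and never updated; verify() re-hashing the stored copy is what turns "evidence was preserved" from an assertion into something you can show. In a real response the exported JSON and the artifacts would go to write-once storage that responders cannot modify.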


Verification

Incident is contained and resolved; evidence is preserved; cause is addressed; runbooks and controls are updated.

Troubleshooting

  • Scope unclear: assume the scope is broader until proven otherwise; contain broadly, then narrow.
  • No runbook: follow this checklist and write a runbook from the outcome.

Next steps

Continue to