Purpose
This checklist provides a structured guide for the first 30 minutes of any security incident, reducing panic-driven decisions and ensuring consistent response.
Phase 1: Situation Control (0–10 minutes)
- Identify incident type (access, malware, DoS, data exposure)
- Identify affected systems
- Assign incident lead
- Start activity log (who/what/when)
Phase 2: Containment (10–20 minutes)
- Block malicious IPs or accounts
- Isolate affected hosts if required
- Preserve volatile data where possible
- Avoid system reboots unless required
Phase 3: Evidence Preservation (20–30 minutes)
- Export relevant logs
- Capture timestamps and indicators
- Secure backups/snapshots
- Decide escalation path
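The activity log from Phase 1 and the log export and indicator capture from Phase 3 are the two items on this checklist that benefit most from being scripted ahead of time, so that under pressure a responder only has to call a function. The following is an added example, not part of the checklist: a small Python helper that keeps an append-only who/what/when log as JSON lines, copies exported logs into a per-incident evidence directory, records the SHA-256, collection time, collector and associated indicators in a manifest, and can re-verify the hashes later. The case id INC-EXAMPLE-001, the analyst name, the sample auth log lines and the address 203.0.113.7 (a documentation range) are all constructed values; the helper writes to a temporary directory by default.

```python
# Added example (not part of the original checklist): scripted support for the
# Phase 1 activity log and the Phase 3 evidence preservation steps.
# All identifiers, log lines and the IP 203.0.113.7 below are constructed.
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample of an auth log exported from an affected host.
SAMPLE_AUTH_LOG = (
    "2024-01-01T03:14:07Z sshd[1201]: Failed password for root from 203.0.113.7\n"
    "2024-01-01T03:14:09Z sshd[1201]: Failed password for root from 203.0.113.7\n"
    "2024-01-01T03:14:12Z sshd[1205]: Accepted password for deploy from 203.0.113.7\n"
)


def utc_now() -> str:
    """UTC timestamps so entries from different responders and hosts sort consistently."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class IncidentCase:
    """One directory per incident: append-only activity log plus an evidence manifest."""

    def __init__(self, root, incident_id: str, lead: str):
        self.root = Path(root) / incident_id
        self.evidence_dir = self.root / "evidence"
        self.evidence_dir.mkdir(parents=True, exist_ok=True)
        self.log_path = self.root / "activity.log"
        self.manifest_path = self.root / "evidence_manifest.json"
        # Phase 1: assigning the lead and opening the log is the first recorded action.
        self.log(lead, f"incident {incident_id} opened; incident lead: {lead}")

    def log(self, who: str, what: str) -> dict:
        """Append one who/what/when entry (one JSON object per line, never rewritten)."""
        entry = {"when": utc_now(), "who": who, "what": what}
        with self.log_path.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")
        return entry

    def entries(self) -> list:
        text = self.log_path.read_text(encoding="utf-8")
        return [json.loads(line) for line in text.splitlines()]

    def read_manifest(self) -> list:
        if self.manifest_path.exists():
            return json.loads(self.manifest_path.read_text(encoding="utf-8"))
        return []

    def preserve(self, who: str, source, indicators=None) -> dict:
        """Phase 3: copy an exported log into the case and record hash, time, collector, indicators."""
        source = Path(source)
        data = source.read_bytes()
        digest = sha256_hex(data)
        stored = self.evidence_dir / f"{digest[:12]}_{source.name}"
        shutil.copy2(source, stored)  # copy2 keeps the original modification time
        record = {
            "collected_at": utc_now(),
            "collected_by": who,
            "source": str(source),
            "stored_as": str(stored),
            "sha256": digest,
            "size_bytes": len(data),
            "indicators": list(indicators or []),
        }
        manifest = self.read_manifest()
        manifest.append(record)
        self.manifest_path.write_text(json.dumps(manifest, indent=2), encoding="utf-8")
        self.log(who, f"preserved {source.name} sha256={digest}")
        return record

    def verify(self) -> list:
        """Re-hash every preserved file; returns the stored paths whose content changed."""
        return [
            rec["stored_as"]
            for rec in self.read_manifest()
            if sha256_hex(Path(rec["stored_as"]).read_bytes()) != rec["sha256"]
        ]


def run_demo(root=None) -> IncidentCase:
    """Walk the constructed scenario through Phases 1 to 3 and return the case."""
    root = root or tempfile.mkdtemp(prefix="ir-demo-")
    case = IncidentCase(root, "INC-EXAMPLE-001", "analyst.a")  # constructed ids
    case.log("analyst.a", "type=access; affected=web-01; source IP 203.0.113.7")
    case.log("analyst.a", "blocked 203.0.113.7 at the edge firewall")
    exported = Path(root) / "auth.log"  # stands in for the log exported from web-01
    exported.write_text(SAMPLE_AUTH_LOG, encoding="utf-8")
    case.preserve("analyst.a", exported, indicators=["203.0.113.7", "user:deploy"])
    return case


if __name__ == "__main__":
    demo = run_demo()
    print(f"case directory: {demo.root}")
    for e in demo.entries():
        print(e["when"], e["who"], e["what"])
    print("evidence intact:", demo.verify() == [])
```

The manifest records the hash at collection time, so a later `verify()` gives a cheap answer to "is the evidence we are about to hand to the escalation path still what we collected?", which is the question the "do not remediate before evidence is secured" usage note is protecting.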
Usage Notes
- Do not remediate before evidence is secured
- Do not attribute cause prematurely
- Escalate based on impact, not assumptions
Reuse Guidance
This checklist is designed to be:
- Printed
- Embedded in runbooks
- Used during tabletop exercises
- Adapted per environment