Last month, CISA (Cybersecurity and Infrastructure Security Agency) published its Cybersecurity Incident

& Vulnerability Response Playbooks: Operational Procedures for Planning and Conducting Cybersecurity Incident and Vulnerability

Response Activities in FCEB Information Systems . An appendix to this guide provides a checklist to use in responding to a security breach incident.

A bare description of the checklist can be boiled down to these steps:

1. Report the incident (to CISA) within one hour

2. Assess the operational and information impact.

3. Collect data about the incident.

4. Identify the technical basis of the incident - the IOC (indicators of compromise - such as a file hash or IP address) and the TTPs (tactics, techniques, and procedures - which describe why and how the attack took place).

5. Use a third party for intrusion detection.

6. Tune tools to mitigate the attack.

7. Implement a containment strategy - system backups; close ports and servers; prevent domain name resolution for attackers.

8. Eradication - reimage systems from backups.

9. Reset passwords and install updates and patches.

10. Post-Incident action - after action hotwash to evaluate the incident response.

11. Coordinate with the CISA and receive a CISA National Cyber Incident Scoring System (NCISS) priority level.