Cybersecurity Incident Response Planner

For auditors and assessors: maps each CIS Control and CISSP Domain 7 requirement to the plan section(s) that fulfill it. Update Status after each plan review.

Select the incident type and affected data categories to determine regulatory notification obligations, deadlines, and filing methods. Updates the Notification Status tracker below. (GDPR Art.33 / HIPAA §164.412 / NYDFS 500.17 / CIRCIA)

• IR policy formally documented and approved by leadership
• IR team roles and responsibilities clearly defined
• Emergency contact list maintained and tested
• SIEM / logging deployed and tuned with alerts
• EDR deployed on all endpoints (>95% coverage)
• Out-of-band communication channel established
• Network segmentation implemented (CIS Control 12)
• Backup systems tested and verified air-gapped copy exists
• Threat intelligence feeds integrated
• IR retainer agreement with external IR firm in place
• Cyber liability insurance policy active and reviewed
• Legal counsel briefed on breach notification requirements
• Asset inventory (CIS Control 1) up to date
• Privileged Access Management (PAM) deployed
• Multi-factor authentication enforced organization-wide
• Annual tabletop exercise conducted
• Purple team / penetration test completed in last 12 months

Define and enforce triage SLAs per alert type. Review quarterly. Target false-positive rate below 15% per category. High FP rates signal rule-tuning gaps that increase analyst fatigue and dwell time.

• Review SIEM alerts and correlate events across time range
• Collect endpoint forensic data (memory dump, disk image if needed)
• Identify affected systems and user accounts
• Conduct IOC search across environment using XDR/EDR
• Perform URL / IP reputation checks (VirusTotal, Shodan, AbuseIPDB)
• Submit suspicious files to sandbox (Any.run, Hybrid Analysis, Joe Sandbox)
• Map to MITRE ATT&CK framework (TTPs identified)
• Determine lateral movement paths
• Identify data accessed, modified, or exfiltrated
• Establish timeline of events (UTC timestamps)
• Engage threat intelligence for attribution (if applicable)
• Document all new IOCs discovered
• Perform adversary attribution analysis (nation-state? cybercriminal group?)
• Assess if regulatory thresholds are met (breach notification triggers)

• Remove all identified malware, tools, and backdoors from affected systems
• Patch all vulnerabilities exploited during the incident
• Verify no persistent mechanisms remain (scheduled tasks, registry keys, services)
• Reset all potentially compromised credentials
• Revoke and reissue all SSL/TLS certificates on affected systems
• Rebuild or restore affected systems from known-good images
• Validate IOC search shows clean results across environment
• Block all identified C2 infrastructure
• Notify affected third parties / partners if their systems may be impacted
• Confirm no re-infection occurs within 24-hour monitoring period
• IOC sweep shows zero hits across all monitored endpoints (EDR / XDR verified)
• Technical Lead attestation: all malicious artifacts removed and confirmed clean
• 30–90 day enhanced monitoring plan activated on all affected systems
• Forensic examiner sign-off: evidence preservation integrity confirmed

• Confirm eradication is complete and verified by at least two team members
• Restore systems from verified clean backups or rebuild from hardened image
• Validate data integrity of restored systems
• Implement additional monitoring on previously affected systems (30-90 days enhanced)
• Re-enable services gradually — monitor for anomalies at each step
• Perform vulnerability scan on all restored systems before reconnecting to network
• Confirm backups are intact and untouched (verify backup integrity)
• Test business-critical applications after restoration
• Brief end users on any security changes / new procedures
• Confirm all logging / monitoring is restored and functional
• Obtain executive sign-off before declaring incident closed
• Notify relevant parties that systems are restored (if downtime was communicated)

Each playbook must have a designated owner responsible for keeping it current. Conduct tabletop exercises annually per playbook. Review after every real-world activation.

• Identify encrypted files and ransom note location
• Identify patient-zero (first infected system)
• Determine ransomware family (submit sample to ID Ransomware: id-ransomware.malwarehunterteam.com)
• Assess scope: how many systems are affected?
• Check for available decryptors (No More Ransom Project: nomoreransom.org)
• Identify initial infection vector (phishing, RDP brute force, vulnerability?)
• Check for data exfiltration BEFORE encryption (double extortion)
• Identify compromised accounts used for lateral movement
• Determine if domain controllers / AD are compromised

• Network isolate ALL suspected/confirmed affected systems immediately
• Disable all unnecessary network shares and remote access
• Reset ALL domain admin and privileged account credentials
• Take offline snapshots of critical systems (before further damage)
• Block all known C2 IPs/domains at firewall and DNS
• Engage Cyber Insurance carrier — ransomware is typically covered
• Notify FBI / CISA (do NOT pay without doing this)
• Establish clean, isolated war room environment for IR team
• Activate out-of-band communications (corporate email may be compromised)

• Rebuild from verified clean backups (verify backup integrity FIRST)
• Restore systems in priority order (critical → high → medium → low)
• Patch ALL vulnerabilities before restoring to network
• Fully audit and rebuild Active Directory if compromised
• Implement network segmentation before reconnecting systems
• Deploy enhanced EDR coverage across all endpoints
• Rotate all credentials, API keys, certificates
• Monitor for 30+ days post-recovery for re-infection

1. Call FBI local field office immediately — do not wait to gather more evidence first
2. File report at ic3.gov — include ransom note, cryptocurrency wallet addresses, sample encrypted files
3. Notify CISA: cisa.gov/report or 1-888-282-0870 (24/7 Operations Center)
4. Check OFAC SDN list: sanctionssearch.ofac.treas.gov
5. Notify cyber insurance carrier — most policies require pre-payment authorization
6. Obtain written legal counsel sign-off before any payment
7. If paying: engage blockchain forensics firm (Chainalysis, Elliptic) to trace the wallet

• Confirm receipt of phishing email via SIEM or user report
• Determine if targeted (spear phishing) or mass campaign
• Identify all recipients in organization
• Check if any users clicked links or opened attachments
• Execute attachments / URLs in sandbox for IOC extraction
• For BEC: determine if unauthorized financial transactions occurred
• Check email header for spoofing indicators
• Review inbox rules for suspicious mail forwarding
• Check for OAuth app consent grants (account takeover indicator)
• Review audit logs for sign-ins from unusual locations/IPs

• Purge phishing email from all user mailboxes (admin search & purge)
• Block sender domain at email gateway (DNS, DMARC enforcement)
• DNS blackhole malicious URLs and C2 domains
• Reset credentials + MFA for all compromised accounts
• Revoke all active sessions and OAuth tokens for affected accounts
• Remove suspicious inbox rules and forwarding
• If wire fraud: contact bank immediately (24-hr clawback window)
• Report BEC to FBI IC3 and relevant financial authorities
• Notify all recipients — security awareness communication

• Assess whether detection was by endpoint security or network monitoring
• Conduct in-depth forensic analysis of affected systems
• Gather file hashes, IP addresses, domains related to C2
• Submit suspicious files to VirusTotal, Hybrid Analysis
• Use XDR to search for presence of IOCs across all endpoints
• Conduct URL/IP reputation checks via threat intelligence
• Determine attack vector used for initial access
• Map TTPs to MITRE ATT&CK framework
• Escalate severity based on multi-system indicators
• Engage threat intelligence for threat actor attribution
• Share IOCs with FS-ISAC, MS-ISAC, or sector ISAC

• Implement network-wide IP blocking for C2 infrastructure
• Execute remediation: patch, update configs, remove malicious files
• Disable compromised user accounts associated with the attack
• Isolate device from network to prevent lateral spread
• Monitor environment for delayed alerts / persistence mechanisms
• Perform targeted investigation on assets associated with IOCs
• Review for unauthorized accounts, scheduled tasks, registry changes
• Conduct final review, document findings and root causes
• Share IOCs with law enforcement and industry peers

• Confirm suspicious activity via SIEM alerts (UEBA if available)
• Determine specific user accounts involved — add to monitoring list
• Identify specific devices associated with the user
• Review login history for unusual patterns, times, or failures
• Investigate if unauthorized data transfer occurred (USB, email, cloud)
• Determine if malware is involved vs. intentional insider action
• Collect and preserve evidence without alerting the suspect
• Engage HR, Legal, and manager of employee (need-to-know basis)
• Check DLP alerts and email monitoring data

• Temporarily disable account (coordinate timing with HR for potential termination)
• Secure and seize devices associated with the user
• Create full forensic disk image before any access or changes
• Apply containment measures based on identified IOCs
• Continue monitoring — respond to any new alerts or activities
• Prepare for potential legal action / HR disciplinary process
• Engage law enforcement if criminal activity is suspected
• Preserve chain of custody for all forensic evidence

• Identify the data classification of exfiltrated data (PII, PHI, PCI, IP)
• Determine exfiltration channel (web upload, email, USB, cloud sync, DNS tunneling)
• Quantify approximate volume of data exfiltrated
• Identify destination of exfiltrated data
• Identify accounts used for exfiltration
• Check for staging areas (attacker may have aggregated data before exfil)
• Review DLP alerts and data classification systems
• Check dark web / paste sites for leaked data (threat intelligence)

• Determine if breach notification thresholds are met
• Identify applicable regulations (HIPAA / PCI / GDPR / State)
• Engage legal counsel immediately for notification guidance
• Document all affected individuals and data types
• Prepare regulatory notifications (see Section 2)
• Engage PR/Communications for potential public disclosure
• Offer credit monitoring / identity protection to affected individuals

• Confirm DDoS attack (vs. organic traffic spike or system failure)
• Classify attack type: Volumetric, Protocol (SYN flood), Application layer (L7)
• Identify attack source IP ranges / ASNs
• Determine attack vector and target services
• Assess impact on business services
• Contact ISP / upstream provider for upstream blocking

• Activate DDoS mitigation service (Cloudflare, Akamai, AWS Shield)
• Enable BGP route advertisement to scrubbing centers if available
• Apply rate limiting and geo-blocking if applicable
• Enable CAPTCHA or bot challenge for web applications
• Scale CDN and load balancer capacity
• Block attack source IPs at firewall (temporary ACLs)
• Monitor for attack pattern shifts (attackers often change vectors)
• Check if DDoS is a distraction for another simultaneous attack
• Report to FBI and CISA if infrastructure attack

• Review endpoint detection logs (EDR/AV) for compromise indicators
• Use forensic tools to investigate for artifacts, malware, IOCs
• Check for beaconing connections to C2 servers
• Identify signs of lateral movement to other hosts
• Analyze which user accounts are active on compromised host
• Execute suspicious samples in sandbox environment
• Collect and document new IOCs (IPs, hashes, domains)
• Record IOCs in SIEM for ongoing detection

• Use gathered IOCs to contain threat across network
• Remove malicious files, patch vulnerabilities
• Disable accounts associated with the compromise
• Seize asset for forensic analysis if needed
• Completely disconnect affected system from network
• Confirm containment — no further spread or C2 communication
• Rebuild system from clean image or restore from verified backup

• Identify the compromised vendor, software, or update mechanism
• Determine if/how the organization was affected
• Immediately isolate systems running the affected software/component
• Contact vendor for remediation guidance and patches
• Review all activity from affected systems in past 90 days
• Assess if attacker pivoted from affected system to other internal systems
• Remove or rollback affected software to pre-compromise version
• Monitor all third-party integrations for anomalous behavior
• Review and re-evaluate vendor access privileges
• Share threat intelligence with relevant ISACs and CISA

• Identify compromised cloud accounts, services, and APIs
• Review cloud audit logs (CloudTrail, Azure Monitor, GCP Audit)
• Revoke all compromised API keys, access tokens, OAuth grants
• Reset credentials for all affected cloud identities
• Enforce MFA on all cloud accounts immediately
• Check for misconfigured public buckets / storage exposures
• Assess data access: what cloud resources were accessed?
• Contact cloud provider security team (AWS Security, Azure Defender)
• Review IAM policies — implement least privilege remediation
• Check for persistence: new IAM users/roles created by attacker
• Enable cloud-native threat detection (GuardDuty, Defender for Cloud)

• Immediately notify plant/operations manager and safety officer
• Do NOT isolate or shut down systems without safety assessment
• Implement IT/OT network segmentation (if not already in place)
• Contact ICS-CERT / CISA immediately (cisa.gov/ics-cert)
• Notify sector regulator (NERC for energy, EPA for water, etc.)
• Engage OT-specialized IR firm (Dragos, Claroty, Nozomi)
• Assess if attack caused physical process manipulation
• Preserve historian and SCADA logs for investigation
• Switch to manual operations if feasible during investigation
• Identify entry point: IT-to-OT pivot, remote access, USB media

• CISA Tabletop Exercise Packages: cisa.gov/CTEP
• FEMA Exercise Program: training.fema.gov/hseep
• NIST SP 800-84 — Testing IT Contingency Plans
• Intelligent Automation Custom Tabletop Templates (request from IA team)

• Preserve all digital evidence in forensically sound manner (write blockers)
• Document chain of custody for all evidence
• Do NOT modify or delete logs during an active investigation
• Issue litigation hold for all potentially relevant data
• Preserve evidence for minimum 7 years (longer if litigation expected)
• Engage outside counsel before communicating with regulators
• Attorney-client privilege: mark sensitive IR communications accordingly

Pre-define roles and responsibilities for each vendor category during an incident. Forensic responsibility and data access authorizations must be agreed upon before an incident occurs.