Security Incident Response Cheat Sheet
Covers the standard incident response lifecycle, containment strategies, and evidence handling for effectively managing security incidents.
2 PagesIntermediateFeb 8, 2026
Incident Response Lifecycle (NIST SP 800-61)
The standard phases of handling a security incident.
- 1. Preparation- Build IR plan, playbooks, tooling, and trained team before an incident occurs
- 2. Detection & analysis- Identify indicators, confirm the incident, determine scope and severity
- 3. Containment- Limit damage: short-term (isolate host) and long-term (patch, rotate creds)
- 4. Eradication- Remove the root cause: malware, backdoors, compromised accounts
- 5. Recovery- Restore systems to normal operation, monitor closely for recurrence
- 6. Post-incident (lessons learned)- Document timeline, root cause, and improvements to prevent recurrence
Quick Triage Commands (Linux Host)
Commands to gather volatile evidence early in an investigation.
bash
# Active network connections and listening portsss -tulnp# Running processes with full command linesps auxww# Recently modified files (last 24 hours)find / -mtime -1 -type f 2>/dev/null# Logged-in users and login historywlast -20# Scheduled tasks (common persistence mechanism)crontab -lls -la /etc/cron.d/
Containment Strategies
Common approaches to stop an incident from spreading.
- Network isolation- Move affected host to a quarantine VLAN instead of full power-off, to preserve volatile evidence
- Disable compromised accounts- Force password reset and revoke active sessions/tokens
- Block indicators of compromise- Deny known malicious IPs/domains/hashes at firewall, proxy, and EDR
- Preserve evidence first- Capture memory/disk images before remediation actions overwrite evidence
Key IR Team Roles
Typical responsibilities during an active incident.
- Incident commander- Coordinates the response, makes final decisions, manages communication
- Security analyst- Performs technical investigation, log analysis, and containment actions
- Legal/compliance- Advises on breach notification obligations and regulatory requirements
- Communications/PR- Manages internal and external messaging about the incident
Pro Tip
Never power off a compromised machine as your first action — it destroys volatile evidence in memory (running processes, network connections, encryption keys); isolate it from the network first, then image memory before shutdown.
Was this cheat sheet helpful?
Explore Topics
#SecurityIncidentResponse#SecurityIncidentResponseCheatSheet#Cybersecurity#Intermediate#Incident#Response#Lifecycle#NIST#Security#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance