IT KORR Knowledge Center
Incident Response Checklist
A checklist organized by incident response phase — Detection, Containment, Eradication, Recovery, and Post-Incident Review.
Detection
- Confirm the incident is real and not a false positive before escalating further.
- Determine the scope and affected systems — what is confirmed impacted vs. what is still unknown.
- Record the time the incident was first detected and by what means (alert, report, monitoring).
- Notify the incident response lead and activate the incident response plan.
Containment
- Isolate affected systems from the network to prevent further spread, without powering them off if evidence preservation is needed.
- Preserve evidence (logs, memory captures, disk images) before remediation actions overwrite it.
- Disable compromised credentials or accounts identified during the initial assessment.
- Implement short-term containment measures (e.g., firewall rules, network segmentation) distinct from long-term fixes.
Eradication
- Identify and remove the root cause (malware, unauthorized access, vulnerability) from affected systems.
- Patch or reconfigure the vulnerability that allowed the incident, not just the immediate symptom.
- Reset credentials for all accounts confirmed or suspected to be compromised.
- Scan related and connected systems for signs of lateral movement before considering eradication complete.
Recovery
- Restore affected systems from known-clean backups, not from potentially compromised current state.
- Verify no reinfection or residual compromise before reconnecting systems to production.
- Monitor restored systems closely for a defined period following reconnection.
- Confirm business functions are operating normally before formally closing the recovery phase.
Post-Incident Review
- Document a full timeline of the incident: detection, containment, eradication, and recovery.
- Identify what worked, what did not, and specific gaps in tooling, process, or training.
- Assign owners and target dates for remediation of identified gaps.
- Update the incident response plan and related runbooks based on lessons learned.
Related Resources
- Ransomware Recovery Planning — /knowledge-center/business-continuity/business-continuity-disaster-recovery/ransomware-recovery-planning
- Disaster Recovery Planning — /knowledge-center/business-continuity/business-continuity-disaster-recovery/disaster-recovery-planning