Incident Response

CISA Releases Incident and Vulnerability Response Playbooks

In response to an executive order signed by President Biden in May, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released two cybersecurity playbooks focusing on incident response and vulnerability response.

The executive order on improving the nation’s cybersecurity tasked CISA with developing playbooks for federal civilian agencies to help them plan and conduct vulnerability and incident response. While the playbooks have been created for federal civilian agencies and their contractors, CISA says the information could also be useful to critical infrastructure organizations and private sector companies.

The new playbooks are designed to provide agencies with a standard set of procedures for identifying, coordinating, remediating, recovering and tracking mitigations from incidents and vulnerabilities affecting their systems, data and networks.

The incident response playbook covers the steps agencies need to take in the event of confirmed malicious cyber activity that could have significant consequences, such as lateral movement, data exfiltration, network intrusions involving multiple users or systems, and compromised accounts.

The first phase in the incident response plan is the preparation phase, which includes documenting incident response policies and procedures, implementing systems for detecting suspicious and malicious activity, establishing staffing plans, educating users on cyber threats and notification procedures, and leveraging threat intelligence to proactively identify potential malicious activity.

In the detection and analysis phase, the steps that organizations need to take include declaring an incident by reporting it to CISA and IT leadership, determining the scope of the investigation, collecting and preserving data, and performing a technical analysis.

In the containment phase, organizations must isolate impacted systems and network segments, capture forensic images (preserving evidence for possible legal action), update firewall filtering, block unauthorized access, close specific ports and relevant servers or services, change passwords and rotate cryptographic keys, and, in the case of SOCs with mature capabilities, monitor the threat actor's activity.

Eradication and recovery includes remediating compromised IT systems, reimaging impacted systems, rebuilding hardware, replacing compromised files with clean ones, installing patches, resetting passwords, looking for signs of attacker response to containment activities, reconnecting systems to networks, tightening perimeter security, testing systems, and monitoring operations for abnormal behavior.

Post-incident activities include documenting the incident, informing leadership, taking measures to prevent future incidents, and improving future incident response activities.

The vulnerability response playbook describes the high-level process that should be followed when responding to urgent and high-priority vulnerabilities. The document covers preparation and then the vulnerability response process itself: identification, evaluation, remediation, and reporting.

Recommendations include ensuring that effective vulnerability management practices are being followed, proactively identifying reports of actively exploited vulnerabilities, determining whether a vulnerability exists in the environment and its impact, patching or mitigating vulnerabilities, and sharing information with CISA so that the agency can help other organizations.
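The identification and evaluation steps above boil down to one recurring question: given a report that a vulnerability is being exploited, which of our assets are actually exposed, and which fixes are past their due date? The script below is an added example written for this article; it is not code from CISA or from the playbooks. It matches a constructed feed of "actively exploited" advisories against a constructed asset inventory. The feed and inventory field names, the placeholder CVE identifiers (CVE-0000-000x), the vendor and product names, versions, hosts and due dates are all assumptions made for illustration. The one non-obvious detail it demonstrates is that version strings must be compared numerically: a plain string comparison ranks "4.9.11" above "4.10.2" and would wrongly mark a vulnerable host as fixed.

```python
"""Triage exploited-vulnerability reports against an asset inventory.

Added example, not from the CISA playbooks or the article. All data below
is constructed for illustration; the feed/inventory layout is an assumption.
"""
import json
from datetime import date

# Constructed advisory feed. Placeholder CVE ids, vendors, products, versions
# and due dates are assumptions for this example only.
FEED_JSON = """
[
  {"cve": "CVE-0000-0001", "vendor": "ExampleCo", "product": "ExampleVPN",
   "fixed_in": "4.10.2", "due_date": "2021-11-17"},
  {"cve": "CVE-0000-0002", "vendor": "ExampleCo", "product": "ExampleMail",
   "fixed_in": "2.3.0",  "due_date": "2021-12-01"},
  {"cve": "CVE-0000-0003", "vendor": "OtherCorp", "product": "OtherCMS",
   "fixed_in": "9.0.1",  "due_date": "2021-12-15"}
]
"""

# Constructed asset inventory: what is deployed, at which version, on which host.
INVENTORY_JSON = """
[
  {"host": "vpn-edge-01", "vendor": "ExampleCo", "product": "ExampleVPN",  "version": "4.9.11"},
  {"host": "vpn-edge-02", "vendor": "ExampleCo", "product": "ExampleVPN",  "version": "4.10.2"},
  {"host": "mail-01",     "vendor": "ExampleCo", "product": "ExampleMail", "version": "2.3.1"},
  {"host": "web-01",      "vendor": "OtherCorp", "product": "OtherCMS",    "version": "9.0.0-rc2"}
]
"""


def parse_version(s):
    """Turn '4.10.2' into a tuple that orders numerically, not lexically.

    A trailing pre-release tag such as '-rc2' sorts below the plain release
    it precedes ('9.0.0-rc2' < '9.0.0').
    """
    core, _, pre = s.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    return (nums, 0, pre) if pre else (nums, 1)


def is_affected(installed, fixed_in):
    """True when the installed version is older than the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def triage(feed_json, inventory_json, today):
    """Return one finding per exposed host, earliest due date first."""
    feed = json.loads(feed_json)
    inventory = json.loads(inventory_json)
    findings = []
    for adv in feed:
        for asset in inventory:
            if (asset["vendor"], asset["product"]) != (adv["vendor"], adv["product"]):
                continue  # different product, advisory does not apply
            if not is_affected(asset["version"], adv["fixed_in"]):
                continue  # already at or beyond the fixed version
            due = date.fromisoformat(adv["due_date"])
            findings.append({
                "host": asset["host"],
                "cve": adv["cve"],
                "product": adv["product"],
                "installed": asset["version"],
                "fixed_in": adv["fixed_in"],
                "due_date": adv["due_date"],
                "overdue": due < today,
            })
    findings.sort(key=lambda f: (f["due_date"], f["host"]))
    return findings


def demo_triage():
    """Run the triage on the constructed data as of an assumed date."""
    return triage(FEED_JSON, INVENTORY_JSON, date(2021, 11, 20))


if __name__ == "__main__":
    for f in demo_triage():
        flag = "OVERDUE" if f["overdue"] else "open"
        print(f"{flag:8} due {f['due_date']} {f['cve']} {f['host']} "
              f"{f['product']} {f['installed']} -> fix in {f['fixed_in']}")
```

On the constructed data only vpn-edge-01 (4.9.11, below the 4.10.2 fix, and past its due date) and web-01 (a 9.0.0 release candidate, below 9.0.1) are reported; vpn-edge-02 sits exactly at the fixed version and mail-01 is beyond it. In practice the inventory would come from a CMDB or asset scanner and the feed from a published exploited-vulnerabilities source, and the findings list is what gets shared with CISA under the reporting step.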

Related: CISA Reminds of Risks Connected to Managed Service Providers

Related: NSA, CISA Issue Guidance on Selecting and Securing VPNs

Related: CISA Releases Remote Access Guidance for Government Agencies

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
