Incident Response Playbook for Home/SMB IoT Compromise
Containment is about stopping damage. In small networks, containment can be straightforward:
- Disconnect the suspected device from Wi‑Fi or unplug Ethernet.
- If you can’t disconnect it physically, block it at the router or firewall.
- Disable remote management and UPnP temporarily to prevent new exposures.
- If a vendor account looks compromised, change the password and revoke sessions immediately.
Step 3: Decide on eradication path (reset, reflash, or retire)
For many IoT devices, the safest eradication path is a factory reset followed by a firmware update from a trusted source. Some devices support secure reflash or verified firmware; others do not. If you cannot confidently restore a device to a known-good state, replacement may be the right security decision.
Step 4: Recover with better controls than before
Recovery is not “put it back the same way.” Recovery is “put it back in a safer way.” Do the following during recovery:
- Place the device in the correct segment (usually the IoT network, not the trusted LAN).
- Set unique credentials; disable default/guest accounts.
- Disable unused services and remote admin features.
- Enable MFA on any related cloud dashboards.
- Re-scan and verify that only the exposure you intended remains (no extra open ports, remote admin, or UPnP mappings).
Step 5: Document and learn (your future self will thank you)
Write down what happened, how you detected it, and what you changed. In small environments, incident documentation can be short, but it should include:
- Time and trigger (what made you suspicious).
- Devices involved and their network segment.
- Actions taken (disconnect, password changes, reset, firmware updates).
- Verification results (post-fix scan findings).
- Preventive improvements (segmentation, disable UPnP, stronger auth).
A few common “gotchas” in real incidents
1) Reusing old credentials after reset
If a device was compromised, assume credentials are known to an attacker. Using the same password after a reset can lead to rapid re-compromise. Use a new, unique password.
2) Forgetting the router is part of the incident scope
If the router itself is compromised (or misconfigured via UPnP/port forwarding), you may have recurring issues. Consider changing router admin credentials and updating router firmware as part of incident response.
3) Leaving devices in the trusted LAN
Many compromises become serious because IoT devices had access to trusted systems. Segmentation is the best long-term prevention.
WatchDog tie-in: Use WatchDog before and after incident response. The “before” scan helps you understand what changed; the “after” scan is your proof that containment and recovery worked.
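As an added example (not code from this playbook or from WatchDog itself), here is a small Python check for the re-scan in Step 4 and the before/after comparison above: it diffs two scan snapshots and flags anything in the post-recovery scan that goes beyond the exposure you intended to keep. The snapshot format, device name, segments and ports are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DeviceSnapshot:  # one device as seen by a scan (constructed format, not WatchDog's)
    name: str
    segment: str                            # e.g. "trusted-lan" or "iot"
    open_ports: frozenset                   # TCP ports reachable from the LAN side
    remote_admin: bool                      # WAN/cloud remote management enabled
    upnp_mappings: frozenset = frozenset()  # WAN ports mapped via UPnP

def diff_snapshots(before, after):
    """Per-device changes between the 'before' and 'after' scans, keyed by device name."""
    changes = {}
    for name in set(before) | set(after):
        b, a = before.get(name), after.get(name)
        if b is None or a is None:
            changes[name] = {"status": "new" if b is None else "removed"}
            continue
        changes[name] = {
            "ports_closed": sorted(b.open_ports - a.open_ports),
            "ports_opened": sorted(a.open_ports - b.open_ports),
            "segment": (b.segment, a.segment) if b.segment != a.segment else None,
            "upnp_removed": sorted(b.upnp_mappings - a.upnp_mappings),
        }
    return changes

def verify_expected_exposure(after, expected):
    """List anything in the post-recovery scan that exceeds the exposure you intended."""
    violations = []
    for name, want in expected.items():
        dev = after.get(name)
        if dev is None:
            violations.append(f"{name}: not seen in post-recovery scan")
            continue
        extra = dev.open_ports - want["ports"]
        if extra:
            violations.append(f"{name}: unexpected open ports {sorted(extra)}")
        if dev.segment != want["segment"]:
            violations.append(f"{name}: in segment {dev.segment!r}, expected {want['segment']!r}")
        if dev.remote_admin:
            violations.append(f"{name}: remote admin still enabled")
        if dev.upnp_mappings:
            violations.append(f"{name}: UPnP mappings still present {sorted(dev.upnp_mappings)}")
    return violations

# Constructed sample: a camera exposing telnet plus a UPnP mapping on the trusted LAN, then reset and moved.
BEFORE = {"cam-porch": DeviceSnapshot("cam-porch", "trusted-lan", frozenset({23, 80, 554}), True, frozenset({8080}))}
AFTER = {"cam-porch": DeviceSnapshot("cam-porch", "iot", frozenset({80, 554}), False)}
EXPECTED = {"cam-porch": {"segment": "iot", "ports": frozenset({554})}}  # intended: RTSP only
```

Running the check on the sample still reports the camera's web port 80, which is exactly the kind of leftover exposure the "after" scan exists to catch.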