Cyber Incident: What to Do in the First 24 Hours
When a cyber incident strikes, the first 24 hours are critical. Immediate steps include isolating affected systems, activating your incident response team, preserving forensic evidence, and notifying the right stakeholders. Under GDPR, you have 72 hours to report a personal data breach to the supervisory authority. The average cost of a data breach is $4.88 million (IBM, 2024); acting fast limits the damage significantly.
The First 30 Minutes: Immediate Response
The moments immediately after discovering an incident are chaotic. Here is what to prioritize in the first half hour:
- Do not panic and do not act impulsively. Hasty actions can destroy forensic evidence and spread the incident further.
- Activate your incident response team. Alert your CISO, IT security lead, and legal counsel immediately. If you have an IR retainer, call your provider now.
- Identify the scope. What systems are affected? Is the attack ongoing? Is data being exfiltrated right now?
- Isolate, do not shut down. Disconnect affected systems from the network, but do not power them off. Running memory contains forensic evidence that is lost on shutdown.
- Start a war room log. Document every action taken with timestamps. This log is essential for forensics, legal proceedings, and regulatory reporting.
The 8-Step Incident Response Plan
Step 1: Preparation (before it happens)
The best time to prepare for an incident is before it occurs. This means having a tested incident response plan, defined roles and escalation paths, contact lists for your IR provider, legal counsel and regulators, and pre-negotiated access to forensic tools and expertise.
Step 2: Detection and identification
Confirm that an incident has actually occurred. Distinguish between a genuine security incident, a false positive, and an IT outage. Document indicators of compromise (IoCs), affected systems, and the suspected attack vector (phishing, vulnerability exploit, insider, supply chain, etc.).
Step 3: Containment
Prevent the incident from spreading. Isolate affected systems at the network level (VLANs, firewall rules, physical disconnection). Disable compromised accounts. Block known malicious IP addresses and domains. Distinguish between short-term containment (stop the bleeding) and long-term containment (stable isolated environment for investigation).
Step 4: Evidence preservation
Before cleaning up, capture forensic evidence. Create disk images of affected systems. Collect memory dumps from running systems before shutdown. Export relevant logs (SIEM, firewall, endpoint, cloud) and preserve their integrity with cryptographic hashes. Maintain chain of custody documentation if legal action is likely.
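The war room log from the first 30 minutes and the evidence-integrity requirement in Step 4 can be handled by the same tooling: hash every collected artifact at collection time, and record each custody action in an append-only log where every entry commits to the previous one, so a later edit or deletion is detectable. The following Python is an added illustration of that approach, not code from DEFION or from any forensic suite; the file names, analyst name and log contents are constructed sample data.

```python
"""Evidence manifest with SHA-256 hashes plus a hash-chained chain-of-custody log.

Added example: the analyst name, file names and log contents below are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only custody log. Each entry's hash covers the previous entry's hash,
    so editing or dropping any earlier entry breaks every later link."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def add(self, action, actor, detail, timestamp=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        body = {"timestamp": ts, "actor": actor, "action": action,
                "detail": detail, "prev_hash": prev}
        body["entry_hash"] = self._digest(body)
        self.entries.append(body)
        return body["entry_hash"]

    @staticmethod
    def _digest(body):
        # Canonical JSON (sorted keys) so the same entry always hashes identically.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """Recompute the whole chain; False if any entry was altered or reordered."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def collect_evidence(paths, actor, log):
    """Hash each artifact, record it in the manifest and log the collection action."""
    manifest = {}
    for p in paths:
        name = os.path.basename(p)
        digest = sha256_file(p)
        manifest[name] = {"sha256": digest, "size": os.path.getsize(p)}
        log.add("collected", actor, f"{name} sha256={digest}")
    return manifest


def verify_evidence(paths, manifest):
    """Return the names of artifacts whose current hash no longer matches the manifest."""
    return [os.path.basename(p) for p in paths
            if sha256_file(p) != manifest[os.path.basename(p)]["sha256"]]


def demo():
    """Collect two constructed exports, then show both integrity checks catching tampering."""
    with tempfile.TemporaryDirectory() as d:
        fw = os.path.join(d, "firewall.log")
        edr = os.path.join(d, "edr-export.json")
        with open(fw, "w") as f:  # constructed sample export
            f.write("2024-05-01T10:00:00Z DENY 10.0.0.5 -> 203.0.113.9:443\n")
        with open(edr, "w") as f:  # constructed sample export
            f.write('{"host": "ws-017", "alert": "suspicious powershell"}\n')
        log = CustodyLog()
        manifest = collect_evidence([fw, edr], "analyst-1", log)
        untouched = verify_evidence([fw, edr], manifest)      # expected: []
        with open(fw, "a") as f:
            f.write("tampered\n")
        tampered = verify_evidence([fw, edr], manifest)       # expected: ["firewall.log"]
        chain_ok = log.verify()                                # expected: True
        log.entries[0]["detail"] = "edited after the fact"
        chain_broken = log.verify()                            # expected: False
        return untouched, tampered, chain_ok, chain_broken


if __name__ == "__main__":
    print(demo())
```

The manifest alone proves that an artifact is unchanged since collection; the chained log proves that the record of who handled it, and when, is unchanged too. Both should be written to a location the compromised environment cannot reach, and the final chain hash can be read out to the war room log by hand.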
Step 5: Eradication
Remove the threat from your environment. This includes removing malware, closing exploited vulnerabilities, revoking attacker-created accounts or persistent access mechanisms, and patching the systems that were compromised. Verify that the attacker has no remaining footholds before proceeding.
Step 6: Recovery
Restore systems from verified clean backups. Reset all credentials that may have been exposed. Increase monitoring on recovered systems and watch for signs of re-infection. Restore business operations in a controlled, staged manner, starting with the most critical systems.
Step 7: Communication and notification
Manage internal and external communications carefully. Keep leadership informed with regular situation updates. Notify affected customers and partners if their data was compromised. Engage PR counsel if media attention is likely. File regulatory notifications within required timeframes (see GDPR section below).
Step 8: Post-incident review
Within 1-2 weeks after the incident is resolved, conduct a thorough post-incident review. What happened? How did the attacker get in? What went well in the response? What failed? Update your incident response plan, patch additional vulnerabilities, and implement improved detection controls to prevent recurrence.
What NOT to Do During a Cyber Incident
- Do not immediately wipe affected systems. You will destroy forensic evidence needed to understand the attack and comply with regulatory requirements.
- Do not pay the ransom without expert advice. Payment does not guarantee data recovery, may fund criminal organizations, and can violate sanctions regulations in some jurisdictions.
- Do not communicate over compromised channels. If email or Slack is compromised, use out-of-band communication (phone, Signal, separate devices).
- Do not make public statements without legal review. Inaccurate public statements about an incident can create significant legal liability.
- Do not try to handle it alone. Incident response is a specialized skill. Engaging external expertise early reduces total cost and improves outcomes.
GDPR: The 72-Hour Reporting Obligation
If the incident involves a personal data breach, GDPR Article 33 requires notification to the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach poses a high risk to individuals' rights and freedoms, you must also notify affected individuals directly (Article 34).
Key points for GDPR breach notification:
- The 72-hour clock starts when you become aware, not when the breach occurred
- If you cannot provide full details within 72 hours, you can submit an initial notification and supplement it later
- Document your decision-making process, even if you decide not to notify
- Under NIS2, significant incidents must also be reported to the national competent authority within 24 hours (early warning)
Failure to notify within the required timeframe can result in fines of up to €10 million or 2% of global annual turnover under GDPR.
The Cost of a Cyber Incident
The IBM Cost of a Data Breach Report 2024 found that the global average cost of a data breach reached $4.88 million, the highest figure ever recorded. This includes direct costs (forensics, legal, notification, regulatory fines) and indirect costs (business disruption, customer loss, reputational damage, increased insurance premiums).
Organizations with an incident response retainer in place resolved breaches 54 days faster than those without, significantly reducing total cost. Having a tested IR plan and a trusted IR provider on retainer is one of the highest-ROI investments in cybersecurity.
Frequently Asked Questions About Incident Response
What is an incident response retainer?
An IR retainer is a pre-negotiated agreement with an incident response provider that gives you guaranteed access to their team when an incident occurs. Retainer clients receive priority response, pre-agreed rates, and typically annual readiness reviews to ensure the relationship is ready when you need it.
Should we pay a ransom demand?
This is a decision that should never be made without legal, forensic, and cyber insurance counsel. There is no guarantee that paying restores data. Many organizations that pay are attacked again within months. Law enforcement and regulators generally advise against payment. Engage experts before making any decision.
How do we know if we have been breached?
Common indicators include: unusual outbound network traffic, unexpected account lockouts, ransomware notifications, files encrypted or renamed, security alerts from endpoint tools, or external notification (from a threat intel provider, law enforcement, or a third party). Many breaches are discovered by third parties months after initial compromise.
What is a tabletop exercise?
A tabletop exercise is a facilitated discussion-based simulation of a cyber incident. Key stakeholders (IT, legal, communications, management) walk through a realistic scenario to identify gaps in your incident response plan before a real incident occurs. DEFION offers tabletop exercises as part of its Incident Response Readiness service.
How long does incident response take?
Containment of an active incident typically takes 24-72 hours for straightforward cases. Full investigation, eradication, and recovery can take 1-4 weeks depending on the scale and complexity of the attack. Post-incident review and hardening activities extend the timeline further.
What is the difference between incident response and digital forensics?
Incident response focuses on containing and resolving the incident as quickly as possible. Digital forensics is the systematic investigation and documentation of what happened, how, and why. Forensics is often conducted during and after incident response, and its findings are essential for legal proceedings, regulatory reporting, and preventing recurrence.
Under attack right now? We respond 24/7.
Call our incident hotline immediately: +31 88 733 13 37. Not under attack? Get prepared with an Incident Response Retainer before you need it.