You need to contain the attack, preserve evidence, involve the right people (including legal), and then systematically eradicate, recover, and notify as required.
☑️ Immediate actions (next 0–4 hours)
Disconnect or isolate affected systems from the network (pull network cables, disable switch ports, VLAN‑isolate, power off only if you cannot isolate). The goal is to stop lateral movement and data exfiltration while preserving disks and logs.
Disable compromised accounts and enforce password resets for high‑risk accounts (admins, VPN, remote access, service accounts). Consider forcing MFA re‑enrollment if identity compromise is suspected.
Preserve evidence: take forensic images or snapshots of key servers/endpoints, export logs from firewalls, EDR, email, VPN, identity providers, and cloud platforms before rotation or tampering.
Activate your incident response team and escalation path: include IT/security, legal, executive leadership, and communications/PR if customer or public impact is possible.
If ransomware or extortion is involved, do not engage directly with attackers; contact legal and, where appropriate, law enforcement or a specialist incident response firm.
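Evidence preserved under the step above is only useful later if you can show it was not altered after collection. The following is an added example (not part of the original checklist): a small Python helper that records a SHA-256 manifest for exported log files at collection time and re-checks them later; the file names, collector name and source label are constructed for the demo.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Hypothetical evidence-manifest helper (added example). It hashes each
# exported artifact once at collection and lets you re-verify it later,
# so a rotated, truncated or edited export is detected rather than trusted.

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(paths, collector, source):
    """One entry per evidence file: path, hash, size, UTC time, who/where from."""
    now = datetime.now(timezone.utc).isoformat()
    return [{"path": os.path.abspath(p), "sha256": sha256_file(p),
             "size": os.path.getsize(p), "collected_at": now,
             "collector": collector, "source": source} for p in paths]

def verify_manifest(manifest):
    """Re-hash every file; return the paths whose hash or size no longer match."""
    bad = []
    for e in manifest:
        p = e["path"]
        if (not os.path.exists(p) or os.path.getsize(p) != e["size"]
                or sha256_file(p) != e["sha256"]):
            bad.append(p)
    return bad

def demo():
    # Constructed sample: two fake log exports in a scratch directory.
    d = tempfile.mkdtemp()
    vpn = os.path.join(d, "vpn-export.log")
    idp = os.path.join(d, "idp-signins.json")
    with open(vpn, "w") as f:
        f.write("2024-01-01T10:00:00Z user=alice src=203.0.113.5 action=connect\n")
    with open(idp, "w") as f:
        f.write('{"user":"svc-backup","result":"success"}\n')
    manifest = build_manifest([vpn, idp], collector="ir-analyst", source="vpn+idp")
    clean = verify_manifest(manifest)      # [] right after collection
    with open(vpn, "a") as f:              # simulate a later overwrite/rotation
        f.write("appended after collection\n")
    return clean, verify_manifest(manifest), manifest

if __name__ == "__main__":
    clean, changed, _ = demo()
    print("clean at collection:", clean == [], "| changed later:", changed)
```

Store the manifest (and ideally a signed copy) separately from the evidence itself so the record survives if the original host is rebuilt.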
☑️ Short‑term steps (next 1–3 days)
Identify the scope and root cause: determine how attackers got in (phishing, RDP, VPN, web app, supply chain), what systems they touched, and what data they accessed or exfiltrated.
Increase monitoring on endpoints, network, and identity systems to catch any re‑entry attempts.
Begin recovery:
Restore systems from known‑good backups, verifying they are clean before returning them to production.
Bring services online in a prioritized order (critical business functions and safety systems first).
Work with legal/privacy counsel to determine notification obligations (customers, employees, regulators) based on what data was involved and your jurisdictions (for U.S. businesses, see FTC data breach guidance).
☑️ Communication and notification
Prepare internal communications so staff know what happened in high‑level terms, what to watch for (phishing, suspicious login prompts), and how to route questions; keep messages factual and avoid speculation.
For affected customers or partners, provide: what happened, what data may be involved, what you are doing, and what they should do (password changes, monitoring, credit freezes, etc.). Many guides recommend considering credit monitoring or similar protections for impacted individuals where appropriate.
Ensure only designated spokespeople (often legal/PR) speak externally to regulators, media, or law enforcement, consistent with incident response best practices.
☑️ Regulatory, legal, & law enforcement
Consult counsel experienced in privacy/security to interpret breach notification and reporting requirements (e.g., sector‑specific rules, state breach laws, international data protection laws).
Document all actions, findings, and decisions (timelines, systems, people, data types) to support legal, regulatory, and insurance needs, as recommended in standard incident‑handling guidance.
Consider contacting law enforcement or national CERT, especially for large breaches, ransomware, critical infrastructure, or cross‑border impacts, in line with NIST incident handling guidance.
☑️ After the dust settles
Conduct a formal post‑incident review (lessons‑learned meeting) to answer: what failed, what worked, what must change; SANS and NIST both treat this as a required phase of the incident lifecycle.
Update and test your incident response plan, security controls, and training: tighten access controls, improve logging and monitoring, review backup and recovery strategies, and run tabletop or technical exercises at least annually.
If you share a bit more detail (ransomware vs. data theft, on‑prem vs. cloud, size of your environment) via our contact page, a more tailored step‑by‑step runbook can be outlined for your specific situation.