The first 48 hours following a cyber attack are crucial for limiting damage and setting the direction of the recovery. The actions taken during this period directly affect how quickly the breach is contained, how much data is lost, and how fast business operations are restored. To handle a breach efficiently, organisations should have an incident response plan in place before it happens; a rehearsed plan reduces the stress and confusion of this critical period.
Immediate response: the first 4 hours of a cyber attack
The first few hours after a breach are about gaining control. Start with an initial triage to assess the breach's scope: what has been affected, how it was detected and what is still actively happening. This step helps you understand the severity of the situation and lets you communicate accurately with internal teams and external stakeholders. Equally important is having a detailed overview of your IT environment (asset inventory, network layout, identity provider, logging sources) and your existing security controls. Gaps in this knowledge will delay your response.
In these early hours, engaging senior stakeholders is key to streamlining decisions. The people who detect the breach may not have the authority to engage an incident response provider, retain legal counsel or approve emergency expenditure, so the decision-makers need to be involved from the start.
Involving an external incident response specialist early can be highly beneficial: they provide immediate technical guidance, which speeds up resolution. If you don't have a retainer with an incident response team, talk to your cyber security provider or cyber insurer about vetted vendors.
By the end of the first four hours you should have a written record of the initial triage, a completed handover of information about the IT environment, and initial technical advice on how to contain the incident and preserve critical evidence.
Project coordination and evidence collection: the first 12 hours of a cyber attack
Once the business priorities are understood, the lead incident manager sets the technical response strategy and prioritises the individual technical tasks. They also define the budget that the business needs to approve.
In these first 12 hours the technical team is responsible for collecting evidence, producing threat intelligence and monitoring security tools to help contain the incident. Volatile evidence (memory, running processes, active network connections, logs with short retention) should be captured before containment actions such as rebooting or re-imaging hosts destroy it.
Containment: the first 24 hours of a cyber attack
Containing the breach within the first 24 hours is essential to prevent further damage. At this stage, focus shifts to cutting off the attacker's access and halting the spread of the breach. Effective containment involves:
User management: Resetting passwords (starting with privileged and service accounts), revoking active sessions and tokens (a password reset alone does not end sessions that are already authenticated), enforcing multi-factor authentication, and identifying and disabling rogue accounts.
Network control: Limiting inbound and outbound connections to only known, trusted sources, and isolating hosts confirmed as compromised from the rest of the network.
Asset monitoring: Deploying Endpoint Detection & Response (EDR) tools to detect, block and remove malware, covering servers and cloud workloads as well as user endpoints.
By the end of the first day, EDR should be deployed across the estate and continuous monitoring should be in place, so that any attempt by the attacker to re-enter is seen immediately.
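As an added example (not code from the original article), the following Python script shows the "identifying rogue accounts" step in practice: it parses a handful of constructed Windows Security audit events and flags accounts that were created, added to a privileged group or had their password reset inside the incident window, excluding changes covered by an approved change ticket. The event lines, account names, incident start time and approved-change list are all assumptions made for the example.

```python
from __future__ import annotations

import csv
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from io import StringIO

# Windows Security audit event IDs used in this triage.
ACCOUNT_CREATED = 4720          # "A user account was created"
PASSWORD_RESET = 4724           # "An attempt was made to reset an account's password"
ADDED_TO_GROUP = {4728, 4732}   # member added to a global / local security group
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed sample events for the example (tab-separated):
# timestamp, event ID, actor (subject account), target account, group or "-".
SAMPLE_EVENTS = """\
2024-05-02T09:30:00Z\t4720\tj.smith\tm.jones\t-
2024-05-03T21:15:02Z\t4720\tsvc-backup\tsupport01\t-
2024-05-03T21:16:40Z\t4732\tsvc-backup\tsupport01\tAdministrators
2024-05-03T22:02:11Z\t4728\tsvc-backup\tsupport01\tDomain Admins
2024-05-04T08:05:13Z\t4724\tsvc-backup\tadministrator\t-
2024-05-04T08:10:00Z\t4720\thelpdesk\tn.patel\t-
"""

# Assumed start of the incident window, taken from the initial triage.
INCIDENT_START = datetime(2024, 5, 3, 20, 0, tzinfo=timezone.utc)

# Assumed approved change list: (event ID, target account) pairs backed by a ticket.
APPROVED_CHANGES = {(ACCOUNT_CREATED, "n.patel")}


@dataclass(frozen=True)
class Event:
    when: datetime
    event_id: int
    actor: str
    target: str
    detail: str


def parse_events(text: str) -> list[Event]:
    """Parse tab-separated audit lines; malformed lines are skipped, not fatal."""
    events = []
    for row in csv.reader(StringIO(text), delimiter="\t"):
        if len(row) != 5:
            continue
        when = datetime.strptime(row[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, int(row[1]), row[2], row[3], row[4]))
    return events


def find_rogue_accounts(events, window_start, approved):
    """Return (flagged_targets, suspect_actors).

    flagged_targets maps an account to the reasons it should be disabled or
    reviewed; suspect_actors maps the account that made each flagged change
    to what it did, since that account is usually the compromised one.
    """
    flagged = defaultdict(list)
    actors = defaultdict(list)
    for e in events:
        if e.when < window_start or (e.event_id, e.target) in approved:
            continue
        if e.event_id == ACCOUNT_CREATED:
            reason = f"created by {e.actor} at {e.when:%Y-%m-%d %H:%M}Z"
        elif e.event_id in ADDED_TO_GROUP and e.detail in PRIVILEGED_GROUPS:
            reason = f"added to {e.detail} by {e.actor}"
        elif e.event_id == PASSWORD_RESET:
            reason = f"password reset by {e.actor}"
        else:
            continue
        flagged[e.target].append(reason)
        actors[e.actor].append(f"{e.event_id} on {e.target}")
    return dict(flagged), dict(actors)


if __name__ == "__main__":
    flagged, actors = find_rogue_accounts(parse_events(SAMPLE_EVENTS), INCIDENT_START, APPROVED_CHANGES)
    for account, reasons in flagged.items():
        print(f"DISABLE/REVIEW {account}: " + "; ".join(reasons))
    for account, actions in actors.items():
        print(f"SUSPECT ACTOR {account}: " + ", ".join(actions))
```

On the sample data this flags `support01` (created and made a domain and local administrator during the window) and the built-in `administrator` (password reset during the window), and names `svc-backup` as the suspect actor behind all four changes; `m.jones` predates the window and `n.patel` is covered by the approved change, so neither appears. In a real incident the actor list is as important as the target list: disabling the rogue account while leaving the service account that created it untouched just invites the attacker to create another.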
Investigating the breach: the first 36 hours of a cyber attack
During the first two days you are unlikely to learn much about the incident, so the initial priority is to preserve critical evidence. Once there is capacity to investigate, the first goals are targeted: determine the point of entry, which informs the appropriate containment actions, and establish whether any data was stolen, which informs the legal and regulatory response.
It is also crucial to determine how far the threat actor moved around the network and where they established persistent access, because that determines which systems must be rebuilt or cleaned before restoration and recovery.
Restoring and recovering the network: the first 48 hours of a cyber attack
Recovery should begin after containment, starting with verifying that backups are viable for restoration: that they exist, are intact, were not reachable by the attacker and, for system images, predate the intrusion, otherwise you may restore the attacker's persistence along with the data.
Next, identify the critical systems and the order in which they should be restored to serve the business priorities. Are there systems that must be restored before others can function, such as directory services or DNS? Which systems are essential for business operations? For example, Microsoft Teams so that staff can communicate, or the payment portal so that you can start generating revenue again.
Then the recovery can begin. Each system should be checked before it is reconnected to ensure that it is functioning properly and is clear of any persistent threats. The last thing you want is to restore an entire network only for the threat actor to regain access easily and attack again.
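As an added example (not part of the original article), the following Python script turns the questions above into a restore plan: given an inventory of systems with a business-criticality score, their dependencies and whether each backup has been verified, it returns the order in which to restore them (dependencies first, most critical first among those that are ready) and lists the systems that cannot be restored yet because their own backup is unverified or something they depend on is blocked. The inventory, scores and dependencies are constructed for the example.

```python
import heapq

# Constructed inventory for the example: name -> (criticality 1..5, depends_on, backup_verified).
# Criticality and dependencies would come from the business priorities agreed in the first hours.
SYSTEMS = {
    "active-directory": (5, [], True),
    "dns":              (5, [], True),
    "payments-db":      (5, ["active-directory"], True),
    "payment-portal":   (5, ["active-directory", "dns", "payments-db"], True),
    "teams-gateway":    (4, ["active-directory", "dns"], True),
    "file-server":      (3, ["active-directory", "dns"], False),
    "intranet":         (2, ["active-directory", "file-server"], True),
}


def plan_restore(systems):
    """Return (order, blocked).

    order lists the systems that can be restored now, each after everything it
    depends on, with the most business-critical first when several are ready.
    blocked maps systems that cannot be restored yet to the reason: their own
    backup is unverified, or they depend on a system that is blocked or unknown.
    """
    blocked = {name: "backup not verified" for name, (_, _, ok) in systems.items() if not ok}
    changed = True
    while changed:  # propagate blocks to dependents until nothing new is blocked
        changed = False
        for name, (_, deps, _) in systems.items():
            if name in blocked:
                continue
            bad = [d for d in deps if d in blocked or d not in systems]
            if bad:
                blocked[name] = f"depends on {bad[0]}"
                changed = True

    # Every dependency of a remaining system is itself remaining, so Kahn's
    # algorithm over this set gives a valid order; the heap picks the most
    # critical ready system first (name breaks ties for determinism).
    remaining = {n for n in systems if n not in blocked}
    indegree = {n: len(set(systems[n][1])) for n in remaining}
    ready = [(-systems[n][0], n) for n in remaining if indegree[n] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for dependent in remaining:
            if name in systems[dependent][1]:
                indegree[dependent] -= 1
                if indegree[dependent] == 0:
                    heapq.heappush(ready, (-systems[dependent][0], dependent))
    if len(order) != len(remaining):
        cycle = sorted(remaining - set(order))
        raise ValueError("dependency cycle among: " + ", ".join(cycle))
    return order, blocked


if __name__ == "__main__":
    order, blocked = plan_restore(SYSTEMS)
    for step, name in enumerate(order, 1):
        print(f"{step}. restore {name}, verify clean, then continue")
    for name, why in blocked.items():
        print(f"BLOCKED {name}: {why}")
```

For the constructed inventory the plan is active-directory, dns, payments-db, payment-portal, then teams-gateway; file-server is blocked until its backup is verified, and intranet is blocked because it depends on file-server. The main loop's output reflects the point made above: each restored system is verified clean before the next one, which will trust it, is brought up. A dependency cycle in the inventory is reported as an error rather than silently producing a partial plan.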
The first 48 hours of a breach are focused on minimising damage, preserving evidence, and setting up a clear path for recovery. Fast, informed action supported by a well-defined incident response plan can drastically reduce downtime, costs, and long-term business impacts.
Cyber insurance
Some cyber insurers offer an element of incident response, but make sure you know what your policy includes and under what circumstances it can be activated. Not all cyber insurance is the same: although your contract may mention incident response, it may only mean that your insurer will notify an incident response team, which does not guarantee that the team will have the capacity to help you without a retainer or a previous relationship.