Principles before procedures

Do not panic. Do not pull cables blindly. Poorly-chosen containment actions destroy forensic evidence.
Document everything from minute one. Timestamps, who did what, what was observed. This becomes your regulatory and legal record.
Engage legal and breach coach counsel early. Privilege attaches to communications through counsel, not through your internal security team.
Do not communicate externally about the incident until legal has cleared it. No tweets, no customer emails, no vendor calls.
Assume the adversary is watching your response. Use out-of-band communications (phone, Signal, dedicated ticketing).

Hour 0-1: Initial triage

Incident Commander designated (typically CISO or on-call security lead)
Scribe designated (takes notes, timestamps, records decisions)
Out-of-band communication channel established (Signal group, dedicated Teams/Slack with audit logging off the compromised tenant)
Legal counsel notified
Initial severity assessment: what is compromised, what is the blast radius
Preserve initial evidence (screenshots, log snapshots, endpoint state)
Do NOT reboot, reimage, or restore systems. You are destroying evidence

Hour 1-4: Containment without destruction

Isolate affected systems at the network layer (firewall rules, not power-off)
Disable compromised user accounts, revoke active sessions
Rotate credentials accessible to compromised systems (API keys, service account tokens, database passwords)
Preserve memory images for forensic analysis if feasible
Snapshot affected systems at hypervisor or cloud provider level
Preserve network traffic captures if available
Begin timeline reconstruction

Hour 4-12: Scope assessment

Engage external forensic firm if internal capability is limited (pre-selected via IR retainer is faster)
Notify cyber insurance carrier (required under most policies, affects coverage)
Begin log analysis: what did the adversary access? For how long?
Identify initial access vector (phishing, exploit, valid creds, supply chain)
Assess lateral movement extent
Determine data exfiltration (check egress logs, DLP alerts, unusual outbound traffic)
Identify regulatory notification triggers (HIPAA, GDPR, state breach laws, SEC 4-day, NYDFS 72-hour)

Hour 12-24: Stakeholder notification

Executive team briefed with current facts and open questions (not speculation)
Board notified per policy
Legal drafts initial regulatory notifications (may not send yet, but prepare)
Public relations engaged for potential external communications
If SEC-reporting company: materiality determination begins formally
Decision on law enforcement engagement (FBI, Secret Service, local)

Hour 24-48: Eradication

Remove adversary persistence (backdoors, scheduled tasks, registry changes, cron jobs, rogue service accounts)
Patch exploited vulnerabilities
Rebuild compromised systems from known-good sources (not restore from backup if backup may be compromised)
Rotate all credentials that could have been accessed
Revoke all long-lived API tokens, certificates accessible from compromised systems
Update firewall and EDR rules to block observed adversary tooling and IPs

Hour 48-72: Recovery and notification

Restore operations on verified clean systems
Enhanced monitoring for 30-90 days post-incident (adversaries often return)
File required regulatory notifications within required windows
Customer notifications per contract and regulatory requirements
Media statement if applicable (legal-cleared only)
Begin post-incident review

Scenario-specific notes

Ransomware

Do NOT pay without legal and insurance carrier approval
Check OFAC sanctions screening before any payment consideration (US Treasury prohibits payments to sanctioned entities)
Confirm backup integrity and connectivity to air-gapped storage
Preserve ransom note and adversary communications for forensics and attribution
NYDFS regulated entities: 24-hour notification on ransom payment plus 30-day written justification

Business Email Compromise (BEC)

Identify mailbox rules set by adversary (auto-forwarding, deletion rules)
Revoke all OAuth tokens on the affected tenant
Check for any wire transfers initiated or modified. Contact bank within hours (often reversible within 24-72 hours)
Review related-communication patterns for other compromised mailboxes
Contact FBI IC3 within 72 hours for wire fraud reporting (helps with kill chain for recovery)

Credential compromise

Disable account; do not just force password reset
Revoke all sessions and tokens for the account
Review what systems the credential accessed in the last 30 days
Check for privilege escalation or lateral movement from the account
Audit for creation of additional accounts or modification of existing ones

Data exfiltration

Preserve the evidence of what was taken (access logs, egress data volumes)
Classify exfiltrated data categories (PII, PHI, cardholder data, trade secrets, regulated data)
Notification triggers determined by classification and jurisdiction
Assess dark-web exposure (specialized firms monitor for your data appearing for sale)

Regulatory notification quick reference

Regulator	Trigger	Timeline
SEC (public companies)	Material cyber incident	4 business days from materiality determination
NYDFS (regulated financial)	Cybersecurity event	72 hours
NYDFS (ransom payment)	Ransom paid	24 hours for notification, 30 days for written justification
HHS OCR (HIPAA)	Breach of unsecured PHI	60 days for notification (affected individuals, HHS, media for 500+)
GDPR (EU data)	Personal data breach	72 hours to supervisory authority
State breach laws	Varies by state	30-60 days typical; some require AG notification
CISA (critical infrastructure under CIRCIA)	Substantial cyber incident	72 hours (once CIRCIA final rule effective)