Incident Response Checklist: First 72 Hours of a Data Breach

By Administrator, February 14, 2026

The first 72 hours after discovering a data breach define the outcome. Fumble the response, and you face extended dwell time, regulatory penalties, and reputational damage. Execute methodically, and you can contain the incident, preserve evidence, and demonstrate due diligence to regulators and stakeholders.

Hour 0–4: Initial Detection & Confirmation

  • Confirm the incident — Distinguish between false positive, security event, and confirmed breach
  • Activate the incident response team — IR lead, legal counsel, communications, executive sponsor
  • Establish a secure communication channel — Assume email and Slack may be compromised; use out-of-band communication (Signal, dedicated IR bridge line)
  • Begin incident documentation — Timestamp every action, decision, and finding from this point forward
  • Preserve volatile evidence — Memory dumps, network traffic captures, running process lists before any containment actions

Hour 4–12: Containment

  • Isolate compromised systems — Network isolation (not power-off — preserve memory), disable compromised accounts
  • Block known attacker infrastructure — IPs, domains, C2 addresses at firewall and DNS level
  • Reset credentials — All accounts with access to compromised systems; prioritize service accounts and domain admins
  • Revoke active sessions — Invalidate all OAuth tokens, SSO sessions, and VPN certificates for affected users
  • Assess blast radius — Determine lateral movement using EDR telemetry, authentication logs, and network flow data
  • Check dark web sources — Use SIA Watch Tower to determine if data has already appeared on leak sites or in threat actor communications

Hour 12–24: Investigation & Scoping

  • Determine initial access vector — Phishing, vulnerability exploitation, stolen credentials, or insider threat
  • Establish attacker timeline — When did the attacker gain access? How long was the dwell time?
  • Identify exfiltrated data — Review DLP logs, proxy logs, cloud storage access logs, and network egress patterns
  • Classify affected data — PII, PHI, financial data, intellectual property, credentials — this determines regulatory obligations
  • Engage forensics — If internal capability is insufficient, engage a third-party DFIR firm within the first 24 hours
  • Notify cyber insurance carrier — Most policies require notification within 24–72 hours of discovery

Hour 24–48: Stakeholder Communication

  • Brief executive leadership — Factual summary: what happened, what's affected, what's being done, what's unknown
  • Engage external legal counsel — Attorney-client privilege protects investigation findings; coordinate all communications through counsel
  • Assess regulatory notification requirements:

Key regulatory timelines:

  • GDPR — 72 hours to notify supervisory authority after becoming aware
  • UAE PDPL — "Without undue delay" notification to authorities
  • SEC (US public companies) — 4 business days for material cybersecurity incidents
  • HIPAA — 60 days to notify HHS and affected individuals
  • PCI DSS — Immediate notification to payment brands and acquiring bank
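The timed windows above turned into a deadline tracker that an IR lead can run from the discovery timestamp; this is an added example, not part of the original checklist. The regime-to-window mapping, the choice to start every clock at the same discovery time, and the weekend-only business-day rule are assumptions to confirm with counsel.

```python
from datetime import datetime, timedelta, timezone

# Fixed windows from the checklist, counted from the moment the organization
# becomes aware of the breach (hypothetical mapping; confirm with counsel).
FIXED_WINDOWS = {
    "GDPR": timedelta(hours=72),   # supervisory authority
    "HIPAA": timedelta(days=60),   # HHS and affected individuals
}
# Business-day windows. Assumption: the clock starts at the same discovery
# timestamp; weekends are skipped, public holidays are not modelled.
BUSINESS_DAY_WINDOWS = {"SEC": 4}
# Regimes with no numeric clock are carried as notes so they are not forgotten.
NO_FIXED_CLOCK = {
    "UAE PDPL": "without undue delay",
    "PCI DSS": "immediate notification to payment brands and acquiring bank",
}

def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `start` by `days` weekdays (Mon-Fri), preserving the time of day."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0=Mon .. 4=Fri
            days -= 1
    return current

def notification_deadlines(discovered_at: datetime) -> dict:
    """Map each regime to an aware deadline, or to a note if it has no fixed clock."""
    if discovered_at.tzinfo is None:
        raise ValueError("discovery time must be timezone-aware")
    deadlines = {name: discovered_at + w for name, w in FIXED_WINDOWS.items()}
    for name, days in BUSINESS_DAY_WINDOWS.items():
        deadlines[name] = add_business_days(discovered_at, days)
    deadlines.update(NO_FIXED_CLOCK)
    return deadlines

def deadline_status(discovered_at: datetime, now: datetime) -> list:
    """(regime, hours remaining) for timed regimes, soonest first; negative = overdue."""
    timed = [(n, d) for n, d in notification_deadlines(discovered_at).items()
             if isinstance(d, datetime)]
    return sorted(((n, (d - now).total_seconds() / 3600) for n, d in timed),
                  key=lambda item: item[1])

if __name__ == "__main__":
    # Constructed example: breach confirmed late on Friday 13 Feb 2026 (UTC).
    found = datetime(2026, 2, 13, 22, 0, tzinfo=timezone.utc)
    for regime, hours in deadline_status(found, found + timedelta(hours=30)):
        print(f"{regime:6} {hours:8.1f} h remaining")
```

Re-run it at each status briefing so the soonest regulatory clock, not the loudest stakeholder, sets the communication priority.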

Hour 48–72: Eradication & Recovery Planning

  • Remove attacker persistence — Backdoors, scheduled tasks, modified Group Policy, rogue accounts, web shells
  • Rebuild compromised systems — Clean rebuild from known-good images; never trust "cleaned" compromised systems
  • Implement emergency hardening — Additional monitoring, restricted network rules, enhanced logging
  • Draft external communications — Customer notification, press statement (if required), regulatory filings
  • Plan monitoring enhancement — Deploy additional detection for attacker TTPs specific to this incident

Post-Incident: Lessons Learned

Within 2 weeks of incident closure, conduct a structured retrospective:

  • What detection gaps allowed the breach to go undetected?
  • Where did the response process break down?
  • What tooling or telemetry would have enabled faster investigation?
  • What proactive intelligence (dark web monitoring, ASM) could have provided early warning?

Document findings and track remediation actions to completion. The goal is not blame — it's measurable improvement.

How SIA Force Helps

During a critical incident, context is everything. SIA Watch Tower helps incident responders understand if data has already leaked, while SIA Toolkit provides specialized tools for threat hunting and rapid forensic investigations.
