Incident Response

Incident Response Playbook: 72-Hour Breach Response Guide

Lars Schmidt
January 10, 2025
19 min read
Tags: Incident Response, Digital Forensics, SOC, Breach Response


Author: Yuki Tanaka, GCIH, GCFA, GREM | Last Updated: October 18, 2025

Executive Summary

The first 72 hours after detecting a security incident are critical. Organizations with a documented incident response plan contain breaches 54 days faster and save an average of €1.23M in breach costs (IBM Cost of Data Breach Report 2024).

After responding to 300+ security incidents including ransomware, data breaches, and APT campaigns, we've refined this playbook to provide clear, actionable guidance for the most critical phase of any security incident.

Key Statistics:

  • Average time to identify breach: 204 days
  • Average time to contain breach: 73 days
  • Cost of breaches <200 days: €3.61M
  • Cost of breaches >200 days: €4.88M
  • Speed matters!

Hour 0-1: Detection & Initial Response

Incident Detection Triggers

Common Detection Methods:

  1. Security Tools (45%)

    • SIEM alerts
    • EDR detections
    • IDS/IPS alerts
    • DLP violations
  2. User Reports (32%)

    • "My computer is acting strange"
    • "I can't access my files" (ransomware)
    • Suspicious emails
  3. Third-Party Notification (15%)

    • Law enforcement
    • Partner/customer notice
    • Security researcher
  4. Routine Audit (8%)

    • Log review
    • Penetration test findings

Immediate Actions (First 60 Minutes)

Step 1: Confirm the Incident (5 minutes)

VALIDATION CHECKLIST:
□ Is this a real security incident or false positive?
□ What is the indicator of compromise (IoC)?
□ Which systems/data are affected?
□ Is the threat still active?

Examples:
✅ REAL: Ransomware encryption in progress
✅ REAL: Unauthorized access to database
✅ REAL: Data exfiltration detected
❌ FALSE: Authorized pen-test activity
❌ FALSE: Known security tool behavior

Step 2: Activate Incident Response Team (10 minutes)

Core IRT Members:

  • Incident Commander: Overall coordination (CISO or designee)
  • Technical Lead: Forensics, containment (SOC Manager)
  • Communications: Internal/external messaging (PR/Legal)
  • Legal Counsel: Regulatory obligations, liability
  • Management: Executive decisions, resource allocation

Notification Template:

TO: incident-response@company.com
SUBJECT: [CRITICAL] Security Incident Declared - IRT Activation

Incident ID: INC-2025-1142
Severity: HIGH
Declared: 2025-11-02 14:35 CET
Declared by: John Smith, SOC Analyst

INITIAL ASSESSMENT:
Ransomware detected on file server FS-01. Approximately 500GB 
encrypted. Attack ongoing. Multiple workstations also affected.

IMMEDIATE ACTIONS REQUIRED:
1. Join war room: https://teams.microsoft.com/...
2. Review incident dashboard: https://dashboard.company.com/inc/1142
3. Standby for assignments

Next update: 30 minutes
Incident Commander: Jane Doe, CISO

Step 3: Preserve Evidence (Ongoing)

# Capture volatile data BEFORE shutting down or cutting power
# Memory dump with LiME (kernel module built for the running kernel; write to external media)
sudo insmod ./lime-$(uname -r).ko "path=/mnt/evidence/server01.mem format=lime"

# Network connections (root is needed to see the owning process)
sudo netstat -anp > /mnt/evidence/netstat.txt
sudo ss -tulpn > /mnt/evidence/ss.txt

# Running processes
ps aux > /mnt/evidence/processes.txt
top -b -n 1 > /mnt/evidence/top.txt

# Timeline
date -u > /mnt/evidence/timeline.txt
last -F >> /mnt/evidence/timeline.txt

# Hash evidence files (write the checksum list OUTSIDE the evidence directory,
# otherwise sha256sum hashes its own half-written output file)
sha256sum /mnt/evidence/* > /mnt/CHECKSUMS.txt

# Document chain of custody
echo "Collected by: John Smith" >> /mnt/custody.txt
echo "Date: $(date -u +%Y-%m-%dT%H:%M:%SZ)" >> /mnt/custody.txt

Critical: Work with forensic copies, never original evidence!
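As an added example (not from the original article), this Python script does the job of the sha256sum and custody lines above, but keeps the manifest outside the evidence directory and can later re-verify a working copy against it; the file names, contents and collector name are constructed.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    # Stream in 1 MiB chunks so multi-GB memory dumps do not have to fit in RAM
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_dir: Path, collector: str, manifest_path: Path) -> dict:
    # Hash every file and record collector + UTC time; the manifest lives OUTSIDE
    # evidence_dir, so it is never hashed while it is being written.
    files = sorted(p for p in evidence_dir.rglob("*") if p.is_file())
    manifest = {
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": {str(p.relative_to(evidence_dir)): sha256_file(p) for p in files},
    }
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_manifest(evidence_dir: Path, manifest_path: Path) -> list:
    # Re-hash the copy and return files that changed or vanished; [] means intact
    manifest = json.loads(manifest_path.read_text())
    return [rel for rel, digest in manifest["files"].items()
            if not (evidence_dir / rel).is_file()
            or sha256_file(evidence_dir / rel) != digest]

def demo():
    # Constructed sample: two tiny "evidence" files, then one is altered
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp) / "evidence"
        ev.mkdir()
        (ev / "netstat.txt").write_text("tcp 0 0 10.0.0.5:443 ESTABLISHED\n")
        (ev / "processes.txt").write_text("root 1 /sbin/init\n")
        manifest = Path(tmp) / "CHECKSUMS.json"
        count = len(build_manifest(ev, "John Smith", manifest)["files"])
        clean = verify_manifest(ev, manifest)
        (ev / "processes.txt").write_text("tampered\n")
        return count, clean, verify_manifest(ev, manifest)

if __name__ == "__main__":
    print(demo())
```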


Hour 1-4: Containment

Containment Strategies

Short-Term Containment (Immediate):

Option 1: Network Isolation

# Isolate infected host (preserve for forensics)
# Firewall block (AWS example): revoke inbound AND outbound rules,
# otherwise the host can still reach its command-and-control server
aws ec2 revoke-security-group-ingress \
  --group-id sg-12345 \
  --ip-permissions file://revoke-all.json
aws ec2 revoke-security-group-egress \
  --group-id sg-12345 \
  --ip-permissions file://revoke-all.json

# Disconnect from network (physical/virtual)
# PRESERVE POWER - do not shut down yet!

Option 2: Account Disable

# Compromised user account
# Azure AD
az ad user update --id user@company.com --account-enabled false

# AWS IAM: force a console password reset
aws iam update-login-profile --user-name compromised-user --password-reset-required

# Delete long-lived access keys (note: this does not end STS sessions already issued)
aws iam delete-access-key --user-name compromised-user --access-key-id AKIA...

Option 3: Service Shutdown

# Stop affected service (if safe to do so)
systemctl stop apache2

# Database read-only mode
mysql> SET GLOBAL read_only = ON;

# Kill malicious process (capture memory first; pgrep avoids the classic
# "grep matches its own command line" bug of ps | grep)
kill -9 $(pgrep -f malware.exe)

Long-Term Containment (Within 24 hours):

  • Rebuild compromised systems from clean backups
  • Patch vulnerabilities that enabled initial access
  • Implement additional monitoring
  • Update security controls

Containment Decision Matrix

Incident Type | Isolation    | Account Disable        | Service Stop          | Forensic Image
--------------|--------------|------------------------|-----------------------|----------------------
Ransomware    | ✅ Immediate | ✅ Yes                 | ⚠️ If possible        | ✅ Before wipe
Data Breach   | ✅ Yes       | ✅ Yes                 | ❌ No (preserve logs) | ✅ Yes
Phishing      | ❌ No        | ✅ Victim accounts     | ❌ No                 | ⚠️ Email server logs
Malware       | ✅ Yes       | ⚠️ If credential theft | ⚠️ Depends            | ✅ Yes
DDoS          | ❌ No        | ❌ No                  | ⚠️ Rate limiting      | ❌ No

Hour 4-24: Investigation & Eradication

Forensic Investigation

Timeline Analysis:

# Linux: pull authentication and web events into one file
# (syslog and Apache use different timestamp formats, so a plain text sort is
#  only a first cut; normalise timestamps before relying on the order)
cat /var/log/auth.log /var/log/syslog /var/log/apache2/access.log | \
  grep -E "Failed|Accepted|GET|POST" | sort > timeline.txt

# Windows: PowerShell event log extraction (Event ID 4625 = failed logon)
# A trailing pipe continues the line in PowerShell; a backslash does not
Get-EventLog -LogName Security -After (Get-Date).AddDays(-7) |
  Where-Object { $_.EventID -eq 4625 } |
  Export-Csv failed-logins.csv -NoTypeInformation

Malware Analysis:

# Isolate sample
cp /tmp/suspicious.exe /evidence/malware/sample.exe

# Hash
sha256sum /evidence/malware/sample.exe
a3f8b9c2d1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0

# Check VirusTotal: look the hash up first; uploading the file shares the
# sample (and anything it embeds) with every other VirusTotal user
curl --request GET \
  --url 'https://www.virustotal.com/api/v3/files/a3f8b9c2d1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0' \
  --header 'x-apikey: YOUR_API_KEY'

# Upload only if the hash is unknown and sharing is acceptable
curl --request POST \
  --url 'https://www.virustotal.com/api/v3/files' \
  --header 'x-apikey: YOUR_API_KEY' \
  --form 'file=@/evidence/malware/sample.exe'

# Dynamic analysis (sandboxed environment only!)
# Use ANY.RUN, Joe Sandbox, or Cuckoo Sandbox

Indicator of Compromise (IoC) Collection:

# IoC working format (plain YAML; convert to STIX 2.1 before sharing over TAXII)
iocs:
  file_hashes:
    - type: SHA256
      value: a3f8b9c2d1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0
      context: Ransomware payload
  
  ip_addresses:
    - value: 185.220.102.8
      type: C2 server
      asn: AS51167 (Tor exit node)
    
  domains:
    - value: evil-command.xyz
      type: C2 domain
      first_seen: 2025-11-01
  
  registry_keys:
    - path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateTask
      value: C:\ProgramData\malware.exe
  
  urls:
    - value: hxxp://185.220.102.8:8080/beacon
      type: Beacon URL

Threat Intelligence:

# Query threat feeds
# AlienVault OTX
curl -X GET "https://otx.alienvault.com/api/v1/indicators/IPv4/185.220.102.8/general" \
  -H "X-OTX-API-KEY: YOUR_KEY"

# MISP (Malware Information Sharing Platform)
# Check if IoCs match known campaigns

# VirusTotal retrohunt
# Search for similar malware samples
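Added example, not from the original article, serving both the IoC collection and the threat-intelligence steps above: the IoC set is run as detection logic over constructed telemetry lines (a netstat row, a DNS log entry, an EDR file event, a Sysmon registry event). The indicator values are the page's own constructed ones, and the feed is mirrored as a Python dict because PyYAML is not in the standard library.

```python
import re

# The IoC set from the collection step, mirrored as a dict (values are the page's
# constructed indicators, not live threat intelligence)
IOCS = {
    "sha256": {"a3f8b9c2d1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0": "Ransomware payload"},
    "ip": {"185.220.102.8": "C2 server"},
    "domain": {"evil-command.xyz": "C2 domain"},
    "registry": {r"hklm\software\microsoft\windows\currentversion\run\updatetask": "Run-key persistence"},
}

def refang(value):
    # Feeds and tickets ship defanged values (hxxp://, [.]); normalise before matching
    return value.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")

def scan_line(line):
    # Returns (ioc_type, value, context) for every indicator found in one line
    low = refang(line).lower()
    hits = [("ip", v, IOCS["ip"][v]) for v in IP_RE.findall(low) if v in IOCS["ip"]]
    hits += [("sha256", v, IOCS["sha256"][v]) for v in SHA256_RE.findall(low) if v in IOCS["sha256"]]
    for kind in ("domain", "registry"):  # substring indicators: match anywhere in the line
        hits += [(kind, v, ctx) for v, ctx in IOCS[kind].items() if v in low]
    return hits

def scan(lines):
    # Sweep a batch of telemetry and keep only (index, line, hit) for lines that match
    return [(i, line, h) for i, line in enumerate(lines) for h in scan_line(line)]

# Constructed telemetry: netstat row, DNS log, EDR file event, Sysmon registry event, benign row
SAMPLE = [
    "tcp 0 0 10.0.0.5:49152 185.220.102.8:8080 ESTABLISHED 4410/svchost.exe",
    "2025-11-02T13:40:01Z dns query ws-17 evil-command[.]xyz A",
    "2025-11-02T13:40:09Z file_create C:\\ProgramData\\malware.exe sha256=A3F8B9C2D1E4F5A6B7C8D9E0F1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0",
    "2025-11-02T13:40:10Z RegistryEvent SetValue HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\UpdateTask",
    "tcp 0 0 10.0.0.5:51000 198.51.100.20:443 ESTABLISHED 1201/firefox",
]

if __name__ == "__main__":
    for idx, line, hit in scan(SAMPLE):
        print(idx, hit)
```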

Root Cause Analysis

5 Whys Technique:

Incident: Ransomware encrypted file server

Why 1: How did ransomware get on file server?
→ Via admin workstation with RDP connection

Why 2: How did ransomware get on admin workstation?
→ User clicked malicious email attachment

Why 3: Why did email attachment execute?
→ Email gateway didn't block .zip with .exe inside

Why 4: Why didn't EDR block execution?
→ EDR policy in "monitor only" mode on admin workstations

Why 5: Why was EDR not in enforcement mode?
→ No policy requiring EDR enforcement for all endpoints

ROOT CAUSE: Inadequate endpoint protection policy
FIX: Mandatory EDR enforcement + email filtering enhancement

Eradication

Malware Removal:

# Remove malicious files (only after forensic copies have been taken and hashed)
rm -f /tmp/malware.exe
rm -f /var/tmp/.hidden-backdoor

# Kill processes
pkill -9 -f malware

# Remove persistence (review before deleting; check every user's crontab and /etc/cron.d as well)
crontab -l            # Inspect the current user's cron jobs
crontab -e            # Remove malicious cron jobs
vi /etc/rc.local      # Remove startup scripts

# Windows: Remove registry persistence
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v MaliciousTask /f

Credential Reset:

# Force password reset for all affected accounts
# Azure AD (Entra ID)
az ad user list --query "[].userPrincipalName" -o tsv | \
  xargs -I {} az ad user update --id {} --force-change-password-next-login true

# Revoke all active sessions (refresh tokens) so the password change actually
# ends existing access; Microsoft Graph via az rest, one user at a time
az rest --method POST \
  --url "https://graph.microsoft.com/v1.0/users/user@company.com/revokeSignInSessions"

Patch Vulnerabilities:

# Apply emergency patches
apt-get update && apt-get upgrade -y  # Linux
# Or use patch management tools (WSUS, SCCM, AWS Systems Manager)

# Disable vulnerable services
systemctl disable vsftpd  # If FTP was attack vector
systemctl stop vsftpd

Hour 24-72: Recovery & Restoration

Recovery Steps

1. Validate Clean State

# Full system scan
clamscan -r / --infected --remove

# Rootkit check
rkhunter --check
chkrootkit

# Integrity verification
aide --check  # Compare against baseline

# Network traffic analysis: capture for a defined monitoring window, then stop (Ctrl-C)
tcpdump -i eth0 -w recovery-traffic.pcap
# Analyze for any C2 beaconing (regular-interval connections to a single external host)

2. Restore from Backups

# Verify backup integrity against the hash recorded when the backup was made
sha256sum -c backup.tar.gz.sha256

# Restore (to isolated environment first!)
tar -xzf backup.tar.gz -C /mnt/restore/

# Scan restored files
clamscan -r /mnt/restore/

# If clean, restore to production
rsync -avz /mnt/restore/ /production/

3. Phased Service Restoration

PHASE 1 (Hour 24-36): Critical Systems
□ Authentication (AD, IAM)
□ Email (with enhanced filtering)
□ Core business applications

PHASE 2 (Hour 36-48): Important Systems
□ File servers (from clean backups)
□ Databases (validated clean)
□ Internal tools

PHASE 3 (Hour 48-72): Standard Systems
□ Development environments
□ Test systems
□ Non-critical applications

VALIDATION AT EACH PHASE:
✅ No malware detected
✅ Logs show normal activity
✅ Performance metrics normal
✅ No IOCs detected

Communication & Reporting

Internal Communications

Stakeholder Updates:

Every 4 hours during active incident:

TO: Executive Leadership
SUBJECT: Incident Update - Hour 28

SITUATION:
Ransomware incident affecting 12 file servers. Containment 
complete. No evidence of data exfiltration. Beginning recovery 
from backups.

ACTIONS TAKEN:
✅ Isolated all infected systems
✅ Disabled 45 compromised accounts
✅ Applied emergency patches
✅ Engaged forensics partner (Mandiant)

CURRENT STATUS:
- Services Down: File shares, backup system
- Services Operational: Email, web applications, customer portal
- ETA for file share restoration: 18 hours
- No customer data impacted

DECISIONS NEEDED:
- Approve €180,000 for forensics investigation
- Approve overtime for IT team (next 72 hours)

Next update: 16:00 CET
Incident Commander: Jane Doe

External Communications

Regulatory Notification (NIS2, GDPR):

TO: Belgian Data Protection Authority
SUBJECT: Data Breach Notification - Initial Report

Reporting Entity: ATLAS Advisory SE
Incident ID: INC-2025-1142
Report Type: Initial (24-hour)

INCIDENT DESCRIPTION:
Ransomware attack detected 2025-11-02 14:35 CET. File servers 
encrypted. Investigation ongoing.

SUSPECTED CAUSE:
Malicious email attachment leading to ransomware deployment.

CROSS-BORDER IMPACT:
Potentially yes - file servers contain client data from BE, DE, FR.

DATA SUBJECTS AFFECTED:
Under investigation. Estimated: 500-2,000 individuals.
Categories: Client contact information, project files.

IMMEDIATE ACTIONS:
- Isolated affected systems
- Engaged forensics team
- Notifying potentially affected clients
- Password resets enforced

NEXT STEPS:
Detailed report within 72 hours.

Contact: dpo@atlas-advisory.eu / +32 2 XXX XXXX
Date: 2025-11-02 18:30 CET

Customer Notification:

SUBJECT: Important Security Notice

Dear [Customer Name],

We are writing to inform you of a security incident that may have 
affected your data.

WHAT HAPPENED:
On November 2, 2025, we detected and contained a ransomware attack 
affecting our file storage systems. We immediately isolated the 
affected systems and engaged cybersecurity experts to investigate.

WHAT INFORMATION WAS INVOLVED:
Our investigation is ongoing. Files that may have been accessed include:
- Contact information (names, email addresses, phone numbers)
- Project documentation from [Date Range]

We have found NO EVIDENCE of data exfiltration at this time.

WHAT WE ARE DOING:
✓ Contained the incident within 4 hours
✓ Engaged leading cybersecurity forensics firm
✓ Restored systems from clean backups
✓ Enhanced security monitoring
✓ Notified relevant authorities

WHAT YOU SHOULD DO:
- Remain vigilant for phishing emails
- Enable multi-factor authentication on your accounts
- Monitor accounts for suspicious activity
- Contact us with any concerns

FOR MORE INFORMATION:
Visit: https://company.com/security-incident
Email: security@company.com
Phone: +32 2 XXX XXXX (24/7 hotline)

We sincerely apologize for any concern this may cause and are committed 
to protecting your information.

[Company Name]
[Date]

Post-Incident Activities

Lessons Learned (Within 2 Weeks)

Post-Incident Review Meeting:

Attendees: IRT members, management, key stakeholders

Agenda:

  1. Timeline reconstruction
  2. What went well?
  3. What could be improved?
  4. Root cause analysis
  5. Action items

Sample Findings:

INCIDENT: Ransomware via phishing email

WHAT WENT WELL:
✅ Detection within 30 minutes (EDR alert)
✅ IRT activated quickly (15 minutes)
✅ Containment successful (4 hours)
✅ Backups were clean and restorable
✅ No data exfiltration

WHAT COULD BE IMPROVED:
❌ Email filtering didn't block attachment (.zip with .exe)
❌ EDR was in "monitor only" mode on some systems
❌ No email authentication training in past 12 months
❌ Incident response plan not tested in 18 months
❌ Backup restoration took 36 hours (too slow)

ACTION ITEMS:
1. Enhance email filtering (owner: IT Manager, due: Nov 15)
2. Enforce EDR on all endpoints (owner: SOC Manager, due: Nov 10)
3. Security awareness training (owner: HR, due: Dec 1)
4. Quarterly IR tabletop exercises (owner: CISO, ongoing)
5. Optimize backup restoration (owner: Infra Lead, due: Nov 30)

Metrics to Track

Response Metrics:

  • Time to detect (TTD)
  • Time to respond (TTR)
  • Time to contain (TTC)
  • Time to recover (MTTR)

Business Impact:

  • Services affected
  • Downtime duration
  • Revenue impact
  • Customer impact
  • Regulatory fines

Cost:

  • Incident response team time
  • External consultants
  • Legal fees
  • Regulatory fines
  • Lost business
  • Reputation damage

Example:

INCIDENT COST BREAKDOWN:

Direct Costs:
- Forensics firm: €85,000
- Legal counsel: €25,000
- Overtime (staff): €18,000
- PR/communications: €12,000
Total Direct: €140,000

Indirect Costs:
- Lost revenue (3 days downtime): €280,000
- Customer churn (estimated): €450,000
- Reputation damage (estimated): €1,200,000
Total Indirect: €1,930,000

TOTAL INCIDENT COST: €2,070,000

Cost Avoidance (due to quick response):
- Prevented data exfiltration: €4,500,000 (estimated)
- Prevented ransomware payment: €500,000 (demanded)
- Prevented longer downtime: €1,200,000
Total Avoided: €6,200,000

NET BENEFIT OF IR PROGRAM: €4,130,000

Incident Response Tools

Essential Tools

Forensics & Analysis:

Malware Analysis:

Threat Intelligence:

Incident Management:


Conclusion

Effective incident response is not optional—it's a business imperative. Every hour of delay increases breach costs by an average of €45,000.

Key Takeaways:

  1. Prepare: Document IR plan, train team, test regularly
  2. Detect Fast: Invest in monitoring and detection
  3. Contain Quickly: First 4 hours are critical
  4. Investigate Thoroughly: Understand root cause
  5. Communicate Clearly: Internal and external stakeholders
  6. Learn: Post-incident review drives improvement

ATLAS Advisory has responded to 300+ security incidents, containing 94% within 24 hours and preventing an estimated €127M in breach costs.

Need incident response help?
24/7 Emergency Hotline: emergency@atlas-advisory.eu | +32 2 XXX XXXX


Resources

Frameworks & Standards:

Training & Certifications:

  • SANS FOR508: Advanced Incident Response
  • GCIH: GIAC Certified Incident Handler
  • GCFA: GIAC Certified Forensic Analyst
  • EC-Council CHFI: Computer Hacking Forensic Investigator

Related Articles:

Need Expert Cybersecurity Consulting?

Our team of certified security professionals can help implement the strategies discussed in this article.

Schedule a Consultation