The First 60 Minutes Determine Everything
You just discovered a breach. Maybe your monitoring tool fired an alert. Maybe a customer reported suspicious activity. Maybe you found data where it should not be. Whatever triggered the alarm, the clock is now running.
What you do in the next 60 minutes determines whether this incident is a contained event or a catastrophe. Follow these steps in order.
Minutes 0-10: Isolate
The single most important action in the first minutes is isolation. You need to stop the attacker from moving further into your environment while preserving evidence.
Do this:
- Disconnect compromised systems from the network. Unplug the Ethernet cable or disable the WiFi adapter.
- Do NOT power off or reboot the machines. Running systems contain volatile evidence in memory that is destroyed on shutdown.
- Disable compromised user accounts but do not delete them.
- Block known attacker IP addresses at your firewall if you have them.
- Revoke API keys and tokens associated with compromised services.
Do not do this:
- Do not shut down servers. You will lose memory artifacts, active connections and running processes.
- Do not delete malware or suspicious files. These are evidence.
- Do not reinstall operating systems. You are destroying the crime scene.
- Do not change passwords yet. If the attacker has persistence, they will see the changes and adapt.
Minutes 10-20: Preserve
With compromised systems isolated, focus on preserving evidence before it disappears.
- Export all available logs immediately: firewall logs, server access logs, authentication logs, application logs and cloud audit trails.
- If possible, capture a memory dump of compromised systems using tools like WinPMem (Windows) or LiME (Linux).
- Screenshot any visible indicators of compromise: unusual processes, strange network connections, error messages or ransom notes.
- Document the current state of all affected systems including which accounts were active, which services were running and which network connections existed.
Log retention is critical. Many organizations have logs that overwrite after 24-48 hours. If you do not export them now, they may be gone by the time a forensic investigator arrives.
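The "document the current state" step above is easy to get wrong under pressure: output gets pasted into a chat window, nobody records when it was taken, and later nobody can prove it was not edited. The script below is an added example, not tooling from this article or its authors. It runs a fixed list of read-only commands on the isolated host, writes each command's output to its own file, and records a UTC timestamp and SHA-256 digest for every file in a manifest so the collection can be re-verified later. The default command list (who, ps, ss, last, ip) is a Linux assumption; substitute the equivalents for your platform.

```python
"""Volatile-state snapshot with a hashed manifest (added example, not the article's own tooling)."""
import hashlib
import json
import os
import socket
import subprocess
from datetime import datetime, timezone

# Assumed Linux commands; every one of them is read-only. Each entry is (label, argv).
DEFAULT_COMMANDS = [
    ("logged_in_users", ["who", "-a"]),
    ("processes", ["ps", "auxww"]),
    ("network_connections", ["ss", "-tunap"]),
    ("listening_sockets", ["ss", "-tulpn"]),
    ("recent_logins", ["last", "-F"]),
    ("arp_cache", ["ip", "neigh"]),
    ("routes", ["ip", "route"]),
]


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks so large outputs are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def run_and_save(label, argv, outdir):
    """Run one command, save stdout+stderr to <outdir>/<label>.txt, return its manifest entry."""
    path = os.path.join(outdir, f"{label}.txt")
    started = datetime.now(timezone.utc).isoformat()
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=60)
        body = proc.stdout + proc.stderr
        rc = proc.returncode
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        # A missing or hung tool is itself worth recording; never silently skip it.
        body = f"collection error: {exc!r}\n"
        rc = None
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)
    return {
        "label": label,
        "command": argv,
        "started_utc": started,
        "exit_code": rc,
        "file": os.path.basename(path),
        "sha256": sha256_file(path),
    }


def collect_volatile_state(outdir, commands=DEFAULT_COMMANDS):
    """Run every command into outdir, write manifest.json, and return the manifest dict."""
    os.makedirs(outdir, exist_ok=True)
    manifest = {
        "hostname": socket.gethostname(),
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "items": [run_and_save(label, argv, outdir) for label, argv in commands],
    }
    with open(os.path.join(outdir, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_manifest(outdir):
    """Re-hash every collected file; return the labels whose digest no longer matches."""
    with open(os.path.join(outdir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    return [
        item["label"]
        for item in manifest["items"]
        if sha256_file(os.path.join(outdir, item["file"])) != item["sha256"]
    ]


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "evidence"
    result = collect_volatile_state(target)
    print(f"collected {len(result['items'])} items into {target}; tampered: {verify_manifest(target)}")
```

Write the output directory to removable media or a network share you control, not to the compromised disk, and hand the manifest to the investigator along with the files: a matching digest months later is what makes the snapshot usable as evidence.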
Minutes 20-35: Assess
With isolation and preservation done, take stock of what you know and what you do not know.
Answer these questions as best you can:
- What systems are confirmed compromised?
- What data was accessible from those systems?
- Is the breach still active or has the attacker been disconnected by your isolation steps?
- How long has the attacker potentially had access? Check login logs for the earliest suspicious activity.
- Was customer data, financial data or personal information potentially accessed?
- Are there signs of data exfiltration, such as large outbound transfers or connections to unknown destinations?
You will not have complete answers yet. That is normal. Document what you know, what you suspect and what you do not know. This assessment guides the forensic investigation.
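Two of the questions above, how long the attacker has had access and whether data left the network, can be given first answers from the logs preserved in the previous step. The script below is an added example, not code from this article or its authors. It finds the earliest successful login from outside a trusted network (a lower bound on the access window) and flags outbound flows that either exceed a size threshold to an unknown destination or go to an address that also appears as a suspicious-login source. The sshd-style auth lines, the flow-log format, the 10.0.0.0/8 trusted range, the known-destination set and the 1 GiB threshold are all constructed for the example; adapt the two parse functions and the allowlists to what your systems actually emit.

```python
"""First-hour triage of preserved logs (added example; formats and allowlists are constructed)."""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sshd-style auth log. Real sshd lines vary ("invalid user", key fingerprints),
# so the regex below is tuned to this sample only.
AUTH_LOG = """\
2024-03-01T02:14:07Z sshd[811]: Accepted publickey for deploy from 10.0.5.21 port 50211 ssh2
2024-03-02T23:41:53Z sshd[912]: Failed password for admin from 203.0.113.77 port 41002 ssh2
2024-03-02T23:42:10Z sshd[912]: Accepted password for admin from 203.0.113.77 port 41002 ssh2
2024-03-03T08:05:44Z sshd[1003]: Accepted publickey for deploy from 10.0.5.21 port 50444 ssh2
2024-03-04T01:17:30Z sshd[1201]: Accepted password for admin from 198.51.100.9 port 39001 ssh2
"""

# Constructed outbound flow log: time src dst dst_port bytes_out
FLOW_LOG = """\
2024-03-03T09:00:00Z 10.0.5.21 10.0.9.4 443 184320
2024-03-03T12:00:00Z 10.0.5.30 192.0.2.51 443 4096
2024-03-03T22:00:00Z 10.0.5.30 192.0.2.50 443 2147483648
2024-03-03T23:58:12Z 10.0.5.21 198.51.100.9 443 4831838208
2024-03-04T00:10:05Z 10.0.5.30 10.0.9.4 5432 902144
2024-03-04T01:20:00Z 10.0.5.21 198.51.100.9 22 1048576
"""

# Assumed allowlists; in a real case these come from your asset and egress inventories.
TRUSTED_SOURCE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # admin logins expected only from here
KNOWN_DESTINATIONS = {"10.0.9.4"}                            # destinations you can account for
EXFIL_BYTES_THRESHOLD = 1 * 1024 ** 3                        # one flow of 1 GiB+ deserves a look

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_trusted_source(ip, nets=TRUSTED_SOURCE_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_auth(log):
    """Yield one dict per parseable auth line; unparseable lines are skipped."""
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            yield {"ts": parse_ts(m["ts"]), "result": m["result"], "user": m["user"], "ip": m["ip"]}


def suspicious_logins(log):
    """Successful logins from outside the trusted networks, oldest first."""
    hits = [e for e in parse_auth(log) if e["result"] == "Accepted" and not is_trusted_source(e["ip"])]
    return sorted(hits, key=lambda e: e["ts"])


def earliest_suspicious_login(log):
    """Earliest untrusted successful login, or None: the lower bound on the access window."""
    hits = suspicious_logins(log)
    return hits[0] if hits else None


def parse_flows(log):
    for line in log.splitlines():
        ts, src, dst, port, nbytes = line.split()
        yield {"ts": parse_ts(ts), "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def exfil_candidates(flow_log, auth_log, known=KNOWN_DESTINATIONS, threshold=EXFIL_BYTES_THRESHOLD):
    """Outbound flows worth investigating: large transfers to destinations not in the known
    set, plus any flow at all to an address that is also a suspicious-login source."""
    login_sources = {e["ip"] for e in suspicious_logins(auth_log)}
    out = []
    for flow in parse_flows(flow_log):
        if flow["dst"] in known:
            continue
        if flow["dst"] in login_sources:
            out.append({**flow, "reason": "destination is a suspicious-login source"})
        elif flow["bytes"] >= threshold:
            out.append({**flow, "reason": "large transfer to unknown destination"})
    return out


if __name__ == "__main__":
    first = earliest_suspicious_login(AUTH_LOG)
    print("earliest suspicious login:", first["ts"].isoformat(), first["user"], first["ip"])
    for c in exfil_candidates(FLOW_LOG, AUTH_LOG):
        print(c["ts"].isoformat(), c["src"], "->", c["dst"], c["bytes"], "bytes:", c["reason"])
```

Treat the output as the "what you suspect" column of your assessment, not as findings: a login from an unfamiliar address may be a travelling administrator, and a large transfer may be a scheduled backup. Record each hit with the log line it came from so the investigator can confirm or discard it.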
Minutes 35-45: Communicate
Notify the people who need to know. Keep the circle small initially to prevent panic and information leakage.
- Executive leadership: Brief them on what happened, what you know and what you have done so far.
- Legal counsel: They need to assess notification obligations under PIPEDA, provincial privacy laws and any contractual requirements.
- IT team: Only the people directly needed for containment. Not the whole department.
- Insurance provider: If you have cyber insurance, notify them immediately. Many policies have strict notification windows.
Do NOT communicate about the breach via the compromised systems. If the attacker has email access, they can read your incident response communications. Use phone calls, a separate messaging platform or in-person conversations.
Minutes 45-60: Engage Forensics
This is where you call us.
A forensic investigator does what your IT team cannot. We determine exactly what happened, how the attacker got in, what they accessed, whether data was exfiltrated and whether the attacker still has access through backdoors or persistence mechanisms.
What to have ready when you call:
- A timeline of the incident as you understand it
- A list of compromised and potentially compromised systems
- What logs you have preserved
- Whether customer data may have been affected
- Any indicators of compromise you have identified
We can begin remote evidence collection within hours. For complex incidents requiring on-site presence, we deploy anywhere in Canada.
After the First 60 Minutes
The first hour is about containment and preservation. Everything after that is investigation, remediation and recovery. Those phases take days or weeks, not minutes. But they all depend on getting the first 60 minutes right.
If you are reading this before an incident, bookmark this page. Print the checklist. Put it in your incident response plan. When the alarm goes off, you will not have time to search for instructions.
If you are reading this during an incident, stop reading and call 604.229.1994.