A tactical, operational protocol for the first 60 minutes of an active ransomware or network intrusion event. Each step is designed to minimize damage, preserve forensic integrity, and establish a controlled response surface. If you are in an active breach, do not wait — engage containment immediately.
Every second counts. Execute these steps in order. Do not deviate unless directed by your incident commander.
Immediately notify on-call IR personnel. Designate a single incident commander. Begin documenting all actions with timestamps. Do not rely on memory — use a dedicated log.
CRITICALDisconnect affected systems from the network at the switch or firewall level. For ransomware, isolate known infected endpoints and any systems with suspicious outbound connections. Do not power off systems — preserve memory for forensic capture.
IMMEDIATERevoke all privileged credentials (domain admin, service accounts, local admin). Reset passwords for all accounts with evidence of compromise. Invalidate session tokens and force re-authentication. Assume all credentials are exposed.
HIGH PRIORITYActivate verbose logging on all firewalls, IDS/IPS, and endpoint detection systems. Ensure logs are being forwarded to a secure, write-once storage location. Do not rely on local logs that the attacker may have wiped.
FORENSICIdentify patient-zero systems and lateral movement paths. Use EDR telemetry and SIEM correlation to map the extent of the compromise. Document all affected hosts, user accounts, and data repositories.
SCOPECapture memory dumps, disk images, and network packet captures from key systems. Preserve in a manner that maintains chain of custody. Do not perform any actions that may destroy volatile evidence.
EVIDENCEThis protocol is a sample framework. Actual response steps may vary based on environment and breach type. Always follow your organization's IR plan.
Use this checklist to validate the nature and scope of the incident during the first 60 minutes.
Files encrypted with known extensions? Ransom note present? Demand details — confirm if active encryption is ongoing.
Unauthorized remote access sessions? New admin accounts? Suspicious scheduled tasks or services? Verify via EDR and SIEM.
Unusual outbound traffic volume? Data staging directories? Check firewall logs and cloud access logs for large data transfers.
Affected systems and data sets — classify by business impact. Prioritize containment for systems supporting essential services.
Does this breach trigger GDPR, HIPAA, or CCPA notification requirements? Involve legal counsel immediately if PII/PHI is involved.
Are backups available and isolated from the production network? Check backup integrity — verify they are not also encrypted.
These are the tactical controls that incident commanders will execute to halt adversary movement and preserve evidence.
Use VLAN ACLs or SDN policies to isolate compromised segments. Block all north-south and east-west traffic to and from affected hosts except for forensics and logging.
Force immediate renewal of all TGTs and service tickets. Use klist purge on domain controllers and reset krbtgt password twice to invalidate existing tickets.
Enable AppLocker or Windows Defender Application Control to block execution of untrusted binaries. This stops malware droppers and lateral movement tools.
Require multi-factor authentication for all administrative and privileged accounts. Immediately revoke any MFA sessions that may have been hijacked.
Ensure all logs are sent to a centralized SIEM with real-time alerting. Create dashboards for anomalous outbound traffic, failed logins, and process creation events.
Activate read-only storage snapshots and cloud backups with object lock. Verify that backups are not accessible from the compromised environment.
Our incident response team is available 24/7 for active breach containment. Do not delay — the first 60 minutes are critical. Engage us immediately.
All calls are answered within 5 minutes. Secure communication channels available upon request.