IR.PROTOCOL
ACTIVE.BREACH
CONTAINMENT: 60 MINUTES
RESPONSE: ACTIVE
RANSOMWARE // NETWORK INTRUSION
V.2026.2 // DEMO
EMERGENCY INCIDENT RESPONSE • ACTIVE BREACH CONTAINMENT

Contain the breach.
Stop the bleed. Preserve evidence.

A tactical, operational protocol for the first 60 minutes of an active ransomware or network intrusion event. Each step is designed to minimize damage, preserve forensic integrity, and establish a controlled response surface. If you are in an active breach, do not wait — engage containment immediately.

DEMO / SAMPLE DATA OPERATIONAL PROTOCOL NOT REAL DATA
Containment Target
60 minutes
Key Actions
Isolation, Credential Reset, Logging
Response Team
On-call 24/7
Breach Types
Ransomware, Network Intrusion, Data Exfil
Containment Protocol

The first 60 minutes: tactical response steps

Every second counts. Execute these steps in order. Do not deviate unless directed by your incident commander.

T+0 – T+5

Activate Incident Response Team

Immediately notify on-call IR personnel. Designate a single incident commander. Begin documenting all actions with timestamps. Do not rely on memory — use a dedicated log.

CRITICAL
T+5 – T+15

Network Isolation

Disconnect affected systems from the network at the switch or firewall level. For ransomware, isolate known infected endpoints and any systems with suspicious outbound connections. Do not power off systems — preserve memory for forensic capture.

IMMEDIATE
T+15 – T+25

Credential & Access Reset

Revoke all privileged credentials (domain admin, service accounts, local admin). Reset passwords for all accounts with evidence of compromise. Invalidate session tokens and force re-authentication. Assume all credentials are exposed.

HIGH PRIORITY
T+25 – T+35

Enable Full Logging & Monitoring

Activate verbose logging on all firewalls, IDS/IPS, and endpoint detection systems. Ensure logs are being forwarded to a secure, write-once storage location. Do not rely on local logs that the attacker may have wiped.

FORENSIC
T+35 – T+45

Initial Triage & Scope Assessment

Identify patient-zero systems and lateral movement paths. Use EDR telemetry and SIEM correlation to map the extent of the compromise. Document all affected hosts, user accounts, and data repositories.

SCOPE
T+45 – T+60

Initiate Forensic Data Preservation

Capture memory dumps, disk images, and network packet captures from key systems. Preserve in a manner that maintains chain of custody. Do not perform any actions that may destroy volatile evidence.

EVIDENCE

This protocol is a sample framework. Actual response steps may vary based on environment and breach type. Always follow your organization's IR plan.

Triage Checklist

Immediate verification & decision points

Use this checklist to validate the nature and scope of the incident during the first 60 minutes.

Ransomware

Files encrypted with known extensions? Ransom note present? Demand details — confirm if active encryption is ongoing.

Active Intrusion

Unauthorized remote access sessions? New admin accounts? Suspicious scheduled tasks or services? Verify via EDR and SIEM.

Data Exfiltration

Unusual outbound traffic volume? Data staging directories? Check firewall logs and cloud access logs for large data transfers.

Business Criticality

Affected systems and data sets — classify by business impact. Prioritize containment for systems supporting essential services.

Legal & Compliance

Does this breach trigger GDPR, HIPAA, or CCPA notification requirements? Involve legal counsel immediately if PII/PHI is involved.

Backups

Are backups available and isolated from the production network? Check backup integrity — verify they are not also encrypted.

Containment Tactics

Operational techniques for immediate containment

These are the tactical controls that incident commanders will execute to halt adversary movement and preserve evidence.

Tactic 1

Network Segmentation

Use VLAN ACLs or SDN policies to isolate compromised segments. Block all north-south and east-west traffic to and from affected hosts except for forensics and logging.

Tactic 2

Kerberos Ticket Revocation

Force immediate renewal of all TGTs and service tickets. Use klist purge on domain controllers and reset krbtgt password twice to invalidate existing tickets.

Tactic 3

Application Whitelisting

Enable AppLocker or Windows Defender Application Control to block execution of untrusted binaries. This stops malware droppers and lateral movement tools.

Tactic 4

MFA Enforcement

Require multi-factor authentication for all administrative and privileged accounts. Immediately revoke any MFA sessions that may have been hijacked.

Tactic 5

Log Forwarding & SIEM Tuning

Ensure all logs are sent to a centralized SIEM with real-time alerting. Create dashboards for anomalous outbound traffic, failed logins, and process creation events.

Tactic 6

Immutable Backups Activation

Activate read-only storage snapshots and cloud backups with object lock. Verify that backups are not accessible from the compromised environment.

Emergency Response

Active breach?
Call our incident hotline.

Our incident response team is available 24/7 for active breach containment. Do not delay — the first 60 minutes are critical. Engage us immediately.

All calls are answered within 5 minutes. Secure communication channels available upon request.

KERAUNOS Emergency Incident Response & Active Breach Containment Protocol Immediate, operational incident response protocol for active ransomware or network intrusion events. 60-minute containment steps for enterprise CISOs and security teams facing an active breach. Incident Response, Breach Containment, Ransomware Response, Network Intrusion KERAUNOS Security