
First 24 Hours After a Cyber Incident

The first 24 hours after discovering a cyber incident are critical. What you do (and don't do) can determine whether you successfully contain the damage, preserve evidence, and recover effectively.

The Golden Rules

  1. Don't panic - Rushed decisions often make things worse
  2. Don't turn off computers - You'll lose evidence in memory
  3. Don't start deleting/cleaning - Preserve evidence first
  4. Document everything - Screenshots, notes, timestamps
  5. Isolate, don't destroy - Disconnect from network, but preserve systems

Hour 0-1: Discovery and Initial Containment

Stop the Bleeding

  • Disconnect affected systems from the network (unplug cables, disable WiFi). If you run an EDR tool with a network-isolation feature, prefer that: the host stays reachable for forensics while all other traffic is cut off
  • Do NOT turn systems off - evidence in memory will be lost. Power a system down only as a last resort, if ransomware is actively spreading and you have no other way to isolate it
  • If data is actively being exfiltrated, disconnecting takes priority over everything else

Document What You See

  • Take screenshots of error messages, ransom notes, unusual screens
  • Note the exact time you discovered the incident
  • Write down what made you suspect something was wrong
  • Record which systems/users are affected

Alert Key People

  • IT/Security team (if you have one)
  • Management/decision makers
  • Do NOT announce publicly yet

Hour 1-4: Assessment

Determine Incident Type

Assess the Scope

  • How many systems are affected?
  • What data might be compromised?
  • Is the attack still active, or is it contained?
  • Are backups intact and accessible, and were they reachable from the affected systems? (Attackers commonly go after backups before detonating ransomware)

Preserve Initial Evidence

  • Screenshot everything relevant
  • Note timestamps and affected systems
  • Don't delete logs or files

Hour 4-12: Containment and Evidence

Network Isolation

  • Segment affected systems from the rest of the network
  • Block suspicious external IP addresses and domains at the firewall, and log the blocked traffic so you can see whether the attacker keeps trying
  • Disable compromised user accounts and terminate their active sessions; a disabled account whose session or token is still valid is not contained
  • Change critical passwords and keys, and record which credentials were rotated and when. That rotation log is the evidence, not the old passwords, so do not write those down. Coordinate rotation with isolation: changing passwords while the attacker still has a foothold mostly alerts them

Evidence Preservation Priority

  1. Memory (RAM) - Most volatile, capture first if possible
  2. Network connections - Current state, what's connected
  3. Running processes - What's executing
  4. Logs - System, application, network logs
  5. Disk - Files, timestamps, deleted items

If You Have IT Resources

  • Capture memory dumps from affected systems before anything else changes their state
  • Export relevant logs (system, application, firewall, VPN, cloud audit) before they rotate
  • Create bit-for-bit forensic images if possible, and record a hash of every image and export so its integrity can be shown later
  • Document network traffic patterns (flows, DNS queries, unusual destinations)
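The collection steps above, as an added shell example. This script is not from the HackAid page and is not a tool the page recommends; it assumes a Linux host with a POSIX sh and coreutils, and the tool names (ss, ip, ps, who, mount, journalctl), the numbered file layout, and the manifest and custody-record format are this example's own choices. It gathers volatile data in the order of volatility listed above (host clock first, then network state, then processes and users, then logs), records the time and exit status of every command, hashes all output files into a manifest, and starts a chain-of-custody record. RAM capture is left to a dedicated tool such as AVML or LiME.

```shell
#!/bin/sh
# Added example, not part of the HackAid guide: collect volatile evidence from
# a Linux host in order of volatility, hash every output file and start a
# chain-of-custody record. Assumes POSIX sh and coreutils; each collection
# tool is optional and is skipped (and logged as skipped) if not installed.
# RAM is deliberately not captured here: use a dedicated tool such as AVML or
# LiME for that, and run it before this script if you can.

# Pick a SHA-256 tool: sha256sum (coreutils) or shasum (Perl, e.g. on macOS).
hash_tool() {
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi
}

# run_step NUM NAME CMD [ARGS...]: run one collection command, save its output
# to NUM_NAME.txt and note UTC time and exit status in collection_log.tsv.
run_step() {
    num="$1"; name="$2"; shift 2
    out="$EVIDENCE_DIR/${num}_${name}.txt"
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if command -v "$1" >/dev/null 2>&1; then
        rc=0
        "$@" > "$out" 2>&1 || rc=$?
        printf '%s\t%s\t%s\texit=%s\n' "$stamp" "${num}_${name}" "$*" "$rc" >> "$EVIDENCE_DIR/collection_log.tsv"
    else
        printf '%s\t%s\t%s\tskipped, %s not installed\n' "$stamp" "${num}_${name}" "$*" "$1" >> "$EVIDENCE_DIR/collection_log.tsv"
    fi
}

# collect_volatile_evidence DIR COLLECTOR: most volatile data first.
collect_volatile_evidence() {
    EVIDENCE_DIR="$1"; collector="$2"
    mkdir -p "$EVIDENCE_DIR"
    : > "$EVIDENCE_DIR/collection_log.tsv"
    # 0. Host identity and its own clock (compare with yours when building a timeline)
    run_step 00 system uname -a
    run_step 01 datetime date -u
    # 1. Network state: what is connected right now, and to where
    run_step 10 net_connections ss -tuanp
    run_step 11 net_interfaces ip addr
    run_step 12 arp_cache ip neigh
    # 2. What is running, who is logged in, what is mounted
    run_step 20 processes ps auxww
    run_step 21 logged_in who
    run_step 22 mounts mount
    # 3. Logs before they rotate (journald here; add application/firewall logs as needed)
    run_step 30 journal_24h journalctl --since "24 hours ago" --no-pager
    write_manifest "$EVIDENCE_DIR" "$collector"
}

# write_manifest DIR COLLECTOR: SHA-256 of every collected file, plus a custody record.
write_manifest() {
    dir="$1"; collector="$2"
    ( cd "$dir" && for f in *.txt *.tsv; do
          if [ -f "$f" ]; then $(hash_tool) "$f"; fi
      done ) > "$dir/manifest.sha256"
    manifest_hash=$( $(hash_tool) "$dir/manifest.sha256" | cut -d' ' -f1 )
    {
        printf 'Host: %s\n' "$(uname -n)"
        printf 'Collected by: %s\n' "$collector"
        printf 'Collection finished (UTC): %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'Manifest SHA-256: %s\n' "$manifest_hash"
        printf 'Custody log (who held the evidence, from when, and why):\n'
    } > "$dir/chain_of_custody.txt"
}

# verify_manifest DIR: exit 0 only if every file still matches its recorded hash.
verify_manifest() {
    ( cd "$1" && $(hash_tool) -c manifest.sha256 >/dev/null )
}

# Stand-alone use: sh collect_volatile.sh /mnt/evidence/host01 "Analyst Name"
# (the evidence path and analyst name are placeholders).
if [ $# -ge 1 ]; then
    collect_volatile_evidence "$1" "${2:-$(id -un)}"
    echo "Evidence and manifest written to $1"
fi
```

Run it from a trusted toolkit (not binaries on the suspect host) as root, and write to external media rather than the affected disk so you do not overwrite deleted-file evidence. `ss -p` only shows other users' process names when run as root. Paste the manifest hash from chain_of_custody.txt into your incident notes; anyone who later receives the evidence can re-run verify_manifest to show it is unchanged.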

Hour 12-24: Planning and Communication

Develop Response Plan

  • What are the immediate priorities?
  • Who needs to be involved?
  • What resources do you need?
  • What's the recovery timeline?

Notification Decisions

Consider who needs to be notified:

  • CERT-SE - For significant incidents: cert.se
  • IMY - For personal data breaches (GDPR requires notifying the supervisory authority within 72 hours of becoming aware of the breach): imy.se
  • Police - For criminal activity
  • Insurance - If you have cyber coverage
  • Affected individuals - If the breach is likely to result in a high risk to them
  • Customers/partners - As appropriate

Communication Guidelines

  • Designate a single spokesperson
  • Stick to facts, don't speculate
  • Document all external communications
  • Consider legal review before public statements

What NOT to Do

Preserve Evidence - Don't:

  • Turn off computers (lose memory evidence)
  • Delete suspicious files (they're evidence)
  • Reinstall systems (before imaging)
  • Run "cleanup" tools (destroys evidence)
  • Post details on social media

Avoid These Mistakes:

  • Paying a ransom immediately (first check whether a free decryptor exists, for example through the No More Ransom project, and remember that payment does not guarantee recovery)
  • Announcing breach publicly before understanding scope
  • Blaming employees publicly
  • Ignoring the incident hoping it goes away
  • Trying to negotiate with attackers without expertise

Checklist: First 24 Hours

Immediate (0-1 hour)

  • [ ] Isolate affected systems (unplug network, don't turn off)
  • [ ] Document what you see (screenshots, notes)
  • [ ] Alert IT/security team
  • [ ] Alert management

Assessment (1-4 hours)

  • [ ] Identify incident type
  • [ ] Determine scope (systems, data, users affected)
  • [ ] Check if attack is ongoing
  • [ ] Verify backup status

Containment (4-12 hours)

  • [ ] Network segmentation in place
  • [ ] Compromised accounts disabled
  • [ ] Critical passwords changed
  • [ ] Initial evidence preserved

Planning (12-24 hours)

  • [ ] Response team assembled
  • [ ] Notification requirements identified
  • [ ] Recovery priorities defined
  • [ ] External help engaged if needed

When to Seek External Help

Consider getting professional help if:

  • The attack is sophisticated or ongoing
  • Critical systems or sensitive data are involved
  • You lack internal forensics capability
  • Legal or regulatory implications are significant
  • An insurance claim requires professional documentation

Free Help

  • HackAid - Free help for Swedish organizations (apply through the HackAid website)
  • CERT-SE - National coordination: cert.se

Commercial Help

  • Incident response firms (Truesec, etc.)
  • Your cyber insurance provider's response team
  • Legal counsel with cyber experience

Guides & Documentation

CISA Incident Response Playbook

NIST SP 800-61, Computer Security Incident Handling Guide

SANS Incident Handler's Handbook


Remember: The goal in the first 24 hours is containment and evidence preservation, not complete recovery. Take your time to do it right.


Last updated: 2026-01