
The First 4-8 Hours of a Breach: What You Do Now Determines Everything

The moment you suspect your organization has been breached, two clocks start simultaneously: the attacker's ability to do further damage, and your ability to prove what happened. The decisions made in the first four to eight hours often determine the outcome of the entire incident, including the technical resolution, the regulatory exposure, the insurance claim, and any legal proceedings that follow.

Most organizations get it wrong. Not because they lack competence, but because every instinct in a crisis points toward exactly the wrong actions.

The actions you take in the next hour may determine whether there is anything left to investigate.

Read this before touching any affected system. Then call a forensic examiner.

The Most Dangerous Thing You Can Do Right Now

The instinct is to act. To run a scan, reboot the server, delete the suspicious files, tell IT to clean it up. Every one of those actions contaminates the investigation, often permanently.

  • Running antivirus or malware scans deletes or quarantines the samples investigators need to analyze, alters file timestamps, and can trigger attacker-implanted scripts designed to activate when scanning is detected.
  • Rebooting clears volatile memory. RAM may be the only location where the attacker's tools, active sessions, or encryption keys exist. Once the system restarts, that evidence is gone permanently.
  • Deleting files or logs is evidence spoliation. In litigation or a regulatory proceeding, demonstrating that your organization deleted data after suspecting a breach creates legal liability that often exceeds the cost of the breach itself.
  • Rebuilding or reimaging systems before forensic acquisition destroys the evidence base for the entire investigation. This makes it impossible to determine scope, attribution, or the full extent of the compromise.

Your first obligation right now is not to clean up. It is to contain and preserve.

Step 1: Isolate. Do Not Power Off

There is a critical distinction between isolating a system and shutting it down. Isolation stops the attacker from continuing to communicate while leaving the forensic state intact. Shutdown destroys it.

  • Disconnect the network cable or disable the network adapter. This cuts the attacker's remote access while preserving everything in RAM and on disk.
  • Do not press the power button. Systems should only be powered down by a forensic examiner after volatile memory has been captured using proper forensic tooling.
  • For virtual machines and cloud workloads, do not terminate, revert, or snapshot the instance without forensic guidance. Snapshots taken without methodology can miss critical state. Termination destroys it.

If affected systems are servers that other infrastructure depends on, call a forensic examiner before making any isolation decision. The correct action depends on your specific environment.

Step 2: Document the Scene Before You Touch Anything

Before any system is accessed, changed, or remediated, document everything visible. This becomes the foundation of your incident timeline and chain of custody.

  • Photograph or screenshot every monitor showing the current state of affected systems. Include the clock in the frame if possible.
  • Record the exact time (with timezone) the incident was detected, who detected it, and how.
  • Write down the symptoms including which systems appear affected, what anomalies were observed, and any error messages or unusual activity.
  • Note all actions already taken. If someone rebooted a system before reading this, that needs to be documented, not hidden. Forensic examiners can often work around prior actions, but only if they know about them.

Step 3: Preserve Logs Before They Disappear

Security logs rotate and overwrite. Some have windows as short as 24 to 72 hours. This is the forensic evidence most likely to be gone by the time investigators arrive.

If legal proceedings are anticipated, a litigation hold should be placed on relevant data in Microsoft 365 immediately, covering Exchange mailboxes, SharePoint sites, and OneDrive accounts. This should be initiated through legal counsel to ensure the hold is structured under solicitor-client privilege.

  • Firewall and perimeter logs: export immediately. Retention is often 24 to 72 hours on default configurations.
  • Microsoft 365 Unified Audit Log (UAL): the default is 90 days, but mailbox audit logs and specific activity records may be shorter. Export now.
  • Microsoft Entra ID sign-in and audit logs (formerly Azure AD): the default retention is 30 days in most tenants. These logs capture authentication attempts, MFA events, conditional access decisions, and administrative changes. Export immediately.
  • Active Directory security logs: on-premises domain controller logs capture authentication events, account changes, and privilege escalation. These are frequently overlooked and have short default retention windows.
  • EDR telemetry and SIEM data: if you have endpoint detection or a SIEM, preserve that data before the retention window closes.
  • Network flow logs: NetFlow, VPC flow logs (AWS, Azure, GCP), or perimeter traffic data.

The right approach is to have a qualified forensic examiner collect and preserve these log sources. Improperly exported logs create chain-of-custody problems that can make them inadmissible, and the collection process itself can alter metadata in ways that undermine the investigation. If you are in an active incident and facing a critical retention window, contact SIFT Solutions before attempting to collect logs on your own.

Step 4: Stop Active Exfiltration and Lateral Movement

If data is actively leaving your network or you suspect it may be leaving, containment becomes the immediate priority, but it must be done carefully.

  • Segment the affected network segment from the rest of your infrastructure using VLANs, firewall rules, or physical disconnection, depending on what your environment supports.
  • Disable compromised accounts at the identity provider level, in Microsoft Entra ID (formerly Azure AD), Active Directory, or your SSO platform. Disabling only at the local machine level does not stop the attacker from using those credentials elsewhere on the network.
  • Block confirmed egress IPs or command-and-control domains at the perimeter, only when you have identified them with high confidence. Blocking the wrong addresses can alert the attacker and cause them to accelerate activity.

Avoid changing passwords on affected systems before forensic imaging where possible. Password changes modify authentication artifacts that investigators use to establish the timeline and scope of attacker access. When password changes cannot be avoided due to active account misuse, document each change precisely, including the timestamp, the account affected, and who made the change.
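Steps 2 through 4 all come back to the same requirement: every export and every containment action must be recorded with who, what, when and a way to prove the evidence was not altered afterwards. The following is an added example of that record-keeping, not SIFT Solutions' tooling; the ledger format, file names and people in it are constructed for illustration.

```python
"""Added example (not SIFT Solutions' tooling): an append-only evidence and
action ledger for the first hours of an incident. Each exported log file is
hashed at acquisition and each responder action gets a timezone-aware
timestamp, so later re-hashing shows whether an export changed after collection."""
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a preserved export in chunks so large log dumps fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def record(ledger: Path, entry: dict) -> dict:
    """Append one ledger entry as JSON Lines; existing entries are never rewritten."""
    entry = {"recorded_at": datetime.now(timezone.utc).isoformat(), **entry}
    with ledger.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def preserve(ledger: Path, export: Path, collector: str, source: str) -> dict:
    """Record a log export at acquisition: who collected it, what it is, its hash and size."""
    return record(ledger, {"kind": "evidence", "source": source, "file": export.name,
                           "sha256": sha256_file(export), "size": export.stat().st_size,
                           "collector": collector})

def note_action(ledger: Path, actor: str, action: str, target: str) -> dict:
    """Record a containment step (for example a forced password change) with who and what."""
    return record(ledger, {"kind": "action", "actor": actor, "action": action, "target": target})

def verify(ledger: Path, evidence_dir: Path) -> dict:
    """Re-hash every evidence file named in the ledger; report ok, altered or missing."""
    result = {}
    for line in ledger.read_text(encoding="utf-8").splitlines():
        e = json.loads(line)
        if e["kind"] != "evidence":
            continue
        p = evidence_dir / e["file"]
        if not p.exists():
            result[e["file"]] = "missing"
        else:
            result[e["file"]] = "ok" if sha256_file(p) == e["sha256"] else "altered"
    return result
```

The ledger itself should live on a clean device outside the affected environment, and the hashes it records are what a forensic examiner can later compare against the exports handed over.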

Step 5: Secure Your Communications

If email, Microsoft Teams, or Slack may be compromised (common in business email compromise and advanced intrusion scenarios), do not use those channels to discuss the incident. An attacker with ongoing email access can monitor your response in real time, accelerate exfiltration based on what they learn, and delete evidence before investigators arrive.

  • Move incident communication to personal cell phones or a clean, unaffected device.
  • Do not send screenshots or notes about the incident to your corporate email.
  • Legal communications should go through counsel's direct line to preserve privilege.

Step 6: Notify Legal Counsel Before Anyone Else

Most organizations operating in Canada are subject to breach notification obligations under federal and provincial privacy legislation and sector-specific regulatory requirements. These obligations have specific timelines, format requirements, and legal consequences for non-compliance. The content and timing of any notification matters enormously.

  • Call legal counsel before making any public statement or regulatory notification. Premature disclosure without confirmed facts creates legal exposure that compounds the original incident.
  • Consider engaging your forensic examiner through legal counsel. This structures the engagement under solicitor-client privilege, protecting investigation findings from disclosure in adversarial proceedings.
  • Document every decision and action taken, with timestamps. The paper trail of your response is as important as the investigation itself.

Step 7: Call SIFT Solutions

Once immediate containment is in place, a certified, independent forensic examiner needs to lead the investigation. This is not a task for your internal IT team, and it is not a criticism of your IT team's capability. Forensic investigation is a distinct discipline with different tools, different legal requirements, and different consequences for errors.

An improperly conducted internal investigation can destroy evidence, create liability, and produce findings that cannot withstand legal or regulatory scrutiny. When the investigation eventually goes to insurers, regulators, or a courtroom, the methodology matters as much as the findings.

SIFT Solutions provides senior-led digital forensics and incident response across Canada and North America. Every engagement is handled with documented forensic methodology, an unbroken chain of custody, and complete confidentiality from first call to final report. We will:

  • Acquire forensic images of affected systems in a legally defensible manner, with full chain of custody
  • Preserve volatile memory before it is lost
  • Analyze malware behavior in a controlled environment without contaminating the evidence
  • Establish a complete, defensible timeline of attacker activity
  • Produce findings that withstand regulatory, legal, and insurance scrutiny

What Not to Do

  • Power off affected systems
  • Run antivirus or malware scans on affected systems
  • Delete logs, temporary files, or anything that appears suspicious
  • Wipe or rebuild systems before forensic imaging is complete
  • Notify regulators or issue statements before speaking with legal counsel
  • Discuss the incident on systems or channels that may be compromised
  • Assume your IT team's investigation will satisfy legal, regulatory, or insurance requirements

Further Reading

The following resources are widely cited references in incident response and digital forensics. They are produced by independent standards bodies and research organizations, and are freely available.

  • NIST SP 800-61r3 — Computer Security Incident Handling Guide. The foundational federal standard for incident response planning and execution.
  • NIST SP 800-86 — Guide to Integrating Forensic Techniques into Incident Response. Covers evidence collection methodology and forensic analysis best practices.
  • MITRE ATT&CK — A globally accessible knowledge base of adversary tactics and techniques. Useful for understanding attack patterns and building detection coverage.
  • MITRE D3FEND — A knowledge graph of cybersecurity countermeasures developed by MITRE and the NSA, mapping defensive techniques across hardening, detection, isolation, and response.
  • SANS Blog — Practitioner-written articles from SANS faculty and industry experts, covering digital forensics, incident response, and the full spectrum of defensive security disciplines.
  • CISA — The Cybersecurity and Infrastructure Security Agency provides free advisories, incident reporting guidance, and sector-specific resources for organizations across North America.

The difference between a contained, documented incident and a prolonged regulatory and legal crisis often comes down to what happened in the first four hours. Get those hours right.

In crisis right now?

Call now. Every inquiry goes directly to a senior investigator who takes your matter seriously and responds as quickly as possible. All inquiries are strictly confidential.