The saddest moment in incident response is when a well-meant action erases the clues. “We powered it off” makes our hearts sink. Damage from a breach is often decided less by when it happened than by how the first hour was spent. This is a calm note on what to do first in that golden time, centered on the judgment calls that most often go wrong.
First, the fork in the first 60 minutes
When an alert fires, just having this one picture in mind changes a lot.
```text
suspicious activity found
        │
        ├─ power the host off? ──► ✕ wait a moment
        │     └ it stops spread, but memory evidence vanishes with it
        │
        └─ isolate the network ─► ◎ usually this way
                 │ (pull the cable / quarantine VLAN — keep power on)
                 ▼
        preserve volatile evidence first (memory → connections → processes)
                 │
                 ▼
        activate the plan (contacts, authority, playbook) → start analysis
```
The point is simple — don’t power off; cut the network. Pulling power may stop spread, but it also loses the evidence needed to reconstruct what happened.
Initial triage — most volatile first
Grab the fastest-fading evidence first: memory, current connections, running processes, then suspicious persistence (autoruns, services, scheduled tasks).
```powershell
# what is it talking to, and what is running
# (-b needs an elevated prompt; run from PowerShell or cmd as Administrator)
netstat -anob
tasklist /v
# where did they "plant" things (autoruns, scheduled tasks)
schtasks /query /fo LIST /v
# wmic is deprecated on current Windows; Get-CimInstance Win32_StartupCommand is the equivalent
wmic startup list full
# then capture memory → disk imaging (with proper tools); memory first, since it fades fastest
```
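As an added example (not code from the original post), the collection step above turned into a small PowerShell script that runs the same commands most-volatile first, writes each output into a timestamped case folder and records a SHA-256 per artifact so the collection is documented. It assumes an elevated prompt, a placeholder case path, and uses Get-CimInstance Win32_StartupCommand in place of the deprecated wmic startup listing.

```powershell
# Added example: ordered volatile-evidence collection (not the original post's code).
# Assumes an elevated PowerShell prompt; $CaseRoot is a placeholder path.
param(
    [string]$CaseRoot = "D:\IR_CASE_PLACEHOLDER"   # ideally an external/removable volume
)

$stamp   = Get-Date -Format "yyyyMMdd_HHmmss"
$caseDir = Join-Path $CaseRoot "$($env:COMPUTERNAME)_$stamp"
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

# Steps in the order the text gives: connections, processes, then persistence.
# Each entry maps an artifact name to a script block producing text output.
$steps = [ordered]@{
    "01_time_and_host" = { Get-Date -Format o; $env:COMPUTERNAME; whoami }
    "02_connections"   = { netstat -anob }            # -b requires admin rights
    "03_processes"     = { tasklist /v }
    "04_sched_tasks"   = { schtasks /query /fo LIST /v }
    "05_startup"       = { Get-CimInstance Win32_StartupCommand | Format-List * }
    "06_services"      = { Get-Service | Sort-Object Status | Format-Table -AutoSize }
}

$manifest = @()
foreach ($name in $steps.Keys) {
    $outFile = Join-Path $caseDir "$name.txt"
    $started = Get-Date -Format o
    try {
        # Native command errors (e.g. netstat without admin) land in the file via 2>&1
        # rather than raising an exception, so the gap is still recorded.
        & $steps[$name] 2>&1 | Out-File -FilePath $outFile -Encoding utf8
    } catch {
        "ERROR: $_" | Out-File -FilePath $outFile -Encoding utf8
    }
    # Hash each artifact immediately so later handling can be verified.
    $hash = (Get-FileHash -Path $outFile -Algorithm SHA256).Hash
    $manifest += [pscustomobject]@{ Step = $name; File = $outFile; Started = $started; SHA256 = $hash }
}

$manifest | Export-Csv -Path (Join-Path $caseDir "manifest.csv") -NoTypeInformation
$manifest | Format-Table -AutoSize
# Memory capture and disk imaging follow with dedicated tools; this script only
# collects the fast-fading text artifacts and leaves the host powered on.
```

Keep the case folder off the affected system's own disk where possible, so the collection does not overwrite unallocated space that a later disk image may need.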
By phase
| Phase | What you do |
|---|---|
| Prepare | Have logs, contacts, authority, playbooks ready in advance |
| Detect/analyze | Decide if it’s real and how far it spreads |
| Contain | Cut spread by network, not by power |
| Eradicate | Remove entry point, persistence, created accounts fully |
| Recover | From verified backups, staged, with monitoring |
| Learn | Record timeline, root cause, detection gaps — feed it back |
Don’t skip “eradicate” in particular — recover with the root cause intact and reinfection is only a matter of time.
Going deeper — ransomware and “how did they get in?”
Modern ransomware usually steals data before encryption and extorts on it (“double extortion”). So “what was leaked” and “how did they get in” matter as much as “what was encrypted.” The entry point is often a known flaw with a patch already available (a 1-day) in an externally exposed component, so we check for that during eradication. Finding such entry points before an incident is, honestly, the best response of all. (Related: pentest process post)
Field note: the teams that recover fastest share one trait — everyday preparation. With logs in place, contacts alive, and even one drill done, the first 60 minutes look completely different. The golden time is built before the incident, not after.
FAQ
What’s the first thing on suspicion?
Don’t power off — isolate the network, then preserve volatile evidence and activate the plan. A hasty shutdown ruins analysis most.
How to prepare in advance?
Logging/retention, contact/authority structures, playbooks, and even a light tabletop drill dramatically change the quality of the first 60 minutes.
Closing
Incidents can happen to anyone; the size of the damage turns on the first-60-minute judgment and everyday preparation. To check your response plan and find entry paths before an incident, reach out at red team & incident-readiness consulting.