PROCIRCULAR BLOG

Educating your business on the importance of cybersecurity

When Every Minute Counts: A Guide to Incident Recovery

Posted by Corey Staas on Mar 12, 2026 7:45:00 AM

A cybersecurity incident doesn't pause while your team figures out what to do next. Every minute an attacker remains in your environment, they have more time to expand their foothold, exfiltrate data, or encrypt additional systems — and the business is losing money the entire time. But here's the critical nuance most organizations miss: the goal isn't to start recovering as fast as possible. It's to understand what you're dealing with and contain the incident first.

I've seen organizations recover from backups taken after they were already compromised, inadvertently restoring an attacker's persistence mechanisms along with their data. That mistake wastes enormous time and effort. The sooner you can determine when and how an incident started, the sooner you can contain it and move into true recovery.

Start With the Plan You Hopefully Already Have

The first step in any incident response should be to locate and follow an incident response plan — ideally written long before any real incident occurred. If it's 5:00 a.m. on a Monday and you've just discovered your environment has been effectively wiped out, you are not going to make your best decisions in the moment.

A good IR plan includes a prioritized contact list: cyber insurance carrier, legal counsel, and the incident response firm you have on retainer. Having those calls mapped out in advance means your team isn't improvising under pressure when the stakes are highest.

Scope, Contain, Then Recover

Once the plan is in motion, the technical and business tracks need to run in parallel — but they shouldn't get in each other's way.

On the technical side, the IR team's job is to scope and contain: identify the initial access method, establish a timeline of attacker activity, determine which systems were impacted, and cut off the attacker's access. Containment must happen before any recovery work begins. No exceptions.
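The two points above (backups taken after compromise restore the attacker's foothold, and scoping means establishing a per-host timeline before anything is restored) can be turned into a simple restore-point check. The code below is an added illustration, not ProCircular's tooling; the timeline events, host names, backup timestamps and the 24-hour safety margin are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the post): attacker-activity timeline events
# collected during scoping, and the backup catalogue per host.
TIMELINE = [
    ("fileserver01", "2026-03-02T04:10:00", "RDP logon from unknown external IP"),
    ("fileserver01", "2026-03-03T22:45:00", "new scheduled task created"),
    ("dc01",         "2026-03-04T01:30:00", "mass file rename (encryption)"),
]
BACKUPS = {
    "fileserver01": ["2026-02-27T02:00:00", "2026-03-01T02:00:00",
                     "2026-03-02T02:00:00", "2026-03-03T02:00:00",
                     "2026-03-04T02:00:00"],
    "dc01":         ["2026-03-01T02:00:00", "2026-03-03T02:00:00",
                     "2026-03-04T02:00:00"],
    "hr-app":       ["2026-03-03T02:00:00"],
}

def first_seen(timeline):
    """Earliest observed attacker activity per host (hypothetical helper)."""
    earliest = {}
    for host, ts, _ in timeline:
        t = datetime.fromisoformat(ts)
        if host not in earliest or t < earliest[host]:
            earliest[host] = t
    return earliest

def choose_restore_points(backups, earliest, margin=timedelta(hours=24)):
    """Per host, pick the newest backup taken before the earliest observed
    activity minus a safety margin (initial access usually predates the first
    log hit), and list every later backup as suspect. A host with no timeline
    entry is reported as 'unscoped', never assumed clean."""
    plan = {}
    for host, snaps in backups.items():
        times = sorted(datetime.fromisoformat(s) for s in snaps)
        if host not in earliest:
            plan[host] = {"status": "unscoped", "clean": None, "suspect": []}
            continue
        cutoff = earliest[host] - margin
        clean = [t for t in times if t < cutoff]
        plan[host] = {
            "status": "restorable" if clean else "no-clean-backup",
            "clean": clean[-1].isoformat() if clean else None,
            "suspect": [t.isoformat() for t in times if t >= cutoff],
        }
    return plan

if __name__ == "__main__":
    for host, entry in choose_restore_points(BACKUPS, first_seen(TIMELINE)).items():
        print(host, entry)
```

The "suspect" list is what should stop a restore: every one of those snapshots was taken while the attacker may already have been present.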

On the business side, the CISO should be working with legal counsel and senior leadership to understand notification obligations and manage internal and external communications. The IR team drives the investigation; leadership manages the response.

The Biggest Mistake: Panicking

In ransomware incidents, especially, panic is one of the most damaging forces in the room. I've seen organizations immediately cut power to firewalls, servers, and other systems in a desperate attempt to stop the spread — and, in doing so, destroy the very evidence needed to understand what happened.

In many environments, logs aren't being offloaded from firewalls to a SIEM. Cutting power to those devices can result in the permanent loss of critical forensic evidence. Now, instead of following the evidence, the response team is working from context clues and assumptions. That slows everything down and limits your ability to make confident decisions about what happened and what to do next.

Where to Turn for Help

The best resource during an incident is a trusted cybersecurity firm with whom you already have an established relationship — whether that's a managed detection and response provider or an IR firm on retainer. If that relationship doesn't exist yet, your cyber insurance provider is often the next best call. They'll connect you with an IR firm to lead the forensic investigation and, typically, breach counsel to help navigate disclosure obligations.

The key word in both cases is established. Trying to vet and onboard a new vendor in the middle of an active incident is not a position you want to be in.

Don't Just Recover — Come Back Stronger

The final goal of incident recovery should never be simply returning to where you were before the incident. That bar isn't high enough. The organization should emerge with a stronger security posture than it had before.

That's what the lessons-learned phase is for: How did the threat actor gain access? What gaps prevented earlier detection? What can we fix now so we're better prepared for the next attack — because there will be one.

The Easiest Way to Reduce Recovery Time? Practice.

Run tabletop simulations. Actually test your incident response plan rather than writing it down and putting it in a drawer. Make sure your backups are regularly tested and isolated from your production environment.

It is significantly easier to discover what works and what doesn't before everything is on fire.


Corey Staas is an Incident Response Engineer at ProCircular, a leading cybersecurity firm serving mid-market organizations across healthcare, manufacturing, financial services, and higher education. Learn more at procircular.com.


Topics: Data Breach, Information Security, Incident Response, cybersecurity insurance, Cybersecurity Consulting

