
Incident Response: Why the First 24 Hours Make or Break Your Recovery

Inside the playbook: what actually happens when you call Layer7 after a security breach
25 May 2026 by Layer7 Networking, Neil Beulecke

A ransomware payload has executed. Email is down. Staff are panicking. The board wants answers. What happens in the next 24 hours will determine whether your organisation recovers in days or in months. Incident response isn't about having the right tools — it's about having the right people doing the right things in the right order, fast.

The Golden Hour: Why Speed Matters More Than Perfection

In emergency medicine, the "golden hour" refers to the critical window after a trauma where intervention has the greatest impact on survival. Cybersecurity incidents follow the same principle.

In the first hour after an attack is detected:

  • Attackers may still be active in your network, moving laterally, escalating privileges, and exfiltrating data
  • Ransomware may still be encrypting systems that could otherwise be saved
  • Evidence is being overwritten by normal system operations, log rotation, and the attacker's own cleanup efforts
  • Every minute of inaction increases the blast radius

The organisations that recover fastest aren't the ones with the most sophisticated security tools. They're the ones that had a plan, knew who to call, and started executing immediately. The organisations that struggle are the ones that spend the first four hours figuring out who should be in the room.

What Happens When You Call Layer7

When an organisation calls Layer7's incident response hotline, here's what the first 24 hours typically look like. This isn't theoretical — it's the process we've refined through real incidents across 170+ organisations.

Hour 0-1: Triage and Initial Containment

The first call is about understanding the situation and stopping the bleeding:

  • Initial briefing: What was detected? When? What systems are affected? Who has touched what since discovery? These questions establish the scope and guide immediate decisions.
  • Evidence preservation: Before anything else, we ensure that forensic evidence is being preserved. This means capturing memory dumps, securing logs, and establishing a chain of custody. Organisations that start "fixing" things before preserving evidence often destroy the information needed to understand what happened.
  • Containment decisions: Based on the initial triage, we make containment recommendations. This might mean isolating network segments, disabling compromised accounts, blocking specific IP addresses, or — in severe cases — disconnecting systems entirely. Containment is about limiting damage, not about full remediation.
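The evidence-preservation step above hinges on two things: proving an artefact has not changed since it was collected, and proving the custody record itself has not been edited. The script below is an added example (not Layer7's tooling) of a minimal chain-of-custody ledger: every collected file is hashed in a streaming fashion (memory images are large), each ledger entry carries the SHA-256 of the previous entry, and verification recomputes both. The artefact name, responder names and file contents are constructed placeholders.

```python
"""Chain-of-custody ledger for collected forensic artefacts (added example)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so a multi-GB memory image need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


class CustodyLedger:
    """Append-only ledger. Each entry embeds the hash of the previous entry,
    so an edited, reordered or deleted entry breaks the chain on verification."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def _append(self, **fields) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries) + 1,
                 "at": datetime.now(timezone.utc).isoformat(),
                 "prev": prev, **fields}
        entry["entry_hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def collect(self, artefact: Path, collector: str, note: str) -> dict:
        """Record who collected what, when, and the hash of the file at that moment."""
        return self._append(event="collected", artefact=str(artefact),
                            sha256=sha256_file(artefact),
                            size=artefact.stat().st_size,
                            actor=collector, note=note)

    def transfer(self, artefact: Path, from_person: str, to_person: str) -> dict:
        """Record a hand-over; every change of hands is a ledger entry."""
        return self._append(event="transferred", artefact=str(artefact),
                            actor=from_person, recipient=to_person, note="")

    def chain_intact(self) -> bool:
        """Recompute every entry hash and the prev-links from the genesis value."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            expected = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or e["entry_hash"] != expected:
                return False
            prev = e["entry_hash"]
        return True

    def artefact_unchanged(self, artefact: Path) -> bool:
        """Compare the file on disk with the hash recorded at collection time."""
        recorded = [e["sha256"] for e in self.entries
                    if e["event"] == "collected" and e["artefact"] == str(artefact)]
        return bool(recorded) and recorded[0] == sha256_file(artefact)


def demo() -> dict:
    """Constructed walk-through: collect an artefact, hand it over, then show that
    tampering with either the file or the ledger is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "WS-017-memory.raw"            # constructed stand-in
        image.write_bytes(b"\x00constructed memory image\x00" * 1024)
        ledger = CustodyLedger()
        ledger.collect(image, "responder-a", "memory image of host WS-017 (constructed)")
        ledger.transfer(image, "responder-a", "forensic-lab")
        result = {"file_ok_before": ledger.artefact_unchanged(image),
                  "chain_ok_before": ledger.chain_intact()}
        image.write_bytes(b"overwritten by a well-meaning 'fix'")   # the failure mode in the text
        result["file_ok_after_overwrite"] = ledger.artefact_unchanged(image)
        ledger.entries[0]["actor"] = "someone-else"        # tamper with the record itself
        result["chain_ok_after_edit"] = ledger.chain_intact()
        return result


if __name__ == "__main__":
    print(demo())
```

In practice the ledger would be written to write-once storage outside the compromised environment and the hashes read back to the responder over a separate channel; the in-memory list here is only to keep the example self-contained.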

Hour 1-4: Deep Assessment and Expanded Containment

With the immediate bleeding stopped, the focus shifts to understanding the full scope:

  • Attack vector identification: How did the attacker get in? Phishing email? Exploited vulnerability? Compromised credentials? Knowing the entry point is critical for preventing re-entry and identifying other potentially compromised systems.
  • Lateral movement mapping: Attackers rarely stay on the first system they compromise. We trace their movement through the network using log analysis, endpoint detection data, and forensic artifacts to build a complete picture of what they accessed.
  • Data exposure assessment: Was data exfiltrated? If so, what data? This determines whether the incident has regulatory implications under POPIA and whether notification obligations are triggered.
  • Communication coordination: We establish a communication plan — who needs to know what, when, and through which channels. This includes internal stakeholders, legal counsel, and potentially the Information Regulator.

Hour 4-12: Forensic Investigation and Remediation Planning

With the scope understood, detailed forensic work begins in parallel with remediation planning:

  • Malware analysis: If malware was involved, we analyse it to understand its capabilities — does it have persistence mechanisms? Is it communicating with command-and-control infrastructure? Can it spread to systems we haven't identified yet?
  • Compromise timeline: Building a detailed timeline of the attack from initial access through to detection. This often reveals that the attacker was present long before the incident was noticed — the average dwell time globally is still measured in weeks.
  • Remediation plan development: Based on forensic findings, we develop a remediation plan that addresses the root cause, eliminates attacker persistence, and closes the vulnerabilities that were exploited. This plan is prioritised and phased — not everything needs to happen simultaneously.
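Lateral-movement mapping (Hour 1-4) and the compromise timeline (Hour 4-12) are the same data worked two ways: logs from several sources normalised to one clock, ordered, and then read as a graph of which host authenticated to which. The script below is an added example, not Layer7's tooling, and its log formats, hostnames, account names, addresses and detection time are all constructed. It shows the step most often got wrong in a hurry: the VPN gateway logs local time (SAST) with no zone marker while the endpoint agent logs UTC, and the VPN login only lands in the right place on the timeline once both are converted.

```python
"""Compromise timeline and lateral-movement map from constructed logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample data in invented formats. The VPN gateway writes local
# time (SAST, UTC+02:00) without a zone marker; the endpoint agent writes UTC.
SAST = timezone(timedelta(hours=2))
VPN_LOG = """\
2026-05-18 02:14:07 vpn-gw user=jsmith src=203.0.113.45 action=login result=ok
2026-05-18 02:14:09 vpn-gw user=jsmith src=203.0.113.45 action=assign ip=10.20.0.77
"""
LOGON_LOG = """\
2026-05-18T00:21:33Z host=WS-017 event=logon type=network user=jsmith src=10.20.0.77
2026-05-18T01:05:10Z host=FS-01 event=logon type=network user=jsmith src=WS-017
2026-05-18T01:09:52Z host=DC-01 event=logon type=network user=svc_backup src=FS-01
2026-05-19T07:48:00Z host=FS-01 event=logon type=network user=svc_backup src=DC-01
2026-05-21T06:30:15Z host=WS-017 event=logon type=interactive user=rmorris src=console
"""
DETECTED_AT = datetime(2026, 5, 25, 8, 12, tzinfo=timezone.utc)  # alert time (constructed)
KV = re.compile(r"(\w+)=(\S+)")


def parse_vpn(line: str) -> dict:
    """Local-time VPN record -> event dict with a UTC timestamp."""
    ts_text, _, rest = line.partition(" vpn-gw ")
    ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=SAST)
    return {"ts": ts.astimezone(timezone.utc), "source": "vpn-gw", **dict(KV.findall(rest))}


def parse_logon(line: str) -> dict:
    """UTC endpoint logon record -> event dict."""
    ts_text, _, rest = line.partition(" ")
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "endpoint", **dict(KV.findall(rest))}


def build_timeline(vpn_text: str, logon_text: str) -> list:
    """Merge both sources into one UTC-ordered list. Normalising zones first is
    what keeps the 02:14 local VPN login correctly ahead of the 00:21Z logon."""
    events = [parse_vpn(l) for l in vpn_text.splitlines() if l.strip()]
    events += [parse_logon(l) for l in logon_text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def movement_graph(events: list) -> dict:
    """Directed edges src -> host for network logons. Interactive console
    logons are not lateral movement and are left out."""
    graph = defaultdict(set)
    for e in events:
        if e.get("event") == "logon" and e.get("type") == "network":
            graph[e["src"]].add(e["host"])
    return graph


def reachable_from(graph: dict, start: str) -> set:
    """Breadth-first walk: every host reachable from the entry point is in scope."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def investigate(vpn_text: str = VPN_LOG, logon_text: str = LOGON_LOG,
                detected_at: datetime = DETECTED_AT) -> dict:
    timeline = build_timeline(vpn_text, logon_text)
    entry = next(e["ip"] for e in timeline if e.get("action") == "assign")
    hosts = reachable_from(movement_graph(timeline), entry)
    accounts = {e["user"] for e in timeline
                if e.get("type") == "network" and e["host"] in hosts}
    # Dwell time runs from the earliest attacker-attributed event to detection.
    # In this constructed set the first ordered event is the VPN login.
    return {"timeline": timeline, "entry_point": entry, "hosts_in_scope": hosts,
            "accounts_to_reset": accounts, "dwell": detected_at - timeline[0]["ts"]}


if __name__ == "__main__":
    result = investigate()
    for e in result["timeline"]:
        print(e["ts"].isoformat(), e["source"],
              {k: v for k, v in e.items() if k not in ("ts", "source")})
    print("entry:", result["entry_point"], "hosts:", sorted(result["hosts_in_scope"]),
          "accounts:", sorted(result["accounts_to_reset"]), "dwell:", result["dwell"])
```

On the constructed data the walk from the VPN-assigned address reaches three hosts and two accounts, and the dwell time comes out at just over seven days, which is the point the "average dwell time is measured in weeks" remark above is making: the alert that triggered the call is rarely the start of the intrusion.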

Hour 12-24: Remediation Execution and Recovery

With a plan in hand, execution begins:

  • Attacker eviction: Removing all known attacker access — backdoors, compromised accounts, persistence mechanisms — in a coordinated action. Piecemeal eviction gives the attacker time to establish new footholds.
  • System recovery: Rebuilding compromised systems from known-clean images or trusted backups. This is where having a solid backup strategy (like Acronis DRaaS) pays dividends — you can restore systems confidently without worrying about restoring the infection alongside your data.
  • Monitoring enhancement: Increasing monitoring sensitivity across the environment to detect any resurgence. Attackers frequently try to regain access after eviction, and the detection window is critical.
  • Initial reporting: Delivering an initial incident report to stakeholders covering what happened, what was done, and what's left. This forms the basis for executive communication and any regulatory notifications.
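The "monitoring enhancement" step is concrete: everything removed during eviction becomes a watchlist, and any reappearance is an immediate escalation. The script below is an added example (not Layer7's tooling) of that post-eviction check run over constructed log lines in an invented key=value format; the account names, addresses and task name are placeholders standing in for the indicators a real eviction would produce. It deliberately reports a failed logon by a disabled account as a hit, because a retry with credentials the attacker has lost is itself evidence they are coming back.

```python
"""Post-eviction watchlist monitor over constructed log lines (added example)."""
import re
from collections import Counter

KV = re.compile(r"(\w+)=(\S+)")

# Indicators removed during the coordinated eviction (constructed values).
DISABLED_ACCOUNTS = {"jsmith", "svc_backup"}
BLOCKED_ADDRESSES = {"203.0.113.45", "198.51.100.23"}
REMOVED_PERSISTENCE = {"SystemUpdateSvc"}   # scheduled task / service deleted during eviction

# Constructed post-eviction log lines in an invented format.
SAMPLE_LOG = """\
ts=2026-05-26T03:02:11Z host=VPN-GW event=logon user=jsmith result=fail src=203.0.113.45
ts=2026-05-26T03:05:40Z host=WS-022 event=logon user=rmorris result=ok src=console
ts=2026-05-26T03:07:02Z host=FS-01 event=task_created task=SystemUpdateSvc user=svc_backup
ts=2026-05-26T03:09:55Z host=WS-022 event=conn dst=198.51.100.23 port=443
ts=2026-05-26T03:11:20Z host=WS-022 event=conn dst=10.20.0.5 port=445
"""


def evaluate(line: str) -> list:
    """Return the watchlist rules one log line trips (empty list means clean).
    A failed logon by a disabled account is still reported: it shows the
    attacker retrying credentials that were revoked."""
    f = dict(KV.findall(line))
    reasons = []
    if f.get("user") in DISABLED_ACCOUNTS:
        reasons.append("evicted account used")
    if {f.get("src"), f.get("dst")} & BLOCKED_ADDRESSES:
        reasons.append("blocked address seen")
    if f.get("task") in REMOVED_PERSISTENCE:
        reasons.append("removed persistence recreated")
    return reasons


def scan(log_text: str = SAMPLE_LOG) -> dict:
    """Run every line through the watchlist; aggregate per host so the
    responder knows which machine to look at first."""
    hits = []
    per_host = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = evaluate(line)
        if reasons:
            f = dict(KV.findall(line))
            hits.append({"ts": f["ts"], "host": f["host"], "reasons": reasons})
            per_host[f["host"]] += len(reasons)
    return {"hits": hits, "by_host": dict(per_host)}


if __name__ == "__main__":
    result = scan()
    for h in result["hits"]:
        print(h["ts"], h["host"], ", ".join(h["reasons"]))
    print("by host:", result["by_host"])
```

On the constructed lines three of five events trip the watchlist: the revoked VPN account retried from the blocked source address, the deleted scheduled task recreated on the file server under the disabled service account, and an outbound connection to a blocked address. The internal SMB connection on the last line is clean and is not reported, which is the point of keying alerts to eviction artefacts rather than to volume: during the detection window a resurgence should be loud and specific, not buried in general noise.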

After the First 24 Hours: Hardening and Lessons Learned

The crisis phase is over, but the work continues:

Root cause remediation. The vulnerability or weakness that enabled the attack needs to be permanently addressed — not just patched, but architecturally resolved. If the attack exploited a VPN with weak authentication, the fix isn't just resetting passwords; it's implementing multi-factor authentication and reviewing remote access architecture.

Post-incident review. A structured debrief covering what worked, what didn't, and what needs to change. This feeds into updated incident response plans, security architecture improvements, and potentially changes to security tooling.

POPIA notification assessment. If personal information was compromised, the Information Regulator and affected data subjects must be notified "as soon as reasonably possible." Your legal team and the vCISO should collaborate on this — the notification needs to be accurate, complete, and timely.

Retainer vs. Emergency: Choosing the Right Model

Incident response services are typically available in two models:

Retainer model: You pay a monthly or annual fee that guarantees response capacity, defined SLAs (typically 1-2 hour response for critical incidents), and pre-positioned knowledge about your environment. The advantage is speed — when an incident occurs, the responders already know your network, your systems, and your business context.

Emergency model: You call when something happens and engage on an ad hoc basis. This is less expensive upfront but comes with longer response times (the team needs to learn your environment during the crisis), no guaranteed availability (other clients may have priority), and typically higher hourly rates.

For organisations with significant digital assets or regulatory obligations, the retainer model is strongly recommended. The cost difference is trivial compared to the impact of a slower response.

Layer7's Incident Response Capability

Layer7 Networking has provided incident response services to South African organisations since 2005. Our team includes experienced forensic analysts, malware reverse engineers, and network security specialists who have handled incidents ranging from commodity ransomware to targeted attacks by sophisticated threat actors.

Our incident response integrates with our broader cybersecurity services. Clients who use our managed firewall services and SOC monitoring benefit from faster detection and richer context during incident response — we're already watching the environment and understand what normal looks like.

For organisations that want strategic security leadership alongside operational capability, our CISOaaS offering provides the governance framework that ensures incident response plans exist, are tested, and are integrated into the broader security programme.

Don't Wait for the Breach to Build Your Response Plan

Layer7's incident response team is available 24/7 for South African organisations. Whether you need a retainer for guaranteed response or want to discuss your incident readiness, we're here.

Explore Incident Response Services
