The first hour — an incident-response cheat sheet

~5 min read · reviewed by a working Icelandic sysadmin · drafted with AI assistance

Keep this on the wall, in the wiki, or printed and pinned. When you actually have an incident you will not have time to read the handbook — the handbook is for before. This page is the cold start: someone called, something is wrong, what now.

A companion to the defender handbook. For the laws, the institutions, and the proactive 15-item checklist, read that.

The first ten minutes

1. Do not power off the machine. Live memory holds the evidence — running processes, network connections, decryption keys still in RAM. A shutdown destroys most of it. Disconnect the network instead (next step).
2. Isolate at the network, not at the host. Unplug the cable, disable the NIC, isolate the VLAN. The machine stays running but unreachable. This stops lateral movement and exfiltration while preserving evidence.
3. Don't restore from backup yet. A backup taken after the intrusion contains the intrusion. Identify the clean backup before you touch the restore button — there's no race that's worth corrupting your evidence.
4. Preserve, don't poke around. If you can, take a memory dump (Magnet RAM Capture, FTK Imager, AVML for Linux) and a disk image. If you can't do forensics in-house, don't run commands — every shell command on the live host changes timestamps and overwrites artefacts.
5. Start a timeline. Open a notepad. Every action with a timestamp. Why you did it. Who you spoke to. This is your post-mortem document and your legal record.

In the next 30 minutes — who to call, in this order

1. Personal-data breach with likely high risk → Persónuvernd within 72 hours of becoming aware. The clock starts now. Don't wait until you "understand the full extent" — the 72-hour notification is initial, you can amend later. (See defender handbook §4.)
2. Spreads beyond your operation (customers, partners, supply chain) → CERT-IS. They coordinate cross-organisation response and have the international CSIRT contacts.
3. Criminal investigation needed (extortion, theft, fraud) → Ríkislögreglustjóri netbrotadeild. CERT-IS handles technical; the police prosecute. Both can be called.
4. Cyber insurance policy → contact your insurer in parallel with Persónuvernd. Many policies have their own 24–48 hour notification clock and will refuse cover if you missed it. Some forbid paying the ransom; check yours before any payment conversation.
5. Financial entity under DORA (lög 78/2025) → notification clock to Seðlabanki Íslands is tighter than NIS-2. Your DPO or compliance lead should already have the form.
6. IR retainer (Syndis, Mandiant, Kroll, etc.) → if you have one, this is what you bought it for. Call now, not after procurement.
7. Internal communications — at minimum: CEO, CFO, general counsel, head of comms. Do not tweet, do not email customers yet. Wait for the comms playbook decision.

In the next hour — containment and communication

• Containment. Identify the blast radius: same VLAN, shared service accounts, shared admin paths. Force-rotate admin credentials out-of-band (assume your normal admin tooling is compromised). Block known C2 IPs and domains at the firewall.
• Communication, drafted but not sent. Customer notification, press statement, regulator notification, employee internal note — write them, then wait. Let the people you called (CERT-IS, legal, insurer) shape the wording before anything goes out.
• Evidence preservation, second pass. If memory wasn't dumped in the first ten minutes, do it now. Snapshot the firewall, IDS, SIEM. Pull logs to an isolated location before they roll over their retention window.

Things you will be tempted to do — and shouldn't

• Tweet about it. Even "we're working on it". The first public statement is a legal artefact; let counsel draft it.
• Pay the ransom to make it go away. Most insurance policies forbid this. CERT-IS officially advises against it. The payment funds the next attack and gives no guarantee — half of "paid for decryption" cases either don't receive keys or receive partial keys.
• Restore from yesterday's backup to "get back up". Yesterday's backup contains the intrusion if the attacker was patient. Karakurt sat in Strætó's systems for two months (§5); they'd have been in last week's backup, last month's, and the snapshot from October. Identify the last known-clean backup first.
• Push a patch into prod to "close the hole" before forensics. That destroys evidence of the entry vector and the case for whether the patch was even the right one.
• Investigate the breach on the breach. Email and Slack on the compromised tenant are owned by the attacker right now. Move conversation to a phone line, or a separate clean tenant.

After the first hour

• Day 1: notify Persónuvernd if required; full forensic engagement; customer notification approved by legal; press statement if necessary.
• Day 2–7: containment confirmed; clean restore; post-mortem started.
• Day 8–30: regulator follow-up; lessons-learned implemented; updated runbook; updated security.txt if the reporter route mattered.
• Day 30–90: monitor for attacker re-entry — they often try. Renew or expand your IR retainer based on what actual experience taught you.

For the longer-term what-to-do — the laws, the institutions, the 15-item proactive checklist — see the defender handbook. For exercising this cheat sheet before a real incident, see defender handbook §8 item 5.

Reviewed by a working Icelandic sysadmin · drafted with AI assistance. Corrections to admin@1881.is.