Incident Response for Security: The First 15 Minutes
Security incidents demand a different first 15 minutes than reliability incidents. Same urgency; different sequence.
Why security IR differs
Reliability IR optimises for fastest restoration. Security IR optimises for evidence preservation, containment, and not tipping off the attacker; restoration comes after those three, not before.
The wrong instinct: shut everything down. The right one: preserve, then contain. Powering off a compromised host loses everything that lives only in memory (running processes, open network connections, injected code, decrypted keys) and that evidence never comes back.
Four prioritised actions
- 1. Preserve evidence (snapshot affected systems before any change: capture volatile memory first, then disk; record a hash of every image so it can be shown unaltered later).
- 2. Contain (isolate at the network or identity layer: quarantine security group, revoked credentials, blocked egress; keep the host running and do not delete, reimage or "clean" anything).
- 3. Notify internal IR team + legal, through the pre-agreed channel.
- 4. Document timeline meticulously (UTC timestamp, who, which host, what was done, what was observed) from the first minute, not reconstructed afterwards.
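The four actions above are a sequence, and the sequence is the point. As an added example that is not part of the original article, the script below keeps a minimal first-15-minutes ledger: every timeline entry is appended with a UTC timestamp and chained to the previous entry's hash, every evidence artifact is recorded with its SHA-256, and the ledger refuses to log a "contain" step for a host that has no "preserve" step yet. The class name IncidentLedger, the host name web-01, the ledger file name and the zero-filled stand-in "memory image" are all this example's own constructions.

```python
# Added example, not from the original article: an append-only incident
# ledger that hashes evidence, chains timeline entries so later edits are
# detectable, and enforces preserve-before-contain per host.
# Names (IncidentLedger, web-01, incident.jsonl) are assumptions of this example.
import hashlib
import json
import tempfile
import time
from pathlib import Path

GENESIS = "0" * 64
ACTIONS = ("preserve", "contain", "notify")


def sha256_file(path):
    """Stream a file through SHA-256 so multi-GB disk or memory images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class IncidentLedger:
    """Append-only JSONL timeline; each entry commits to the previous entry's hash."""

    def __init__(self, path):
        self.path = Path(path)
        self.entries = []
        if self.path.exists():
            lines = self.path.read_text().splitlines()
            self.entries = [json.loads(line) for line in lines if line.strip()]

    @staticmethod
    def _hash_entry(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, host, action, note, evidence=None, actor="ir-oncall", ts=None):
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        # Preserve, then contain: isolating or changing a host before it is
        # snapshotted destroys volatile evidence, so that order is rejected.
        if action == "contain" and not any(
            e["host"] == host and e["action"] == "preserve" for e in self.entries
        ):
            raise RuntimeError(f"no 'preserve' entry for {host}; snapshot it first")
        entry = {
            "seq": len(self.entries),
            "ts_utc": ts or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "host": host,
            "action": action,
            "actor": actor,
            "note": note,
            "evidence": str(evidence) if evidence else None,
            "evidence_sha256": sha256_file(evidence) if evidence else None,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._hash_entry(entry)
        with open(self.path, "a") as f:  # append only; never rewrite the file
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain; any edited, reordered or deleted entry breaks it."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            if self._hash_entry(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo():
    """Constructed walk-through of the four actions; returns checks for a test."""
    work = Path(tempfile.mkdtemp())
    image = work / "web-01.mem.raw"        # stands in for a memory snapshot
    image.write_bytes(b"\x00" * 4096)      # constructed content, not a real image
    ledger = IncidentLedger(work / "incident.jsonl")
    order_enforced = False
    try:  # wrong order: contain before preserve is refused
        ledger.record("web-01", "contain", "isolate before snapshot (wrong order)")
    except RuntimeError:
        order_enforced = True
    ledger.record("web-01", "preserve", "memory + disk snapshot taken", evidence=image)
    ledger.record("web-01", "contain", "moved to quarantine group; host left running")
    ledger.record("web-01", "notify", "paged IR lead and external counsel by phone")
    chain_ok = IncidentLedger(ledger.path).verify()  # re-read from disk and check
    # Simulate someone quietly editing entry 1's note after the fact.
    lines = ledger.path.read_text().splitlines()
    edited = json.loads(lines[1])
    edited["note"] = "nothing happened"
    lines[1] = json.dumps(edited, sort_keys=True)
    (work / "tampered.jsonl").write_text("\n".join(lines) + "\n")
    tamper_detected = not IncidentLedger(work / "tampered.jsonl").verify()
    return {
        "order_enforced": order_enforced,
        "entries": len(ledger.entries),
        "evidence_sha256": ledger.entries[0]["evidence_sha256"],
        "chain_ok": chain_ok,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The ledger is deliberately dumb: a JSONL file and SHA-256, nothing that needs a server, which is what you want when the environment you normally trust is the one under suspicion. Copy the file to a host outside the affected environment at intervals; the chain lets you prove later which entries existed when.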
Quiet communication
Use a separate communication channel from the suspected-compromise environment. If chat could be monitored, fall back to phone calls.
Notification cadence determined by IR plan, not by ad-hoc judgment in the moment.
Legal-counsel touchpoint
Legal counsel involved early changes the privileged status of investigation work: analysis done at counsel's direction can often be protected as attorney-client communication or work product, while analysis done before counsel is engaged generally cannot be claimed as such after the fact. How far this reaches depends on jurisdiction, so the IR plan should state it, not the responder in the moment.
Pre-incident: identify external counsel; have phone number ready. Post-incident is too late.
Antipatterns
- Wiping the affected system. Destroys evidence.
- Public Slack channel discussion. Tips off attacker if they have access.
- Legal involved only after the fact. Work done before counsel was engaged is hard to bring under privilege later.
What to do this week
Three moves. (1) Pick one production system and write down, for that system specifically, how you would snapshot memory and disk and how you would isolate it without powering it off. (2) Test the out-of-band channel and confirm external counsel's phone number actually reaches someone. (3) Document the gaps you found and write a follow-up ticket so the program stays alive between quarterly reviews.