I am studying for my Security+ and was wondering about the practical side. If a company realizes they've been breached, what is the very first thing the Cyber Security team does? Is it about isolation or investigation?
3 answers
The immediate priority is always containment. You need to stop the "bleeding" before you start the "autopsy." This usually involves isolating affected systems from the rest of the network to prevent the attacker from moving laterally. Once the threat is contained, the team moves into the investigation phase to identify the entry point and the extent of the data exfiltration. Documentation is also critical from the very first second for legal and insurance purposes. Following a structured Incident Response Plan ensures that the team doesn't panic and miss vital steps during a high-stress event.
At what point do you involve legal and PR? Should that happen during containment or only after the full scope of the breach is understood?
Containment is definitely first. You can't investigate a moving target. Pull the plug on the affected servers and then start looking at the logs.
I agree with Michelle. In Cyber Security, every second an attacker has access is another second they can be stealing sensitive company or client data.
Scott, legal should be notified almost immediately. There are strict regulatory timelines (like GDPR) for reporting breaches. PR usually waits until you have a clear, honest message about what happened and what you are doing to fix it. If you speak too early without facts, you risk losing even more public trust. Coordination between tech and legal is the backbone of a good response.