
The number of data breaches investigated by Verizon in 2024 increased by 20 percentage points compared to the previous year. ESET, a leading company in proactive threat detection, warns that preparedness is key to an effective incident response (IR).
Once threats are introduced into a network, time is of the essence, and stopping them before they cause damage is increasingly difficult. According to the latest research, in 2024 adversaries were 22% faster than the previous year in progressing from initial access to lateral movement (the interval known as “breakout time”). The average breakout time was 48 minutes, and the fastest recorded attack took almost half that: just 27 minutes.
“A data breach does not have to be as catastrophic as it seems for network defenders, if teams are able to respond quickly and decisively to intrusions. Although every organization (and every incident) is different, if all members of the incident response team know exactly what they must do, and nothing is left to chance or improvised, there is a greater chance of a quick, satisfactory, and low-cost resolution”, says Camilo Gutiérrez Amaya, Head of the ESET Latin America Research Lab.
ESET clarifies that no organization is 100% breach-proof and that if an incident occurs and unauthorized access is suspected, a methodical and rapid approach is essential. To this end, it offers a guide on how to act quickly and thoroughly during the first 24 to 48 hours, without compromising accuracy or evidence:
1. Gather information and understand the scope: The first step is to understand exactly what happened, activate the pre-established incident response plan, and notify the team. This group should include stakeholders from across the company, including HR, PR and communications, the legal department, and executive management. They all have an important role to play in the aftermath of the incident.
Next, assess the scope of the attack: How did the adversary gain access to the company’s network? Which systems were compromised? What malicious actions have the attackers already taken?
Document each step and gather evidence, both to assess the impact of the attack and for the forensic investigation stage, and even for future legal proceedings. Maintaining the chain of custody ensures credibility should law enforcement or the courts become involved.
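One way to keep the evidence record the step above calls for tamper-evident is a hash-chained custody log: each entry stores the SHA-256 of the collected item and the hash of the previous entry, so editing or deleting any earlier record breaks verification. The following is an added example (not code from the original article or from ESET); the item identifiers, analyst name and evidence bytes are constructed sample values.

```python
"""Tamper-evident chain-of-custody log for evidence collected during an
incident. Added example; not part of the original article. Item ids,
analyst names and evidence contents below are constructed samples."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory evidence item (e.g. a log export)."""
    return hashlib.sha256(data).hexdigest()


def record_hash(body: dict) -> str:
    """Hash a record body over canonical JSON so key order cannot alter it."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return sha256_bytes(canonical.encode("utf-8"))


class CustodyLog:
    GENESIS = "0" * 64  # prev_record_hash of the very first entry

    def __init__(self):
        self.records = []

    def add(self, item_id, description, collected_by, content: bytes, when=None):
        """Append one custody entry linked to the previous one."""
        prev = self.records[-1]["record_hash"] if self.records else self.GENESIS
        body = {
            "item_id": item_id,
            "description": description,
            "collected_by": collected_by,
            "collected_at": (when or datetime.now(timezone.utc)).isoformat(),
            "evidence_sha256": sha256_bytes(content),
            "prev_record_hash": prev,
        }
        record = dict(body)
        record["record_hash"] = record_hash(body)
        self.records.append(record)
        return record

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index)
        of the first record whose content or linkage no longer checks out."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "record_hash"}
            if body["prev_record_hash"] != prev or record_hash(body) != rec["record_hash"]:
                return False, i
            prev = rec["record_hash"]
        return True, None

    def item_matches(self, item_id, content: bytes) -> bool:
        """Re-hash an evidence item to confirm it is the one that was logged."""
        return any(r["item_id"] == item_id and r["evidence_sha256"] == sha256_bytes(content)
                   for r in self.records)


def demo():
    """Build a two-entry log from constructed evidence and verify it."""
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    log = CustodyLog()
    log.add("E-001", "memory image, workstation WS-17", "analyst.a", b"constructed memory image", t0)
    log.add("E-002", "firewall log export", "analyst.a", b"constructed firewall log", t0)
    return log


if __name__ == "__main__":
    log = demo()
    print("chain intact:", log.verify())
    log.records[0]["description"] = "edited after the fact"
    print("after tampering:", log.verify())
```

Only the analyst who appends entries needs write access to the log; anyone handed a copy can run `verify()` and re-hash the evidence files to confirm nothing changed between collection and handover.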
2. Notify third parties: Once it has been established what happened, it is necessary to inform the relevant authorities.
• Regulators: If personally identifiable information (PII) has been stolen, you must contact the appropriate authorities under data protection or industry-specific laws. In the United States, for example, you must act in accordance with the SEC’s cybersecurity disclosure rules or state breach laws.
• Insurers: Most insurance policies will stipulate that you notify your insurer as soon as a breach has occurred.
• Customers, partners, and employees: Transparency builds trust and helps prevent misinformation. It is best to inform them before information spreads through social media or the news.
• Law enforcement agencies: Reporting incidents, especially ransomware, can help identify larger campaigns and sometimes provide decryption tools or intelligence support.
• External experts: It may also be necessary to contact external legal and IT specialists.
3. Isolate and contain: While maintaining contact with relevant third parties, work quickly to prevent the attack from spreading. It is recommended to isolate affected systems from the internet without powering down devices, to limit the attacker’s reach without compromising potentially valuable evidence.
All backups should be taken offline and disconnected to prevent them from being hijacked or corrupted by ransomware. Disable all remote access, reset VPN credentials, and use security tools to block any incoming malicious traffic and command-and-control (C2) connections.
4. Remove and Recover: A forensic analysis must be performed to understand the attacker’s tactics, techniques, and procedures (TTPs), from initial entry to lateral movement and (if applicable) encryption or data exfiltration. Any persistent malware, backdoors, fraudulent accounts, and other indicators of compromise must be removed. Recovery and restoration require removing malware and unauthorized accounts, verifying the integrity of critical systems and data, restoring clean backups (after confirming they are not compromised), and closely monitoring for signs of renewed compromise or persistence mechanisms.
This phase can be used to rebuild systems and strengthen privilege controls, implement stricter authentication, and reinforce network segmentation. To accelerate the process, partners offering tools such as ESET Ransomware Remediation can be engaged.
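Step 4 asks for the integrity of critical systems and backups to be verified before anything is restored. The usual way to do that is to compare a hash manifest of the restore candidate against a baseline taken when the system was known good, and to treat any added, missing or modified file as something to explain before restoring. The code below is an added example, not from the original article or from ESET; the directory layout and file contents in `demo()` are constructed samples, and the baseline is assumed to have been stored somewhere the attacker could not reach.

```python
"""Baseline-versus-current file integrity check. Added example; not part of
the original article. The sample tree built in demo() is constructed."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a planted link cannot make a foreign file look local."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify differences between a trusted baseline and the restore candidate."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def is_clean(diff: dict) -> bool:
    """True only when the candidate matches the baseline file-for-file."""
    return not (diff["added"] or diff["missing"] or diff["modified"])


def demo() -> dict:
    """Build a constructed tree, snapshot it, alter it, and report the drift."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "bin" / "service").write_bytes(b"constructed binary")
        baseline = build_manifest(root)  # would be stored offline in practice
        # Constructed drift: one config file changed, one unexpected file present.
        (root / "etc" / "app.conf").write_text("listen=443\nallow=0.0.0.0/0\n")
        (root / "bin" / "extra").write_bytes(b"constructed unexpected file")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    diff = demo()
    print(diff)
    print("clean:", is_clean(diff))
```

A non-empty `modified` or `added` list is not proof of compromise on its own (a patch applied after the baseline produces the same signal), but it is exactly the set of files the forensic team needs to account for before the backup is declared clean.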
5. Review and Improve: Once the immediate danger has passed, it is time to review obligations to regulatory bodies, customers, and other stakeholders (partners and suppliers). Communications need to be updated once the full scope of the breach is understood, which could include filing a report with regulatory bodies. This initiative should be driven by legal and public relations advisors.
The post-incident review can be a catalyst for resilience. Once the situation has calmed, it is also a good idea to investigate what happened and what lessons can be learned to prevent a similar incident from occurring in the future. A useful step would be to adjust the incident management plan or recommend new security controls and employee training.
A strong incident response culture treats each breach as a training exercise for the next, improving defenses and decision-making under stress. “It’s not always possible to prevent a breach, but it is possible to minimize the damage. If your organization doesn’t have the resources to monitor threats 24/7, consider hiring a managed detection and response (MDR) service from a trusted third party. Whatever happens, test your incident response plan, and then test it again. Because successful incident response isn’t just an IT issue. It requires a range of stakeholders from across the organization and external partners to work together seamlessly. The kind of muscle memory everyone needs often takes a lot of practice to develop”, concludes Gutiérrez Amaya of ESET Latin America.
