Field incident response: the first 90 minutes

What to do in the first 90 minutes of a security incident, in the field, without enterprise resources.

This version was translated with AI assistance and reviewed by a human.

It’s 11:17 PM. A finance director calls, voice flat: an email signed by the CEO asked for an “urgent and confidential” wire, and she’s just realized it wasn’t him. First question I ask: “Did the wire go out?” Silence. “Yes, forty minutes ago.” Second question: “Is the computer still on, the email still open?” “No, I closed everything and rebooted to be safe.” That’s where the real losses start — not with the attack, but with the forty minutes of silence and the reboot that wiped everything.

The usual trap

Incident response, in most people’s minds, comes down to “call someone who’ll know what to do.” That sentence assumes two false things: that the someone exists and picks up, and that the early minutes don’t matter as long as you eventually reach the right person. Both are wrong. The person is almost never reachable within the hour, and the early minutes are precisely the ones that determine how bad it gets.

The second trap is the cleanup reflex. Facing a device acting strangely, an account sending mail on its own, a ransom note, the instinct says: close everything, reboot, run the antivirus, delete the suspicious file. Each of those gestures destroys evidence and, more often than not, stops nothing. The attacker isn’t in the room; they operate from a server on the other side of the planet, and shutting down your machine doesn’t disconnect them — it only erases what would have let you understand what they did.

The third trap, the most expensive, is the belief that incident response gets designed during the incident. NIST’s incident handling guide, SP 800-61, places preparation as the first phase of the cycle, before detection even. That’s not bureaucratic theory. When the incident hits, you no longer have the mental bandwidth to think: you execute what’s already decided, or you improvise badly. The first 90 minutes can’t be invented at 11:17 PM. They’re prepared on a quiet Tuesday afternoon, weeks earlier.

What actually happens in the first 90 minutes

An incident, in the field, never arrives in the clean form the manuals describe. It arrives as a doubt. “That email is weird.” “My laptop’s been crawling since this morning.” “Why am I logged out of all my accounts?” The first battle isn’t technical, it’s cognitive: recognizing that you might have an incident, and accepting to react as if you do before you’re certain. The cost of a false alarm treated seriously is low. The cost of a real incident treated as a false alarm is catastrophic.

The real field threat model fits in three families. First: account compromise. Credentials stolen by phishing (social engineering that pushes the target to disclose credentials or run code), reused from a breach, or captured together with a bypassed MFA (multi-factor authentication) code. The typical tells: logins from a country you’re not in, auto-forwarding rules created in the mailbox without your action, mail sent in your name. Second: device compromise. Malware, physical access during an absence, an implant installed. Tells: sudden slowness, battery melting, unknown apps, unexpected network connections. Third: social engineering fraud, of which CEO fraud (an attacker impersonating an executive to order an urgent wire) is the headline case: no malware, just a manipulated human carrying out the attacker’s action themselves.

These three families share one thing: time works against you, and not linearly. In the first minutes, the damage is containable — a session still open that you can revoke, a wire still queued that you can stop, an attacker still in the reconnaissance phase. Past a certain threshold, the attacker has consolidated: persistent access created, what they wanted exfiltrated, traces erased. The useful window is measured in tens of minutes, not days. That’s why the 90-minute framing holds: it’s not a magic number, it’s the order of magnitude of the window during which your actions still change the outcome.

Understand how an attacker exploits a compromised mailbox, because it’s the most common scenario and the worst handled. The first thing they do isn’t steal from you — it’s settle in. They create a silent forwarding rule that copies your incoming mail to an external address. They review your contacts, your wire history, the tone of your exchanges with accounting. They wait. Sometimes weeks. The day a real supplier invoice comes in, they act: they change the IBAN, reply in your place, and the wire goes to their account. You see nothing, because their replies are deleted from your “sent” folder as they go. By the time you discover the problem, the money is gone and the attacker already knows your next payment due. On a compromised device the mechanics differ but the logic is identical: the implant makes no noise, it watches, it waits for the moment you type the password that opens the real vault.
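The two mailbox tells named above, a sign-in from a country the owner is not in and a new rule that forwards incoming mail outside the organization, are also the two facts a first responder can check in the audit log before deciding whether the account is compromised. The script below is an added example, not code from the original article: it reads a constructed JSON-lines export with a hypothetical schema (`signin` events carrying a `country`, `inbox_rule_created` events carrying the rule’s `actions`), flags each tell, and rates the account critical when a forwarding or deleting rule appears within an hour of a foreign sign-in, which is the settle-in pattern described above. It goes slightly beyond the text by also flagging rules that delete incoming mail, a common companion to the forwarding rule because it hides bank and supplier confirmations from the victim. The internal domains and expected countries are assumptions to adapt; real tenants (Microsoft 365 unified audit log, Google Workspace login and admin audit) export the same facts under their own field names.

```python
"""Flag the two mailbox-compromise tells from the text in an audit export.

Added example, not code from the original page. The input is a constructed
JSON-lines log with a hypothetical schema; real tenants export the same facts
under vendor-specific field names and must be mapped into this shape first.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample: one finance mailbox showing the settle-in pattern, one
# ops mailbox with benign activity. Addresses and IPs use documentation ranges.
SAMPLE_LOG = """\
{"ts": "2024-03-04T08:02:11Z", "user": "cfo@example.com", "event": "signin", "country": "FR", "ip": "203.0.113.10"}
{"ts": "2024-03-04T08:40:53Z", "user": "cfo@example.com", "event": "signin", "country": "NG", "ip": "198.51.100.7"}
{"ts": "2024-03-04T08:43:09Z", "user": "cfo@example.com", "event": "inbox_rule_created", "rule": "Invoices", "actions": {"forward_to": ["acct-backup@mail-example.net"], "delete": true}}
{"ts": "2024-03-04T09:10:00Z", "user": "cfo@example.com", "event": "inbox_rule_created", "rule": "Newsletters", "actions": {"move_to": "Newsletters"}}
{"ts": "2024-03-04T09:30:00Z", "user": "ops@example.com", "event": "signin", "country": "FR", "ip": "203.0.113.12"}
{"ts": "2024-03-04T09:32:00Z", "user": "ops@example.com", "event": "inbox_rule_created", "rule": "Tickets", "actions": {"forward_to": ["helpdesk@example.com"]}}
"""

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organization's own mail domains
EXPECTED_COUNTRIES = {"FR"}          # assumption: where staff actually sign in from


def parse_events(text):
    """One JSON object per non-blank line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def find_indicators(events, expected_countries=EXPECTED_COUNTRIES):
    """Return one finding per tell: sign-in from an unexpected country,
    inbox rule forwarding outside the org, inbox rule deleting mail."""
    findings = []
    for e in events:
        base = {"user": e["user"], "ts": e["ts"]}
        if e["event"] == "signin" and e.get("country") not in expected_countries:
            findings.append({**base, "kind": "foreign_signin",
                             "detail": f"{e.get('country')} from {e.get('ip')}"})
        elif e["event"] == "inbox_rule_created":
            actions = e.get("actions", {})
            external = [a for a in actions.get("forward_to", []) if is_external(a)]
            if external:
                findings.append({**base, "kind": "external_forward",
                                 "detail": f"rule {e.get('rule')!r} -> {', '.join(external)}"})
            if actions.get("delete"):
                findings.append({**base, "kind": "rule_deletes_mail",
                                 "detail": f"rule {e.get('rule')!r} deletes incoming mail"})
    return findings


def triage(findings, window_minutes=60):
    """Rate each user. A forward/delete rule created within window_minutes
    after a foreign sign-in is the settle-in pattern: critical. A rule alone
    is high; a foreign sign-in alone is medium, since travel is possible."""
    by_user = defaultdict(list)
    for f in findings:
        by_user[f["user"]].append(f)
    verdicts = {}
    for user, items in by_user.items():
        signins = [parse_ts(i["ts"]) for i in items if i["kind"] == "foreign_signin"]
        rules = [parse_ts(i["ts"]) for i in items
                 if i["kind"] in ("external_forward", "rule_deletes_mail")]
        correlated = any(0 <= (r - s).total_seconds() <= window_minutes * 60
                         for s in signins for r in rules)
        if correlated:
            verdicts[user] = "critical"
        elif rules:
            verdicts[user] = "high"
        else:
            verdicts[user] = "medium"
    return verdicts


if __name__ == "__main__":
    found = find_indicators(parse_events(SAMPLE_LOG))
    for f in found:
        print(f"{f['ts']} {f['user']} {f['kind']}: {f['detail']}")
    for user, level in triage(found).items():
        print(f"{user}: {level}")
```

On the sample, the finance mailbox is rated critical (foreign sign-in followed three minutes later by a rule that both forwards to an external address and deletes the original), while the ops mailbox produces no finding because its forward stays inside the organization. The one-hour correlation window is a starting point, not a threshold to trust blindly: an attacker who waits a day before creating the rule still gets the high rating from the rule alone, which is the point of keeping the two tells separate.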

The trigger for the incident, in the field, is rarely a clean technical alert. It’s a supplier puzzled at not being paid while you have the wire order in front of you. It’s a colleague asking why you sent them a zip file at 3 AM. It’s the bank calling to confirm a wire you never initiated. In all these cases, the incident started well before you became aware of it — and the 90-minute clock doesn’t start at the intrusion, it starts at your realization. That’s exactly why detection matters so much: the earlier you discover it, the more of the useful window stays open. A company that finds the compromise through its own monitoring still holds cards. A company that finds it through the ransom note on its screens holds none.

The 90-minute routine: isolate, preserve, alert

The right approach fits in three verbs, executed in this order, and learned by heart before the incident: isolate, preserve, alert. The order isn’t negotiable, because each step protects the next. You isolate to stop the bleeding, you preserve so you can understand, you alert to mobilize the people who’ll decide what comes next. Most people do the reverse — they panic, clean up, then call — and lose all three benefits at once.

Isolate means cutting off the attacker’s access, not cutting the power. For a compromised account, work from a separate, clean device: change the primary mailbox password first (it’s the recovery account for everything else), then revoke every active session; Google, Apple and Microsoft all offer a “sign out of all devices.” A password change on its own does not reliably end every session, app password or connected-app token the attacker already holds, which is why the revocation isn’t optional, and while you’re in the settings, delete any forwarding rule or third-party app connection you didn’t create. For a compromised device: cut the network without shutting down. For a fraud in progress: call the bank to attempt a recall. Every minute counts, because a standard SEPA transfer can only be recalled for a limited period and only while the funds are still on the receiving account, and an instant transfer is settled in seconds and far harder to claw back.

Preserve means documenting before you touch. Photograph the screen with your phone (not a screenshot taken on the suspect machine): the fraudulent email, the ransom note, the abnormal behavior. Note the exact time you noticed the problem. Don’t delete anything, don’t “tidy up,” don’t empty the trash. These elements will serve three audiences: the forensics expert who’ll reconstruct the attack, the insurer who’ll demand proof of your diligence, and the regulator if personal data is involved. An incident well documented in the first hour is worth ten times an incident reconstructed from memory three days later.

Alert means mobilizing the right people in the right order, with the right information. Not an email lost in an inbox, but a phone call. The security contact, the forensics provider identified in advance, and depending on the case the bank, the insurer, leadership. The information to convey fits in four points: what (nature of the incident), when (detection time), what’s affected (accounts, devices, data), and what you’ve already done. A precise alert triggers a fast response; a vague alert triggers half an hour of questions.

One detail separates the prepared from everyone else: which channel do you alert through when the usual channel may be compromised? If your corporate mailbox is the subject of the incident, don’t write your alert inside that mailbox: the attacker would read it, and they’d know that you know. Use an out-of-band channel: a phone call, a text, an encrypted messenger like Signal on a clean device. This out-of-band principle holds for the whole crisis cell: until you’re certain your systems are clean, you assume the attacker is listening. It sounds paranoid right up until you realize the attacker actually read, in real time, the internal email where the CIO announced the remediation procedure, and accelerated their exfiltration accordingly.

That leaves the question of ordering in mixed cases, and that’s where plans hold or fold. A compromised device that was used to log into critical accounts implicates the first two families at once: you isolate the device from the network (without shutting it down), then handle the accounts from a separate, clean device, with password changes and session revocation, exactly as for an account compromise. A wire fraud triggered by a fraudulent email may signal either simple spoofing (the account isn’t compromised; the display name, the sender address or a look-alike domain is forged) or a real compromise of the sender’s account. When in doubt, treat the worse of the two: you block the wire, then you verify the integrity of the account in question. This discipline, always treating the most serious hypothesis consistent with what you observe, is what keeps you from “half-fixing” an incident that comes roaring back three days later.

What this means concretely

For you, as an individual

You don’t have a CISO to call at 11 PM. Your plan therefore comes down to three memorized reflexes, set up this week, for zero euros.

1. Know how to revoke your sessions and change your passwords from another device. Open, once and calmly, the security settings of your Google, Apple, or Microsoft account. Find the “sign out of all devices” button. Memorize the path. The night of an incident is not the time to learn it.

2. If you doubt a device: cut the network, don’t shut down, don’t clean up. Airplane mode, then breathe. You don’t run the antivirus, you don’t delete suspicious files, you don’t reboot. You take a photo of whatever looks wrong with your phone.

3. For a wire fraud: call your bank immediately, not tomorrow. A recent transfer can sometimes be recalled if not yet executed. You also call the person or contact involved through a different channel (phone, not the suspect email) to verify. The first 90 minutes determine the next 90 days: past that window, you’re managing consequences, not the incident.

For you, CISO / CIO

The shift to field incident response changes your framing on five points.

1. The plan is written before the incident, and it fits on two pages. Not an 80-page binder no one reads under stress. Two pages: who to call and in what order, with which numbers (memorized, not just saved), which systems to isolate first, what external communication to trigger, at what threshold to notify the data protection authority. NIST calls this the preparation phase; it’s the one that makes the other phases possible. Direct consequence: if that document doesn’t exist, it’s your action this week, not a quarterly project.

2. The forensics provider is chosen cold, not in the panic. Identify and contract, before the incident, a forensics firm or an MSSP reachable on call. The day you need them, you have neither the time to compare quotes nor the perspective to negotiate. Direct consequence: a retainer costs a few thousand euros a year; its absence costs the three silent days during which the evidence disappears.

3. Detection capability conditions everything else. You can only respond to incidents you can see. Without a SIEM (log aggregation, correlation and alerting), without EDR (endpoint detection and response) on workstations and servers, without alerts on abnormal logins, the incident is revealed to you by the attacker, through a ransom note or a wire gone, meaning too late. Direct consequence: the detection budget isn’t a comfort, it’s what turns a day-30 discovery into a useful window of a few hours.

4. Evidence preservation is a discipline, not a reflex. Train first responders, often IT support, sometimes an executive, to isolate without shutting down, not to restore before capture, and to document the time and nature of what they saw. A forensic image is taken before any remediation, never after. Direct consequence: without that discipline, you remediate blind and never know whether the attacker is still present or what they exfiltrated.

5. Crisis communication is part of the technical response. Who speaks, to whom, when. Employees, customers, the regulator, the insurer, sometimes the press. Under the GDPR, the supervisory authority must be notified within 72 hours of becoming aware of a personal-data breach, unless the breach is unlikely to result in a risk to the people concerned; that clock runs from awareness of the incident, not from its resolution. Direct consequence: a communication track absent from the plan turns a manageable incident into a reputation crisis and regulatory exposure.
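Point 4 above says first responders must capture before they restore. What a trained responder can capture in the field, without the forensics provider’s tooling, is the volatile state that a reboot destroys: running processes, open network connections, logged-in users, the ARP cache. The script below is an added example, not code from the original article or from any forensics vendor: it runs a fixed list of read-only commands on a Linux or macOS host, writes each output to a directory, and seals the set with a SHA-256 manifest and UTC timestamps so that the provider, the insurer and the regulator can later show the captures were not altered. It assumes an administrative shell (without it, `ss` and `netstat` omit process names) and records any missing tool rather than aborting. Run it immediately after the network is cut and before any remediation, then copy the directory to removable media. It is not a substitute for the memory and disk images the provider will take; it exists because those images are usually taken hours later, by which time the volatile state is gone.

```python
"""Capture volatile state from a suspect host and seal it with a hash manifest.

Added example, not code from the original page. Assumes a Linux or macOS host
and an administrative shell; tools absent from PATH are recorded as missing.
"""
import hashlib
import json
import os
import platform
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone

# Most volatile first. Linux and macOS variants are both listed; whichever is
# absent on a given host is simply recorded as missing.
CAPTURES = [
    ("date", ["date", "-u"]),
    ("sockets_ss", ["ss", "-tunap"]),
    ("sockets_netstat", ["netstat", "-an"]),
    ("processes", ["ps", "aux"]),
    ("logged_in", ["who"]),
    ("recent_logins", ["last", "-n", "50"]),
    ("arp_cache", ["arp", "-an"]),
    ("mounts", ["mount"]),
]


def utc_now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def capture_volatile(outdir=None, timeout=30):
    """Run each capture, write its output, hash it; return (outdir, manifest)."""
    outdir = outdir or tempfile.mkdtemp(prefix="triage-")
    manifest = {"host": platform.node(), "system": platform.platform(),
                "started_utc": utc_now(), "captures": {}}
    for name, cmd in CAPTURES:
        record = {"command": " ".join(cmd), "captured_utc": utc_now()}
        if shutil.which(cmd[0]) is None:
            record["status"] = "tool_missing"
            manifest["captures"][name] = record
            continue
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
            output = proc.stdout + proc.stderr
            record["status"] = "ok" if proc.returncode == 0 else f"exit_{proc.returncode}"
        except subprocess.TimeoutExpired:
            output = ""                     # partial output is discarded, not trusted
            record["status"] = "timeout"
        path = os.path.join(outdir, f"{name}.txt")
        with open(path, "w") as fh:
            fh.write(output)
        record["file"] = f"{name}.txt"
        record["sha256"] = sha256_file(path)
        manifest["captures"][name] = record
    manifest["finished_utc"] = utc_now()
    with open(os.path.join(outdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return outdir, manifest


def verify_manifest(outdir):
    """Recompute hashes; return names of captures that are missing or altered."""
    with open(os.path.join(outdir, "manifest.json")) as fh:
        manifest = json.load(fh)
    bad = []
    for name, record in manifest["captures"].items():
        if "sha256" not in record:
            continue
        path = os.path.join(outdir, record["file"])
        if not os.path.isfile(path) or sha256_file(path) != record["sha256"]:
            bad.append(name)
    return sorted(bad)


if __name__ == "__main__":
    out, m = capture_volatile()
    for name, rec in m["captures"].items():
        print(f"{name:16} {rec['status']:12} {rec.get('sha256', '')[:16]}")
    print("written to", out, "- intact:", verify_manifest(out) == [])
```

Two caveats a responder should know. Running anything on the suspect host changes it a little (a few processes, a few file writes), which is far less than a reboot but still worth noting in the incident log, with the time the script was run. And the outputs may contain personal data and session details, so the directory is handled with the same confidentiality as the rest of the evidence, and the manifest is what you hand over first: `verify_manifest` recomputes every hash and names any file that no longer matches.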

For you, as an executive

You get the call on a Sunday night. Something has burned — a compromised account, a wire gone out, a ransom note on the screens. In the first 90 minutes, your role isn’t technical. You don’t touch a keyboard. Your role is decision and communication, and it plays out almost entirely on choices you should have settled beforehand.

Three questions need a written answer before it happens. If you discover them at 11 PM, you improvise, and improvising under shock is the worst possible adviser.

Who runs the crisis? Not you. An executive who grabs the technical helm of an incident disorganizes everyone and makes himself unavailable for what only he can do. Designate, cold, a crisis lead — internal or a provider — with the authority to act without asking you for every move. Your job is to back them, not replace them.

Who speaks to the outside? One voice. Employees, customers, partners, press: everything goes through one person and one approved message. The worst scenario isn’t the incident, it’s three contradictory versions going out in parallel because no one had said who speaks. Decide it now, in writing.

At what point do we notify customers and authorities? This isn’t a comfort choice, it’s a regulatory answer. When personal data is touched, the notification clock runs from the moment you know, not from the resolution. The trigger threshold and the recipients are defined cold, with your legal team, not in the panic of a Sunday night.

The worst decision is the one improvised under shock, at 11 PM on a Sunday, without having had the conversation first. That conversation takes an hour, on a quiet Tuesday. Have it while nothing is happening. It’s the only time you’ll think clearly.

Mistakes we see all the time

  • Waiting to be sure before acting. The doubt is the signal. Treating a false alarm seriously costs half an hour; treating a real incident as a false alarm costs the company.
  • Shutting down or rebooting the suspect device. You lose everything that lived only in RAM (running processes, live network connections, decrypted keys), which is often the only evidence of what the attacker did, and you don’t stop an attacker operating remotely through the access they already created.
  • Cleaning up yourself. Running the local antivirus (possibly already neutralized), deleting suspect files, restoring servers: all gestures that erase traces and sometimes spread the compromise.
  • Notifying by email instead of calling. An email in the CISO’s inbox on a Friday night means zero response before Monday. And if the mailbox is itself compromised, the attacker reads your alert.
  • Staying silent out of fear of consequences. The undeclared incident is always worse than the declared one: no remediation, no insurance coverage, and a clear breach of duty toward the regulator.
  • Improvising forensics and communication. With no identified provider and no written communication track, you lose the first hours figuring out who to call and what to say — exactly the hours that count.

Actionable checklist

  • N1 Know how to revoke sessions and change passwords from a separate, clean device
  • N1 If you doubt a device: cut the network, don't shut down, don't clean up
  • N1 Photograph the screen and note the detection time before touching anything
  • N1 For wire fraud: call the bank immediately and verify through a different channel
  • N2 Two-page written incident plan: who to call, in what order, what to isolate, what communication
  • N2 Key numbers memorized (security, bank, lawyer), not just saved in the phone
  • N2 Forensics provider or MSSP identified and contracted on call before the incident
  • N2 First responders trained to isolate without shutting down and to preserve evidence
  • N2 Crisis communication track and breach-notification thresholds defined in advance
  • N3 Detection in place (endpoint EDR, SIEM, abnormal-login alerts) and MTTD/MTTR tracked
  • N3 Annual tabletop incident exercise, timed, with the real actors

Further reading

The reference framework remains the NIST incident handling guide (SP 800-61), which structures the response into four phases: preparation, detection and analysis, containment, eradication and recovery, and lessons learned. ENISA, the EU cybersecurity agency, publishes an equivalent good-practice guide for the European context, useful in particular for connecting the technical response to notification obligations.

On Shield, three companion reads round this out. The exposed executive: a specific threat model details why social-engineering fraud targets the top of the org chart first. Corporate travel policy frames the procedures to define before a staffer leaves carrying sensitive data. And Return from mission: decontamination handles the special case of a device potentially compromised during travel — the logical sequel to an incident detected in the field.
