How to reduce cyber incident response time
Resposta direta
Reduce incident response time by shortening two metrics: the time to detect (MTTD) and the time to respond/contain (MTTR). In practice this requires pre-approved playbooks, containment automation (SOAR), continuous monitoring (24/7 SOC) and an IR team on standby. Decisions rehearsed before the incident eliminate the hesitation that costs hours. Decripte operates with a critical-incident containment SLA of up to 1 hour.
Principais conclusões
- ›Time is the metric that defines incident response: reducing MTTD and MTTR directly reduces the damage, because every hour the attacker stays widens the leak.
- ›Most of the response-time reduction is won before the incident — with pre-approved playbooks, SOAR automation, 24/7 detection and an IR retainer with an SLA.
- ›Containing fast and preserving evidence are not opposites: isolate the host instead of powering it off and capture the memory before any destructive remediation.
- ›Notification to the ANPD within 3 business days depends on the technical risk assessment from incident response — IR, DPO and legal must operate in an integrated way from the first hour.
What incident response is and why MTTR is the metric that matters
Incident response (IR) is the structured process of identifying, containing, eradicating and recovering from a security event — a ransomware attack, a credential leak, an intrusion in a cloud environment or an application compromise. The goal is not just to "solve the problem", but to limit the damage, preserve evidence and restore operations with the least possible financial, legal and reputational impact. NIST SP 800-61 and ISO/IEC 27035 define IR as a continuous capability, not an improvised reaction on the day of the attack.
The metric that separates a mature IR program from an amateur one is time. Two indicators govern everything: MTTD (Mean Time To Detect) and MTTR (Mean Time To Respond or To Recover). The longer the interval between the initial compromise and containment, the more time the attacker has to escalate privileges, move laterally, exfiltrate data and install persistence. In ransomware attacks, the window between initial access and mass encryption is frequently measured in hours — not days.
Reducing MTTR is not merely an exercise in operational efficiency; it is a direct reduction of loss. Every hour of dwell time (the attacker's time in the environment) increases the volume of exposed data, the number of affected systems and the cost of remediation. That is why Decripte structures its IR contracts around a critical-incident containment SLA of up to 1 hour: the first hour is where you win or lose control of the incident.
The incident lifecycle: the six NIST phases
The NIST SP 800-61 framework organizes incident response into phases that form a continuous cycle. The first is preparation: building the team (CSIRT), defining roles and responsibilities, writing playbooks, procuring detection tools, establishing communication channels and training with simulations (tabletop exercises). Most of the MTTR reduction happens here — before any incident — because decisions already made do not consume time during the crisis.
The following phases are detection and analysis (identifying the event, triaging it, determining scope and severity) and containment, eradication and recovery. Containment isolates the vector: segmenting the network, disabling compromised accounts, blocking malicious IPs, isolating hosts. Eradication removes the root cause — malware, backdoors, ghost accounts, exploited vulnerabilities. Recovery restores systems from validated backups and confirms, with reinforced monitoring, that the attacker does not remain in the environment.
The sixth phase — lessons learned (post-incident activity) — is the most neglected and the one that most reduces the response time of future incidents. Within two weeks of closure, the team documents the timeline, identifies detection and process failures, updates playbooks and adjusts controls. Without this feedback loop, the organization repeats the same mistakes and never improves its MTTR. The NIST cycle is deliberately circular: each incident feeds the preparation for the next.
How to reduce response time in practice
The number-one lever is the existence of pre-approved playbooks and runbooks. A playbook describes the strategy for a class of incident (e.g., ransomware, business email compromise, data leak); a runbook is the technical, executable sequence of commands and actions for a specific task (e.g., isolate a host in the EDR, revoke OAuth tokens, run a threat-hunting query). With the decision and authorization already built into the playbook, the analyst executes rather than hesitates — and hesitation is what costs the most precious minutes during an incident.
The second lever is automation. SOAR (Security Orchestration, Automation and Response) platforms execute containment actions in seconds: isolate an endpoint, block an indicator of compromise (IoC) on the firewall, disable an account in the directory, open the ticket and notify the team. What would take a human 20 minutes to do manually, SOAR does in seconds — and immune to typos under stress. Automate the containment of low-risk, reversible actions; reserve human judgment for the irreversible decisions.
The third lever is continuous detection: a SOC operating 24/7 with well-tuned SIEM/EDR shortens the MTTD, because the MTTR clock can only start running after the incident is noticed. Add proactive threat hunting — hunting for signs of compromise before they trigger an alert — to find the silent attacker. Finally, keep an IR team on standby (retainer) with a contractual SLA: the difference between starting to respond in 1 hour and starting in 2 days is often the difference between a contained incident and a large-scale data breach.
Notification to the ANPD and legal obligations under the LGPD
Under the General Data Protection Law (LGPD), when a security incident may entail relevant risk or harm to data subjects, the controller is required to notify the National Data Protection Authority (ANPD) and the affected data subjects. Resolution CD/ANPD No. 15/2024 set the deadline: the communication to the ANPD must be made within 3 business days from becoming aware that the incident affected personal data and may generate relevant risk. This deadline is tight and requires the risk-assessment process to already be designed before the incident happens.
The communication has mandatory minimum content: the description of the nature of the affected personal data, the number of data subjects involved, the technical and security measures adopted, the risks related to the incident and the measures taken to reverse or mitigate the effects. When it is not possible to gather all the information within the deadline, the LGPD allows a preliminary (partial) communication followed by a supplement — but total silence is not an option. The good faith and timeliness of the notification are factors the ANPD weighs when calibrating any sanctions.
It is a strategic mistake to treat notification as a purely legal problem. The decision to notify depends on the technical risk assessment — which data leaked, in what volume, whether it was encrypted, whether there is evidence of actual exfiltration — that comes directly from incident response. That is why the IR team, the DPO and the legal team must operate in an integrated way from the very first hour. Well-executed forensics do not serve only to contain the attack; they produce exactly the facts that the ANPD communication requires.
Forensics and chain of custody: preserving the evidence in the first hours
Forensic analysis reconstructs what happened: how the attacker got in, what they accessed, what they exfiltrated and whether they still remain in the environment. But forensics is only reliable if the evidence is preserved correctly — and the window for that is short. Volatile memory (RAM), active network connections, running processes and rapidly rotating logs disappear in minutes or hours. The order of volatility (RFC 3227) determines what to collect first: data in memory before data on disk, ephemeral data before persistent data.
The chain of custody is the documented, unbroken record of who collected each piece of evidence, when, how and where it was stored. Each artifact must be copied bit by bit (forensic image), have its cryptographic hash (SHA-256) computed and recorded, and be kept in access-controlled storage. Without an intact chain of custody, evidence loses its probative value — which matters both for a potential lawsuit and for demonstrating diligence to the ANPD or to an affected customer.
There is a real tension between containing fast and preserving well: powering off a machine to stop the attack can destroy volatile evidence. The mature response does not choose between the two — it isolates the host from the network (preserving the state for collection) instead of simply powering it off, and captures the memory image before any destructive remediation. This discipline must be in the runbooks, because under pressure the team's natural tendency is to "pull the cable" and destroy the very evidence they will need later.
When to bring in an external IR team and what to require
Bring in an external incident response team when the incident exceeds internal capacity — and this happens sooner than most admit. Clear signs: active ransomware with encryption in progress, evidence of exfiltration of personal or financial data, compromise of administrative or domain credentials, suspicion of an advanced persistent threat (APT), or any incident that requires forensics defensible in court or notification to the ANPD. If the internal team is improvising, it is already past time to call in specialists — hesitation out of operational pride costs hours of dwell time.
Ideally, you do not hire IR in the middle of the crisis; you hire beforehand, in the form of a retainer (standby contract) with a defined containment SLA. Seeking a vendor during the incident — negotiating the contract, onboarding, granting access to systems with the attacker still inside — adds days to the MTTR precisely when every minute counts. A retainer guarantees prior access to the environment, knowledge of the architecture and an immediate start to the response, without commercial friction at the worst possible moment.
When hiring, require non-negotiable items: an engagement and containment SLA in hours (not in "business days"), 24/7/365 availability, a team with forensic competence and a defensible chain of custody, experience in your sector (fintech, crypto, e-commerce have distinct vectors and regulatory obligations), and delivery of a post-incident report with a timeline, root cause and actionable recommendations. Decripte operates with a critical-incident containment SLA of up to 1 hour and delivers forensics fit to support both the ANPD communication and potential litigation.
Passo a passo: como reduzir o tempo de resposta
- Build and train a CSIRT with roles, decision authority and communication channels defined before any incident.
- Write playbooks by incident class and executable technical runbooks, with the containment authorizations already pre-approved.
- Implement continuous detection (SIEM/EDR) with a 24/7 SOC to shorten the time to detect (MTTD).
- Automate reversible containment actions with SOAR — isolating hosts, blocking IoCs and disabling accounts in seconds.
- Establish a retainer with an external IR team with a containment SLA in hours, contracted before the crisis.
- Practice the response with simulation (tabletop) exercises and measure the MTTR at every real or simulated incident.
- Run the lessons-learned review within two weeks and feed it back into the playbooks and controls to reduce the time of the next incident.
Perguntas frequentes
How long do I have to notify the ANPD after an incident?
Under Resolution CD/ANPD No. 15/2024, the communication to the ANPD must be made within 3 business days from becoming aware that the incident affected personal data and may generate relevant risk to the data subjects. If you cannot gather all the information within that deadline, you can send a preliminary communication and supplement it later — but not notifying is not a legal option.
What is the difference between a playbook and a runbook?
A playbook describes the response strategy for a class of incident (for example, ransomware or a data leak), including who decides what and when to notify. A runbook is the technical, executable sequence of steps for a specific task, such as isolating a host or revoking tokens. The playbook says what to do; the runbook says exactly how to execute it.
What is MTTR in incident response?
MTTR is the mean time to respond or recover (Mean Time To Respond/Recover) — the interval between the detection of an incident and its containment or the restoration of operations. It is the central metric of incident response because every extra hour lets the attacker escalate privileges, move laterally and exfiltrate more data. Reducing MTTR directly reduces the loss.
What is the difference between MTTD and MTTR?
MTTD (Mean Time To Detect) is the mean time to notice that an incident is happening; MTTR (Mean Time To Respond/Recover) is the mean time to contain it or recover operations after it is detected. The two added together form the attacker's total dwell time. It is no use responding fast if detection takes days — you need to reduce both metrics together.
When should I hire an external incident response team?
Bring in an external team when the incident exceeds your internal capacity: active ransomware, exfiltration of personal data, compromise of administrative credentials or the need for court-defensible forensics. The ideal is to hire before the crisis, in the form of a retainer with a containment SLA in hours, avoiding the loss of days negotiating a contract and granting access while the attacker is still in the environment.
Why do I need to preserve forensic evidence in the first hours?
Volatile evidence — RAM, active network connections, running processes and rapidly rotating logs — disappears in minutes or hours. Without collecting it with an intact chain of custody (bit-by-bit image, SHA-256 hash and a record of who collected what), you lose the ability to reconstruct the attack, to notify the ANPD accurately and to support the evidence in potential litigation.
Sofreu um incidente ou quer um retainer de resposta com SLA de 1 hora?
A Decripte responde a incidentes 24x7, com forense apta a sustentar notificação à ANPD e litígio.
