Data Exfiltration Incident Response Plan: What to Do When Data Is Leaving
Mandiant's 2024 M-Trends report found that the median dwell time for data exfiltration attacks — the time between initial compromise and detection — is 10 days. In that window, attackers can extract terabytes of sensitive data. When your security team discovers data leaving your network, the response in the first four hours determines whether the incident is a contained event or a catastrophic breach. This plan provides the exact steps to execute from detection through to remediation and regulatory notification.
10-day median dwell time for exfiltration attacks (Mandiant, 2024). The first 4 hours of response are critical.
Hour 0–1: Detection and Initial Containment
The moment an exfiltration event is detected — whether through BlackFog ADX (anti data exfiltration) alerts, network monitoring anomalies, or SIEM correlation — the priority is immediate containment without destroying forensic evidence. Do not shut down affected systems. Instead, isolate them at the network level to halt ongoing data transfer while preserving memory, logs, and disk state for investigation. Invoke your incident response plan and designate an incident commander. Establish a secure out-of-band communications channel — assume your primary email and messaging systems may be compromised.
- Network-isolate affected systems immediately — do not power off (preserves forensic state)
- Block the identified exfiltration destination at the firewall/proxy level
- Invoke incident response plan — designate incident commander
- Establish secure communications channel (out-of-band: personal phones, separate messaging platform)
- Begin incident log — timestamped record of all actions taken from this point forward
- Notify senior management and legal counsel within the first hour
Hour 1–4: Scope Assessment
With containment in place, the next priority is understanding the scope of the exfiltration. What data was accessed? What volume was transferred? Over what time period? To what destination? Was the exfiltration automated (suggesting a sophisticated attacker) or manual (suggesting insider threat or opportunistic access)? This assessment drives every downstream decision: whether regulatory notification is required, which individuals must be notified, and what remediation is needed. Work with your forensic team or engage an external incident response firm if in-house capability is insufficient.
- Identify all systems accessed by the compromised account or attacker tooling
- Quantify data volume transferred — network logs, proxy logs, endpoint ADX records
- Determine the time window of exfiltration — when did it start, when was it detected?
- Classify the data types involved: PII, financial, health, credentials, intellectual property
- Identify the exfiltration destination — known criminal infrastructure, nation-state, or unknown
- Assess whether the exfiltration is ongoing or has concluded
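A helper that answers the volume, source-host, time-window and "is it still running" questions from this list over proxy logs, as an added example (not code from the article or from BlackFog); the four-field log layout, the host names and the 15-minute "ongoing" window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample proxy log (not real data); layout assumed as
# "<UTC timestamp> <source host> <destination host> <bytes sent>".
SAMPLE_LOG = """\
2024-05-01T02:14:07Z ws-finance-12 storage.example-drop.net 524288000
2024-05-01T02:31:55Z ws-finance-12 storage.example-drop.net 1073741824
2024-05-01T03:02:10Z ws-finance-12 cdn.legit-vendor.example 18432
2024-05-02T01:47:33Z srv-hr-db-01 storage.example-drop.net 2147483648
2024-05-02T02:05:12Z srv-hr-db-01 storage.example-drop.net 3221225472
"""

def parse_ts(value):
    """Parse the log's UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def assess_scope(log_text, destination, now, ongoing_window=timedelta(minutes=15)):
    """Scope one exfiltration destination: which hosts sent data, how much,
    over what window, and whether transfers are still occurring
    (any transfer within `ongoing_window` of `now`)."""
    total = 0
    by_source = defaultdict(int)
    first = last = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, src, dst, nbytes = line.split()
        if dst != destination:
            continue
        ts = parse_ts(ts_text)
        total += int(nbytes)
        by_source[src] += int(nbytes)
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    return {
        "destination": destination,
        "total_bytes": total,
        "total_gib": round(total / 2**30, 2),
        "sources": dict(by_source),  # feeds "identify all systems accessed"
        "first_seen": first,
        "last_seen": last,
        "ongoing": last is not None and now - last <= ongoing_window,
    }

if __name__ == "__main__":
    print(assess_scope(SAMPLE_LOG, "storage.example-drop.net", parse_ts("2024-05-02T02:10:00Z")))
```

Run it against the destination identified in hour 0; a non-empty `sources` map with `ongoing` still true means the containment step has not fully closed the channel.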
Hour 4–24: Investigation and Notification Decisions
By hour four, you should have a working understanding of the breach scope. Now the legal and regulatory clock begins in earnest. Under GDPR, if the exfiltrated data includes personal data and there is a risk to individuals, you must notify your supervisory authority (ICO in the UK, IDPC in Malta) within 72 hours. If the risk to individuals is "high" — which it almost certainly is if identity documents, financial data, or health records are involved — direct notification to affected individuals is also required. Your legal counsel should be leading these decisions with input from the technical investigation team.
- GDPR assessment: does the exfiltrated data include personal data? If yes, the 72-hour clock is running
- Determine if direct individual notification is required (high risk to rights and freedoms)
- Engage external forensic investigators if not already involved
- Preserve all logs under legal hold — ensure no automated log rotation destroys evidence
- Begin root cause investigation: how did the attacker gain access?
- Prepare draft notification to supervisory authority with known facts
Day 1–7: Remediation and Recovery
With the immediate crisis contained and notifications in progress, focus shifts to closing the vulnerability that allowed the exfiltration and hardening defences against recurrence. This includes patching the exploited vulnerability, resetting all potentially compromised credentials, reviewing and tightening access controls, and deploying or strengthening anti-data exfiltration controls. BlackFog should be deployed on all endpoints if not already present — the incident has proven that existing controls were insufficient to prevent data from leaving the network.
- Patch the exploited vulnerability or close the access vector used by the attacker
- Force password reset for all accounts that may have been compromised
- Review and restrict privileged access — apply principle of least privilege
- Deploy BlackFog ADX on all endpoints to prevent future exfiltration
- Submit formal GDPR notification to supervisory authority if required
- Issue individual notifications to affected persons with specific guidance
Day 7–30: Post-Incident Review and Improvement
Every exfiltration incident should produce a detailed post-incident review that drives measurable security improvements. This is not a blame exercise — it is a systematic analysis of what failed, what worked, and what must change. The review should cover detection capability (how long was the attacker active before detection?), containment speed (how quickly was the exfiltration stopped?), communication effectiveness (were the right people notified at the right time?), and control gaps (what technology or process would have prevented the incident?). Document findings and track remediation actions to completion.
- Conduct formal post-incident review with all involved teams
- Quantify detection delay: dwell time from initial access to detection
- Quantify containment time: detection to exfiltration stopped
- Identify control gaps that allowed the exfiltration to occur
- Create remediation action plan with owners and deadlines
- Update incident response plan based on lessons learned
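The detection-delay, containment-time and notification-timeliness figures from this review, computed from the timestamped incident log begun in hour 0, as an added example (not the article's or BlackFog's code); the milestone names and the timeline are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed incident timeline (not real data). Milestone names are assumed:
# initial_access comes from the root-cause investigation, the rest from the
# timestamped incident log started at hour 0.
SAMPLE_TIMELINE = """\
2024-04-22T09:12:00Z initial_access
2024-05-02T02:08:00Z detected
2024-05-02T02:20:00Z isolated
2024-05-02T02:25:00Z exfil_stopped
2024-05-02T02:40:00Z aware_personal_data
2024-05-04T16:00:00Z authority_notified
"""

def parse_timeline(text):
    """Map each milestone name to an aware UTC datetime."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            ts, name = line.split()
            events[name] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return events

def review_metrics(events, median_dwell=timedelta(days=10)):
    """Review figures: dwell time (initial access to detection), containment
    time (detection to exfiltration stopped) and whether the GDPR 72-hour
    supervisory-authority deadline, counted from awareness, was met."""
    dwell = events["detected"] - events["initial_access"]
    containment = events["exfil_stopped"] - events["detected"]
    deadline = events["aware_personal_data"] + timedelta(hours=72)
    notified = events.get("authority_notified")  # absent while still pending
    return {
        "dwell_days": dwell.total_seconds() / 86400,
        "within_median_dwell": dwell <= median_dwell,  # against the 10-day figure
        "containment_minutes": containment.total_seconds() / 60,
        "gdpr_deadline": deadline,
        "notified_on_time": notified is not None and notified <= deadline,
        "notification_overdue": notified is None and datetime.now(timezone.utc) > deadline,
    }

if __name__ == "__main__":
    print(review_metrics(parse_timeline(SAMPLE_TIMELINE)))
```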
Frequently Asked Questions
Should we negotiate with the attacker?
Engage legal counsel and potentially law enforcement before any contact with attackers. If the attacker is a sanctioned entity, payment may be illegal. Law enforcement universally advises against paying ransoms as it funds further criminal operations and does not guarantee data deletion.
How quickly must we notify the ICO/IDPC?
Under GDPR, within 72 hours of becoming aware that personal data has been compromised. "Aware" means when you have reasonable certainty — not when the investigation is complete. Submit a preliminary notification with known facts and supplement it as the investigation progresses.
What if we are not sure what data was exfiltrated?
If you cannot determine with confidence what data was taken, assume the worst case based on what the attacker had access to. GDPR requires notification based on likelihood of risk, not confirmed data loss. Err on the side of over-reporting rather than under-reporting.
Build your exfiltration response plan with our team
Kyanite Blue is an authorised BlackFog partner. We deploy, manage, and support ADX for organisations across every sector.
Ready to stop data exfiltration?
Start with a free 30-day BlackFog assessment — 25 devices, no obligation.