You've been breached, but how? What was the original attack vector?
Just like Service: Breach Impact Assessment, the first step is to understand the sophistication of the attack and the attack vectors that were used. Together with the standard Tactics, Techniques and Procedures (TTP) normally associated with the type of attack, this indicates how likely it is that data exfiltration occurred.
Where possible, the likely threat actors are identified to understand the motivation and likely outcomes.
Root Cause Analysis projects the attack backwards in order to ascertain how the attack occurred.
In addition to examining the TTP for the evident attack, logs will be analysed in an attempt to trace the attack back to its origins.