5 things to do after discovering a cyberattack

When every minute counts, preparation and precision can mean the difference between disruption and disaster

Ground zero: 5 things to do after discovering a cyberattack

Network defenders are feeling the heat. The number of data breaches Verizon investigated last year, as a share of overall incidents, was up 20 percentage points on the previous year. This need not be as catastrophic as it sounds, as long as teams are able to respond rapidly and decisively to intrusions. But those first minutes and hours are critical.

Preparation is the key to effective incident response (IR). Although every organization (and incident) is different, you don’t want to be making stuff up on the fly once the alarm bells have begun ringing. If everyone in the incident response team knows exactly what to do, there’s more chance of a swift, satisfactory and low-cost resolution.

The need for speed

Once threat actors get inside your network, the clock is ticking. Whether they are after sensitive data to steal and ransom, or want to deploy ransomware or other malicious payloads, the key is to stop them before they’re able to reach your crown jewels. This is becoming more challenging.

The latest research claims that adversaries progressed from initial access to lateral movement (aka “breakout time”) 22% faster in 2024 than the previous year. The average breakout time was 48 minutes, although the fastest recorded attack was almost half that: just 27 minutes. Could you respond to a security breach in under half an hour?

Meanwhile, the average time it takes global organizations to detect and contain a breach is 241 days, according to IBM. There’s a major financial incentive for getting IR right. Breaches with a lifecycle under 200 days saw costs drop by around 5% this year to US$3.9 million, while those over 200 days cost over US$5 million, the report claims.

Figure: Ransomware detections from June 2024 to May 2025 (source: ESET Threat Report H1 2025)

5 steps to take following a breach

No organization is 100% breach-proof. If you suffer an incident and suspect unauthorized access, work swiftly, but also methodically. These five steps can help guide your first 24 to 48 hours. Be aware too that some of these steps should happen concurrently. The focus should be on speed but also thoroughness, without compromising accuracy or evidence.

1. Gather information and understand scope

The first step is to understand exactly what just happened and set to work on a response. That means activating your pre-built IR plan and notifying the team. This group should include stakeholders from across the business, including HR, PR and communications, legal and executive leadership. They all have an important part to play post-incident.

Next, work out the blast radius of the attack:

  • How did your adversary get inside the corporate network?
  • Which systems have been compromised?
  • What malicious actions have the attackers already taken?

You’ll need to document every step and collect evidence, not just to assess the impact of the attack but also for forensic investigation and, possibly, legal proceedings. Maintaining chain of custody ensures the evidence remains credible if law enforcement or courts need to be involved.
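As an added example (not from the article), a minimal chain-of-custody ledger in Python: each artifact is hashed at acquisition, every handover is logged, and a later verification re-hashes the file to show whether it has been altered since collection. All function names and the sample log line are assumed for illustration.

```python
"""Chain-of-custody ledger for incident evidence (hypothetical helper, added here
as an example). Hash on acquisition, log every transfer, re-hash to verify."""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large disk images are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def collect(ledger: list, path: Path, collector: str, note: str) -> dict:
    """Record an artifact at acquisition time: who took it, when, and its hash."""
    entry = {
        "artifact": str(path),
        "sha256": sha256_file(path),
        "collector": collector,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "custody": [{"holder": collector, "action": "acquired", "note": note}],
    }
    ledger.append(entry)
    return entry

def handover(entry: dict, from_holder: str, to_holder: str, note: str = "") -> None:
    """Append a transfer record; the custody list is append-only by convention."""
    entry["custody"].append({"holder": to_holder, "action": f"received from {from_holder}",
                             "at_utc": datetime.now(timezone.utc).isoformat(), "note": note})

def verify(ledger: list) -> dict:
    """Re-hash every artifact; returns {artifact: True if unchanged, else False}."""
    return {e["artifact"]: sha256_file(Path(e["artifact"])) == e["sha256"] for e in ledger}

def demo() -> tuple:
    """Constructed sample: a copied auth log that is altered after collection."""
    ledger, tmp = [], Path(tempfile.mkdtemp())
    log = tmp / "auth.log"
    log.write_text("Jan 1 00:00:01 web01 sshd[123]: Accepted password for admin from 203.0.113.5\n")
    entry = collect(ledger, log, "analyst-1", "copied from web01 before isolation")
    handover(entry, "analyst-1", "forensics-lead", "sealed in evidence bag 7")
    before = verify(ledger)[str(log)]      # True: file matches the recorded hash
    log.write_text("tampered\n")           # simulate alteration after collection
    after = verify(ledger)[str(log)]       # False: integrity check now fails
    return before, after, len(entry["custody"])
```

Calling `demo()` returns the integrity result before and after the simulated tampering, plus the number of custody records (acquisition and one handover).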

2. Notify relevant third parties

Once you’ve established what has happened, it is necessary to inform the relevant authorities.

  • Regulators: If personally identifiable information (PII) has been stolen, contact relevant authorities under data protection or sector-specific laws. In the U.S., this may include notification under SEC cybersecurity disclosure rules or state-level breach laws.
  • Insurers: Most insurance policies will stipulate that your insurance provider is informed as soon as there has been a breach.
  • Customers, partners and employees: Transparency builds trust and helps prevent misinformation. It’s better that they don’t find out what happened from social media or the TV news.
  • Law enforcement: Reporting incidents, especially ransomware, can help identify larger campaigns and sometimes yield decryption tools or intelligence support.
  • External experts: External legal and IT specialists may also need to be contacted, especially if you don’t have this kind of resource available in house.

3. Isolate and contain

While outreach to relevant third parties is ongoing, you’ll need to work fast to prevent the spread of the attack. Isolate impacted systems from the internet, but don’t power off devices, since that can destroy volatile evidence. The goal is to limit the attacker’s reach without destroying valuable evidence.

Any backups should be offline and disconnected so your attackers can’t hijack them and ransomware can’t corrupt them. All remote access should be disabled, VPN credentials reset, and security tools used to block any incoming malicious traffic and command-and-control connections.

4. Remove and recover

Once containment is in place, transition to eradication and recovery. Conduct forensic analysis to understand your attacker’s tactics, techniques and procedures (TTPs), from initial entry to lateral movement and (if relevant) data encryption or exfiltration. Remove any lingering malware, backdoors, rogue accounts and other signs of compromise.

Now it’s time to recover and restore. Key actions include:

  • removing malware and unauthorized accounts
  • verifying the integrity of critical systems and data
  • restoring clean backups (after confirming they’re not compromised)
  • monitoring closely for signs of re-compromise or persistence mechanisms

Use the recovery phase to harden systems, not just rebuild them. That may encompass tightening privilege controls, implementing stronger authentication, and enforcing network segmentation. Enlist the help of partners to accelerate restoration or consider tools like ESET’s Ransomware Remediation to speed up the process.

5. Review and improve

Once the immediate danger has passed, your work is far from over. Work through your obligations to regulators, customers and other stakeholders (e.g., partners and suppliers). Updated communications will be necessary once you understand the extent of the breach, potentially including a regulatory filing. Your PR and legal advisors should be taking the lead here.

A post-incident review helps transform a painful event into a catalyst for resilience. Once the dust has settled, work out what happened and what lessons can be learned to prevent a similar incident in the future: examine what went wrong, what worked, and where detection or communication lagged. Update your IR plan, playbooks and escalation procedures accordingly, and record any recommendations for new security controls and employee training.

A strong post-incident culture treats every breach as a training exercise for the next one, improving defenses and decision-making under stress.

Beyond IT

It’s not always possible to prevent a breach, but it is possible to minimize the damage. If your organization doesn’t have the resources to monitor for threats 24/7, consider a managed detection and response (MDR) service from a trusted third party. Whatever happens, test your IR plan, and then test it again, because successful incident response isn’t just a matter for IT: it requires stakeholders from across the organization, and external partners, to work together in harmony. That kind of muscle memory usually takes plenty of practice to develop.
