Wednesday 28th May 2025

The First 24 Hours: What to Do when a Cyber Attack Strikes?

By IP Performance

When a cyber attack strikes, the initial 24 hours are critical in determining how well your organisation can weather the storm. A proactive, well-thought-through cyber attack response can make the difference between a manageable incident and a catastrophic breach. Understanding what to do during this crucial window can help minimise disruption from cyber incidents, preserve critical infrastructure and set the foundations for the business to recover.

Cyber Attack Detection and Assessment

The moment a potential breach is detected, the clock starts ticking. Begin by carefully documenting the discovery time, who detected the incident, how it was identified, and what initial symptoms appeared. This documentation forms the foundation of your cyber incident timeline and will prove invaluable for later analysis and reporting.

Consulting the Incident Response Team

Next, contact your incident response team in line with the protocol outlined in your existing cyber response plan. A well-coordinated immediate response requires clear leadership and defined roles. Your team should immediately perform an initial triage to assess the apparent scope and severity of the incident. This preliminary assessment should carefully avoid making major system changes that could destroy valuable forensic evidence while still identifying the immediate threat perimeter.

Cyber Attack Containment and Evidence Preservation

With your cyber response team assembled, focus on containing the threat while preserving evidence. Before making significant changes to affected systems, create forensic images that capture the state of the compromised environment.

Identify and close the attack vector if possible, which might involve disabling compromised accounts, blocking malicious IP addresses, or patching exploited vulnerabilities. However, recognise that sophisticated attackers often establish multiple access points within a network. Therefore, continue monitoring for ongoing attack activity throughout your environment, watching for signs of persistent threats or additional compromise attempts.

Throughout this phase of your cyber attack response, maintain detailed records of all response activities. Document every action taken by your team, when it occurred, and who performed it. This meticulous record-keeping provides source material for the digital forensics team and demonstrates due diligence should questions arise about your organisation’s immediate response efforts.
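The discovery record described under detection and the action log described here serve the same purpose: a timeline that the forensics team and any later reviewer can trust. The following Python class is an added example, not IP Performance’s tooling or any product: it keeps both kinds of entry in one append-only record in which each entry carries the SHA-256 digest of the previous one, so a silent edit, deletion or reordering is detectable. The incident identifier, names and timeline entries are constructed for the illustration.

```python
"""Hash-chained incident record: an added illustration, not IP Performance's tooling."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # previous-digest value used by the first entry


class IncidentLog:
    """Append-only record of the incident timeline and every response action.

    Each entry stores the SHA-256 digest of the previous entry, so a later
    edit, deletion or reordering of any entry breaks the chain and shows up
    in verify(). Entries are plain dicts and export as JSON Lines.
    """

    def __init__(self, incident_id: str) -> None:
        self.incident_id = incident_id
        self.entries: List[Dict] = []

    @staticmethod
    def _digest(body: Dict) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
        raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(raw).hexdigest()

    def record(self, actor: str, action: str, detail: str = "",
               when: Optional[str] = None) -> Dict:
        """Append one entry: who did what, when, with a free-text detail."""
        body = {
            "seq": len(self.entries),
            "incident": self.incident_id,
            "time": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev": self.entries[-1]["digest"] if self.entries else GENESIS,
        }
        entry = dict(body, digest=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, int]:
        """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "digest"}
            if entry["seq"] != i or entry["prev"] != prev or self._digest(body) != entry["digest"]:
                return False, i
            prev = entry["digest"]
        return True, -1

    def to_jsonl(self) -> str:
        """Export for hand-over to the forensics team or for the incident report."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def demo() -> Tuple[bool, bool, int]:
    """Record a constructed first-hour timeline, then show that a silent edit is caught."""
    log = IncidentLog("IR-EXAMPLE-001")  # constructed identifier, not a real case number
    log.record("SOC analyst", "detection",
               "EDR alert: unexpected outbound connections from FILE-SRV-02",
               when="2025-05-28T08:14:00+00:00")
    log.record("SOC analyst", "triage",
               "Initial scope: one file server; no lateral movement seen yet",
               when="2025-05-28T08:31:00+00:00")
    log.record("IR lead", "evidence",
               "Forensic image of FILE-SRV-02 captured before any change; hash kept with image",
               when="2025-05-28T09:02:00+00:00")
    intact_before, _ = log.verify()
    # Someone later softens the triage note in place instead of appending a correction.
    log.entries[1]["detail"] = "Initial scope: nothing of concern"
    intact_after, first_bad = log.verify()
    return intact_before, intact_after, first_bad
```

Corrections to an earlier entry are made by appending a new entry that references it, never by editing in place; that is what keeps the chain (and the due-diligence argument) intact. Exporting the JSON Lines to write-once storage at the end of each shift gives the forensics team a copy that the response team itself cannot quietly revise.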

As your technical team works on containment, parallel efforts should address communication and legal obligations. Notify your legal counsel early in the process to receive guidance on regulatory requirements and determine if the incident triggers mandatory reporting obligations. Different industries and jurisdictions have varying requirements for breach notification, and your legal team can help navigate these complex waters.

Prepare draft communications for various stakeholders, including employees, customers, partners, and potentially the public. These communications should be factual, transparent about known information, and careful not to make premature claims about the cyber breach’s scope or impact. Involve your communications team in crafting messages that balance transparency with legal considerations.

Investigation and Assessment

With immediate containment measures in place, deepen your understanding of the incident. Work to identify compromised data by determining what information may have been accessed, exfiltrated, or modified by the attackers.

Conduct technical analysis of any malware and attack methods discovered. Understanding the capabilities of malicious code and how it operated within your environment can reveal the sophistication of the attackers and help identify potential attribution.

Monitor Wider Systems and Initiate Impact Assessment

Expand monitoring across your systems beyond the initially identified compromise. Increase logging and implement additional detection mechanisms to identify any persistent access or secondary infections. Sophisticated attackers often establish multiple footholds, and thorough investigation may reveal previously undetected compromise points.
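The containment advice above (close the vector, then keep watching for further access) and this call for wider monitoring come down to one question: after the accounts were disabled and the addresses blocked, is there any sign the attacker is still active? The following Python is an added example, not IP Performance’s tooling: it runs three defensive checks over authentication log lines recorded after the containment time. The log format, hosts, account names and addresses are all constructed for the illustration, and the checks assume a log that records source address and result for every authentication event.

```python
"""Post-containment monitoring over authentication logs: an added illustration,
not IP Performance's tooling. The log format and all hosts, accounts and
addresses are constructed for the example."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set

# Constructed line format: ISO-8601 UTC time followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+) result=(?P<result>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_post_containment_activity(lines: Iterable[str], containment_time: str,
                                   disabled_accounts: Set[str], blocked_ips: Set[str],
                                   fail_threshold: int = 5) -> List[Dict[str, str]]:
    """Flag events after containment that suggest the attacker still has access.

    Three checks, all defensive:
      * any activity from an address that should now be blocked,
      * a successful login by an account that was disabled during containment,
      * repeated authentication failures from one source against one host
        (a sign of attempts to gain a new foothold).
    Timestamps share one fixed format, so string comparison orders them correctly.
    """
    findings: List[Dict[str, str]] = []
    failures: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["time"] <= containment_time:
            continue  # unparseable lines and pre-containment history are out of scope here
        if ev["src"] in blocked_ips:
            findings.append({"rule": "blocked_ip_activity", **ev})
        if ev["user"] in disabled_accounts and ev["result"] == "success":
            findings.append({"rule": "disabled_account_success", **ev})
        if ev["result"] == "failure":
            key = (ev["src"], ev["host"])
            failures[key] += 1
            if failures[key] == fail_threshold:  # report once, when the threshold is crossed
                findings.append({"rule": "repeated_auth_failures", **ev})
    return findings


# Constructed sample log: containment at 09:00 disabled svc_backup and blocked 203.0.113.45.
SAMPLE_LOG = """\
2025-05-28T08:30:00Z host=FILE-SRV-02 user=svc_backup src=203.0.113.45 event=login result=success
2025-05-28T09:00:00Z host=FILE-SRV-02 user=ir_lead src=10.0.0.5 event=account_disable result=success
2025-05-28T09:20:00Z host=FILE-SRV-02 user=svc_backup src=10.0.2.17 event=login result=success
2025-05-28T09:25:00Z host=WEB-01 user=www-data src=203.0.113.45 event=login result=failure
2025-05-28T09:30:00Z host=DC-01 user=alice src=198.51.100.9 event=login result=failure
2025-05-28T09:30:05Z host=DC-01 user=bob src=198.51.100.9 event=login result=failure
2025-05-28T09:30:10Z host=DC-01 user=carol src=198.51.100.9 event=login result=failure
2025-05-28T09:30:15Z host=DC-01 user=dave src=198.51.100.9 event=login result=failure
2025-05-28T09:30:20Z host=DC-01 user=erin src=198.51.100.9 event=login result=failure
2025-05-28T10:00:00Z host=WEB-01 user=alice src=10.0.1.8 event=login result=success
"""


def demo() -> List[Dict[str, str]]:
    """Run the checks over the constructed log with the constructed containment decisions."""
    return find_post_containment_activity(
        SAMPLE_LOG.splitlines(),
        containment_time="2025-05-28T09:00:00Z",
        disabled_accounts={"svc_backup"},
        blocked_ips={"203.0.113.45"},
    )
```

The first finding in the sample is the one that matters most: the disabled account authenticating successfully from an internal address means either the disable did not take effect everywhere or the attacker already holds a second foothold, which is exactly the case the text warns about. The same three checks scale to a real environment by feeding them the exported log stream and the containment decisions recorded in the incident log.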

Begin a comprehensive impact assessment and post-incident review that evaluates the operational, financial, and reputational effects of the breach. This assessment helps guide immediate response prioritisation and resource allocation as you move into recovery planning. Understanding the full impact also supports more accurate communications with stakeholders about the incident’s significance.

Recovery Planning and External Communications

As the first 24 hours draw to a close, focus on planning for recovery and managing external communications. Develop a phased recovery plan that prioritises systems based on criticality to business operations. Whenever possible, plan for clean restoration from verified backups rather than attempting to “clean” compromised systems, which may harbour hidden backdoors or persistent threats.
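The two ideas in this step, restore waves ordered by criticality and restoration only from backups that have been verified, fit together in one small planning routine. The following Python is an added example, not IP Performance’s tooling: each backup is checked file by file against a SHA-256 manifest taken at backup time, systems whose backup verifies are grouped into restore waves by tier, and any system whose backup is missing or altered is held back rather than restored from a copy that may itself carry the attacker’s changes. The system names, tiers and backup contents are constructed, and the routine assumes the manifest is stored apart from the backup media.

```python
"""Recovery planning with verified backups: an added illustration, not IP
Performance's tooling. System names, tiers and backup contents are constructed."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: str) -> Dict[str, str]:
    """Relative path -> SHA-256, taken when the backup is made.

    Assumption: the manifest is kept apart from the backup media (offline or
    write-once), so whoever can alter the backup cannot also adjust the manifest.
    """
    manifest = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            path = os.path.join(root, name)
            manifest[os.path.relpath(path, backup_dir)] = sha256_file(path)
    return manifest


def verify_backup(backup_dir: str, manifest: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the backup matches its manifest."""
    problems = []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(backup_dir, rel)
        if not os.path.isfile(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def plan_recovery(systems: List[Tuple[str, int, str, Dict[str, str]]]
                  ) -> Tuple[List[List[str]], List[Tuple[str, List[str]]]]:
    """Order systems into restore waves by criticality tier (0 = most critical).

    Each entry is (name, tier, backup_dir, manifest). A system whose backup
    fails verification is held back, with its problems, instead of being
    restored from a copy that may not be clean.
    """
    waves: Dict[int, List[str]] = {}
    held: List[Tuple[str, List[str]]] = []
    for name, tier, backup_dir, manifest in systems:
        problems = verify_backup(backup_dir, manifest)
        if problems:
            held.append((name, problems))
        else:
            waves.setdefault(tier, []).append(name)
    return [waves[t] for t in sorted(waves)], held


def demo() -> Tuple[List[List[str]], List[Tuple[str, List[str]]]]:
    """Three constructed systems; one backup is altered after its manifest was taken."""
    root = tempfile.mkdtemp(prefix="ir-backups-")
    systems = []
    for name, tier, filename in [("DC-01", 0, "ntds.bak"),
                                 ("FILE-SRV-02", 1, "shares.tar"),
                                 ("INTRANET-01", 2, "site.tgz")]:
        backup_dir = os.path.join(root, name)
        os.makedirs(backup_dir)
        with open(os.path.join(backup_dir, filename), "wb") as f:
            f.write(f"backup of {name}\n".encode())
        systems.append((name, tier, backup_dir, build_manifest(backup_dir)))
    # Simulate tampering with (or corruption of) the file-server backup after manifest time.
    with open(os.path.join(root, "FILE-SRV-02", "shares.tar"), "ab") as f:
        f.write(b"unexpected bytes\n")
    return plan_recovery(systems)
```

A held-back system is not a dead end: it prompts a decision (an older backup, a rebuild from known-good media, or a closer look at why the copy changed) before anything is put back into production. Ordering the remaining systems by tier gives the phased plan the text asks for, with the domain controller in the first wave and the intranet site last.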

Based on legal counsel’s advice, execute required notifications to regulatory bodies, emergency services, or affected individuals as mandated by applicable laws. These notifications should be factual, concise, and focused on providing necessary information without speculation. Your cyber breach response should include clear communication channels for affected parties to receive updates and assistance.

Roll Out Additional Measures and Consult Key Stakeholders

Implement additional security measures and temporary compensating controls to strengthen your security posture during the recovery process. This might include enhanced monitoring, additional authentication requirements, or network segmentation to protect sensitive assets during the vulnerable recovery period.

Provide comprehensive briefings to executives and board members about the incident status, actions taken, and next steps. These briefings should be honest about the situation while outlining concrete plans for recovery and future prevention. Leadership needs clear information to make informed decisions about resource allocation and strategic communications.

The Ongoing Cyber Response for the Future

While this blog looks at the first 24 hours, effective cyber breach response continues well beyond this initial period. The days and weeks following discovery involve executing your recovery plan to restore affected systems securely and deal with any personal data breaches, conducting thorough post-mortem analysis to understand root causes and attack vectors, updating security controls and policies based on lessons learned, and providing ongoing support to affected systems and stakeholders.

The success of your response to a significant cyber incident depends largely on preparation and coordination. Having a documented incident response plan in place before an attack occurs provides a roadmap during the confusion of an active incident. By following these steps during the first 24 hours after detection, you’ll be in a far better position to handle cyber security breaches with more confidence and competence.

NCSC Incident Management

ICO Breach Reporting

NCSC advice for account compromise
