Hey there! When every minute counts, preparation and precision can make all the difference between a minor hiccup and a major disaster.
03 Nov 2025
Feeling the pressure, network defenders? The number of data breaches Verizon looked into last year increased by 20 percentage points compared to the previous year. But fear not: quick and decisive responses can turn the tide. It’s those crucial first moments that matter the most.
Preparation is the secret sauce for effective incident response (IR). While every organization and incident is unique, winging it when the alarm bells go off is not ideal. A well-prepared IR team can lead to a swift, successful, and cost-effective resolution.
The Need for Speed
Once threat actors infiltrate your network, the countdown begins. Whether they’re after sensitive data to hold ransom or aiming to deploy ransomware or other malicious payloads, the goal is to stop them before they reach your most valuable assets. This task is getting tougher.
The latest research suggests that adversaries moved from initial access to lateral movement (aka “breakout time”) 22% faster in 2024 than the year before. The average breakout time was 48 minutes, with the fastest attack clocking in at just 27 minutes. Can your team respond to a security breach in under half an hour?
Meanwhile, global organizations take an average of 241 days to detect and contain a breach, according to IBM. Getting IR right has major financial incentives. Breaches with a lifecycle under 200 days saw costs drop by about 5% this year to US$3.9 million, while breaches lasting over 200 days cost over US$5 million, as per the report.

5 Steps to Take Following a Breach
Hey, no organization is immune to breaches. If you face an incident and suspect unauthorized access, act swiftly yet systematically. These five steps can guide you through the first 24 to 48 hours. Some steps may need to happen simultaneously. Speed is key, but don’t sacrifice accuracy or evidence integrity.
1. Gather Information and Understand Scope
First things first, grasp what just went down and kickstart your response. Activate your pre-built IR plan and alert the team. This team should comprise stakeholders from various departments like HR, PR, legal, and executives. Everyone has a role to play post-incident.
Next, pinpoint the attack’s blast radius:
- How did the adversary breach the network?
- Which systems are compromised?
- What malicious actions have the attackers taken?
Document every step and gather evidence not only to assess the attack’s impact but also for forensic investigation and potential legal proceedings. Maintaining chain of custody ensures credibility if law enforcement or courts get involved.
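One practical way to keep the documentation and chain of custody described above honest is a hash-chained evidence manifest: every artifact you collect gets a timestamped entry with its SHA-256, and every entry also carries the hash of the entry before it, so a later edit or deletion is detectable. The script below is an added example written for this post, not code from the original article or from ESET; the artifact names, collector id, host name and file contents are constructed sample values.

```python
"""Hash-chained chain-of-custody manifest for collected incident artifacts (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import List

GENESIS = "0" * 64  # prev_hash of the very first manifest entry


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large artifacts (memory dumps) don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the hash is reproducible on verification.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def record_evidence(manifest_path: str, artifact_path: str, collector: str, note: str = "") -> dict:
    """Append one custody entry; its hash chains to the previous entry's hash."""
    prev_hash = GENESIS
    if os.path.exists(manifest_path):
        with open(manifest_path) as f:
            lines = f.read().splitlines()
        if lines:
            prev_hash = json.loads(lines[-1])["entry_hash"]
    entry = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "artifact": os.path.basename(artifact_path),
        "size": os.path.getsize(artifact_path),
        "sha256": sha256_file(artifact_path),
        "note": note,
        "prev_hash": prev_hash,
    }
    entry["entry_hash"] = _entry_hash(entry)
    with open(manifest_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_manifest(manifest_path: str, artifact_dir: str) -> List[str]:
    """Return a list of problems: altered manifest lines, broken chain links, missing or modified artifacts."""
    problems = []
    prev_hash = GENESIS
    with open(manifest_path) as f:
        for lineno, line in enumerate(f, 1):
            entry = json.loads(line)
            stored = entry.pop("entry_hash")
            if stored != _entry_hash(entry) or entry["prev_hash"] != prev_hash:
                problems.append(f"line {lineno}: manifest entry altered or chain broken")
            prev_hash = stored
            path = os.path.join(artifact_dir, entry["artifact"])
            if not os.path.exists(path):
                problems.append(f"line {lineno}: artifact {entry['artifact']} missing")
            elif sha256_file(path) != entry["sha256"]:
                problems.append(f"line {lineno}: artifact {entry['artifact']} modified since collection")
    return problems


def demo():
    """Constructed scenario: collect two artifacts, verify, then tamper with one and verify again."""
    workdir = tempfile.mkdtemp()
    manifest = os.path.join(workdir, "manifest.jsonl")
    samples = {  # constructed sample artifacts, not real evidence
        "auth.log": b"Nov 03 02:14:07 host-01 sshd[4412]: Accepted password for svc_backup from 203.0.113.7\n",
        "memdump.raw": bytes(range(256)) * 16,
    }
    for name, content in samples.items():
        with open(os.path.join(workdir, name), "wb") as f:
            f.write(content)
        record_evidence(manifest, os.path.join(workdir, name), "analyst-1", "collected from host-01 (constructed)")
    clean = verify_manifest(manifest, workdir)
    with open(os.path.join(workdir, "auth.log"), "ab") as f:
        f.write(b"tampered\n")  # simulate post-collection modification
    tampered = verify_manifest(manifest, workdir)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before or "OK")
    print("after tampering:", after)
```

Each manifest line records who collected what and when, plus the artifact's hash and the previous line's hash; `verify_manifest` re-hashes both the entries and the files, which is the check to run before evidence is handed to counsel or law enforcement.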
2. Notify Relevant Third Parties
Once you’ve figured out what transpired, inform the necessary parties.
- Regulators: Notify relevant authorities if personally identifiable information (PII) is compromised, following data protection or industry-specific laws. In the U.S., this might involve SEC cybersecurity disclosure rules or state-level breach laws.
- Insurers: Most insurance policies require immediate notification after a breach.
- Customers, partners, and employees: Transparency builds trust and helps combat misinformation. It’s better they hear about it from you than from social media or the news.
- Law enforcement: Reporting incidents, especially ransomware attacks, can aid in identifying broader campaigns and sometimes lead to decryption tools or intelligence support.
- External experts: You may need to reach out to external legal and IT specialists, especially if you lack these resources internally.
3. Isolate and Contain
While informing third parties, act swiftly to prevent the attack from spreading. Isolate affected systems from the internet, but don’t power down devices, as doing so can destroy evidence. The goal is to limit the attacker’s reach without compromising valuable evidence.
Keep backups offline and disconnected to prevent attackers from accessing them or corrupting them with ransomware. Disable all remote access, reset VPN credentials, and use security tools to block incoming malicious traffic and command-and-control connections.
4. Remove and Recover
After containment, shift focus to eradication and recovery. Conduct forensic analysis to understand the attacker’s tactics, techniques, and procedures (TTPs), from initial entry to lateral movement and, if applicable, data encryption or exfiltration. Eliminate any lingering malware, backdoors, rogue accounts, and other signs of compromise.
Now, it’s time to recover and restore. Key actions include:
- Removing malware and unauthorized accounts.
- Verifying the integrity of critical systems and data.
- Restoring clean backups (after ensuring they’re uncompromised).
- Monitoring closely for signs of re-compromise or persistence mechanisms.
Utilize the recovery phase to strengthen systems, not just rebuild them. This may involve tightening privilege controls, implementing robust authentication, and enforcing network segmentation. Seek assistance from partners to expedite restoration or consider tools like ESET’s Ransomware Remediation for a quicker process.
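A concrete way to "monitor closely for signs of re-compromise or persistence mechanisms" is to snapshot the usual persistence locations (local accounts, services, scheduled tasks, SSH authorized keys) before the incident and again after recovery, then diff the two and allowlist only the changes the recovery team itself made. The script below is an added example written for this post, not code from the original article or from ESET; both snapshots, the entry names and the paths in them are constructed sample data, and in practice they would be filled from the host's account database, service manager and task scheduler.

```python
"""Diff a pre-incident persistence baseline against a post-recovery snapshot (added example)."""
from typing import Dict, List, Set

# Persistence locations an IR team re-checks after eradication and recovery.
PERSISTENCE_KEYS = ("local_accounts", "services", "scheduled_tasks", "ssh_authorized_keys")

# A snapshot maps each location to {entry name: attributes}.
Snapshot = Dict[str, Dict[str, dict]]


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> Dict[str, Dict[str, List[str]]]:
    """Per location, list entries added since the baseline and entries whose attributes changed."""
    findings = {}
    for key in PERSISTENCE_KEYS:
        base = baseline.get(key, {})
        cur = current.get(key, {})
        added = sorted(set(cur) - set(base))
        changed = sorted(name for name in set(cur) & set(base) if cur[name] != base[name])
        if added or changed:
            findings[key] = {"added": added, "changed": changed}
    return findings


def review_items(findings: Dict[str, Dict[str, List[str]]], allowlist: Dict[str, Set[str]]) -> List[str]:
    """Drop additions the recovery team documented (allowlist); everything else needs a human look."""
    items = []
    for key, delta in findings.items():
        for name in delta["added"]:
            if name not in allowlist.get(key, set()):
                items.append(f"{key}: new entry '{name}' not introduced by the recovery team")
        for name in delta["changed"]:
            items.append(f"{key}: attributes of '{name}' differ from the baseline")
    return items


# Constructed baseline taken before the incident (sample data).
BASELINE: Snapshot = {
    "local_accounts": {"alice": {"admin": True}, "svc_backup": {"admin": False}},
    "services": {"sshd": {"path": "/usr/sbin/sshd"}, "cron": {"path": "/usr/sbin/cron"}},
    "scheduled_tasks": {"logrotate": {"cmd": "/usr/sbin/logrotate", "when": "daily"}},
    "ssh_authorized_keys": {"alice": {"fingerprint": "SHA256:constructed-alice-key"}},
}

# Constructed snapshot taken after recovery (sample data).
CURRENT: Snapshot = {
    "local_accounts": {
        "alice": {"admin": True},
        "svc_backup": {"admin": False},
        "support_tmp": {"admin": True},  # nobody on the team created this
    },
    "services": {
        "sshd": {"path": "/usr/sbin/sshd"},
        "cron": {"path": "/tmp/.cache/cron"},  # binary path changed
        "edr-agent": {"path": "/opt/edr/agent"},  # installed by the recovery team
    },
    "scheduled_tasks": {
        "logrotate": {"cmd": "/usr/sbin/logrotate", "when": "daily"},
        "sys-update": {"cmd": "/var/tmp/.x/update.sh", "when": "@reboot"},
    },
    "ssh_authorized_keys": {
        "alice": {"fingerprint": "SHA256:constructed-alice-key"},
        "root": {"fingerprint": "SHA256:constructed-unknown-key"},
    },
}

# Changes the recovery team made on purpose and recorded in its own change log.
RECOVERY_ALLOWLIST: Dict[str, Set[str]] = {"services": {"edr-agent"}}


def demo() -> List[str]:
    return review_items(diff_snapshots(BASELINE, CURRENT), RECOVERY_ALLOWLIST)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The allowlist is the important design choice: rebuilding a host legitimately adds agents and accounts, so a bare diff drowns the analyst in noise, whereas requiring every addition to match the recovery team's own change record leaves only the entries nobody can explain.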
5. Review and Improve
Once the immediate threat subsides, your job isn’t done. Fulfill obligations to regulators, customers, and other stakeholders (e.g., partners and suppliers). Adjust communications once the breach’s extent is clear, possibly including regulatory filings. Let your PR and legal advisors take the lead here.
A post-incident review transforms a painful event into a resilience-building opportunity. Once the dust settles, analyze what transpired and extract lessons to prevent similar incidents in the future. Evaluate what went wrong, what worked well, and where detection or communication faltered. Update your IR plan, playbooks, and escalation procedures accordingly. Any adjustments to the IR plan, suggestions for new security controls, or employee training enhancements would be beneficial.
A robust post-incident culture treats each breach as a learning experience for future incidents, bolstering defenses and decision-making under pressure.
Beyond IT
Preventing breaches may not always be feasible, but minimizing damage is. If your organization lacks the resources for round-the-clock threat monitoring, consider a managed detection and response (MDR) service from a trusted third party. Whatever happens, test your IR plan repeatedly. Effective incident response isn’t solely IT’s responsibility—it requires collaboration among various stakeholders within and outside the organization. The muscle memory you all need usually comes from ample practice.

