You’ve been breached? Here’s what to do in the next 24 hours
The actions taken in the immediate aftermath of a breach could make or break your business, writes Neil Thacker, CISO EMEA, Netskope. Here’s his hour-by-hour survival plan…
In the event of a breach, the importance of the next 24 hours cannot be overstated. When your entire organisation and your customers are at risk, responding appropriately and quickly to an emerging threat is vital.
While responses will differ slightly based on your organisation, the team you work with, and the kind of attack you are facing, here are some recommended steps to take.
Within the first hour: Confirm the attack and communicate to stakeholders
First, you need to try to identify whether the incident is indeed a breach, or whether it is a false positive. This step is absolutely critical.
Perform triage and go through a review process to identify if any data is at risk or has been compromised – or whether intruders have found their way into your infrastructure, applications and cloud services.
If you have clear evidence of a breach you may need to issue an immediate internal notice, remove access to compromised systems for non-essential users, and/or isolate the environment to limit propagation.
As the first hour comes to a close, it’s time to take the information you have to your internal stakeholders and formulate your response.
Next: Plan, test and prepare
What your plan looks like will depend on what you identify. A ransomware attack will be obvious, because the threat agent will issue terms for the return of the data.
Other attacks will be more covert, such as data exfiltration or even a zero-day compromise which can indicate a more sophisticated, potentially state-sponsored threat.
Whatever the case, you should have a plan that is well tested and your response should be prepared in advance.
In any instance, the threat agent could be monitoring your actions closely to work out how best to avoid being caught. And, now that your stakeholders are aware of the situation, you will be under great pressure to resolve the incident while maintaining business as usual.
Trying to balance security with business continuity can be highly stressful, and can put you under pressure to avoid drastic measures. Recording detailed notes as the situation progresses is invaluable. Ensure you record every decision you make, as well as the context available at the time. This helps you formulate future plans, but also helps you justify the entire process and your decisions when the incident is over.
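One way to keep that record, as an added example that is not from the article: a small hash-chained decision journal in Python, where each entry stores the decision, the context known at the time and the hours elapsed since detection, and where any entry edited, removed or reordered after the fact is detected when the log is verified later. The incident times and entries below are constructed.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # "previous digest" value for the very first entry

class IncidentJournal:
    """Append-only, hash-chained log of decisions and the context known at the time."""
    def __init__(self, detected_at):
        self.detected_at = detected_at
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the digest itself, using a canonical JSON encoding.
        body = {k: v for k, v in entry.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, phase, decision, context, at):
        entry = {
            "seq": len(self.entries),
            "at": at.isoformat(),
            "hours_since_detection": round((at - self.detected_at).total_seconds() / 3600, 2),
            "phase": phase,
            "decision": decision,
            "context": context,  # what was known when the decision was taken
            "prev": self.entries[-1]["digest"] if self.entries else GENESIS,
        }
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if no entry was edited, removed or reordered after being written."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["digest"]:
                return False
            prev = e["digest"]
        return True

def sample_journal():
    # Constructed entries that follow the article's first-hour steps; not a real incident.
    t0 = datetime(2024, 1, 1, 22, 10, tzinfo=timezone.utc)  # time of detection (constructed)
    j = IncidentJournal(t0)
    j.record("confirm", "Declared a confirmed breach, not a false positive",
             "Triage: outbound transfers to an unknown host from two file servers", t0 + timedelta(minutes=35))
    j.record("contain", "Isolated both file servers; removed non-essential user access",
             "Extent of intruder access to cloud services still unknown", t0 + timedelta(minutes=50))
    j.record("brief", "Briefed internal stakeholders; legal reviewing reporting duties",
             "No evidence yet of customer data leaving the environment", t0 + timedelta(hours=1))
    return j
```

Each verified entry ties its context to the decision made at that moment, which is the material needed to justify the response once the incident is over.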
It’s time to tell the world (in the right way)
With remediation under way, you need to tell those impacted, and the authorities where applicable, what happened.
This is a delicate situation, so working closely with your communications team to deliver on-point messaging is important. Although the general public may be jaded to cyber-attacks, don’t be lulled into a false sense of security.
Regulators and the industry at large will measure your response, so make sure you understand your legal and regulatory obligations for reporting, as well as taking advice from your communications colleagues.
Go home (tired people make bad decisions)
Once you reach the stage where the incident is under control and communications have been made, take a break. Most cyber attacks take place out of hours, and you and your team may have worked a full day before the incident was identified. The most important task you can undertake now is to take a step back, go home, and rest. Tired people are more likely to make poor decisions.
Beyond the first day
What happens next is difficult to say. You may be tasked with mitigating new vulnerabilities discovered, recovering from backup systems or preparing for further potential attacks. Once an incident goes public, you may have an even larger target on your back.
Whatever happens, once the threat is under control you have an opportunity to put your experience to use. That might mean creating a case study to request further budget, drawing on the experience to formulate new incident response plans – or even using your part in the response to land a new role.
In any case, it's often helpful to share your experiences with others because sharing information and insight is the best weapon we have for combating cyber threats.