How to Respond to a Cyber Attack

What you SHOULD and SHOULD NOT do in the event of a cyber-attack

In the event of a Cyber Attack, here are our tips on what to do and what to avoid for an effective response:


What NOT to do


Don't delete anything that might be needed as evidence

We understand - you're in the midst of an attack and you just want to stop it as soon as possible. You may think it's best to remove or delete anything associated with the infection.

However, be careful - you'll need this information later for post-incident analysis. Preserve as much evidence as possible: these details are crucial to working out how the attacker bypassed your security and, where it can be established, who was behind it. That includes malicious files, phishing emails, suspicious accounts and log entries. Quarantine rather than delete, and take copies before you change anything.


Don't bargain with the attackers

Don't try to contact the attacker to negotiate yourself.

At best, they'll ignore you. At worst, your pleading will encourage their efforts. If their aim is to generate cash rather than chaos (which is the most likely case) they may be incentivised to increase the ransom on your data. You may also accidentally expose more details and entry points that they can exploit, and you are likely to be flagged for a future attack as an easy and willing target. If communication with the attacker does become necessary, for example because a decision about a ransom has to be made, leave it to your incident response provider, insurer or law enforcement contacts, who handle such conversations routinely.


Don't provide a timeline to the media

Be honest and realistic. You can't be sure when (or if) you will be back up and running at normal capacity, so don't make public statements you may later regret, and don't promise a recovery date. Statements that the attackers read as a challenge may also prompt them to prolong the attack.


Don't pull the plug

It's easy to panic and turn everything off in an attempt to stop the attack in its tracks. Switching a device off may well stop the attack, but it also destroys the volatile evidence (running processes, memory contents, live network connections) that you will need to establish attribution, entry points, lateral movement and privilege escalation: in effect, the entire attack profile. In cases of ransomware it can do more harm than good, because memory may still hold the encryption keys or other artefacts that help with recovery, and files that are part-way through encryption when the power is cut may be left corrupt. Instead of powering devices off, disconnect them from the network by removing the network cable or turning off the wireless, whilst keeping them powered on. If you have the tooling, capture memory while the device is isolated but still running.



What TO do


Triage and Prioritise the Incident

Could it just be a false alarm? Not every report or detection is a genuine incident. Triage the incident first to confirm whether this is a real attack or not.

If the incident is genuine, prioritise it: does the attack threaten severe damage, or are the consequences likely to be mild? To judge that, classify the type of attack and try to identify the intended targets. This will point you towards the next steps to be taken, along with the amount of resources you should allocate to them.


Contact your Incident Handlers to enact your Incident Response Plan

Now is the time to put your Incident Response Plan into action. You should have a team of Incident Response Handlers who are experienced and certified in dealing with such situations. 

Info: Our Incident Response Handling Service provides you with a team of certified and experienced Incident Response Handlers at your disposal, ready for when an incident occurs. Take a look at our Pro Services to learn more.


Notify relevant parties

You will need to notify relevant parties, such as customers, suppliers and stakeholders. If you are a high-profile organisation and/or you have sent staff home, the media are likely to pick up the story and you may feel pressure to respond; if so, do it through a public relations agency rather than engaging the media directly. Your Incident Response Plan may already contain a Communication Plan you can follow, but again, think carefully about what message you are sending (or not).


Be aware of your legal responsibilities

This point follows on from the last. Depending on where you operate, there may be laws that govern when, and to whom, you must report the attack. This is likely to include regulators and customers.

Additionally, if your organisation operates in the UK and the attack involves a personal data breach, you must report it to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the risk to individuals is high, you must also tell them without undue delay. Record the reasoning behind the decision either way.


Backup your Data

If you've been using our Compliance Manager to build a strong foundation of Information Security Governance, Risk and Compliance (GRC), you'll be familiar with Business Continuity and Disaster Recovery (BCDR).

Remember all of the Test Recovery Drills you've (hopefully!) been performing? This is where they become invaluable.

One of the biggest threats you'll face in a cyber attack is the loss of data. To limit that loss you need to have taken pre-emptive action: backing up your data and regularly testing that it can be restored. One of your first ports of call in a cyber attack should be to check the integrity and recoverability of your systems and data, so that you know for certain you can recover, because this has a direct impact on what you do next. Be careful how you do it: don't connect offline backup media or backup servers to a network that may still be compromised, and don't start a fresh backup of affected systems, as you would only be copying the attacker's changes (or the ransomware itself) and risk overwriting your last clean copy.

Info: Our Backup and Disaster Recovery Services can protect your business from data loss and IT outages. Take a look at our Pro Services to learn more.


Contain the Incident

Stop the damage from spreading by isolating the compromised devices. Examples include firewall rules that block the IP addresses the attack is coming from or calling home to; disconnecting your network from the internet or from other internal networks entirely; isolating devices by blocking their MAC addresses or disabling their switch ports; or removing the network cable or WiFi adaptor from affected devices. Before you block anything, check that the rule cannot also cut off the access your responders need to reach the affected systems.
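One trap when writing blocking rules in a hurry is to cut off your own access. The following added example (not code from the original article or from any HighGround tooling) takes a constructed list of attacker addresses, validates each one, refuses anything that overlaps an assumed management range, merges what is left and emits nftables commands for a Linux host. The attacker addresses, the management range and the table name are assumptions made for the example; review the output before running it as root.

```python
"""Generate host-isolation firewall rules from attacker addresses
without locking out the responders.

Added example, not from the original article or any vendor tool. The
attacker addresses and the management network below are constructed
values; the generated commands target nftables (the "nft" CLI) and must
be reviewed before they are run as root.
"""
import ipaddress

# Constructed: addresses seen in the firewall logs as the source of the
# attack and as the command-and-control destination, plus two bad inputs.
ATTACKER_IOCS = ["203.0.113.7", "198.51.100.0/24", "203.0.113.7", "not-an-ip", "10.0.9.15"]
# Assumption: incident responders reach hosts from this range; never block it.
MANAGEMENT_NETS = ["10.0.9.0/24"]
# Assumption: a dedicated table so the rules can be removed in one go later.
TABLE = "inet ir_containment"


def normalise_iocs(raw, protected_nets):
    """Validate each IOC, drop duplicates and anything overlapping protected space.

    Returns (blocklist, rejected): blocklist is a sorted list of merged
    ipaddress networks, rejected maps each dropped input to the reason.
    """
    protected = [ipaddress.ip_network(n) for n in protected_nets]
    keep, rejected = set(), {}
    for item in raw:
        try:
            net = ipaddress.ip_network(item, strict=False)  # bare IP becomes /32 or /128
        except ValueError:
            rejected[item] = "not a valid IP address or CIDR"
            continue
        if net.is_loopback or net.is_unspecified:
            rejected[item] = "loopback/unspecified address"
            continue
        if any(net.overlaps(p) for p in protected):
            rejected[item] = "overlaps management network, refusing to block"
            continue
        keep.add(net)
    # collapse_addresses merges adjacent/overlapping networks so the rule set
    # stays small; it only accepts one address family at a time.
    v4 = [n for n in keep if n.version == 4]
    v6 = [n for n in keep if n.version == 6]
    blocklist = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return blocklist, rejected


def nft_commands(blocklist, table=TABLE):
    """Emit nft commands that drop traffic from and to every blocked network."""
    cmds = [
        f"nft add table {table}",
        f"nft add chain {table} input '{{ type filter hook input priority -10; }}'",
        f"nft add chain {table} output '{{ type filter hook output priority -10; }}'",
    ]
    for net in blocklist:
        fam = "ip" if net.version == 4 else "ip6"
        cmds.append(f"nft add rule {table} input {fam} saddr {net} counter drop")
        cmds.append(f"nft add rule {table} output {fam} daddr {net} counter drop")
    return cmds


if __name__ == "__main__":
    blocklist, rejected = normalise_iocs(ATTACKER_IOCS, MANAGEMENT_NETS)
    for item, why in rejected.items():
        print(f"# skipped {item}: {why}")
    print("\n".join(nft_commands(blocklist)))
```

The script prints the skipped inputs as comments above the commands, so the responder sees at a glance that the address inside the management range was deliberately left alone. Removing the whole table afterwards (`nft delete table inet ir_containment`) takes the containment off cleanly once eradication is complete.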


Investigate the Incident

Once you have contained the incident, but before you eradicate it, gather as much evidence as possible to support the investigation, incident reporting and post-incident analysis. That evidence may come from many sources: security logs, IDS, the endpoint protection console, SIEM tools, log stores, endpoint logs, network monitoring and so on. Gather as much as you can! (And a note to self: go and check the time, date and timezone on all your devices now, so that what you log carries the correct timestamp; there is nothing worse than looking at logs dated 1970.)

Aim to build a comprehensive Incident Report detailing entry points, attack vectors, targets, the data, users and business functionality impacted, the amount and sensitivity of the data affected, the source of the attack, the timeline, and the cost of the incident. You will review this in-depth in your Post Incident Analysis later on to determine how to prevent this from happening again.
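To put the timestamp point into practice, here is an added example (not code from the original article or from HighGround) that takes constructed sample lines from three sources, a firewall syslog feed already in UTC, a Windows-style CSV export in local time and an endpoint agent's JSON records with an explicit offset, converts every timestamp to UTC, flags clocks that are obviously wrong and produces the single ordered timeline the Incident Report needs. The field names, the fixed UTC+1 local offset assumed for the CSV export and the collection time are assumptions made for the example.

```python
"""Build one UTC-ordered timeline from logs of mixed formats.

Added example, not from the original article. The three sources below are
constructed samples: a firewall syslog line already in UTC, a Windows-style
CSV export in local time, and an endpoint agent JSON record with an explicit
offset. The field names ("ts", "host", "msg"), the fixed UTC+1 local offset
for the CSV export and COLLECTED_AT are assumptions made for this example.
"""
import json
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Assumption: the CSV export came from a host set to UK summer time (UTC+1).
CSV_LOCAL_TZ = timezone(timedelta(hours=1))
# Assumption: when the logs were pulled; used to spot clocks running ahead.
COLLECTED_AT = datetime(2023, 9, 14, 12, 0, tzinfo=UTC)
# Nothing earlier than this can be a real event time for this incident; it
# usually means a device booted with its clock at the Unix epoch (1970).
EARLIEST_PLAUSIBLE = datetime(2000, 1, 1, tzinfo=UTC)

FIREWALL_SYSLOG = [  # constructed sample lines
    "2023-09-14T09:02:11Z fw01 DENY out 10.0.5.23:51422 -> 203.0.113.7:443",
    "2023-09-14T09:02:13Z fw01 ALLOW out 10.0.5.23:51423 -> 198.51.100.9:8443",
]
WINDOWS_CSV = [  # constructed sample rows: local time,host,event id,message
    "14/09/2023 10:01:58,WS-023,4624,Logon type 10 from 10.0.5.40",
    "01/01/1970 01:00:00,WS-023,7045,Service installed: updater.exe",
]
ENDPOINT_JSON = [  # constructed sample record carrying its own offset
    '{"ts": "2023-09-14T11:02:09+02:00", "host": "WS-023", "msg": "powershell.exe -nop -w hidden"}',
]

SYSLOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_firewall(line):
    ts, host, msg = SYSLOG_RE.match(line).groups()
    # fromisoformat() only accepts a trailing "Z" from Python 3.11, so spell it out
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return {"source": "firewall", "host": host, "ts": when, "msg": msg}


def parse_windows_csv(row):
    ts, host, event_id, msg = row.split(",", 3)
    # The export has no timezone, so attach the assumed local offset explicitly
    when = datetime.strptime(ts, "%d/%m/%Y %H:%M:%S").replace(tzinfo=CSV_LOCAL_TZ)
    return {"source": "windows", "host": host, "ts": when, "msg": f"EventID {event_id}: {msg}"}


def parse_endpoint_json(record):
    obj = json.loads(record)
    return {"source": "endpoint", "host": obj["host"], "ts": datetime.fromisoformat(obj["ts"]), "msg": obj["msg"]}


def timestamp_flags(when, collected_at):
    """Return the reasons a timestamp should not be trusted as it stands."""
    flags = []
    if when < EARLIEST_PLAUSIBLE:
        flags.append("clock_at_epoch")
    if when > collected_at + timedelta(hours=1):
        flags.append("clock_in_future")
    return flags


def build_timeline(collected_at=None):
    """Parse every source, convert to UTC, flag bad clocks and sort oldest-first."""
    collected_at = collected_at or datetime.now(UTC)
    events = (
        [parse_firewall(line) for line in FIREWALL_SYSLOG]
        + [parse_windows_csv(row) for row in WINDOWS_CSV]
        + [parse_endpoint_json(rec) for rec in ENDPOINT_JSON]
    )
    for e in events:
        e["ts"] = e["ts"].astimezone(UTC)
        e["flags"] = timestamp_flags(e["ts"], collected_at)
    return sorted(events, key=lambda e: e["ts"])


if __name__ == "__main__":
    for e in build_timeline(COLLECTED_AT):
        mark = " !! " + ",".join(e["flags"]) if e["flags"] else ""
        print(f'{e["ts"].isoformat()} {e["source"]:8} {e["host"]:7} {e["msg"]}{mark}')
```

Run as a script it prints the merged timeline; the 1970 row surfaces at the top with a clock_at_epoch flag, which is the cue to treat that host's other timestamps with suspicion and to check its NTP configuration before relying on its logs. Once every source is in UTC the sequence (RDP logon, then the encoded PowerShell, then the outbound connection the firewall denied and the one it allowed) reads in the order it actually happened, which the raw local-time exports would have hidden.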


Learn from the incident

Last, but by no means least, use your Incident Report and everything gathered up to this point in the Post Incident Analysis stage to learn from the attack. What defences can you put in place to stop this kind of attack happening again? What could be improved in your Incident Response Procedure? Did you have the right resources to deal with the situation?

The one positive to take from a cyber attack is that you will be better prepared for the next one, if (but most likely when) it comes!



Copyright 2023 – m3 Networks Limited.
