
The First Hour After a Cyber Attack: A Step-by-Step Guide

According to Bastion, the number of cyber threats rose by more than 20% in 2024 and keeps growing. A well-organized IT infrastructure and a fast, disciplined response to incidents let an organization restore its processes quickly and keep the risk from cybercrime to a minimum.

Semyon Rogachev, Head of the Bastion Incident Response Department, explained what steps should be taken in the first hours after a threat is detected to prevent its further spread.

What to do after detecting a cyber attack

Limit the spread of the attack

Isolate suspicious hosts from the network. Where necessary, temporarily cut off whole segments of the IT infrastructure, above all those that already show signs of compromise. Isolating a host at the network level rather than powering it off keeps volatile evidence such as memory contents and active connections available, so this step not only contains the threat but also makes the investigation easier.

Conduct initial data collection

At this stage it is critical to preserve the "digital footprint" of the attack: collect operating-system logs, authentication events, SIEM data and similar sources before they are rotated or overwritten, and record what was collected and when.

Limit the actions of attackers

Review accounts, starting with those that hold privileged rights. Temporarily block suspicious sessions, forcibly terminate active connections, reset passwords and review access policies.

Check your backups

Make sure that backups are stored in an isolated environment and have not been tampered with. It is advisable to keep "cold" copies on physical media that cannot be reached from the compromised network.
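The integrity check behind "preserve digital footprints" and "make sure backups have not been compromised" is the same: hash everything at collection or backup time, keep the manifest somewhere the attacker cannot reach, and compare against it before trusting the data or restoring from it. The Python below is an added example, not Bastion's code or tooling; the file names, directory layout and the tampering scenario (a wiped log, a deleted config file, an encrypted copy dropped beside a database dump) are constructed for the demonstration.

```python
"""Integrity manifests for collected evidence and for backups.

Hash each file when it is collected (or when the backup is taken), store the
manifest off the compromised network, and compare against it later.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large log archives or backup images
    never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Record size and SHA-256 of every regular file under `root`,
    keyed by POSIX path relative to `root`."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): {"size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_manifest(manifest, out_path):
    """Write the manifest as JSON; this is the copy to move off the network."""
    Path(out_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def verify_manifest(root, manifest):
    """Compare the current tree against a trusted manifest.

    Returns files whose content changed, files that disappeared, and files
    that appeared without being in the manifest (e.g. ransomware artifacts).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current
                           and current[p]["sha256"] != manifest[p]["sha256"]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def is_intact(findings):
    return not any(findings.values())


def demo_backup_check(tamper):
    """Constructed scenario: a small backup set with a manifest taken before
    the incident. With tamper=True an attacker wipes a log, deletes a config
    file and drops an encrypted copy next to the database dump."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "config").mkdir()
        (backup / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
        (backup / "config" / "app.yaml").write_bytes(b"db_host: db-01\n")
        (backup / "auth.log").write_bytes(b"sshd: Accepted publickey for admin from 10.0.0.5\n")
        manifest = build_manifest(backup)
        save_manifest(manifest, Path(tmp) / "manifest.json")  # keep this copy offline
        if tamper:
            (backup / "auth.log").write_bytes(b"")
            (backup / "config" / "app.yaml").unlink()
            (backup / "db" / "customers.sql.locked").write_bytes(b"\x00" * 64)
        return verify_manifest(backup, manifest)


if __name__ == "__main__":
    print(json.dumps(demo_backup_check(tamper=True), indent=2))
```

The manifest is only worth something if the attacker cannot rewrite it along with the files, which is why it belongs on the same cold media or isolated storage as the backup itself, not on the host being backed up.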

Shield undamaged systems

Take backups of devices that so far show no signs of compromise and move them to isolated storage, starting with the devices critical to business processes. If the attacker cannot be contained, these copies are what the critical parts of the infrastructure will be restored from.


Notify employees and partners

Tell colleagues that corporate accounts, and messenger accounts in particular, may have been compromised, and have them end active sessions on all devices. If the company has external clients or partners, warn them about the risk as well; this matters most when the company provides IT services to them, since an attacker who has compromised a service provider can use its access to reach its clients.

How to determine the scope and source of an incident

There is a basic sequence of actions that applies to most incidents and lets you localize the threat as quickly as possible and start the investigation.

First, examine the device that showed signs of compromise. Typical indicators are attacker tooling on the system, connections to the third-party IP addresses the attackers used to control the attack, and user activity connected to the incident.

Second, determine which devices the infected host interacted with. These are the potentially compromised nodes to examine next.

Third, identify the nature of the attack. Knowing what kind of attack it is lets you bring in external sources of information, for example threat intelligence on the tools and infrastructure involved, which widens the set of data you can check for traces of the intrusion.

Working through the traces found is usually cyclical: the same steps are repeated for every device on which interference is suspected, and each pass may add new devices to the list.
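Applied cyclically, the three steps above amount to a walk over authentication and connection events: start from the host that reached the attackers' address, follow successful logons out of it from that moment on, and repeat for every host reached. The same walk surfaces the accounts to act on under "limit the actions of attackers": credentials used on a compromised host after its compromise time may have been captured. The Python below is an added example, not code from Bastion or the article; the event format (one normalized line per logon or connection), host names, the attacker address 203.0.113.10 (a documentation range) and the timeline are all constructed. It goes slightly beyond the text by also moving a host's compromise time earlier when a later pass finds an earlier hop into it, since that widens the window of events to re-examine.

```python
"""Scope an incident from normalized SIEM events.

Step 1 finds hosts that talked to a known attacker address (patient zero
candidates). Step 2 follows successful logons out of every compromised host
from its compromise time onward, repeating for each newly found host until
nothing changes. Step 3 lists what touched a compromised host without being
marked itself, and the accounts that were used on compromised hosts.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str       # ISO-8601 UTC; lexical order equals chronological order here
    src: str
    dst: str
    user: str
    kind: str     # "logon" (remote logon) or "net_connect" (outbound connection)
    result: str   # "success" or "failure"


def parse_events(lines):
    """Parse constructed 'ts key=value ...' lines; '#' lines are comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append(Event(ts, f["src"], f["dst"], f["user"], f["type"], f["result"]))
    return sorted(events, key=lambda e: e.ts)


def scope_incident(events, attacker_addrs):
    compromised = {}          # host -> earliest time it is assumed compromised
    queue = deque()

    def mark(host, ts):
        # New host, or an earlier compromise time for a known one: either way
        # the window of hops to examine changed, so (re)queue it.
        if host not in compromised or ts < compromised[host]:
            compromised[host] = ts
            queue.append(host)

    for e in events:  # step 1: who talked to the attackers' infrastructure
        if e.dst in attacker_addrs and e.result == "success":
            mark(e.src, e.ts)

    hops = set()
    while queue:      # step 2: the cyclical part
        host = queue.popleft()
        for e in events:
            if (e.src == host and e.kind == "logon" and e.result == "success"
                    and e.ts >= compromised[host] and e.dst not in attacker_addrs):
                hops.add((e.ts, e.src, e.dst, e.user))
                mark(e.dst, e.ts)

    review, exposed = set(), set()
    for e in events:  # step 3: neighbours to review and credentials to reset
        for own, other in ((e.src, e.dst), (e.dst, e.src)):
            if own in compromised and e.ts >= compromised[own]:
                if other not in compromised and other not in attacker_addrs:
                    review.add(other)
                if e.kind == "logon" and e.result == "success" and e.user != "-":
                    exposed.add(e.user)  # credential used on a compromised host
    return {"compromised": compromised, "hops": sorted(hops),
            "review": sorted(review), "exposed_accounts": sorted(exposed)}


# Constructed sample; 203.0.113.10 is from the documentation range, not a real C2.
SAMPLE_EVENTS = """
# normal activity before the compromise
2024-05-14T07:55:00Z src=ws-017 dst=fs-01 user=j.doe type=logon result=success
# beacon to the attacker address: ws-017 becomes patient zero at this time
2024-05-14T08:02:11Z src=ws-017 dst=203.0.113.10 user=- type=net_connect result=success
# fs-01 logs on to ws-044 before fs-01 itself is compromised: not a hop
2024-05-14T08:05:00Z src=fs-01 dst=ws-044 user=admin type=logon result=success
2024-05-14T08:10:40Z src=ws-017 dst=fs-01 user=svc_backup type=logon result=success
2024-05-14T08:12:05Z src=ws-017 dst=dc-01 user=j.doe type=logon result=failure
2024-05-14T08:30:00Z src=fs-01 dst=dc-01 user=svc_backup type=logon result=success
# a user logs on to the already-compromised fs-01: ws-023 needs review, a.lee is exposed
2024-05-14T08:40:00Z src=ws-023 dst=fs-01 user=a.lee type=logon result=success
2024-05-14T09:00:00Z src=dc-01 dst=ws-044 user=admin type=logon result=success
# ws-044 beacons later; the hop from dc-01 moves its compromise time back to 09:00
2024-05-14T09:15:00Z src=ws-044 dst=203.0.113.10 user=- type=net_connect result=success
""".splitlines()

ATTACKER_ADDRS = {"203.0.113.10"}


def demo():
    return scope_incident(parse_events(SAMPLE_EVENTS), ATTACKER_ADDRS)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On the sample, the walk marks ws-017, fs-01, dc-01 and ws-044 as compromised, leaves ws-023 as a host to review, and names svc_backup, admin and a.lee as accounts whose sessions should be ended and passwords reset. The failed logon to dc-01 and the logon from fs-01 before fs-01 was compromised are deliberately not counted as hops; in a real investigation both would still be read, since timestamps across hosts are only as trustworthy as their clock synchronization.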

Keep track of every problem encountered along the way, for example logs that turned out to be missing or retained for too short a time; each of them points to an area where the security of the IT infrastructure can be improved.

Who should be notified in the first hours after an attack

The information security team and the CISO should start investigating the incident as early as possible. In most companies this is done by specialists in computer forensics or related disciplines; if the company has none, it is strongly recommended to bring in outside experts to conduct the investigation.

In addition, when the investigation begins, check the legislation currently in force on how incidents must be handled and reported; notification obligations often come with fixed deadlines.

 
