Data Breach Response Plan: What to Do in the First 24 Hours After a Cyberattack

A cyberattack can be devastating. 60% of SMEs go under within months of a successful cyberattack, many of them thinking they could never be targets. But cybercriminals are ruthless opportunists who don’t care about the damage they wreak.

If the worst happens and you come under attack, what should you do during the first 24 hours? In reality, the length of the attack and its damage will vary considerably. But the following information will give a sense of what to expect and how to prepare.

Before the attack

The most valuable resource during a cyberattack is an incident response plan. You should develop this plan beforehand to reduce delays and confusion if an attack takes place.

Every organisation’s plan will be different, shaped by its priorities and resources. But response plans have common elements:

  • Who will take charge during a cyberattack, and their responsibilities.
  • A war council to advise and act during the attack, including IT, legal, and communications.
  • Clear communication information, such as contact numbers and where to report attack information.
  • A list of the most critical business assets, such as specific software, data, and servers.
  • Containment strategies to limit the attack and its damage.
  • Recovery strategies, including backups and alternative systems.

For more details on creating a good response plan, read this 2-page guide from the Cybersecurity and Infrastructure Security Agency.

24 Hours of an Attack

Movies and TV shows give the impression that cybercriminals only have a few minutes before they are discovered. In reality, they can be inside your systems for months before launching a visible attack. In other cases, the attack could be immediate.

At the start, the criminals have the advantage. Thus, the biggest priority of the first 24 hours is to reduce panic, isolate infected systems, and keep critical systems secure. The following 24-hour scenario is idealised. Stopping an attack and bringing business systems back online can take much longer. But here is a sense of what will happen:

Hour 0-1: Stop the spread: Don’t panic (because other people will). Activate your incident response plan and follow it. Designate an incident commander to coordinate all activities. Immediately isolate affected systems, but do not shut them down as they will contain forensic evidence. Also, isolate critical systems to prevent the attack from reaching them. Analyse network traffic and block malicious IP addresses. Lock compromised accounts and revoke access for suspected unauthorised users. Change passwords across business-critical accounts. Start documenting everything to help subsequent investigations.

Hours 1-4: Identify the attack: Determine the nature of the attack. This stage can start early and last for a long time. Some attacks are very obvious, such as ransomware, while others are more hidden, with unclear intentions. Don’t assume that the attack you can see is the whole event; it could be a diversion or one part of a larger operation. Start activating defensive measures, such as multi-factor authentication.

Hours 4-8: Investigate and report: Forensic experts will make progress uncovering the scope of the attack and conducting deeper investigations. Produce an initial report of the attack to inform the company leadership. The legal representative will advise on regulatory and compliance responsibilities, and communications staff will prepare internal and external releases to inform relevant parties.

Hours 8-14: Plug the holes: As investigation and containment progress, administrators can start resetting passwords and bringing some privileged accounts back online, though in a very controlled and careful way. If the attack method has been identified, apply emergency patches that could stop it or slow it down.

Hours 14-18: Bring systems back online: Evaluate the business impact, such as downtime, data exposure, and critical service interruptions. Check unaffected systems and decide if it is safe to bring them back online. Start restoring affected systems from clean and verified backups, keeping them under close surveillance.

Hours 18-24: Plan ahead: Provide information to employees so they know what to do, and notify customers, partners, and regulators per legal obligations. Conduct post-incident sessions and establish a 48-hour plan for the next steps in investigation, recovery, and communication.
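The Hour 0-1 step asks you to document everything, and investigators, regulators and insurers will later want to trust that record. As an added example that is not from the article, the following Python keeps an incident log as a SHA-256 hash chain and stamps each entry with the phase from the timeline above, so an altered, dropped or reordered entry is detectable; the timestamps, host names and actions are constructed.

```python
# Added example (not from the article): a tamper-evident incident log that stamps
# each action with the article's response phase and SHA-256-chains the entries.
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Phase upper bounds in hours since plan activation, from the article's timeline.
PHASES = [(1, "Stop the spread"), (4, "Identify the attack"), (8, "Investigate and report"),
          (14, "Plug the holes"), (18, "Bring systems back online"), (24, "Plan ahead")]
GENESIS = hashlib.sha256(b"incident-log").hexdigest()  # constructed chain anchor


def phase_for(hours_elapsed: float) -> str:
    """Map elapsed hours to a phase; past 24h falls under the 48-hour plan."""
    for upper, name in PHASES:
        if hours_elapsed < upper:
            return name
    return "48-hour plan"


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record(log: list, activated_at: datetime, at: datetime, actor: str, action: str, system: str) -> dict:
    """Append one action; its hash covers the previous entry's hash, forming a chain."""
    prev = log[-1]["hash"] if log else GENESIS
    hours = (at - activated_at).total_seconds() / 3600
    body = {"ts": at.isoformat(), "phase": phase_for(hours), "actor": actor,
            "action": action, "system": system, "prev": prev}
    body["hash"] = _digest(body)
    log.append(body)
    return body


def verify(log: list) -> bool:
    """Recompute the chain; an edited, dropped or reordered entry breaks it."""
    prev = GENESIS
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        if body["prev"] != prev or _digest(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True


def sample_log() -> list:
    """Constructed entries for the article's first hours; host names are hypothetical."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    log = []
    record(log, t0, t0 + timedelta(minutes=10), "IT", "isolated from network, left powered on", "fs-01")
    record(log, t0, t0 + timedelta(hours=2), "IT", "ransomware note found; MFA enforced", "fs-01")
    record(log, t0, t0 + timedelta(hours=5), "legal", "notification obligations assessed", "-")
    return log
```

Write each entry to append-only storage off the affected network as it is recorded; the chain proves integrity only for entries that were never lost.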

Preparation is better than reaction

As mentioned, this is an idealised event timeline. In reality, attacks can be quick and obvious or long-term and difficult to stop. The attackers might find system backups and corrupt them. They could spread dangerous software, backdoors, and stealth administrator accounts that can take months, even years, to uncover.

There is no real timeline to a cyberattack. But preparation can stop an attack and limit its damage. When companies have a response plan, secure backups, security monitoring, and a focus on protecting their most valuable digital assets, recovering from an attack can be relatively quick. Yet, if they don’t take such precautions, an attack might end with the company closing its doors.

Preparation is the most important thing. What you do in the months before a cyberattack will determine everything that happens in the first 24 hours of an attack.