Cyber Attack - 7 key actions in the event of an attack

No company is immune to a cyber attack!

The question that should not have to keep you awake at night is: is your company prepared if this happens today?

If you answered yes, congratulations! If not, this article provides the fundamental points you need to know in order to respond effectively and minimize the damage caused by a cyber attack.

1. CONTAINMENT

The first action when detecting an attack in progress is to completely cut off all machines' access to the internet. This is essential to prevent the attack from spreading and reaching other parts of the system.

However, it is crucial not to turn off the machines. Instead, disconnect them from the internet. Why? Because the next step is to look for traces and evidence of the attack, and volatile evidence such as running processes, memory contents and open network connections is lost the moment the equipment is powered off. These traces are fundamental to understanding the origin, scope and method used in the attack. A common example is the use of system logs, which support the subsequent forensic analysis.

Imagine a scenario in which a company detects suspicious activity on its servers. By disconnecting the machines, experts are able to capture details such as source IPs and commands executed by the attacker. This not only helps with containment, but also provides valuable information for the investigation.

Other important containment measures include identifying compromised machines and checking devices that may have been infected. In larger organizations, network segmentation is essential, making it possible to isolate affected sectors and protect areas that have not yet been hit.
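To make the "disconnect, but don't power off" rule concrete, here is an added Python example (not the article's or ADD IT's own tooling) that captures volatile state first and only then produces the firewall rules that isolate the host while leaving it running. It assumes a Linux host (Linux command names, the `/proc/net/tcp` connection table, iptables) and a responder jump host at a constructed address; the `/proc/net/tcp` sample text embedded in the block is constructed, with documentation-range IP addresses.

```python
"""Containment helper (added example, not the article's or ADD IT's tooling):
capture volatile evidence first, then isolate the host at the network layer
while leaving it powered on. Assumes a Linux host (x86/ARM64 byte order)."""
import hashlib
import json
import os
import shutil
import socket
import struct
import subprocess
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# TCP states as encoded in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_addr(hex_addr: str) -> Tuple[str, int]:
    """Decode '0100007F:0050' into ('127.0.0.1', 80).

    The kernel prints the IPv4 address in native byte order, so '<I' is
    correct on little-endian hosts (x86, ARM64); the port is plain hex."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Dict[str, str]]:
    """Parse /proc/net/tcp table text into connection records (local, remote, state)."""
    conns = []
    for line in text.splitlines()[1:]:          # line 0 is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_ip, local_port = decode_addr(fields[1])
        remote_ip, remote_port = decode_addr(fields[2])
        conns.append({
            "local": f"{local_ip}:{local_port}",
            "remote": f"{remote_ip}:{remote_port}",
            "state": TCP_STATES.get(fields[3].upper(), fields[3]),
        })
    return conns


def capture(cmd: List[str]) -> str:
    """Run a read-only command if it exists; record its absence instead of aborting."""
    if shutil.which(cmd[0]) is None:
        return f"<{cmd[0]} not available on this host>\n"
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout
    except (OSError, subprocess.SubprocessError) as exc:
        return f"<{cmd[0]} failed: {exc}>\n"


def collect_volatile_evidence(case_dir: Optional[str] = None,
                              proc_net_tcp: Optional[str] = None) -> Dict[str, str]:
    """Write volatile state to case_dir and return a manifest with SHA-256 hashes.

    Runs BEFORE isolation and never powers anything off: processes, logged-in
    users and live connections vanish on reboot. proc_net_tcp lets a caller
    pass table text (e.g. the constructed sample below); by default the live
    /proc/net/tcp is read when it exists."""
    out = Path(case_dir or tempfile.mkdtemp(prefix="case-"))
    out.mkdir(parents=True, exist_ok=True)
    if proc_net_tcp is None:
        proc_net_tcp = Path("/proc/net/tcp").read_text() if os.path.exists("/proc/net/tcp") else ""
    artifacts = {
        "tcp_connections.json": json.dumps(parse_proc_net_tcp(proc_net_tcp), indent=1),
        "processes.txt": capture(["ps", "-eo", "pid,ppid,user,lstart,args"]),
        "logged_in_users.txt": capture(["who"]),
        "interfaces.txt": capture(["ip", "addr"]),
    }
    manifest = {"case_dir": str(out),
                "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
    for name, content in artifacts.items():
        (out / name).write_text(content)
        manifest[name] = hashlib.sha256(content.encode()).hexdigest()  # integrity for the case file
    (out / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def isolation_rules(responder_ip: str) -> List[List[str]]:
    """iptables commands that drop everything except loopback and the responders' jump host.

    The host stays up and reachable for forensics but can no longer reach the
    internet or other segments. Commands are returned for review, not executed;
    apply them with subprocess.run once the incident lead approves."""
    return [
        ["iptables", "-I", "INPUT", "1", "-i", "lo", "-j", "ACCEPT"],
        ["iptables", "-I", "INPUT", "1", "-s", responder_ip, "-j", "ACCEPT"],
        ["iptables", "-I", "OUTPUT", "1", "-d", responder_ip, "-j", "ACCEPT"],
        ["iptables", "-A", "INPUT", "-j", "DROP"],
        ["iptables", "-A", "OUTPUT", "-j", "DROP"],
        ["iptables", "-A", "FORWARD", "-j", "DROP"],
    ]


# Constructed sample of /proc/net/tcp: a listener on :22 and one outbound
# session from 10.0.0.15:45764 to 203.0.113.10:443 (documentation-range address).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F00000A:B2C4 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    manifest = collect_volatile_evidence(proc_net_tcp=SAMPLE_PROC_NET_TCP)
    print("evidence written to", manifest["case_dir"])
    for rule in isolation_rules("10.0.0.2"):   # constructed jump-host address
        print(" ".join(rule))
```

The order matters: the manifest with hashes is written before any rule is applied, so the investigators have a record of what the machine was doing at the moment of detection, and the firewall rules keep the box reachable from exactly one place instead of powering it down.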

2. GROUP - TEAM

Just as in a war, it is necessary to define leadership at a time of crisis. Who will be responsible for heading up the response operation? This professional, or team of professionals, must have experience in crisis management and be able to make quick and effective decisions.

In addition, it is important to allocate internal and external resources. If the company does not have a dedicated cyber security team, partners and technology providers should be called in immediately. Many companies have contracts with incident response providers precisely for these cases.

For example, small and medium-sized companies that don't have a robust in-house structure can hire companies that specialize in monitoring and response, ensuring immediate support in crisis situations.

To complement this, the definition of a crisis team should take into account the experience and specialties of each member. For example, a security analyst may focus on log analysis, while a manager may concentrate on communication and decision-making.

A well-structured team also needs access to specialized tools. These can include network monitoring platforms, automatic backup systems and forensic analysis software.

3. SETTING PRIORITIES

In a cyber attack, all areas of the company can be affected, and each of them will believe that it is the most urgent. To avoid chaos and disorganization, it is essential to have a clear prioritization strategy.

  • How to deal with each area: Establish clear rules. For example, critical areas such as finance, operations and customer service should generally be the first to be re-established.
  • Action timetable: Put together a plan with well-defined steps for recovery.
  • Involvement of the business area: Ensure that the managers of the affected areas are aligned with the decisions made.

For example, if the company's billing system is compromised, it may be prioritized over the recovery of corporate email, depending on the impact on cash flow. Retailers, in particular, need to ensure that their payment systems are the first to come back online.

It is also important to create a contingency plan for secondary areas, so that they can function with interim solutions while the more critical ones are re-established. This can include the deployment of manual tools or backup systems.
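Prioritization is not only a matter of ranking areas: a critical system cannot come back before the systems it depends on, and a low-priority component becomes critical the moment a critical system needs it. The following added Python example (not the article's own method) works through that with a constructed set of systems and tiers; it restores in criticality order while honouring dependencies, and flags a dependency cycle instead of looping.

```python
"""Recovery ordering (added example, not the article's own method): decide which
systems come back first by business criticality, while never restoring a system
before the systems it depends on. System names and tiers are constructed."""
import heapq
from collections import defaultdict
from typing import Dict, List

# tier 1 = restore first (the article's finance / operations / customer-facing
# systems), tier 4 = can wait. depends_on lists what must already be running.
SYSTEMS: Dict[str, dict] = {
    "core_network":            {"tier": 1, "depends_on": []},
    "identity_provider":       {"tier": 1, "depends_on": ["core_network"]},
    "database_cluster":        {"tier": 1, "depends_on": ["core_network"]},
    "message_queue":           {"tier": 3, "depends_on": ["core_network"]},
    "payment_gateway":         {"tier": 1, "depends_on": ["database_cluster", "identity_provider", "message_queue"]},
    "billing":                 {"tier": 2, "depends_on": ["database_cluster", "identity_provider"]},
    "customer_service_portal": {"tier": 2, "depends_on": ["identity_provider", "billing"]},
    "corporate_email":         {"tier": 3, "depends_on": ["identity_provider"]},
    "intranet_wiki":           {"tier": 4, "depends_on": ["identity_provider"]},
}


def effective_tiers(systems: Dict[str, dict]) -> Dict[str, int]:
    """A dependency inherits the criticality of whatever depends on it: the
    tier-3 message queue above is effectively tier 1 because payments need it."""
    dependents = defaultdict(list)
    for name, spec in systems.items():
        for dep in spec["depends_on"]:
            if dep not in systems:
                raise ValueError(f"{name} depends on unknown system {dep}")
            dependents[dep].append(name)
    tiers = {name: spec["tier"] for name, spec in systems.items()}
    changed = True
    while changed:                      # relax until no tier can drop further
        changed = False
        for name in systems:
            best = min([tiers[name]] + [tiers[d] for d in dependents[name]])
            if best < tiers[name]:
                tiers[name], changed = best, True
    return tiers


def recovery_order(systems: Dict[str, dict]) -> List[str]:
    """Topological order that, among systems whose dependencies are already
    restored, always picks the most critical (lowest effective tier) next.
    Raises ValueError on a dependency cycle or an unknown dependency."""
    tiers = effective_tiers(systems)
    remaining = {name: len(spec["depends_on"]) for name, spec in systems.items()}
    dependents = defaultdict(list)
    for name, spec in systems.items():
        for dep in spec["depends_on"]:
            dependents[dep].append(name)
    ready = [(tiers[n], n) for n, c in remaining.items() if c == 0]
    heapq.heapify(ready)                # (tier, name): ties broken by name
    order: List[str] = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            remaining[child] -= 1
            if remaining[child] == 0:
                heapq.heappush(ready, (tiers[child], child))
    if len(order) != len(systems):      # something never became ready: a cycle
        stuck = sorted(n for n, c in remaining.items() if c > 0)
        raise ValueError(f"dependency cycle involving: {', '.join(stuck)}")
    return order


if __name__ == "__main__":
    for step, name in enumerate(recovery_order(SYSTEMS), 1):
        print(f"{step}. {name}")
```

With the constructed data, the payment gateway is restored fifth, right after the message queue it needs; ranking by the declared tiers alone would have pushed both behind billing, the customer portal and corporate email, which is exactly the kind of surprise a rehearsed plan should remove.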

4. WAR ROOMS

The so-called "war rooms" are teams set up to coordinate response efforts to an attack. They must focus on:

  • Internal and external communication: Ensuring that consistent messages are sent to employees, customers and other interested parties.
  • Containing the attack: Working to stop the progress of the attack.
  • Fixing vulnerabilities: Identifying and closing the weaknesses that were exploited.
  • Forensic analysis: Gathering evidence to understand the attack and prevent recurrences.
  • Restoring the system: Bringing the systems back to normal.

These rooms should include specialists in IT, security, corporate communications and business leadership. Collaboration between different areas is essential for an effective response.

Companies that have well-defined crisis protocols can set up these rooms quickly, ensuring that each professional knows exactly what to do.

In addition, the creation of a virtual war room, using online collaboration tools, can be useful for companies with geographically dispersed teams.

A practical example would be the use of platforms such as Microsoft Teams or Slack to maintain constant communication between members of the response team.

5. CHANGING SHIFTS

Cyber attacks can take days or even weeks to resolve completely. Overloading the team is therefore not an option.

  • Defining shifts: Organize shifts so that employees can rest properly.
  • Planning: Make sure those involved know when they will be called and what their tasks will be.
  • Avoid unnecessary pressure: An exhausted team can make mistakes that compromise the response to the attack.

For example, an organization can adopt 8-hour shifts, ensuring that there are always qualified personnel on duty 24 hours a day. This type of organization is common in security operations centers, known as SOCs.

In addition, holding brief shift change meetings allows teams to share critical updates, ensuring continuity of action.

6. PSYCHOLOGICAL SUPPORT

The pressure for quick results, the fear of failure and the tension generated by an attack can lead to emotional exhaustion. That's why it's important to offer the team psychological support.

  • HR on hand: The Human Resources department must monitor and support the professionals involved.
  • Conflict management: Avoid tensions between team members, which can hinder the progress of work.
  • Resilience training: Promote regular training that prepares professionals to deal with high-pressure situations.

Companies that invest in well-being manage to increase the resilience of their teams, making them better prepared to face crises.

It can also be useful to provide an anonymous communication channel for professionals to express concerns and frustrations during the process.

7. RESCUE OPERATION

One of the most delicate situations in a cyber attack is dealing with ransom demands. Attackers often demand payment to release data or systems.

  • Independent recovery: Assess whether the company is able to recover compromised systems without negotiating.
  • Involvement of authorities: Decide whether to involve the police or regulatory bodies.
  • Risks of negotiating: Consider that there is no guarantee that the attackers will keep their promises, even after payment.

For example, a hospital may face a ransomware attack in which critical care systems are blocked. Deciding between paying up and trying to restore the systems is a difficult choice that requires risk analysis.


RAPID RESPONSE PLAN

An essential component of any recovery strategy is to have a rapid response plan. This plan should be:

  • Detailed: Include all the steps to be followed.
  • Tested regularly: Carry out periodic simulations to assess the effectiveness of the plan.
  • Updated: Revise the plan based on lessons learned and new threats identified.

Companies that invest in a robust incident response plan are better prepared to deal with cyber attacks and minimize their impact. These simulations can include scenarios such as data leaks or DDoS attacks.

In addition, a good response plan considers the integration of internal and external areas. Involving technology providers, specialized law firms and corporate communications professionals can be the difference between mitigating an attack quickly or facing prolonged damage.

With a well-defined strategy, your company can gain precious time and re-establish operations more quickly. Working on prevention and preparation is the best way to reduce the damage of an attack.

The final question remains: is your company ready?

As specialists in mission-critical environments, we help our clients restore their environments in minutes or a few hours with strategic disaster recovery (DR) tools.

Want to know more? Talk to us.


Written by Eduardo Chiste, CEO and Founder, ADD IT Cloud Solutions

CEO and founder of ADD IT Cloud Solutions, with more than 20 years of experience in IT infrastructure, cloud computing and cybersecurity. He leads the high-performance private cloud strategy that serves more than 200 companies in Brazil.


ADD IT Cloud Solutions | CNPJ: 04.868.967/0001-40 | Av Fagundes Filho, 145 - conj. 122 - 12º Andar - São Paulo, SP