
Published: 16th November 2022 | In: Insights

At Quorum Cyber, our Incident Response team has bags of experience helping organisations of any size and complexity, and in any industry, safely contain and recover from all manner of cyber incidents, day or night. Here, they share some of the most important dos and don’ts in the event of a cyber-attack. What your teams do – and don’t do – can make an enormous difference to the total recovery time and cost, and in finding any crucial evidence that a threat actor might have left behind in your IT estate that can be used to determine what harm has been done, and perhaps also to identify them.

Report the incident

The first action to take is to report the incident to all the relevant authorities. First call the police and your industry regulators. Tell them what you know and be precise about what happened and when. This is no different from reporting a physical crime. Next, call your cyber insurance provider – if you have one. They’ll know what questions to ask to obtain the information they need, so just be truthful. Naturally, you might not have all the information right away, but that’s OK; the important point is to inform them of what you do know.

Call for help

Cybercriminal groups have become very sophisticated. They each have their own particular tactics, techniques and procedures (TTPs) for breaching IT systems, hiding and moving around inside them, and stealing and/or encrypting data. It takes a skilled, certified incident responder with the right tools to contain the situation, minimise any damage and eradicate the adversary without doing more harm than good. So it’s crucial that your team doesn’t just try to recover the affected IT systems or fix any problems immediately, because this can make matters worse (for example, by destroying volatile evidence or tipping off an attacker who is still inside the network).

But do focus on containing the problem. The steps you’ll need to take depend on the nature of the attack. We advise taking these actions for ransomware attacks:

  • Isolate affected devices, but don’t shut them down
  • Isolate affected user accounts and terminate active sessions
  • Isolate network segments in the event of an attack spreading
  • Take back-up servers offline
  • Power the domain controller off
  • Change network shares to read-only.

However, if you’re experiencing a valid account compromise then you’ll need to do things very differently (we’ll cover these in a later blog post).

Additionally, now’s definitely not the time to buy anti-virus software or more cyber security tools. It’s too late to take preventative measures; you now need professional help to handle the incident and get your business back up and running safely and smoothly.

Responsibilities and ownership

While you’re waiting for help, it’s highly advised that you appoint a Cyber Incident Owner and keep an action log, decision log and priority list for protection and recovery during the whole incident. You should record the times that commands were run and activities were undertaken. All this will really help the cyber security investigators do their job better.
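As an added example (not Quorum Cyber’s own tooling), the PowerShell below carries out the ransomware containment steps listed above on a Windows host while writing the timestamped action log recommended here. It assumes a Domain Admin running it from a clean jump host with the ActiveDirectory, NetSecurity and SmbShare modules available; the user names, share names, IR allow-list address and log path are placeholders to replace with your own values.

```powershell
# Added example, not part of the original post or Quorum Cyber's code.
# Contains a ransomware incident on this host and logs every step with a timestamp.
# Placeholders below (users, shares, IR address, log path) are assumptions.
param(
    [string[]] $AffectedUsers  = @('j.smith'),          # placeholder account(s)
    [string[]] $SharesToFreeze = @('Finance', 'HR'),    # placeholder share names
    [string[]] $IrAllowList    = @('10.0.0.5'),         # placeholder IR/EDR server
    [string]   $ActionLog      = 'C:\IR\action-log.txt' # placeholder log path
)

function Write-Action([string] $Message) {
    # Timestamped, attributed entry so investigators can reconstruct who did what, when
    $line = '{0} [{1}] {2}' -f (Get-Date -Format o), $env:USERNAME, $Message
    Add-Content -Path $ActionLog -Value $line
    Write-Host $line
}

# 1. Isolate the device WITHOUT shutting it down, preserving memory and running
#    processes for forensics. Allow the IR channel first, or the block cuts you off.
Write-Action "Isolating $env:COMPUTERNAME via Windows Firewall (no shutdown)"
New-NetFirewallRule -DisplayName 'IR-allow-out' -Direction Outbound -Action Allow `
    -RemoteAddress $IrAllowList | Out-Null
New-NetFirewallRule -DisplayName 'IR-allow-in' -Direction Inbound -Action Allow `
    -RemoteAddress $IrAllowList | Out-Null
Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Isolate affected accounts and terminate active sessions. Note: existing
#    Kerberos tickets stay valid until they expire; closing SMB sessions covers
#    file-share access only, so record this limitation for the responders.
foreach ($u in $AffectedUsers) {
    Write-Action "Disabling AD account $u"
    Disable-ADAccount -Identity $u
}
Write-Action 'Closing all SMB sessions on this host'
Get-SmbSession | Close-SmbSession -Force

# 3. Change network shares to read-only: record the current access first so it
#    can be restored, then replace it with read access for Everyone.
foreach ($s in $SharesToFreeze) {
    $before = (Get-SmbShareAccess -Name $s |
        ForEach-Object { "$($_.AccountName)=$($_.AccessRight)" }) -join ';'
    Write-Action "Share $s access before change: $before"
    Get-SmbShareAccess -Name $s | ForEach-Object {
        Revoke-SmbShareAccess -Name $s -AccountName $_.AccountName -Force | Out-Null
    }
    Grant-SmbShareAccess -Name $s -AccountName 'Everyone' -AccessRight Read -Force | Out-Null
    Write-Action "Share $s set to read-only for Everyone"
}
```

Taking backup servers offline and powering off the domain controller are deliberately left as manual, logged decisions for the Cyber Incident Owner, since both are disruptive and site-specific.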

Stay calm, listen and avoid the blame game

It’s natural that a cyber incident can be incredibly stressful and unnerving, and sometimes confusing, but try to stay calm, be patient and listen to people’s points of view. However, asking everyone and his dog to get involved won’t help, and could make the recovery process more complicated and prolong it. Don’t blame anybody in the organisation – a cyber incident is nobody’s fault and can happen to any company at any time. Playing a blame game won’t solve the problem.

Help authorities to help you

Industry authorities and regulators aren’t there to blame you and there’s nothing to fear from them. They want to help you minimise the consequences quickly and safely, and learn any lessons so that others don’t suffer the same fate in the future. So don’t be tempted to play down the severity of the incident; it’s always best to be truthful and honest, accurate and realistic.

While you’re managing all this, speculation and rumours are not good for your business. So you need to move fast and manage clear communications to internal and external stakeholders. Regular updates will help to reduce the chances of incorrect information being leaked and stakeholders receiving false, or old, news.

Having said all of this, we understand that it’s not always easy to be sure you’ve actually suffered from a cyber security incident in the first place. Unfortunately, many threat actors have become very good at silently breaching IT systems and covering their tracks.

Ten dos and don’ts at a glance

In summary, these are the top ten dos and don’ts if you’re experiencing a cyber security incident now:

Ten things you should do

  1. Report the incident
  2. Call your cyber insurance provider
  3. Ask for help – don’t go it alone
  4. Appoint a Cyber Incident Owner
  5. Keep an action and decision log
  6. Focus on containment
  7. Listen
  8. Be patient
  9. Help authorities and regulators as much as possible
  10. Be faster than the story

Ten things you should NOT do

  1. Let everyone ‘help’
  2. Pay the cybercriminal
  3. Communicate until you know how and what to communicate
  4. Lie or under-sell the severity of the incident
  5. Try recovering too soon
  6. Focus on root cause analysis
  7. Buy more security tools
  8. Point fingers / blame people
  9. Deny anything before you know the facts
  10. Try to cover things up