Five key actions to take after discovering a cyberattack

ESET Latin America explains that acting quickly and precisely after a cyberattack can make the difference between a controlled crisis and a business disaster

According to Verizon’s investigation of 2024 data breaches, the total number of incidents rose by 20 percentage points compared with the previous year. ESET, a leading company in proactive threat detection, asserts that prior preparation is critically important for an effective incident response (IR).

Once threats infiltrate a network, time is of the essence, and stopping them before they cause harm is increasingly difficult. According to the latest research, in 2024, adversaries were 22 % faster than the previous year in progressing from initial access to lateral movement (also known as “time to escape”). The average penetration time was 48 minutes, although the fastest recorded attack was almost half that: just 27 minutes.

Ransomware detections chart between June 2024 and May 2025 (source: ESET Threat Report H1 2025)

“A data breach doesn’t have to be as catastrophic as it seems for network defenders, as long as teams are able to respond quickly and decisively to intrusions. While every organization (and every incident) is different, if all members of the incident response team know exactly what they have to do, and nothing is left to chance or improvised, there’s a greater chance of a quick, successful, and low-cost resolution,” says Camilo Gutiérrez Amaya, Head of the ESET Latin America Research Lab.

Guide on how to act during the first 24 to 48 hours

ESET clarifies that no organization is 100% protected or breach-proof, and that if an incident occurs and unauthorized access is suspected, a methodical and rapid response is essential. To this end, a guide on how to act quickly and thoroughly during the first 24 to 48 hours, without compromising accuracy or evidence, is extremely useful:

  1. Gather information and understand the scope: The first step is to understand exactly what happened, activate the pre-established incident response plan, and notify the team. This group should include stakeholders from across the company, including human resources, public relations and communications, the legal department, and executive management. They all have an important role to play after the incident.

Next, the scope of the attack is assessed: How did the attacker gain access to the company’s network? Which systems were compromised? What malicious actions have the attackers already taken?

It is essential to document each step and gather evidence, both to evaluate the impact of the attack and for the forensic investigation stage, and even for future legal proceedings. Maintaining the chain of custody ensures credibility should law enforcement or the courts need to intervene.

  2. Notify third parties: Once what happened has been established, the relevant parties must be informed.
  • Regulators: If personally identifiable information (PII) has been stolen, the appropriate authorities must be contacted under data protection or industry-specific laws. In the United States, for example, action must be taken in accordance with the SEC’s cybersecurity disclosure rules or state-level breach notification laws.
  • Insurance companies: Most insurance policies stipulate that the insurance provider be informed as soon as a breach has occurred.
  • Customers, partners, and employees: Transparency builds trust and helps prevent misinformation. It’s best to inform them before the information spreads through social media or news outlets.
  • Law enforcement agencies: Reporting incidents, especially ransomware, can help identify larger campaigns or provide decryption tools and intelligence support.
  • External experts: It may also be necessary to contact external legal and IT specialists.
  3. Isolate and contain: While maintaining contact with relevant third parties, work quickly to prevent the attack from spreading. It is recommended to isolate affected systems from the internet without powering down devices, to limit the attacker’s reach without destroying potentially valuable evidence (such as volatile memory).

All backups should be taken offline and disconnected to prevent them from being hijacked or corrupted by ransomware. Disable all remote access, reset VPN credentials, and use security tools to block any incoming malicious traffic and command and control connections.

  4. Remove and recover: A forensic analysis must be performed to understand the attacker’s tactics, techniques, and procedures (TTPs), from initial entry to lateral movement and (if applicable) encryption or data exfiltration. Any persistent malware, backdoors, fraudulent accounts, and other indicators of compromise must be removed. Recovery and restoration require removing malware and unauthorized accounts, verifying the integrity of critical systems and data, restoring clean backups (after confirming they are not compromised), and closely monitoring for signs of renewed compromise or persistence mechanisms.

This phase can be used to rebuild systems and strengthen privilege controls, implement stricter authentication, and reinforce network segmentation. Partners offering tools such as ESET Ransomware Remediation can accelerate the process.

  5. Review and improve: Once the immediate threat has passed, it’s time to review obligations to regulators, customers, and other stakeholders (e.g., partners and suppliers). It is necessary to update communications once the scope of the breach is understood, which could include filing a report with regulatory bodies. This initiative should be driven by legal and public relations advisors.

The post-incident review can be a catalyst for resilience. Once the situation has calmed, it is also a good idea to investigate what happened and what lessons can be learned to prevent a similar incident from occurring in the future. A useful step would be to introduce adjustments to the incident management plan or recommend new security controls and employee training.

A strong incident response culture treats each breach as a training exercise for the next, improving defenses and decision-making under stress.

“It’s not always possible to prevent a breach, but it is possible to minimize the damage. If your organization doesn’t have the resources to monitor threats 24/7, consider hiring a managed detection and response (MDR) service from a trusted third party. Whatever happens, test your incident response plan, and then test it again. Because successful incident response isn’t just an IT issue. It requires a range of stakeholders from across the organization and external partners working together seamlessly. The kind of muscle memory everyone needs often takes a lot of practice to develop,” concludes Gutiérrez Amaya of ESET Latin America.

ESET invites you to learn more about cybersecurity by visiting: https://www.welivesecurity.com/es/.

For other useful preventative information, also available in Venezuela at: https://www.eset.com/ve/, and on their social media channels @eset_ve. Also on Instagram (@esetla) and Facebook (ESET).

With information and images provided by ESET and Comstat Rowland

