惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
Netflix TechBlog - Medium
Microsoft Azure Blog
Microsoft Azure Blog
罗磊的独立博客
博客园 - 三生石上(FineUI控件)
aimingoo的专栏
aimingoo的专栏
B
Blog RSS Feed
V
Visual Studio Blog
P
Proofpoint News Feed
云风的 BLOG
云风的 BLOG
博客园 - 【当耐特】
大猫的无限游戏
大猫的无限游戏
Application and Cybersecurity Blog
Application and Cybersecurity Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
The Cloudflare Blog
B
Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Apple Machine Learning Research
Apple Machine Learning Research
M
MIT News - Artificial intelligence
Know Your Adversary
Know Your Adversary
I
InfoQ
T
The Exploit Database - CXSecurity.com
V
Vulnerabilities – Threatpost
C
Cisco Blogs
Spread Privacy
Spread Privacy
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
P
Palo Alto Networks Blog
Simon Willison's Weblog
Simon Willison's Weblog
月光博客
月光博客
博客园 - Franky
Project Zero
Project Zero
G
Google Developers Blog
S
SegmentFault 最新的问题
博客园 - 聂微东
P
Privacy & Cybersecurity Law Blog
The GitHub Blog
The GitHub Blog
阮一峰的网络日志
阮一峰的网络日志
P
Privacy International News Feed
T
Threat Research - Cisco Blogs
S
Schneier on Security
Microsoft Security Blog
Microsoft Security Blog
G
GRAHAM CLULEY
S
Security @ Cisco Blogs
Martin Fowler
Martin Fowler
A
Arctic Wolf
T
Tenable Blog
L
LINUX DO - 最新话题
TaoSecurity Blog
TaoSecurity Blog
Hugging Face - Blog
Hugging Face - Blog
有赞技术团队
有赞技术团队
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com

WeLiveSecurity

Supply chain dependencies: Have you checked your blind spot? Recovery scammers hit you when you’re down: Here’s how to avoid a ‘second strike’ As breakout time accelerates, prevention-first cybersecurity takes center stage Digital assets after death: Managing risks to your loved one’s digital estate This month in security with Tony Anscombe – March 2026 edition RSAC 2026 wrap-up – Week in security with Tony Anscombe A cunning predator: How Silver Fox preys on Japanese firms this tax season Virtual machines, virtually everywhere – but not all protected Cloud workload security: Mind the gaps Move fast and save things: A quick guide to recovering a hacked account EDR killers explained: Beyond the drivers Face value: What it takes to fool facial recognition Cyber fallout from the Iran war: What to have on your radar Sednit reloaded: Back in the trenches What cybersecurity actually does for your business How SMBs use threat research and MDR to build a defensive edge Protecting education: How MDR can tip the balance in favor of schools This month in security with Tony Anscombe – February 2026 edition Mobile app permissions (still) matter more than you may think Faking it on the phone: How to tell if a voice call is AI or not PromptSpy ushers in the era of Android threats using GenAI Is Poshmark safe? How to buy and sell without getting scammed Is it OK to let your children post selfies online? Naming and shaming: How ransomware groups tighten the screws on victims Taxing times: Top IRS scams to look out for in 2026 OfferUp scammers are out in force: Here’s what you should know A slippery slope: Beware of Winter Olympics scams and other cyberthreats This month in security with Tony Anscombe – January 2026 edition DynoWiper update: Technical analysis and attribution Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan Drowning in spam or scam emails lately? Here’s why ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 Children and chatbots: What parents should know Common Apple Pay scams, and how to stay safe Old habits die hard: 2025’s most common passwords were as predictable as ever Why LinkedIn is a hunting ground for threat actors – and how to protect yourself Is it time for internet services to adopt identity verification? Your information is on the dark web. What happens next? Credential stuffing: What it is and how to protect yourself This month in security with Tony Anscombe – December 2025 edition A brush with online fraud: What are brushing scams and how do I stay safe? Revisiting CVE‑2025‑50165: A critical flaw in Windows Imaging Component LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan ESET Threat Report H2 2025 Black Hat Europe 2025: Was that device designed to be on the internet at all? Black Hat Europe 2025: Reputation is currency – even in the ransomware economy Locks, SOCs and a cat in a box: What Schrödinger can teach us about cybersecurity Seeking symmetry during ATT&CK® season: How to harness today’s diverse analyst and tester landscape to paint a security masterpiece The biggest catch: How whaling attacks target top executives Phishing, privileges and passwords: Why identity is critical to improving cybersecurity posture MuddyWater: Snakes by the riverbank Oversharing is not caring: What’s at stake if your employees post too much online This month in security with Tony Anscombe – November 2025 edition What parents should know to protect their children from doxxing Influencers in the crosshairs: How cybercriminals are targeting content creators MDR is the answer – now, what’s the question? The OSINT playbook: Find your weak spots before attackers do PlushDaemon compromises network devices for adversary-in-the-middle attacks What if your romantic AI chatbot can’t keep a secret? Can password managers get hacked? Here’s what to know Why shadow AI could be your biggest security blind spot In memoriam: David Harley The who, where, and how of APT attacks in Q2 2025–Q3 2025 ESET APT Activity Report Q2 2025–Q3 2025 Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming How social engineering really works | Unlocked 403 cybersecurity podcast (S2E6) This month in security with Tony Anscombe – October 2025 edition Fraud prevention: How to help older family members avoid scams Cybersecurity Awareness Month 2025: When seeing isn't believing Recruitment red flags: Can you spot a spy posing as a job seeker? How MDR can give MSPs the edge in a competitive market Cybersecurity Awareness Month 2025: Cyber risk thrives in the shadows Gotta fly: Lazarus targets the UAV sector SnakeStealer: How it preys on personal data – and how to stay safe Cybersecurity Awareness Month 2025: Building resilience against ransomware Minecraft mods: When ‘hacking’ your game becomes a security risk IT service desks: The security blind spot that may put your business at risk Cybersecurity Awareness Month 2025: Why software patching matters more than ever AI-aided malvertising: How chatbots can help spread scams How Uber seems to know where you are – even with restricted location permissions Cybersecurity Awareness Month 2025: Passwords alone are not enough The case for cybersecurity: Why successful businesses are built on protection Beware of threats lurking in booby-trapped PDF files Manufacturing under fire: Strengthening cyber-defenses amid surging threats New spyware campaigns target privacy-conscious Android users in the UAE Cybersecurity Awareness Month 2025: Knowledge is power This month in security with Tony Anscombe – September 2025 edition Roblox executors: It’s all fun and games until someone gets hacked DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception Watch out for SVG files booby-trapped with malware Gamaredon X Turla collab Small business, big risk: How SMBs can fight back against ransomware HybridPetya: A Petya/NotPetya copycat comes with a twist Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass Are cybercriminals hacking your systems – or just logging in? Preventing business disruption and building cyber-resilience with MDR Under lock and key: Safeguarding business data with encryption GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes This month in security with Tony Anscombe – August 2025 edition Don’t let “back to school” become “back to bullying”
Ground zero: 5 things to do after discovering a cyberattack
Phil Muncaster · 2025-11-03 · via WeLiveSecurity

Business Security

When every minute counts, preparation and precision can mean the difference between disruption and disaster

03 Nov 2025  •  , 5 min. read

Ground zero: 5 things to do after discovering a cyberattack

Network defenders are feeling the heat. The number of data breaches Verizon investigated last year, as a share of overall incidents, was up 20 percentage points on the previous year. This need not be as catastrophic as it sounds, as long as teams are able to respond rapidly and decisively to intrusions. But those first minutes and hours are critical.

Preparation is the key to effective incident response (IR). Although every organization (and incident) is different, you don’t want to be making stuff up on the fly once the alarm bells have begun ringing. If everyone in the incident response team knows exactly what to do, there’s more chance of a swift, satisfactory and low-cost resolution.

The need for speed

Once threat actors get inside your network, the clock is ticking. Whether they are after sensitive data to steal and ransom, or want to deploy ransomware or other malicious payloads, the key is to stop them before they’re able to reach your crown jewels. This is becoming more challenging.

The latest research claims that adversaries progressed from initial access to lateral movement (aka “breakout time”) 22% faster in 2024 than the previous year. The average breakout time was 48 minutes, although the fastest recorded attack was almost half that: just 27 minutes. Could you respond to a security breach in under half an hour?

Meanwhile, the average time it takes global organizations to detect and contain a breach is 241 days, according to IBM. There’s a major financial incentive for getting IR right. Breaches with a lifecycle under 200 days saw costs drop by around 5% this year to US$3.9 million, while those over 200 days cost over US$5 million, the report claims.

Ransomware detections from June 2024 to May 2025
Ransomware detections from June 2024 to May 2025 (source: ESET Threat Report H1 2025)

5 steps to take following a breach

No organization is 100% breach-proof. If you suffer an incident and suspect unauthorized access, work swiftly, but also methodically. These five steps can help guide your first 24 to 48 hours. Be aware too that some of these steps should happen concurrently. The focus should be on speed but also thoroughness, without compromising accuracy or evidence.

1. Gather information and understand scope

The first step is to understand exactly what just happened and set to work on a response. That means activating your pre-built IR plan and notifying the team. This group should include stakeholders from across the business, including HR, PR and communications, legal and executive leadership. They all have an important part to play post-incident.

Next, work out the blast radius of the attack:

  • How did your adversary get inside the corporate network?
  • Which systems have been compromised?
  • What malicious actions have attackers done already?

You’ll need to document every step and collect evidence not just to assess the impact of the attack, but also for forensic investigation, and possibly legal purposes. Maintaining chain of custody ensures credibility if law enforcement or courts need to be involved.

2. Notify relevant third parties

Once you’ve established what has happened, it is necessary to inform the relevant authorities.

  • Regulators: If personally identifiable information (PII) has been stolen, contact relevant authorities under data protection or sector-specific laws. In the U.S., this may include notification under SEC cybersecurity disclosure rules or state-level breach laws.
  • Insurers: Most insurance policies will stipulate that your insurance provider is informed as soon as there has been a breach.
  • Customers, partners and employees: Transparency builds trust and helps prevent misinformation. It’s better that they don’t find out what happened from social media or the TV news.
  • Law enforcement: Reporting incidents, especially ransomware, can help identify larger campaigns and sometimes yield decryption tools or intelligence support.
  • External experts: External legal and IT specialists may also need to be contacted, especially if you don’t have this kind of resource available in house.

3. Isolate and contain

While outreach to relevant third parties is ongoing, you’ll need to work fast to prevent the spread of the attack. Isolate impacted systems from the internet, but don’t turn off devices in case you destroy evidence. In other words, the goal is to limit the attacker’s reach without destroying valuable evidence.

Any backups should be offline and disconnected so your attackers can’t hijack them and ransomware can’t corrupt them. All remote access should be disabled, VPN credentials reset, and security tools used to block any incoming malicious traffic and command-and-control connections.

4. Remove and recover

Once containment is in place, transition to eradication and recovery. Conduct forensic analysis to understand your attacker’s tactics, techniques and procedures (TTPs), from initial entry to lateral movement and (if relevant) data encryption or exfiltration. Remove any lingering malware, backdoors, rogue accounts and other signs of compromise.

Now it’s time to recover and restore. Key actions include:

  • removing malware and unauthorized accounts.
  • verifying the integrity of critical systems and data
  • restoring clean backups (after confirming they’re not compromised).
  • monitoring closely for signs of re-compromise or persistence mechanisms.

Use the recovery phase to harden systems, not just rebuild them. That may encompass tightening privilege controls, implementing stronger authentication, and enforcing network segmentation. Enlist the help of partners to accelerate restoration or consider tools like ESET’s Ransomware Remediation to speed up the process.

5. Review and improve

Once the immediate danger has passed, your work is far from over. Work through your obligations to regulators, customers and other stakeholders (e.g., partners and suppliers). Updated communications will be necessary once you understand the extent of the breach, potentially including a regulatory filing. Your PR and legal advisors should be taking the lead here.

A post-incident review helps transform a painful event into a catalyst for resilience. Once the dust has settled, it’s also a good idea to work out what happened and what lessons can be learned in order to prevent a similar incident occurring in the future. Examine what went wrong, what worked, and where detection or communication lagged. Update your IR plan, playbooks, and escalation procedures accordingly. Any tweaks to the IR plan, or recommendations for new security controls and employee training tips, would be useful.

A strong post-incident culture treats every breach as a training exercise for the next one, improving defenses and decision-making under stress.

Beyond IT

It's not always possible to prevent a breach, but it is possible to minimize the damage. If your organization doesn’t have the resources to monitor for threats 24/7, consider a managed detection and response (MDR) service from a trusted third party. Whatever happens, test your IR plan, and then test it again. Because successful incident response isn’t just a matter for IT. It requires a number of stakeholders from across the organization and externally to work together in harmony. The kind of muscle memory you all need usually requires plenty of practice to develop.

A Buyer’s Guide to Managed Detection and Response: What is it and why do you need it?


Let us keep you
up to date

Sign up for our newsletters