The first 60 minutes - acting fast when cyber attackers strike
- rrelentless

- 3 days ago
- 6 min read

There’s a common misconception that once a cyber attack is underway, there’s little you can do beyond accepting the loss of your data. In reality, that’s far from the truth. Speed is of the essence once an attack is detected, and acting swiftly can significantly reduce its effects and prevent the most damaging consequences. The way you react in the first hour can tilt the balance from a full-blown crisis with severe financial, operational and reputational consequences to swift containment and recovery.
Attackers understand this window of opportunity and will exploit that time - and the element of surprise - to escalate their privileges, move laterally within networks and steal sensitive data.
Escalating privileges: Privilege escalation is a technique in which an attacker exploits a weakness in a system, such as a software bug, a misconfiguration, a weak security control or credentials exposed through human error, to gain access rights beyond those they were originally granted, performing actions they were not authorised to do. Moving from a standard user account to an administrator or root account lets them steal data, deploy malware or disrupt systems.
Lateral movement: This refers to the way a cyber attacker, after gaining an initial foothold, moves deeper into a network looking for sensitive data and other assets. The attacker pivots from the first compromised host to others, often reusing stolen credentials, and typically escalates privileges as they go.
Therefore, decisive action in the first sixty minutes can help to:
limit damage,
preserve evidence and
maintain stakeholder trust.
Why is that first hour so important?
There are several reasons.
Rapid escalation
Within minutes of gaining access, attackers can begin encrypting files, deleting or disabling the backups your business relies on for continuity, and planting dormant payloads (sometimes called logic bombs) that lie undetected until a certain set of conditions is met, so even when you think you’ve got everything sorted, there could be a nasty surprise waiting. Consider how much damage could be done in ten minutes, and then double it.
Breakout time
Once an attacker is on one system, it won’t take long for them to begin lateral movement. Published measurements of "breakout time" (the interval between initial access and the first move to another host) put the average at around an hour, and the fastest observed cases at only a few minutes, so you need to contain the attack before this happens.
Regulatory obligations
UK GDPR requires a personal data breach to be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals. The clock starts when you become aware, not when you have finished containing the incident, so delaying notification while you get the situation under control can lead to significant fines and legal exposure, not to mention reputational damage.
Reputational risk
The longer you take to react to a cyber attack, the worse the damage gets. This erodes customer trust and can hit your bottom line, particularly if you have shareholders or investors.
Minute by minute – how your action plan will play out
A structured approach to attacks has been developed by cyber security agencies, and it now forms best practice for organisations that become the victims of cyber attacks.
1. Detect and Validate (0–10 Minutes)
Not every system outage is the result of a cyber attack, as recent widespread internet disruptions caused by outages at major providers such as AWS and Cloudflare have shown. Technical issues can initially look like malicious activity, so it is critical to validate the incident before escalating. Correlate alerts from your security tools, such as Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR) and Intrusion Detection Systems (IDS), to rule out false positives and confirm genuine compromise. A single alert from one tool is a lead, not a confirmation; two independent sources pointing at the same host or account is the usual bar for declaring a compromise real.
Once confirmed, pinpoint the affected systems by looking for signs of compromise, such as:
unusual login activity,
unexpected file encryption, or
suspicious outbound network traffic.
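The correlation step described above, as an added example that is not code from the original article: it maps constructed authentication, EDR and IDS events onto the three indicator types just listed and only declares a host "confirmed" when two different tools report two different indicator types within an hour of each other. The event layout, hostnames, thresholds, working hours, expected login country and egress allowlist are all assumptions chosen for illustration; real SIEM data will need its own field mapping.

```python
"""Alert correlation for step 1 (detect and validate).

Added example, not code from the original article. The event layout, the
hostnames, the thresholds and the verdict labels are assumptions chosen for
illustration; real SIEM/EDR/IDS data will need its own field mapping.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, flattened into one SIEM-style shape (not real data).
SAMPLE_EVENTS = [
    # FIN-WS-07: three independent sources point at the same host within minutes
    {"ts": "2024-05-01T02:03:11", "src": "auth", "host": "FIN-WS-07",
     "event": "login_success", "user": "j.doe", "geo": "RO"},
    {"ts": "2024-05-01T02:04:40", "src": "edr", "host": "FIN-WS-07",
     "event": "file_rename", "count": 1800, "ext": ".locked"},
    {"ts": "2024-05-01T02:05:02", "src": "ids", "host": "FIN-WS-07",
     "event": "outbound", "dst": "198.51.100.23", "bytes": 950_000_000},
    # HR-WS-02: ordinary daytime activity
    {"ts": "2024-05-01T08:15:00", "src": "auth", "host": "HR-WS-02",
     "event": "login_success", "user": "a.smith", "geo": "GB"},
    {"ts": "2024-05-01T09:00:00", "src": "edr", "host": "HR-WS-02",
     "event": "file_rename", "count": 40, "ext": ".docx"},
    # WEB-01: large transfer, but to the known offsite backup target
    {"ts": "2024-05-01T11:30:00", "src": "ids", "host": "WEB-01",
     "event": "outbound", "dst": "203.0.113.5", "bytes": 1_200_000_000},
    # OPS-WS-11: one out-of-hours login and nothing else
    {"ts": "2024-05-01T23:50:00", "src": "auth", "host": "OPS-WS-11",
     "event": "login_success", "user": "m.khan", "geo": "GB"},
]

WINDOW = timedelta(minutes=60)       # indicators must cluster within one hour
EXPECTED_GEOS = {"GB"}               # where this (assumed) workforce normally logs in from
WORK_HOURS = range(7, 20)            # 07:00-19:59
DOC_EXTS = {".docx", ".xlsx", ".pdf", ".txt"}
EGRESS_ALLOWLIST = {"203.0.113.5"}   # assumed offsite backup destination
BULK_BYTES = 500_000_000


def classify(ev):
    """Map one raw event to an indicator category, or None if it looks benign."""
    kind = ev["event"]
    if kind == "login_success":
        hour = datetime.fromisoformat(ev["ts"]).hour
        if ev.get("geo") not in EXPECTED_GEOS or hour not in WORK_HOURS:
            return "unusual_login"
    elif kind == "file_rename":
        # A burst of renames to a non-document extension is the classic ransomware signature.
        if ev.get("count", 0) >= 500 and ev.get("ext") not in DOC_EXTS:
            return "mass_encryption"
    elif kind == "outbound":
        if ev.get("bytes", 0) >= BULK_BYTES and ev.get("dst") not in EGRESS_ALLOWLIST:
            return "bulk_exfil"
    return None


def correlate(events, window=WINDOW):
    """Group indicators per host and decide whether they corroborate each other.

    Returns {host: (verdict, sorted categories)}; hosts with no indicator are omitted.
    """
    per_host = defaultdict(list)
    for ev in events:
        cat = classify(ev)
        if cat:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cat, ev["src"]))

    verdicts = {}
    for host, hits in per_host.items():
        hits.sort()
        cats = {c for _, c, _ in hits}
        srcs = {s for _, _, s in hits}
        span = hits[-1][0] - hits[0][0]
        # Two different indicator types from two different tools, close together in
        # time, is the bar for 'confirmed'; a single indicator goes to a human for review.
        if len(cats) >= 2 and len(srcs) >= 2 and span <= window:
            verdicts[host] = ("confirmed", sorted(cats))
        else:
            verdicts[host] = ("review", sorted(cats))
    return verdicts


if __name__ == "__main__":
    for host, (verdict, cats) in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{host:10} {verdict:9} {', '.join(cats)}")
```

Run as-is it flags FIN-WS-07 as confirmed, queues OPS-WS-11 for review, and says nothing about HR-WS-02 or WEB-01: the large WEB-01 transfer is to an allowlisted backup target, which is exactly the kind of benign event that looks alarming on its own. The allowlist and the "two tools, two indicator types" rule are where false positives are actually suppressed, so keep both under change control.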
2. Contain the Threat (10–20 Minutes)
Once the compromised devices have been identified, they need to be isolated as soon as possible. This means cutting infected endpoints (any device that connects to a computer network, such as a laptop, smartphone, server or Internet of Things (IoT) device) and servers off from the network at once. Isolate rather than power off: shutting a machine down destroys volatile evidence such as the contents of memory, whereas EDR network containment or switch-port isolation blocks the attacker while leaving the host available for forensics.
If any accounts have been compromised, they also need to be disabled before more damage can be caused. Reset the affected credentials as soon as possible, including any service accounts and API keys the attacker may have reached, and enforce multi-factor authentication for all users.
Network segmentation is your main tool for stopping the spread. Segmentation divides a larger network into smaller, isolated sections or subnets, using hardware such as firewalls or software-defined controls to police traffic between segments and limit the lateral movement of attackers (covered earlier). If your network is already segmented, use those boundaries now to block traffic from the compromised segment; if it is not, emergency firewall rules between zones are the fallback.
3. Preserve Evidence (20–30 Minutes)
Although a cyber attack can be a very stressful and fast-moving experience, it’s essential to record and preserve as much information as possible. Clear documentation lets you understand what happened, supports any later forensic investigation or regulatory reporting, and gives you something to refer back to afterwards when identifying weak points, what was done well and areas for recovery and improvement.
This means recording timestamps, the actions you’ve taken and anomalies that have been observed. This helps maintain an accurate chain of evidence and ensures that nothing critical is lost while the incident unfolds.
Many organisations assume their backups will always be safe, but this is not guaranteed. Backups that are online, poorly segmented or stored within the same environment can be affected by the same compromise. If backups appear to be intact, leave them disconnected until it is deemed safe to reconnect them, and verify their integrity before restoring from them.
A system that has been infected, even once isolated, should not be wiped or rebuilt unless you have confirmation and agreement from IT and/or forensic teams: reimaging the disk destroys the evidence that would show how the attacker got in.
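One way to keep the timestamped record of actions and anomalies described above, as an added example that is not code from the original article: an append-only incident log in which every entry carries the SHA-256 of the entry before it, so a later edit or deletion is detectable, plus a helper that fingerprints each collected artifact by size and digest. The entry fields, JSON layout, actor names, hostnames and the sample timeline are all assumptions for illustration.

```python
"""Hash-chained incident log and artifact fingerprints for step 3 (preserve evidence).

Added example, not code from the original article. The entry fields, the JSON
layout and the sample entries are assumptions; the chaining idea is generic.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # 'previous hash' for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fingerprint_artifact(name: str, data: bytes) -> dict:
    """Record what was collected and its digest so the copy can be matched later."""
    return {"artifact": name, "size": len(data), "sha256": sha256_hex(data)}


class IncidentLog:
    """Append-only timeline where every entry commits to the one before it.

    Editing or deleting an earlier entry changes its digest, which breaks the
    'prev' link of every later entry, so verify() detects tampering after the fact.
    """

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return sha256_hex(canonical.encode())

    def record(self, actor: str, action: str, detail=None, ts=None) -> str:
        """Append one timestamped entry; pass ts only to replay a fixed timeline."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": (ts or datetime.now(timezone.utc)).isoformat(timespec="seconds"),
            "actor": actor,
            "action": action,
            "detail": detail or {},
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute every digest and prev-link; False if anything was altered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def export(self) -> str:
        """One JSON object per line, suitable for copying off the affected network."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def build_sample_log() -> IncidentLog:
    """Constructed timeline for the first half-hour; hosts, actors and times are invented."""
    t0 = datetime(2024, 5, 1, 2, 10, tzinfo=timezone.utc)
    log = IncidentLog()
    log.record("soc-analyst-1", "alert_validated",
               {"host": "FIN-WS-07", "sources": ["auth", "edr", "ids"]}, ts=t0)
    log.record("soc-analyst-1", "host_isolated",
               {"host": "FIN-WS-07", "method": "edr_network_contain"}, ts=t0.replace(minute=14))
    log.record("it-admin-2", "account_disabled", {"user": "j.doe"}, ts=t0.replace(minute=16))
    # Fingerprint of a constructed artifact; a real memory image comes from forensic tooling.
    log.record("soc-analyst-1", "artifact_collected",
               fingerprint_artifact("FIN-WS-07-memory.raw", b"abc"), ts=t0.replace(minute=25))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.export())
    print("chain intact:", log.verify())
```

Keep the log on a machine the attacker cannot reach (a responder's laptop or a notebook, not the compromised estate), and periodically write the latest entry hash somewhere independent, such as an email to legal counsel; the chain only proves that nothing was altered after the point you can anchor.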
4. Activate Communication Protocols (30–45 Minutes)
Once these first key steps have been carried out, the time has come to start letting people know what has happened and the actions you’ve taken to protect your data and the organisation.
A system of internal alerts should already be set up for just such an eventuality and this can be used to make the incident response team and senior leadership aware.
Externally, your legal advisors, your insurers and the regulators whom you are legally obliged to inform within a set timeframe should all be notified. From this point, the situation is no longer entirely in your hands, and you should be receptive to any professional advice you receive about how to manage it.
As mentioned earlier, reputational damage is a real possibility, so make sure you have one, and only one, point of contact for all media enquiries. Staff should be warned not to comment publicly (either directly to journalists or via social media) about what has happened, to avoid misinformation spreading; that can take the situation out of your hands and make it a lot harder to manage. Consider giving senior staff, and those most likely to be approached by the media, some training on how to react if they are pressed for information.
5. Begin Impact Assessment (45–60 Minutes)
At this point, you may have the opportunity to step back and look at what has happened from a less frenetic viewpoint. You will need to identify the affected data and systems and whether the attackers managed to obtain or view sensitive information; this assessment feeds directly into the regulatory notification, since the decision on whether a breach is reportable depends on the risk to the individuals concerned.
Your incident response team, mentioned earlier, should already have been contacted; if not, do so now to get their support and guidance on the measures necessary for containment and recovery.
Be prepared
Prompt action in the event of an attack is good, but preparedness beforehand can really pay dividends. There are several areas of best practice when it comes to readiness.
Have you got an Incident Response Plan in place? If not, develop and test it now. This should include clearly defined roles, responsibilities and escalation paths so that staff are aware of who needs to know what, when and in what level of detail.
Plans only work if they are regularly exercised. Run tabletop simulations to test how they perform under pressure and to identify any gaps. Bringing in a cyber security expert can add realism and help refine the process, but the key is ensuring staff know what happens, who takes ownership and how decisions will be made during an incident.
As touched on earlier, Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR) and automated containment systems provide early visibility of threats. They give you time to initiate reactive controls and slow the attacker’s progress, which is why investing in strong detection capabilities is essential.
Takeaway point
The first hour after an attack begins centres on damage control. The breach has happened, but preventing further spread, and therefore minimising further damage, is still achievable. Remember your four priorities, in the order the plan above runs through them:
Detect
Contain
Preserve evidence
Communicate
If you’re prepared for the worst, act decisively when it happens and keep a cool head, you can turn what might have been a potential catastrophe into a manageable incident from which much can be learned – and salvaged.