After a Hack: How Companies Should Respond


Cyber incidents are no longer rare threats; these days, a cyber incident is practically a certainty, yet many organizations still have no forensically grounded response plan for an actual breach. The resulting delay increases the damage and exposes the organization to legal non-compliance and loss of public trust. So, what should companies do in the critical moments right after an attack? Let’s break it down.


The First 24 Hours: What Must Happen Immediately

The first 24 hours after a breach are the make-or-break period. What you do in this window decides whether the breach is contained or ends up in the headlines.

1. Activate the Incident Response Plan

If a predefined plan does not exist, that in itself is a red flag. The plan should define:

  • Who sits on the incident response team (IRT): IT, legal, and others such as public relations or compliance.
  • Communication chains.
  • External partners (e.g., forensic firms, law enforcement).

2. Contain the Breach

Isolate the affected systems immediately so the compromise stops spreading, with actions such as:

  • Disconnect the affected servers.
  • Disable the user accounts.
  • Block outbound connections from the affected machines.

3. Preserve Evidence

While it may be hard not to start “cleaning up,” the preservation of digital evidence is paramount.

Secure:

  • System logs
  • Firewall/VPN logs
  • Disk images of affected endpoints

Forensic teams use this to reconstruct the attack timeline, discover backdoors, and give support for any future legal or compliance needs.
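The evidence-preservation step above is only as good as the integrity record that goes with it: a forensic team (or a court) will ask who collected a log, when, and whether it has changed since. The following is an added illustration, not code from the original article. It copies log files into an evidence directory, hashes the original and the copy, writes a chain-of-custody manifest, and can later re-verify every item; the log content, host names and addresses are constructed for the example, and the collector name and directory layout are assumptions.

```python
"""Evidence preservation with a hashed chain-of-custody manifest.

Added illustration (not code from the original article). It assumes the
log files to preserve are readable by the responder and that an empty
evidence directory is available; all sample log content is constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so a disk image never has to fit in RAM


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, streaming it in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(sources, evidence_dir, collector: str) -> dict:
    """Copy each source into evidence_dir, hash original and copy, write manifest.json.

    The manifest records who collected what, when, and each digest, which is
    exactly what later forensic or legal review will ask for.
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": [],
    }
    for src in map(Path, sources):
        original_hash = sha256_of(src)
        dest = evidence_dir / src.name
        shutil.copy2(src, dest)  # copy2 keeps the original timestamps
        copy_hash = sha256_of(dest)
        if copy_hash != original_hash:
            raise RuntimeError(f"copy of {src} does not match the original")
        os.chmod(dest, 0o444)  # preserved copy is read-only from here on
        manifest["items"].append({
            "source": str(src),
            "stored_as": dest.name,
            "size": dest.stat().st_size,
            "sha256": copy_hash,
        })
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(evidence_dir) -> list:
    """Re-hash every preserved file; return the names whose digest no longer matches."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [
        item["stored_as"]
        for item in manifest["items"]
        if sha256_of(evidence_dir / item["stored_as"]) != item["sha256"]
    ]


def demo(workdir=None) -> tuple:
    """Write constructed sample logs, preserve them, then tamper with one copy."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="ir-demo-"))
    logs = workdir / "logs"
    logs.mkdir(parents=True, exist_ok=True)
    # Constructed sample log lines (hypothetical hosts and addresses), not real data.
    (logs / "auth.log").write_text(
        "Jun 01 02:14:07 web01 sshd[412]: Accepted password for svc_backup from 10.0.5.23\n"
    )
    (logs / "firewall.log").write_text(
        "2024-06-01T02:16:40Z DENY out 10.0.5.23:51822 -> 203.0.113.9:443\n"
    )
    evidence = workdir / "evidence"
    manifest = preserve_evidence(
        [logs / "auth.log", logs / "firewall.log"], evidence, "analyst-1"
    )
    clean = verify_evidence(evidence)  # nothing has changed yet
    os.chmod(evidence / "auth.log", 0o644)
    (evidence / "auth.log").write_text("tampered\n")
    tampered = verify_evidence(evidence)  # the altered copy is now reported
    return manifest, clean, tampered


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2))
    print("mismatches before tampering:", before)
    print("mismatches after tampering:", after)
```

The same pattern applies to disk images: hash the image as it is acquired, store the digest with the collector's name and time, and re-hash before analysis. The read-only chmod is a convenience, not a control; the digest in the manifest is what proves the copy is unchanged.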


Forensic Analysis & Containment Strategies

A forensic investigation is not only about the question ‘what happened’; it also tries to answer the harder questions of how and why it happened, and to make sure it does not happen again.

Key Forensic Steps:

  • Attack vector identification: Phishing? Zero-day? Insider?
  • Map the attacker’s movements: lateral movement, privilege escalation, exfiltration.
  • Damage assessment: Which data was accessed, changed, or stolen? Were systems modified or backdoored?
  • Patch and monitor: Remediation should be complete by the end of the analysis, with continued monitoring of the systems for any sign of the attacker’s return.

Where possible, containment should happen without alerting the attacker to your presence, particularly in cases where monitoring their ongoing behavior will yield evidence of a deeper compromise.
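Mapping the attacker’s movements, as the forensic steps above describe, usually starts by merging logs from several sources into one ordered timeline and then looking for patterns such as one account appearing on several hosts or a large outbound transfer following a privileged command. The following is an added example, not code from the original article: it parses constructed syslog-style authentication lines and firewall flow lines, builds a single timeline, and flags candidate lateral movement and exfiltration. The log formats, host names, user names, addresses and the 100 MiB threshold are all assumptions chosen for the illustration.

```python
"""Reconstructing an attack timeline from constructed log lines.

Added illustration, not from the original article. Log formats, hosts,
users, addresses and thresholds are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample logs (hypothetical hosts and RFC 5737 test addresses).
AUTH_LOG = """\
Jun 01 02:14:07 web01 sshd[412]: Accepted password for svc_backup from 10.0.5.23 port 50211
Jun 01 02:15:33 web01 sudo: svc_backup : TTY=pts/0 ; COMMAND=/bin/bash
Jun 01 02:21:10 db01 sshd[907]: Accepted publickey for svc_backup from 10.0.1.10 port 40101
Jun 01 02:22:48 db01 sudo: svc_backup : TTY=pts/1 ; COMMAND=/usr/bin/pg_dump customers
Jun 01 09:00:02 db01 sshd[990]: Accepted publickey for dba from 10.0.9.4 port 40102
"""
FIREWALL_LOG = """\
2024-06-01T02:14:05Z ALLOW in 10.0.5.23:50211 -> 10.0.1.10:22 bytes=4120
2024-06-01T02:31:52Z ALLOW out 10.0.1.20:51822 -> 203.0.113.9:443 bytes=734003200
2024-06-01T09:00:01Z ALLOW in 10.0.9.4:40102 -> 10.0.1.20:22 bytes=3900
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<dir>in|out) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):\d+ bytes=(?P<bytes>\d+)$"
)
YEAR = 2024  # syslog lines carry no year; assumed to be the incident year


def parse_auth(line: str):
    """Turn one auth-log line into a login, sudo or other event, or None."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    event = {"ts": ts.replace(tzinfo=timezone.utc), "host": m["host"], "source": "auth"}
    login = re.match(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)", m["msg"])
    sudo = re.match(r"(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$", m["msg"])
    if login:
        event.update(kind="login", user=login["user"], src=login["ip"])
    elif sudo:
        event.update(kind="sudo", user=sudo["user"], cmd=sudo["cmd"])
    else:
        event.update(kind="other", msg=m["msg"])
    return event


def parse_firewall(line: str):
    """Turn one firewall flow line into a flow event, or None."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "firewall", "kind": "flow", "dir": m["dir"],
            "src": m["src"], "dst": m["dst"], "bytes": int(m["bytes"])}


def build_timeline(auth_text: str, fw_text: str) -> list:
    """Merge both sources into one list ordered by timestamp."""
    events = [e for e in map(parse_auth, auth_text.splitlines()) if e]
    events += [e for e in map(parse_firewall, fw_text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def find_lateral_movement(timeline: list) -> dict:
    """Users that logged in to more than one host: candidates for lateral movement."""
    hosts = defaultdict(set)
    for e in timeline:
        if e["kind"] == "login":
            hosts[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) > 1}


def find_exfil_candidates(timeline: list, threshold: int = 100 * 2**20) -> list:
    """Outbound flows of at least `threshold` bytes that follow a privileged command."""
    last_priv = None
    hits = []
    for e in timeline:
        if e["kind"] == "sudo":
            last_priv = e
        elif (e["kind"] == "flow" and e["dir"] == "out"
              and e["bytes"] >= threshold and last_priv):
            hits.append({"ts": e["ts"].isoformat(), "dst": e["dst"],
                         "bytes": e["bytes"], "after": last_priv["cmd"]})
    return hits


if __name__ == "__main__":
    tl = build_timeline(AUTH_LOG, FIREWALL_LOG)
    for e in tl:
        print(e["ts"].isoformat(), e["source"], e["kind"], e.get("user", e.get("dst", "")))
    print("lateral movement:", find_lateral_movement(tl))
    print("exfil candidates:", find_exfil_candidates(tl))
```

In the constructed sample the service account logs in to web01, escalates to a root shell, reappears on db01, dumps a database, and a large outbound transfer follows; a real investigation applies the same merge-and-correlate approach across many more sources (EDR, proxy, VPN) and keeps the original, hashed log files untouched while analysing copies.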


Legal & Compliance Requirements

Rules differ from region to region, but one thing is universal: timely breach notification is not optional.

GDPR (EU)
Organizations must notify the relevant data protection authority within 72 hours of becoming aware of the breach.

  • Notifying the affected individuals may also be necessary in high-risk cases.

PDPA (Singapore and similar jurisdictions)
Notification is required “as soon as practicable,” generally within 72 hours.

Organizations need to assess whether harm is likely before initiating any notifications.

Other Frameworks

  • CCPA (California): imposes obligations that depend on the personal data compromised.
  • HIPAA (Healthcare, U.S.): has strict timelines and content requirements for breach notifications.

Non-compliance with these laws brings large fines and reputational damage.


Lessons from High-Profile Breaches

Let’s look at some recent breaches that made global headlines — and what could’ve been done
differently:

Optus (Australia, 2022)

Data of 10 million customers was exposed in a large breach.

  • What went wrong: An unsecured API leaked sensitive customer data.
  • What might have helped: Hardening of the API, external penetration testing, and stringent access controls.

T-Mobile (US, multiple incidents)
Some 40 million records were stolen across multiple breaches.

  • Root causes: lack of segmentation, weak SSID swap protections, and inconsistent threat detection.
  • Lesson: Mature endpoint detection and segmentation matter, however large the corporation.

Facebook/Cambridge Analytica (2018)
Not really a hack, more a huge case of data misuse.

  • Key takeaway: Security is not just about restricting access to data; it is also about how legitimately accessible data is treated.


Prepare Before You’re the Next Headline

Whether an organization is ready for a forensic response when an incident occurs is a choice it has already made. At a minimum, every company should have:

  • Detailed and tested incident-response plan
  • Regular penetration tests and vulnerability assessments
  • Log retention and monitoring capacity
  • Legal and compliance playbooks, depending on the national legislation and sector
  • Relationships with external forensic and legal professionals

Cyberattacks may be inevitable, but chaos does not need to be. Get ready before the breach: make decisions smartly, make moves quickly.