Agile Cyber

How to respond to a cyber incident

While all cyber attacks are unique and require bespoke solutions, there are a few key steps that every response should follow. Much of the advice below is iterative: for example, what is learned during the investigative phase might require you to revisit your data preservation strategy.

Data preservation

Cyber attacks often result in data loss, so at the earliest opportunity there should be a strong focus on data preservation. What this looks like will depend heavily on the type of attack and on your pre-existing data storage systems.

First, determine what data is at risk or potentially at risk. This could include data stored in on-premises systems, in private data centres and in third-party cloud-hosted systems. Create a list of all possibly at-risk data, including file storage, databases and email data. Consider each of your business software systems and determine whether its data is possibly at risk; don't ignore systems hosted by third-party vendors, for example small business accounting software such as Xero, MYOB and Reckon Accounts.

Take immediate steps to restrict access to all at-risk data storage systems to only those personnel who need access for incident response.

Take immediate steps to disconnect backup systems. For on-premises systems this means taking your backup systems offline; for other systems this might mean shutting down VPN links or disabling API keys.
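One concrete way to carry out the preservation steps above is to take a copy of the at-risk data, hash every file into a manifest, mark the copies read-only, and re-verify the manifest later so you can show the preserved data has not changed. The script below is an added example written for this article, not Agile Cyber's own tooling; the directory layout, file contents and the manifest file name are constructed for the demonstration.

```python
"""Preserve a copy of at-risk data: hash every file into a manifest, mark the
copies read-only, and later verify that nothing has changed or gone missing.

Added example; the directory layout and file contents are constructed here
and are not from the original article."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

MANIFEST_NAME = "PRESERVATION_MANIFEST.json"  # assumed name, not from the article


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, make_read_only: bool = True) -> dict:
    """Record relative path, size and SHA-256 of every file under root."""
    entries = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.name == MANIFEST_NAME:
            continue
        rel = path.relative_to(root).as_posix()
        entries[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
        if make_read_only:
            # Least privilege for preserved copies: read-only for everyone.
            os.chmod(path, 0o444)
    (root / MANIFEST_NAME).write_text(json.dumps(entries, indent=2, sort_keys=True))
    return entries


def verify_manifest(root: Path) -> dict:
    """Compare the current tree against the stored manifest.

    Returns {"modified": [...], "missing": [...], "added": [...]};
    all three empty means the preserved copy is intact."""
    expected = json.loads((root / MANIFEST_NAME).read_text())
    current = {
        p.relative_to(root).as_posix(): p
        for p in root.rglob("*")
        if p.is_file() and p.name != MANIFEST_NAME
    }
    report = {"modified": [], "missing": [], "added": []}
    for rel, meta in expected.items():
        path = current.get(rel)
        if path is None:
            report["missing"].append(rel)
        elif path.stat().st_size != meta["size"] or sha256_file(path) != meta["sha256"]:
            report["modified"].append(rel)
    report["added"] = sorted(set(current) - set(expected))
    return report


def demo() -> tuple:
    """Build a constructed sample tree, preserve it, tamper with it, re-verify."""
    root = Path(tempfile.mkdtemp(prefix="preserve-"))
    (root / "finance").mkdir()
    (root / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
    (root / "mail").mkdir()
    (root / "mail" / "inbox.mbox").write_text("From: constructed@example.invalid\n")

    build_manifest(root)
    clean = verify_manifest(root)

    # Simulate post-preservation tampering: lift read-only, alter one file, delete another.
    target = root / "finance" / "ledger.csv"
    os.chmod(target, 0o644)
    target.write_text("date,amount\n2024-01-01,999\n")
    (root / "mail" / "inbox.mbox").unlink()
    tampered = verify_manifest(root)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("after preservation:", before)
    print("after tampering:   ", after)
```

Run the manifest build once the preserved copy is in place and keep the manifest somewhere the incident team controls; re-running the verify step at each later stage of the response (and before any restore) gives you evidence that the preserved data is the data you started with.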


Investigation

Cyber incident investigations are often highly complex and always unique. While investigating, you must try to answer the following questions:

  1. What needs to be done in order to be confident the attackers no longer have access to your systems both now and after systems are brought back online?
  2. Is this a Notifiable data breach which must be reported to authorities and victims?
  3. What data was accessed or potentially accessed?
  4. What was the initial entry point?  In other words, how did the attackers first gain access to your systems?
  5. What payloads or backdoors were left behind by the attackers?
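Questions 3 and 4 above are usually approached by rebuilding a timeline from authentication logs: find the earliest suspicious successful login, then list every account and host the same source reached afterwards. The script below is an added example written for this article, not Agile Cyber's own tooling. The log lines are constructed in an sshd-like format, the source addresses come from the 203.0.113.0/24 documentation range and are not real indicators, and the "failures followed by a success" rule is only a heuristic that an analyst must confirm against other evidence.

```python
"""Reconstruct an access timeline from authentication logs to answer two of the
investigation questions: what was the initial entry point, and which accounts
and hosts were touched afterwards?

Added example. The log lines are constructed in an sshd-like format; the IP
addresses use the documentation range 203.0.113.0/24 and are not real IoCs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a short failed-password burst followed by a success, then
# further logins to other hosts from the same source.
SAMPLE_LOG = """\
2024-03-02T01:10:02Z fileserver sshd[1102]: Accepted publickey for backupsvc from 10.0.0.5 port 40100
2024-03-02T01:12:05Z fileserver sshd[1188]: Failed password for admin from 203.0.113.7 port 50122
2024-03-02T01:12:09Z fileserver sshd[1188]: Failed password for admin from 203.0.113.7 port 50124
2024-03-02T01:12:14Z fileserver sshd[1188]: Failed password for admin from 203.0.113.7 port 50127
2024-03-02T01:12:40Z fileserver sshd[1190]: Accepted password for admin from 203.0.113.7 port 50131
2024-03-02T01:31:17Z dbserver sshd[2201]: Accepted password for admin from 203.0.113.7 port 50188
2024-03-02T01:45:55Z mailserver sshd[3307]: Accepted password for svc_mail from 203.0.113.7 port 50201
2024-03-02T02:00:00Z fileserver sshd[1201]: Accepted publickey for backupsvc from 10.0.0.5 port 40111
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_events(text: str) -> list:
    """Turn raw lines into dicts with a real datetime; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_initial_entry(events: list, min_failures: int = 3,
                       window: timedelta = timedelta(minutes=10)):
    """Earliest successful login preceded by at least min_failures failures from
    the same IP within window. Returns that event, or None if nothing matches."""
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
        if len(recent) >= min_failures:
            return ev
    return None


def scope_after_entry(events: list, entry: dict) -> dict:
    """Hosts and accounts used by the suspicious source from the entry time onward;
    this bounds the 'what data was accessed' question for notification purposes."""
    touched = defaultdict(set)
    for ev in events:
        if ev["result"] == "Accepted" and ev["ip"] == entry["ip"] and ev["ts"] >= entry["ts"]:
            touched[ev["host"]].add(ev["user"])
    return {host: sorted(users) for host, users in sorted(touched.items())}


def investigate(text: str = SAMPLE_LOG) -> dict:
    """Run the two steps and return a JSON-friendly summary."""
    events = parse_events(text)
    entry = find_initial_entry(events)
    if entry is None:
        return {"entry": None, "scope": {}}
    return {
        "entry": {"ts": entry["ts"].isoformat(), "host": entry["host"],
                  "user": entry["user"], "ip": entry["ip"], "method": entry["method"]},
        "scope": scope_after_entry(events, entry),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(investigate(), indent=2))
```

The output gives you a defensible first answer to "how did they get in" (the admin account on fileserver, by password, after a short guessing burst) and a list of hosts and accounts to prioritise when working out what data was reachable; both feed directly into the notifiable-breach decision in question 2.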


Remediation, monitoring and prevention

As your investigation continues, remediation steps need to be formulated and actioned, always with the end goal in mind: what needs to be done to bring our systems back to normal operation? Don't be tempted to rush to remediation though; your investigation needs to be thorough to give you confidence that all vulnerabilities have been addressed. Bringing still-compromised systems back online will likely lead to further data loss and further downtime.

As systems are brought back online it is imperative to monitor them closely; once a system has been compromised, it is almost certain to be targeted again in the future.

Most cyber attacks begin with human error, often in the form of a successful phishing attack, so don't underestimate the importance of staff training as part of your overall cyber security strategy.

Cyber security is a game of cat and mouse; it is nearly impossible to create a perfectly secure and impenetrable information technology system. You should engage cyber security experts to assess your systems at least every 12 months to give yourself the best chance of avoiding further attacks.