blog posts

Cyber Attack

What Should We Do After A Cyber Attack?

In Early March 1999, News Broke Of An Attack On A Large Cloud Infrastructure Company In Iran. Shortly Afterward, Cyberspace Users Expressed Their Personal Views On The Incident, Its Effects, And The Measures The Company Should Take.

Shortly afterward, it was announced that the attack was carried out to delete the information of the company’s customers, no data leakage occurred, and the company’s employees are trying to restore the situation to its original state.

Regardless of the type of attack and the direct and indirect effects, it has left, an important point to note is the basic premise that states that large and sensitive organizations and companies need a security response plan to counter hacking threats. Be able to get everything back to normal in the short term.

Responding to security incidents that affect the performance and assets of an organization requires a coordinated and executable plan. In this article, we are going to explain how to react to cyber-attacks in simple language and the form of executive steps.

Do’s and Don’ts of Responding to Events

When a cyberattack occurs without wasting time, do not act hastily and unplanned. In such a situation, steps must be taken based on a comprehensive solution already prepared so that the signs do not disappear or new doors are inadvertently opened to hackers.

At the time of the incident, teams and staff should communicate with each other in such a way that information confidentiality is maintained.

The incident response manager should be the main focus of all communications, and only those who need to be informed about the details of the incident, the signs of intrusion, the methods, and the techniques used by the hackers.

Securing communications so that attackers are not able to see the messages is very important so that information about the investigation process is not provided to hackers.

Any sign that you are looking for them (hackers) will cause them to change their tactics and carry out their activities with more secrecy.

5 Things You Should Not Do

  1. Do not panic: Fear is the worst feeling that comes to you. Keep calm and go for it if you have a plan to respond to events. Having such a plan gives you a predefined route to do the best you can at the time of the accident.
  2. انیDo does not make public: Do not talk to anyone about the incident unless you have received an explicit order from a higher authority. Be careful about who you talk to about the incident.
  3. Do not use the system administrator account: Do not use the administrator account to access the systems. Hackers may wait for the user to log in with this account to obtain a password and take full control of the environment.
  4. Infected systems should not be turned off: Do not turn off infected systems. Shutting down systems may destroy data that is critical to memory detection. This information plays an important role in incident investigation.
  5. Do not use miscellaneous tools for criminology: Do not install any software other than criminology tools on infected systems, this will cause the attack information in the Master File Table to be overwritten and deleted.

5 actions to take after an accident

  1. Data collection: Criminology tools collect data that is in the main memory of the system along with important data stored in systems. Criminology tools can connect to systems without changing any timestamp.
  2. External information: Collect external information based on known signs of intrusion. It is best to research MD5 encryption algorithms, IP addresses, and domains encountered during initial checks. The purpose of this is to identify the type of infection or malware that may have entered the systems.
  3. Systems protection: Protect the systems and data storage equipment used in connection with the collection of criminological information.
  4. Collect reports: Collectrelevant reports that have valuable information. These reports should be related to Windows incidents, firewalls, network traffic flow, anti-virus software, proxies, and network-related software. In addition, endpoint reports should be collected.

Create an accident response team

Once you have started your business, the first step is to prepare your response team. An accident response team is a central team that is responsible for responding to events that occur at the organization or company level. The team receives and analyzes the security breach report and prepares the necessary response.

The disaster response team should consist of the following people:

  1. AccidentResponse Manager: The AccidentResponse Manager monitors the necessary steps of diagnosis, analysis, and response to the accident and prioritizes these steps. In addition, in the event of a high-risk incident, it will interact with other parts of the organization, such as the security unit, human resources, etc., to discuss findings, status, and needs.
  2. Security Analyst: Security analysts are experts who try to identify the time of the accident and the activities that took place during the accident by careful investigation. In large organizations, a group of analysts is formed who are a subset of the disaster response team. The members of this group are as follows:
  3. Triage Analyzer: Removes false-positive diagnoses and warns relevant units if it detects a possible intrusion.
  4. Criminologist: collects important data and takes care to maintain the comprehensiveness and accuracy of the information so that the investigation and inspection process does not face any problems.
  5. Threat researchers: Threatresearchers are people who have sufficient skills in threat intelligence and can determine the conditions of the attack and greatly help analysts. These people are constantly researching and evaluating information reported by various sources. They then create an in-house database of internal intelligence derived from current and previous incidents.

Get support for one or more specialized teams

  • Business partners and stakeholders must fully understand and support the disaster response plan. With the proper implementation of this plan, in the event of a hacker attack, it is possible to direct traffic to another destination and at the same time do the necessary work to counter the attack, without the need for full service from Get out of reach.


  • Another important step that needs to be taken is to get the support of the manager or board to receive the resources, budget, staff, and time needed to plan and execute the disaster response plan.

human resources

  • If it is determined that one of the employees was involved in the accident, the human resources department should act immediately. For example, an employee who opens an e-mail on a very important server and paves the way for malware or hackers to gain access to accounts should be identified immediately.

Risk management and inspection specialists

  • These people are responsible for identifying vulnerabilities and designing metrics that simplify the threat identification process.


  • The role of the legal advisor is to investigate and ensure that all the evidence gathered after the incident is of sufficient value to be presented to the legal community. One of the duties of a legal advisor is to explain the company’s responsibilities to customers, sellers, and the general public concerning the accident in the event of a complaint, citing the provisions of the contract.

public relations

  • The role of public relations is to communicate with team leaders and explain the problem in simple language so that everyone has an accurate knowledge of the problem and the situation of the company. In addition, it should keep shareholders informed of the current status and, if necessary, give users the necessary warnings.

What are the responsibilities of the incident response team?

The most important tasks of the accident response team should be mentioned as follows:

  • Determine the impact or area of ​​the accident
  • Do the necessary work to minimize the impact of the attack
  • Security intelligence analysis
  • Identification of vulnerable assets
  • Perform criminological analyzes
  • Change security controls to prevent similar incidents in the future
  • Implement reforms based on past experiences
  • Collect data to assess the situation

Develop an event classification framework

  • Implementing an event classification framework plays an important role in prioritizing them. In addition, it helps the business identify meaningful metrics for future use. Security experts suggest that the comprehensive disaster response plan be divided into two categories, classification, and classification, each with its own subset.

Classification of security incidents

During the accident management cycle and at the same time as receiving information about it, the accident classification may be rewritten and changed several times. The classification of events consists of three important subsets as follows.

  1. Categorization: This subcategory should address unauthorized access to the network, malware, deprivation of service, abuse or neglect of some IT managers, unsuccessful access attempts, loss of physical assets, and explainable anomalies.
  2. Type: This subset should address topics such as targeted or opportunistic threats, advanced mana threats, spy-backed spy attacks, hacktivism threats, internal threats, and intrusive threats.

3 Intensity: In this subset, causes issues such as critical impact, life threat or public safety, high impact, the threat against sensitive data, medium impact, a threat to computer systems, low impact, and disruption of services.

Classification of security incidents

Incident classification helps teams deal purposefully with the side effects of an attack and prevent future attacks. Accordingly, it is necessary to carefully consider the following when compiling the classification. Given that the classification of the accident provides more information to identify the root cause, the course of the accident and the threat intelligence and the information needed to determine the necessary response strategies should be carefully compiled.

The classification consists of the following sections:

  1. Detection method: In this subset, important items such as user, specific solutions, requesting help from legal entities such as FATA policy, intrusion detection, and systems, data leakage prevention systems, firewall, anti-virus, proxy, and Netflow protocol should be examined.
  2. Attack route: The above subset is important because it provides accurate information about the type and route of the attack. Sufficient information should be obtained about viruses, email attachments, web pages, pop-up windows, messaging systems, user tasks, exploiting system vulnerabilities and third-party companies, and so on.
  3. Impact: When an attack is carried out, it has different effects, so it should be included in the comprehensive plan such as the dismissal of employees, violation of rules, loss of productivity, unauthorized access, defects in the website, destruction of brand reputation, legal cases, deprivation of Check the service, create a threat to one or more IPs, and execute malicious code.
  4. Intention and purpose of the attack: Given that all cyber attacks are targeted, this section should be considered items such as non-destructive, malicious, theft, accidental, physical harm, fraud, defamation, scandal, and espionage.
  5. Disclosed data: It is rare for a cyber attack to not affect data disclosure. Therefore, it should be addressed in the comprehensive plan in which section or sections the data disclosure has caused the problem.
  6. The root cause of the attack: In this section, the cause of the attack must be determined to take appropriate action. Therefore, unauthorized actions, vulnerability management, theft, error or breach of security controls, policy disregard, user negligence, non-compliance with standards such as PII, PCI, HIPAA, or negligence of a service provider concerning security protocols should be investigated.

Tracking hackers through reports filed by antivirus

Some security experts believe that anti-virus software used by organizations may not detect 10 to 15 percent of malware, but they do collect important reports on important signs of an attack. When hackers break into an organization’s network, their first goal is to collect passwords using software to steal login information.

Antiviruses are usually able to detect this quickly and prevent malicious software from running, but sometimes fail. However, in most cases, any activity related to malicious devices is recorded in the form of reports. It is important to have a report on the first attempt, as you may be able to identify a possible accident with the same clue.

5 steps to react to the accident

When an attack occurs, you must respond to the incident in a five-step plan. These five steps include preparedness, diagnosis and reporting, prioritization (triage) and analysis, countering the attack and clearing it up, and post-accident measures.

  1. Preparation

Preparedness plays an important role in responding to an accident.

Accident response team members should be prepared for the following issues:
  • Setting up and documenting accident response policies: The necessary policies, procedures, and frameworks for disaster response management must be carefully formulated.
  • Instructions for communication should be specified: Standards and guidelines for preparation for communication during the accident should be developed.
  • Use threat intelligence feeds: Gathering, analyzing, and integrating threat intelligence feeds should be done continuously.
  • Cyber-hunting maneuvers must be carried out regularly: It is essential to carry out operational threat-hunting maneuvers to identify incidents that occur in the organization’s environment. In such a situation, you can use a precautionary approach to respond to accidents.
  1. Diagnosis and reporting

At this stage, the focus should be on monitoring security incidents and identifying their relevance to detect, report, and warn of security incidents. One of the most important things to look out for is monitoring. Monitoring the various security incidents that occur in different systems of the organization and identifying their relationship with each other plays an important role in accurately identifying the cause of the attack.

These systems may include firewalls, intrusion control systems, and leak prevention systems. Another important factor that should not be overlooked is diagnosis. By identifying the relationship between events and alerts in a SIEM-based solution, you can identify potential security incidents.

After completing the previous two steps, it is time to warn. At this stage, analysts prepare an incident alert, document all initial findings, provide a preliminary estimate of the incident classification and prepare initial reports for legal entities.

It is essential to have a central SIEM solution that receives aggregate reports from all security systems (anti-virus, firewall, intrusion, and data leak prevention). Note that a SIEM solution allows you to scan all the resources in the organization and identify potential malicious activity.

  1. Prioritization (triage) and analysis

In the triage and analysis phase, the goal is to determine the scope and understanding of the incident. Analysts should use a variety of tools to collect data, make more accurate analyzes, and identify signs of intrusion. These people must have sufficient skills and understanding of systems, digital criminology, memory analysis, and malware analysis.

While collecting cues, the analyst should focus on the three important areas of endpoint analysis, smoky code analysis (execution files), and threat hunting at the organization level. Endpoint analysis helps analysts identify residual traces of attackers, collect data needed to schedule activities and copy from systems, and collect bit by bit data used in criminology, and collect cache information.

Concerning binary analysis, it is important to note that the tools used by the attacker should be examined to identify the performance of these programs.

  1. Deal and neutralize

Dealing with and neutralizing is one of the most important steps in an accident response program, as it ensures that pollution from the environment is eliminated.

The strategy of counteraction and neutralization is based on intelligence and threat signs that have been obtained in the analysis phase of the incident. After restoring the system and confirming that there is no security risk, all services will be reset. One of the most important things to look out for at this point is coordinated blackout.

After identifying all the systems that hackers have infiltrated, all systems (after collecting documents and tokens) should be shut down simultaneously. Public notification must be sent to all emergency response team members when the systems are shut down.

At this stage, a cleanup and reconstruction are performed, in which all infected systems are cleaned and the operating systems are reinstalled. In addition, all hacked accounts must be changed.

  1. Final activities

Once all the necessary steps have been taken, the next step is to complete the accident report. Recording and disseminating information about an accident is essential to improving and developing an accident response plan and adding security solutions to prevent similar incidents. At this point, you need to carefully monitor post-accident activity, as hackers may return twice.

We suggest re-analyzing the SIEM data to identify any signs that may be related to the previous incident. At this point, it is essential to update the organization’s threat intelligence feeds and adopt new security solutions to prevent future incidents.