The golden hour post-hack: what you should be doing

It’s happened. You’ve just discovered your company has been hacked and are heading into crisis mode. Many organisations already know that the impending General Data Protection Regulation (GDPR) will mean any breach must be reported within 72 hours, but what happens in that ‘golden hour’ – the first hour after discovery of a breach? How will you find out what has happened? How can you be sure the incident is stopped?

There are two ways in which to break down the first hour; what you should do from a technical perspective and what should be done from an organisational one.

The speed of response

With today’s proliferation of malware and malicious actors, it can be difficult to protect against the constant threat of attack. Once breached, what matters is how quickly you find out about it – some breaches aren’t identified until months after the initial attack – and how fast you react to it.

Isolation is essential, quarantining the infected endpoint or endpoints, and removing all network connections to ensure the breach is contained as quickly as possible in order to deal with it.

>See also: Cyber security from a hacker’s perspective 

This is when forensics come into action. It’s important to understand what has happened and which data has been affected, manipulated or removed in order to determine the impact of the breach. These forensics are vital but must be done in a way that does not to make the situation worse. For example, some malware tries to identify when it has been detected and will go into self-destruct mode, removing any information about what it’s done.

Once the breach is isolated, the impact on the organisation and its customers needs to be considered. This is more important than ever in light of the impending GDPR.

Previously, a company could bury its head under the carpet and hope nobody found out – and there is a belief that some companies will still try to do this. However, it’s not worth the risk; they will be found out.

Along with informing the relevant supervisory body, an organisation will also need to notify those affected by the breach in a timely manner. This is just as important as advising the supervisory body to prevent customers from panicking and to preserve the company’s reputation.

Take the recent Equifax breach for example – the company first learned of the breach at the end of July, six weeks before informing the public. During this time, company executives were taking personal protective action – such as selling stock – but many people now want explanations about why its systems were vulnerable and why it didn’t inform stakeholders immediately.

>See also: 5 cyber security predictions for 2017

The company could have positioned itself as a victim in this crime but by not coming clean from the outset, its consumers are left feeling cheated, disillusioned and have lost confidence in Equifax.

Taking control

All organisations operate in the knowledge there is a cyber risk, and the impact of a data breach is just one element of that risk. Whilst there are policies, procedures and products which can be put in place to help reduce this risk, there is always the possibility a rogue piece of malware will slip through, perhaps via a single unprotected device or a misconfigured system.

Even more so if an organisation is only relying on the old guard of signature-based antivirus rather than investing in solutions which can identify behaviours of an attack where little other evidence is seen.

>See also: Italy’s largest bank hacked cyber incident

After all, the threat actors have evolved their attack mechanisms and their arsenal now include file-less memory only malware, document based exploits and ever more script based attacks. All these present very real problems for file based prevention mechanisms.

Cyber attacks have been thrust into the public eye and, while it is hoped organisations have security front of mind, it’s likely the public will not see a decrease in these attacks any time soon.

However, investing in next-generation protection – based on machine learning, artificial intelligence and threat behaviour recognition – combined with timely patch updates and an effective backup system, means organisations can be protected from these malicious actors.


Sourced by Tony Rowan, chief security consultant, SentinelOne


The Women in IT Awards is the technology world’s most prominent and influential diversity program. On 22 March 2018, the event will come to the US for the first time, taking place in one of the world’s most prominent business cities: New York. Nominations are now open for the Women in IT USA Awards 2018. Click here to nominate

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...