What To Do Immediately After a Cyber Attack

Discovering a cyber attack is stressful. Questions flood your mind and the urge to fix everything immediately feels overwhelming. However, the actions you take in the first minutes and hours determine whether you contain the incident quickly or turn a manageable situation into a catastrophic one. Rushing to delete files, wipe systems, or shut everything down without proper assessment destroys critical evidence and can make recovery significantly harder. Responding well requires calm, deliberate action focused on three priorities: contain the spread, secure your accounts, and preserve evidence for investigation.

This guide outlines clear, step-by-step incident response actions for the first 48 hours. Whether you are a business owner or an IT manager, following these procedures will help minimize damage and speed recovery.

Quick Signs You May Be Under Attack

Before responding, confirm that you are facing an actual incident rather than a technical glitch or false alarm. The following warning signs require immediate attention.

Files encrypted with unusual extensions and ransom messages on screens indicate ransomware. Successful logins from unfamiliar locations or at unusual times, especially following a burst of failed attempts, suggest credential compromise. Email rules that forward messages externally or delete emails without your knowledge signal account takeover.

Bank accounts or payment systems showing unauthorized transactions, modified invoices, or payment redirections indicate business email compromise or financial fraud. Antivirus or endpoint protection alerts that trigger repeatedly, systems running unusually slowly, or unexpected network traffic spikes point to malware activity. Customers or partners reporting suspicious emails appearing to come from your organization, or employees unable to access systems with their normal credentials, also require immediate investigation.

If you observe several of these signs at once, treat the situation as an active incident and follow the response steps below.

The First 60 Minutes (Do This in Order)

1) Remain calm and begin documentation

Take a breath, then start an incident log immediately. Record the current time (state the time zone), your observations, who discovered the issue, and every action you take as you take it. This documentation is essential for investigations, recovery planning, insurance claims, and regulatory reporting. A simple document or spreadsheet with a timestamp, the action taken, who took it, and a brief note for context is enough. Clear documentation strengthens your incident response and reduces confusion.

2) Contain Without Destroying Evidence

Isolation prevents the incident from spreading, but preserving evidence is equally important. Disconnect affected devices from your network by unplugging Ethernet cables and disabling WiFi, but do not power them down or wipe them yet. Shutting off a system destroys the volatile data held in memory (running processes, network connections, encryption keys) that investigators need to understand attack methods and scope. If your endpoint protection platform offers a network isolation feature, prefer it to pulling the cable: it blocks all other traffic while keeping the management channel open for evidence collection. For ransomware specifically, disconnecting stops the encryption from reaching network shares and backup systems; if a machine is still encrypting local files and you have no way to capture its memory, hibernating it (which writes memory to disk) is preferable to a hard power-off. If the incident involves compromised email accounts, immediately remove those accounts from mobile devices and disable any automatic forwarding rules. Your goal is to stop further damage without erasing the evidence trail left by attackers.

3) Secure accounts immediately

Compromised identities are the primary enabler of most attacks, so account security must be your top priority. For any account with suspicious activity, immediately reset the password using a separate, trusted device rather than the potentially compromised system. Revoke all active sessions and refresh tokens so existing logins become invalid even if the attacker still has the old password; a password reset on its own does not end sessions that are already open. Review the multi-factor methods and third-party application consents registered on the account and remove any the user does not recognise, since attackers add their own to survive a reset. Enable or verify multi-factor authentication for all accounts, particularly email, financial systems, and administrative accounts.
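The account lockdown described above, written out as an added example for a Microsoft 365 tenant (this is not code from the original article). It assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed, that it is run from a clean admin workstation with an admin account that is not itself suspect, and that the user principal name, log path and Graph scopes are placeholders you adjust for your tenant. It blocks sign-in, revokes sessions, resets the password, lists the registered authentication methods for review, and disables rather than deletes suspicious inbox rules so they survive as evidence.

```powershell
# Added example, not part of the original article: emergency lockdown of one
# compromised Microsoft 365 account. $Upn, $LogPath and the scope list are
# placeholders; the admin running this must not be a suspect account.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Identity.SignIns
Import-Module ExchangeOnlineManagement

$Upn     = 'compromised.user@example.com'   # placeholder
$LogPath = '.\incident-log.csv'             # placeholder
$Log     = [System.Collections.Generic.List[object]]::new()

function Add-LogEntry([string]$Action, [string]$Detail) {
    $Log.Add([pscustomobject]@{
        TimestampUtc = (Get-Date).ToUniversalTime().ToString('o')
        Operator     = "$env:USERDOMAIN\$env:USERNAME"
        Action       = $Action
        Detail       = $Detail
    })
}

# Scopes assumed sufficient for the user, password and auth-method operations below.
Connect-MgGraph -Scopes 'User.ReadWrite.All','User.EnableDisableAccount.All','UserAuthenticationMethod.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$User = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,AccountEnabled

# 1. Block sign-in first so no new authentication succeeds while the rest runs.
Update-MgUser -UserId $User.Id -AccountEnabled:$false
Add-LogEntry 'BlockSignIn' $Upn

# 2. Revoke refresh tokens: every existing session dies at its next token refresh.
#    Access tokens already issued stay valid until they expire (typically about an hour).
Revoke-MgUserSignInSession -UserId $User.Id | Out-Null
Add-LogEntry 'RevokeSessions' $Upn

# 3. Reset the password to a random value the attacker cannot know; force a change at next sign-in.
$Alphabet    = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*'
$NewPassword = -join (1..24 | ForEach-Object { $Alphabet[(Get-Random -Maximum $Alphabet.Length)] })
Update-MgUser -UserId $User.Id -PasswordProfile @{ Password = $NewPassword; ForceChangePasswordNextSignIn = $true }
Add-LogEntry 'ResetPassword' $Upn

# 4. Record every registered authentication method. A phone number or authenticator app
#    the user does not recognise is attacker persistence; remove it before re-enabling sign-in.
Get-MgUserAuthenticationMethod -UserId $User.Id | ForEach-Object {
    $Type = $_.AdditionalProperties['@odata.type']
    Add-LogEntry 'AuthMethodPresent' "$Upn : $Type : $($_.Id)"
}

# 5. Clear mailbox-level forwarding, then disable (do not delete) inbox rules that
#    forward, redirect or delete mail, so the rules themselves remain as evidence.
Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
Add-LogEntry 'ClearForwarding' $Upn
Get-InboxRule -Mailbox $Upn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    ForEach-Object {
        Add-LogEntry 'DisableInboxRule' "$Upn : $($_.Name) : $($_.Description)"
        Disable-InboxRule -Identity $_.Identity -Confirm:$false
    }

# Append everything to the incident log and show it to the operator.
$Log | Export-Csv -Path $LogPath -Append -NoTypeInformation
$Log | Format-Table -AutoSize
```

The order matters: blocking sign-in before the reset means the attacker cannot race you by changing the recovery details, and revoking refresh tokens is what actually ends the sessions, since a new password alone leaves existing tokens valid. Re-enable the account only after the authentication methods listed in step 4 have been checked with the user.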

4) Preserve All Available Evidence

Before attempting any cleanup, capture evidence systematically. Take screenshots of ransom notes, suspicious emails, unusual system messages, or any other visible indicators of compromise. Save the full headers of suspicious messages without deleting them; headers contain the routing information that shows where a message really came from. Make copies of suspicious files rather than deleting them, and record a cryptographic hash of each copy together with who collected it and when, so its integrity can be proven later. Document which systems were accessed, when the unusual activity began (if known), and what data might have been exposed. This evidence helps forensic specialists reconstruct attack timelines, identify entry points, and determine whether attackers remain in your environment.
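An added example (not from the original article) of the evidence capture this step and the incident log in step 1 describe, for a Windows host that is still powered on. It assumes PowerShell 5.1 or later on the affected machine and that $EvidenceRoot points at a removable drive or network location, not the suspect system disk; the paths and the list of suspicious files are placeholders. It first writes out the volatile state that is lost at power-off (connections, processes, scheduled tasks, autoruns), then copies each suspicious file and verifies the copy's SHA-256 against the original, recording everything in a manifest that is itself hashed.

```powershell
# Added example, not part of the original article: capture volatile state and
# hash-verified copies of suspicious files into an evidence folder. $EvidenceRoot
# and $Suspicious are placeholders; the evidence folder must NOT be on the suspect disk.
$EvidenceRoot = 'E:\IR\' + $env:COMPUTERNAME + '_' + (Get-Date -Format 'yyyyMMdd_HHmmss')
$Manifest     = Join-Path $EvidenceRoot 'manifest.csv'
New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null

function Add-ManifestEntry {
    param([string]$Item, [string]$Sha256, [string]$Note)
    [pscustomobject]@{
        TimestampUtc = (Get-Date).ToUniversalTime().ToString('o')
        Host         = $env:COMPUTERNAME
        Collector    = "$env:USERDOMAIN\$env:USERNAME"
        Item         = $Item
        Sha256       = $Sha256
        Note         = $Note
    } | Export-Csv -Path $Manifest -Append -NoTypeInformation
}

# 1. Volatile state first: it is gone the moment the machine is powered off.
#    Each listing is written and then hashed so later tampering is detectable.
$Volatile = [ordered]@{
    'netconn.csv'   = { Get-NetTCPConnection | Select-Object LocalAddress,LocalPort,RemoteAddress,RemotePort,State,OwningProcess }
    'processes.csv' = { Get-CimInstance Win32_Process | Select-Object ProcessId,ParentProcessId,Name,CommandLine,CreationDate }
    'tasks.csv'     = { Get-ScheduledTask | Select-Object TaskName,TaskPath,State }
    'autoruns.csv'  = { Get-CimInstance Win32_StartupCommand | Select-Object Name,Command,Location,User }
}
foreach ($Name in $Volatile.Keys) {
    $Out = Join-Path $EvidenceRoot $Name
    & $Volatile[$Name] | Export-Csv -Path $Out -NoTypeInformation
    Add-ManifestEntry -Item $Name -Sha256 (Get-FileHash -LiteralPath $Out -Algorithm SHA256).Hash -Note 'volatile listing'
}

# 2. Copy suspicious files without opening or deleting them. The copy is hashed and
#    compared with the original so the manifest proves the copy is faithful.
$Suspicious = @('C:\Users\Public\README_TO_DECRYPT.txt', 'C:\Users\Public\invoice_update.js')   # placeholders
foreach ($Src in $Suspicious) {
    if (-not (Test-Path -LiteralPath $Src)) { Add-ManifestEntry -Item $Src -Sha256 '' -Note 'not found'; continue }
    $Dst = Join-Path $EvidenceRoot ([IO.Path]::GetFileName($Src))
    Copy-Item -LiteralPath $Src -Destination $Dst
    $SrcHash = (Get-FileHash -LiteralPath $Src -Algorithm SHA256).Hash
    $DstHash = (Get-FileHash -LiteralPath $Dst -Algorithm SHA256).Hash
    $Note = if ($SrcHash -eq $DstHash) {
        "copied; original mtime $((Get-Item -LiteralPath $Src).LastWriteTimeUtc.ToString('o'))"
    } else { 'HASH MISMATCH, recopy' }
    Add-ManifestEntry -Item $Src -Sha256 $SrcHash -Note $Note
}

# 3. Seal the manifest so the whole collection can be verified later.
(Get-FileHash -LiteralPath $Manifest -Algorithm SHA256).Hash |
    Set-Content -Path (Join-Path $EvidenceRoot 'manifest.sha256')
```

Hand the folder, the manifest and the manifest hash to whoever does the forensic work; if a full memory image is needed, that is the next thing to collect, before anything is rebooted.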

5) Identify the type of incident quickly

Identifying the incident type early shapes your response strategy. Phishing and business email compromise use social engineering to steal credentials or manipulate transactions. Ransomware encrypts files, demands payment, and may threaten to publish stolen data. Malware can create backdoors, enable ongoing data theft, or maintain attacker access. Unauthorized access involves compromised accounts used for reconnaissance or data theft without obvious signs. Data leaks may result from accidental exposure or intentional exfiltration. Rapid identification allows you to prioritize affected systems and apply the most effective containment measures.

6) Communicate internally

Inform essential personnel immediately, but avoid broadcasting details company-wide until you understand the situation. Notify your direct manager or business owner, your IT manager or technical support provider, and your legal counsel if sensitive data might be involved. Designate one person as the incident coordinator to manage the flow of communication and prevent contradictory actions. Give employees only the specific, actionable instructions they need, such as changing passwords or avoiding particular systems. Uncontrolled internal communication about an active incident can create panic, spread misinformation, and tip off attackers who are monitoring your channels that you have discovered them.

7) Decide what to shut down

When deciding what to disable, balance security containment with business continuity. Shut down only what is necessary to prevent further damage. If ransomware is encrypting files, immediately isolate and hibernate affected systems to stop the spread. For ongoing email compromise, deactivate the compromised account at once. Avoid shutting down the entire network unless absolutely required, as this can disrupt legitimate operations. Assess which systems are compromised, which are at immediate risk, and which can operate safely. Maintain critical business functions whenever possible while ensuring they are protected from infected systems.

The Next 24 Hours

Once immediate containment is achieved, focus on assessment and remediation. Review email systems thoroughly: check for mailbox forwarding, unusual inbox rules, shared mailbox access, newly registered or consented applications, and any administrative account changes in platforms like Microsoft 365. Scan all endpoints and servers with updated security tools to identify malware, backdoors, or other malicious code that may be dormant.

If you have identified the exploited vulnerability, apply the necessary patches immediately to prevent reinfection during recovery. Patching closes the door the attacker used but does not remove persistence they have already established, so patch after evidence capture and alongside the account and endpoint clean-up, not instead of it. Work with your IT team or security provider to determine whether data was accessed or exfiltrated by reviewing access logs, download records, and network traffic patterns. If the incident involves vendors or partners with access to your systems, notify them promptly so they can protect their own environments. Prepare customer-facing communication only once data exposure affecting customers is confirmed and after legal counsel has reviewed the messaging; premature or inaccurate public statements create additional problems.

Continue detailed documentation of all findings, actions taken, and decisions made throughout this period. The timeline you’re building becomes essential for recovery planning and regulatory reporting requirements.
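The mailbox review described at the start of this section, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module, that unified audit logging is enabled in the tenant, and that the operator holds a role allowed to search the audit log; the look-back window and output folder are placeholders. Rather than the single-account lockdown of the first hour, this hunts across every mailbox for forwarding and suspicious inbox rules, then pulls the audit records that show who created them and from which IP address.

```powershell
# Added example, not part of the original article: tenant-wide hunt for
# Microsoft 365 mail persistence and the admin changes behind it.
# $Since and $OutDir are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$Since  = (Get-Date).AddDays(-30)
$OutDir = '.\m365-review'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$Mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding, set with Set-Mailbox and invisible in the user's own rule list.
$Mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Export-Csv (Join-Path $OutDir 'mailbox-forwarding.csv') -NoTypeInformation

# 2. Inbox rules that forward, redirect, delete, or bury mail in RSS/Archive/Junk folders,
#    a common way to hide a thread the attacker is hijacking.
$SuspectRules = foreach ($Mbx in $Mailboxes) {
    Get-InboxRule -Mailbox $Mbx.UserPrincipalName | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or
        ($_.MoveToFolder -and $_.MoveToFolder -match 'RSS|Archive|Deleted|Junk')
    } | Select-Object @{n='Mailbox';e={$Mbx.UserPrincipalName}}, Name, Enabled,
        ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, Description
}
$SuspectRules | Export-Csv (Join-Path $OutDir 'suspect-inbox-rules.csv') -NoTypeInformation

# 3. Who made the changes: unified audit log entries for rule creation, forwarding changes
#    and mailbox permission grants, with the client IP each came from.
$Ops = 'New-InboxRule','Set-InboxRule','Set-Mailbox','Add-MailboxPermission',
       'Add-RecipientPermission','Set-MailboxJunkEmailConfiguration'
$Audit = Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) -Operations $Ops -ResultSize 5000 |
    ForEach-Object {
        $Data = $_.AuditData | ConvertFrom-Json    # AuditData is a JSON document per record
        [pscustomobject]@{
            When       = $_.CreationDate
            Actor      = $_.UserIds
            Operation  = $_.Operations
            ClientIP   = $Data.ClientIP
            Target     = $Data.ObjectId
            Parameters = ($Data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
$Audit | Export-Csv (Join-Path $OutDir 'admin-changes.csv') -NoTypeInformation

# Quick triage view: actor and source IP pairs, so an unfamiliar IP making rule changes stands out.
$Audit | Group-Object Actor, ClientIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Any rule or forwarding entry found here belongs in the incident log with the audit record that created it; the client IP and timestamp are what let you tie a mailbox change to a specific sign-in and decide which other accounts that session may have touched.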

What NOT to Do After a Cyber Attack

  • Don’t pay a ransom without thorough investigation and legal guidance. Payment doesn’t guarantee file recovery, may be unlawful if the attacker’s group is subject to sanctions, and marks you as a target for further attacks.
  • Never reboot or wipe devices before evidence capture; this destroys forensic data in memory and logs that investigators need to understand the full scope and prevent recurrence.
  • Don’t allow many people to “fix” things simultaneously without coordination. Uncoordinated actions create confusion, duplicate effort, and can interfere with each other.
  • Avoid emailing sensitive incident details to broad audiences or discussing the situation on channels the attacker may be monitoring, including the compromised email system itself.
  • Don’t assume the incident is over after a simple password reset. Attackers establish multiple persistence mechanisms and may have compromised additional accounts or systems.
  • Never attempt complex forensics or recovery procedures without proper expertise. Well-intentioned mistakes during DIY incident response often cost significantly more to remediate than the original attack.
  • Don’t ignore small warning signs once systems appear stable.

Professional Incident Response Support for Saudi Organizations

While immediate containment actions can be taken internally, comprehensive incident response benefits significantly from expert guidance. Aman provides specialized Incident Response Services designed to help Saudi organizations manage security incidents effectively from first detection through complete recovery.

For organizations seeking to build readiness before incidents occur, Aman offers IT and Cybersecurity Gap Assessment services that identify vulnerabilities and weaknesses in current defenses.

Organizational resilience depends on both technical controls and staff awareness. Aman’s Cybersecurity Training and Awareness programs, including the MOAMMEN platform, equip teams to recognize early warning signs and respond effectively. Cybersecurity Testing and Assurance services, such as vulnerability assessments and penetration testing, identify weaknesses before they can be exploited.

For governance and ongoing protection, Aman’s Cybersecurity GRC Services help organizations establish proper policies, procedures, and controls aligned with Saudi regulations. At the same time, managed security monitoring provides continuous threat detection and response capability.

Conclusion

An effective cyberattack response focuses on three core actions: contain the spread by isolating affected systems, secure accounts by resetting credentials and verifying access controls, and preserve evidence for proper investigation and recovery.

Your actions in the first 60 minutes can mean the difference between a manageable disruption and a major business failure. Act quickly, but follow established procedures to avoid mistakes such as destroying evidence, making uncoordinated changes, or shutting down unnecessary systems. Each incident is also an opportunity to identify security gaps, update response plans, and strengthen organizational resilience.

To strengthen your incident readiness, contact Aman to discuss incident response planning, security assessments, and protection services tailored to your organization. Preparing in advance enables rapid recovery and minimizes disruption.