Got attacked? Steps to Recover

December 28, 2020

Recovery plans describe how companies should respond to an incident. Working internally and externally to maintain the integrity of your networks, operations, process controls, and corporate reputation is imperative to reduce the risks posed by attacks. If cybersecurity plans are well developed and structured, they become the best insurance your company can acquire.

As we know, the human factor is a critical component of information security. In most cases, hackers implement ransomware or phishing techniques to obtain sensitive information, causing employees to download or click on fake links. Educating staff regularly is important, as they are a hacker’s best entry point into your IT systems.

Understanding the magnitude of an attack is critical, and knowing how to successfully carry out a cybersecurity recovery plan will save you unnecessary expense and risk.

Understand the actor of the attack

The first step is to understand who the threat actor is. Cybersecurity experts can research attack techniques and identify the tools they used. One way to do this is to consult the accounts or pages where known hackers openly discuss the methods and vulnerabilities they find.

Develop a containment plan

If your business is susceptible to an attack, we recommend that you organize an incident containment team to manage your security solutions and efforts, preferably available 24/7. Depending on the possibility and impact that the attack may cause, the best option is to assign a special team to respond to threats immediately, composed of an agent from your specialized agency and a member of your team.

Evaluate servers and applications

Once the network architecture of the servers has been identified, it should be scanned for threats. Application developers or QA testers may have created web applications or databases that are susceptible to attacks. Without a review of the network and the location of threats, risks cannot be fully assessed.

Tighten up/Enforce

After you have assessed and corrected server and application failures, defense procedures must be implemented. To prevent an attack on your web, security policies must be enforced at the server, network, and web applications level.


Attacks happen when you least expect them. Once the attack is underway, the security response team must dedicate all available resources to monitor and control it. Shifts may need to be allocated to ensure coverage at night and on weekends if attacks are heavy. The security response team should continually review security alerts from web application firewalls.

Get advice from specialists: Outsource cybersecurity services

You can always consider hiring outside consultants to help you through the process. Security advisors can help you prepare for an attack by assessing the weaknesses in your network infrastructure.

They can also review application defenses and adjust security policies currently installed in the network, such as the firewall. Security advisors can act as an extension of your security response team during the attack, helping to monitor web attack traffic and adjusting mitigation rules accordingly.

Forensic Analysis

After the attack, it is best to conduct a forensic study by reviewing the impact, analyzing firewall security reports for trends, and examining alert logs and network monitoring tools.

Communication is essential

It is essential to make communication a central component of the plan in order to define clear roles and responsibilities to avoid ambiguities and confusion. When an attack occurs, members of the C-suite security team must focus on reacting rather than responding.

To do this quickly and effectively, the entire team needs a well-managed communication and execution plan. There must be a two-way communication system in place, be it an email address, a phone number, or a contact person to address the violation. At the same time, an investigation should start to find out why the incident occurred. Once the reasons are understood and the communication system is implemented, measures to avoid future breaches and attacks can be executed.

Take no breaks

Dealing with cyberattacks can be exhausting. Unfortunately, there is no time to rest, even when the attacks are contained. Studying the event and its metrics to understand what happened is the next step in preparing for future attacks. Companies must document the findings, the gaps, control the deficiencies, and prioritize them until the end. These must occur not only within the environment, but also within the incident response program itself.

Final notes

In today's world, there is no reason for a business to fall victim to this type of attack if right protocols are implemented.

Customers will forgive an organization that has been clear about its protocols and incident response. If the company responds quickly, transparently, and demonstrates corrective actions to future incidents, customers are more likely to understand and keep business relationships strong.

THETA432 investigates, monitors, and advocates for the security of companies against attacks of any magnitude. We complement our clients' recovery plans and ensure that damages are kept to a minimum until fully resolved. We achieve this with effective management and communication and by demonstrating the effectiveness of our resources and services.

Request more information about our cybersecurity tools and see why we are your most reliable option.

Request a demo today!


  • Saleh, A. (2017. August 30). Antes, durante y después: Cómo lidiar con ciberataques aplicando una gestión eficaz de incidentes. Retrieved from:
  • Alonso Rebolledo, R. (2017, June 29). 7 estrategias para sobrevivir un ciberataque. Retrieved from:
  • Serman. (2018, February 02). Cómo proteger sus datos y actuar después de ataques cibernéticos. Retrieved from:

Authored by
Jorge Daniel Tejeda