My team recently received a call from a company in Europe that had received warnings from law enforcement that it might be targeted by hackers. We found evidence through our data forensics that an attacker had entered the company’s network, taken credentials, and then left. From what we found, the attacker had just as much access and knowledge as the CISO — maybe even more.
And this was likely not the end of the story; attackers usually spend weeks or months inside a network (the period known as dwell time) before acting on their access. There was a good chance the attacker would come back. That should be top of mind for any company dealing with the aftermath of an attack or intrusion, and the response requires a holistic, active approach even when an incident appears to be over. Often referred to as the "recovery" period, the hours, days, and weeks after a detected intrusion or attack are anything but passive. This period demands action; in fact, it should be called "post-incident response," not "recovery." Not only is this a crucial period of every cyber incident, but it can also be an important growth opportunity for the company's cybersecurity posture and for the company in general.