Resilience After the Breach: 6 Cyber Incident Response Best Practices

Audio Recap

Overview

In its 2025 State of the Underground report, Bitsight TRACE found that ransomware activity continued to escalate in 2024, with a 25% increase in unique victims listed on leak sites and a 53% increase in the number of ransomware group-operated leak sites. The report also observed a 43% increase in data breaches shared on underground forums, with nearly one in five victims based in the United States.

These findings highlight a continued upward trend in cyberattack activity. Even organizations with strong defenses may experience compromises. What often separates resilient organizations from those that struggle is not the attack itself, but the effectiveness of their response.

According to Bitsight threat intelligence, organizations that adopt structured after-action processes tend to recover faster, minimize operational and reputational damage, and reduce the likelihood of repeat compromises. This report outlines key steps enterprises can take immediately following a cyber incident.

Phishing: The most common door attackers walk through

We know that phishing remains the most common entry point for attackers, and for good reason. It’s easy to execute, hard to detect, and often relies on tricking employees into taking the bait. So, how do you defend your organization against phishing?

Two of the most effective approaches are employee training and brand protection.

• Employee training builds awareness. Teaching staff how to recognize and report phishing attempts can dramatically reduce the chances of a successful attack.
• Brand protection, on the other hand, tackles phishing at its source. It helps identify and remove fake landing pages, spoofed login portals, malicious websites, and even impersonated social media profiles that attackers use to lure victims.

This is crucial because attackers often exploit your brand to appear trustworthy, tricking users into handing over personal information (PII), credentials, or even money. By proactively monitoring and taking down these fake assets, brand protection plays a critical role in reducing the impact of phishing beyond just your internal users, it protects your customers, partners, and reputation too. 

How Bitsight helps defend against phishing

At Bitsight, we go beyond detection, we help you take phishing threats off the map entirely. Through our Brand Intelligence module, organizations have access to automated takedown services that actively remove malicious content targeting your brand.

Here’s how it makes a difference:

• Speed matters: The median lifetime of a phishing attack is just 6 hours. Fast action is critical.
• Rapid disruption: Over 73% of takedowns see their first outage within 24 hours of detection.
• Massive scale: Bitsight has executed over 25 million successful automated takedowns to date.
• Global reach: We are not limited by geolocation. Our takedowns include success in high-friction regions like China and Russia.
• High success on social: We achieve over 85% success rates on average across supported social media platforms.

By removing fake login pages, impersonated domains, and malicious social media profiles, Bitsight helps stop phishing attacks before they can trick victims, protecting both your organization and the people who trust your brand. 

6 Best practices for your cyber incident response

But what happens if you do get attacked and what are the lessons you can learn? 

Step 1: Containment and eradication

The initial priority is to limit further damage.

• Containment: Isolate affected systems to prevent adversaries from moving laterally. If lateral movement has already occurred, organizations may need to segment entire network environments (e.g., finance systems vs. HR systems), revoke compromised accounts, block known command-and-control (C2) infrastructure, and hunt for persistence mechanisms.
• Eradication: Remove malware, revoke or reset compromised accounts, and patch exploited vulnerabilities.

Relevant MITRE ATT&CK Techniques:

• Lateral Movement: Lateral Tool Transfer (T1570), Remote Services (T1021)
• Persistence: Scheduled Task/Job (T1053), Registry Run Keys (T1547.001)
• Credential Access: OS Credential Dumping (T1003.001)

Step 2: Forensic investigation and root cause analysis

Understanding how the intrusion occurred is essential for preventing recurrence.

• Identify the initial access vector (e.g., phishing, vulnerable services, credential theft).
• Map tactics, techniques, and procedures (TTPs) to MITRE ATT&CK to identify defensive gaps.
• Preserve forensic evidence, including logs and system images.

Relevant MITRE ATT&CK Techniques:

• Initial Access: Phishing (T1566.001), Exploit Public-Facing Application (T1190), Valid Accounts (T1078)
• Discovery: File and Directory Discovery (T1083), Network Share Discovery (T1135)
• Collection: Data from Information Repositories (T1213)

Step 3: Communication and notification

Clear and timely communication reduces confusion and reputational impact.

• Internal: Keep executives and employees aligned.
• External: Ensure compliance with regulatory and contractual obligations (e.g., SEC, GDPR).
• Customers: Provide transparent updates to maintain trust.

Relevant MITRE ATT&CK Techniques:

• Impact: Data Manipulation (T1565), Defacement (T1491)
• Exfiltration: Exfiltration Over Web Services (T1567.002)

Step 4: Recovery and business continuity

Organizations must restore operations securely, while ensuring systems are free from compromise.

• Restore systems from verified clean backups.
• Prioritize recovery of business-critical services.
• Monitor closely for attempted re-entry or persistence mechanisms.

Relevant MITRE ATT&CK Techniques:

• Impact: Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490)
• Persistence: Account Manipulation (T1098)
• Command and Control: Application Layer Protocol (T1071)

Step 5: Lessons learned and security improvements

Each incident provides an opportunity to strengthen defenses.

• Review incident response performance (what worked, what failed, where delays occurred).
• Update playbooks and detection rules to align with observed attacker behaviors.
• Benchmark recovery speed and outcomes against industry peers.

Relevant MITRE ATT&CK Techniques:

• Defense Evasion: Indicator Removal on Host (T1070)
• Persistence: Boot or Logon Autostart Execution (T1547)
• Privilege Escalation: Abuse Elevation Control Mechanism (T1548)

Step 6: Continuous monitoring and threat hunting

The immediate incident may be contained, but risks often remain.

• Continue monitoring for suspicious logins, C2 traffic, or re-entry attempts.
• Conduct proactive hunts for persistence mechanisms.
• Incorporate threat intelligence to monitor for stolen data on the dark web.

Relevant MITRE ATT&CK Techniques:

• Command and Control: Encrypted Channel (T1573), Web Protocols (T1071.001)
• Exfiltration: Exfiltration Over Alternative Protocol (T1048)
• Persistence: Modify Registry (T1112), Scheduled Task/Job (T1053)

Threat actor mapping and tracking

Mapping attacker behavior to known threat groups provides valuable context.

• Technical perspective: Align observed TTPs with MITRE ATT&CK groups or ransomware collectives. For example, the use of Cobalt Strike for lateral movement (T1570), double extortion ransomware (T1486), and leak site publishing is consistent with tactics used by ransomware groups such as Clop or Medusa.
• Executive perspective: Identify whether the intrusion was opportunistic cybercrime, a financially motivated group, or potentially linked to nation-state activity. This context supports better business risk framing.

Example scenario: Financial services breach

A mid-sized financial services firm experienced a ransomware attack after attackers exploited an unpatched VPN vulnerability.

• Technical view: Attackers gained access via a public-facing application exploit (T1190), escalated privileges using credential dumping (T1003.001), and deployed ransomware (T1486). Containment was delayed due to limited east-west traffic monitoring.
• Non-technical view: Internal communications were inconsistent, executives lacked a clear response framework, and customers received delayed updates on data safety.

How Bitsight helps

For Technical teams:
Bitsight’s continuous monitoring helps detect exposed services, like unsecured VPNs or cloud infrastructure, before they can be exploited. After an incident, our platform provides alerts on any lingering exposures or risky configurations, helping teams close gaps quickly and prevent repeat attacks.

For executives and boards:
Bitsight translates complex technical data into easy-to-understand cyber risk ratings. These ratings, along with industry benchmarking, give leadership a clear view of the company’s risk posture, track recovery progress, and support more informed decisions about security investments and remediation priorities.

For the company as a whole:
Bitsight’s Brand Intelligence module offers proactive protection against phishing and brand impersonation. Through automated takedown services, it removes fake websites, login pages, and malicious social media profiles, helping safeguard your brand, customers, and reputation across the globe.

Responding to a cyber incident

A cyberattack does not end once systems are restored. The true measure of resilience is how well an organization learns and adapts. By embedding structured after-action processes into security operations, enterprises can strengthen defenses, reduce the risk of recurrence, and build long-term resilience.

According to Bitsight threat intelligence, the most resilient organizations are not those that avoid incidents entirely, but those that effectively transform each incident into actionable intelligence. Lessons learned are critical in enhancing your security posture.