In September 2023, MGM Resorts International watched helplessly as a single social engineering phone call spiraled into a cyberattack that cost the company over $100 million. Slot machines went dark. Hotel room keys stopped working. Reservations collapsed. And it all started because a threat actor called the help desk and convinced an employee to reset credentials. If you're reading this, you're probably wondering how to respond to a cyberattack — and more importantly, how to avoid becoming the next cautionary tale on the evening news.

I've worked incident response cases where the difference between a manageable security event and a catastrophic data breach came down to what happened in the first 60 minutes. Not the first week. Not the first day. The first hour. Your response playbook matters more than almost any security tool you own.

This guide walks you through exactly what to do — step by step — when your organization is under attack. No theory. No fluff. Just the actions that actually reduce damage.

Why the First 60 Minutes Define Everything

According to the 2023 IBM Cost of a Data Breach Report, organizations that contained a breach in under 200 days saved an average of $1.02 million compared to those that took longer. The global average cost of a data breach in 2023 hit $4.45 million — a record high.

Here's what I've seen firsthand: most organizations don't fail because they lack security tools. They fail because nobody knows what to do when the alert fires. People panic. Decisions stall. Evidence gets destroyed. And the threat actor keeps moving laterally through your network while your team argues about who to call first.

Knowing how to respond to a cyberattack isn't optional anymore. It's a survival skill.

Step 1: Confirm the Incident Is Real

Not every anomaly is an attack. Before you activate your full incident response plan, take 10 minutes to triage. Is this a false positive from your SIEM? A misconfigured application? Or genuine malicious activity?

Quick Triage Checklist

  • Check whether multiple detection systems are firing on the same event.
  • Look for indicators of compromise (IOCs) — unusual outbound traffic, unexpected privileged account usage, or credential theft patterns.
  • Verify with the affected user or system owner. Did they actually perform the flagged action?
  • Check threat intelligence feeds for known campaigns targeting your industry.

If two or more of these checks point to real malicious activity, escalate immediately. Don't wait for certainty. In my experience, the organizations that wait for a "smoking gun" are the ones that end up on the FBI's Internet Crime Complaint Center (IC3) reports.
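The "two or more checks" rule above, turned into runnable triage logic over constructed sample alerts (an added example, not code from the original post; the alert lines, host names and the IOC watchlist are made up for the exercise):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three detection sources (EDR, firewall, identity provider),
# one per line: timestamp | source | host | event. Not real telemetry.
SAMPLE_ALERTS = """
2023-09-10T02:14:05 | edr      | ws-117 | credential_dump_attempt
2023-09-10T02:15:40 | firewall | ws-117 | outbound_connect 203.0.113.42:443
2023-09-10T02:16:02 | idp      | ws-117 | privileged_logon admin-svc
2023-09-10T03:05:11 | edr      | ws-204 | suspicious_macro
"""
# Constructed IOC watchlist (203.0.113.0/24 is a documentation range, not a real indicator).
IOC_WATCHLIST = {"203.0.113.42"}
CORRELATION_WINDOW = timedelta(minutes=15)


def parse_alerts(text):
    alerts = []
    for line in text.strip().splitlines():
        ts, source, host, event = [field.strip() for field in line.split("|")]
        alerts.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "host": host, "event": event})
    return alerts


def triage(alerts, user_confirmed, intel_campaign_match):
    """Apply the four checklist items per host. user_confirmed maps host -> True if the
    owner performed the flagged action, False if they denied it (missing = unverified)."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)
    results = {}
    for host, host_alerts in by_host.items():
        host_alerts.sort(key=lambda a: a["ts"])
        first_seen = host_alerts[0]["ts"]
        in_window = [a for a in host_alerts if a["ts"] - first_seen <= CORRELATION_WINDOW]
        checks = {
            # 1. More than one detection system firing inside the same activity window.
            "multi_source": len({a["source"] for a in in_window}) >= 2,
            # 2. A known indicator of compromise appears in the events.
            "ioc_match": any(ioc in a["event"] for a in host_alerts for ioc in IOC_WATCHLIST),
            # 3. The affected user denies performing the flagged action.
            "user_denies": user_confirmed.get(host) is False,
            # 4. Threat intel reports an active campaign against the industry.
            "intel_match": bool(intel_campaign_match),
        }
        # Two or more checks pointing at malicious activity means escalate now.
        results[host] = {"checks": checks, "escalate": sum(checks.values()) >= 2}
    return results
```

In the sample data ws-117 escalates on three checks (EDR, firewall and IdP fire within 15 minutes, the watchlist address appears, and the user denies the logon), while ws-204 stays a single-source alert for human follow-up.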

Step 2: Activate Your Incident Response Team

You should already have an incident response (IR) team defined. If you don't, that's a problem we'll address in a moment. When you activate the team, here's who needs to be in the room — physically or virtually — within 30 minutes:

  • IR Lead: The person who makes tactical decisions and assigns tasks.
  • IT/Network Operations: The people who can isolate systems and pull logs.
  • Legal Counsel: Breach notification laws vary by state and industry. You need legal guidance from minute one.
  • Communications/PR: If this goes public, you need messaging ready — not reactive.
  • Executive Sponsor: Someone with authority to approve spending, shut down systems, or engage external forensics.

Don't have a formal IR team? The CISA Incident Response Plan Basics guide is a solid starting framework. Build one this week. Not next quarter.

Step 3: Contain the Threat — Fast, Not Perfect

Containment is where most organizations either save themselves or seal their fate. The goal isn't perfection. The goal is stopping the bleeding.

Short-Term Containment Actions

  • Isolate affected systems from the network. Unplug the cable. Disable the Wi-Fi adapter. Don't power off — you'll lose volatile memory evidence.
  • Disable compromised accounts. If credential theft is suspected, force password resets on affected accounts and revoke active sessions.
  • Block known malicious IPs, domains, and hashes at your firewall and endpoint protection layer.
  • Enable enhanced logging on critical systems that aren't yet affected. You need visibility into lateral movement.

If you're dealing with ransomware, do not pay the ransom immediately. The FBI consistently advises against it. Payment doesn't guarantee data recovery, and it funds further criminal operations. Focus on containment and backup verification first.

Long-Term Containment

Once the immediate bleeding stops, move to long-term containment. This might mean standing up clean network segments, rebuilding compromised servers from known-good images, or implementing emergency multi-factor authentication on all privileged accounts.

This is also where a zero trust approach pays dividends. Organizations that had already segmented their networks and enforced least-privilege access consistently contain breaches faster. If you haven't started a zero trust journey, this incident is your wake-up call.

Step 4: Eradicate the Root Cause

Containment stops the spread. Eradication removes the attacker's foothold entirely. These are different things, and I've seen teams confuse them with expensive consequences.

Eradication means finding and eliminating:

  • Malware, backdoors, and persistence mechanisms (scheduled tasks, registry modifications, rogue services).
  • Compromised credentials — all of them, not just the ones you've confirmed.
  • Vulnerable software or misconfigurations the threat actor exploited for initial access.

Run a full forensic sweep before you declare eradication complete. Threat actors frequently leave multiple backdoors. The Verizon 2023 Data Breach Investigations Report found that 74% of all breaches involved the human element — including social engineering, errors, and misuse. If a phishing email was the initial vector, you need to confirm no other employees clicked the same campaign.

Step 5: Recover and Restore Operations

Recovery isn't just flipping systems back on. It's a controlled, verified process.

Recovery Priorities

  • Restore systems from clean, verified backups — not from snapshots taken after the compromise began.
  • Rebuild rather than clean when possible. If a server was fully compromised, assume rootkit-level persistence and start from a known-good image.
  • Monitor restored systems intensely for 72 hours. Threat actors often test whether their access survived remediation.
  • Gradually restore network connectivity. Don't reconnect everything at once.

Document every step. Your legal team, your insurer, and potentially regulators will want a detailed timeline of what happened and what you did about it.
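The first recovery priority, picking a backup that predates the compromise and verifying it before restoring, as an added example that is not part of the original post. The backup catalogue, payloads and timestamps are constructed; a dwell-time margin is included because the first evidence found in logs usually postdates the real intrusion:

```python
import hashlib
from datetime import datetime, timedelta


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed backup catalogue: backup id -> (completion time, payload bytes). Real payloads
# would sit in backup storage; only the id, time and hash belong in the manifest.
BACKUPS = {
    "db-2023-09-08": (datetime(2023, 9, 8, 1, 0), b"constructed full backup, 8 Sept"),
    "db-2023-09-10": (datetime(2023, 9, 10, 1, 0), b"constructed full backup, 10 Sept"),
    "db-2023-09-12": (datetime(2023, 9, 12, 1, 0), b"constructed full backup, 12 Sept"),
}
# Manifest written when each backup completed, kept separately from the backups themselves.
MANIFEST = {bid: sha256_hex(payload) for bid, (_, payload) in BACKUPS.items()}


def restore_candidates(backups, compromise_start_iso, margin_hours=0):
    """Ids of backups completed before the estimated compromise start, newest first.
    margin_hours moves the cutoff earlier to allow for undetected dwell time."""
    cutoff = datetime.fromisoformat(compromise_start_iso) - timedelta(hours=margin_hours)
    eligible = [bid for bid, (completed, _) in backups.items() if completed < cutoff]
    return sorted(eligible, key=lambda bid: backups[bid][0], reverse=True)


def verify_backup(bid, payload, manifest):
    """A backup is trusted only if its hash still matches the manifest entry."""
    return manifest.get(bid) == sha256_hex(payload)


def choose_restore_point(backups, manifest, compromise_start_iso, margin_hours=0):
    """Newest pre-compromise backup that passes verification, or None if none does."""
    for bid in restore_candidates(backups, compromise_start_iso, margin_hours):
        if verify_backup(bid, backups[bid][1], manifest):
            return bid
    return None


def with_tampered_payload(backups, bid, payload):
    """Copy of the catalogue with one payload replaced (simulates a corrupted backup)."""
    copy = dict(backups)
    copy[bid] = (backups[bid][0], payload)
    return copy
```

If every pre-compromise backup fails verification the function returns None, which is the signal to stop and rebuild from a known-good image rather than restore anything.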

Step 6: Notify the Right People at the Right Time

Breach notification is a legal obligation, not a choice. And the rules are getting stricter.

As of 2023, all 50 U.S. states have data breach notification laws. Many require notification within 30 to 72 hours of discovery. HIPAA, PCI-DSS, and GDPR each have their own requirements. Your legal counsel should be guiding this from Step 2.

Who to Notify

  • Affected individuals whose personal data was exposed.
  • State attorneys general as required by your state(s) of operation.
  • Federal regulators (HHS for healthcare, FTC for consumer data, SEC for publicly traded companies).
  • Law enforcement — file a report with the FBI's IC3 and contact your local FBI field office.
  • Your cyber insurance carrier — most policies require notification within 24-72 hours.

Delayed notification consistently increases costs and legal exposure. The FTC has taken enforcement action against companies that waited too long. Don't be one of them.

What If You Don't Have an Incident Response Plan?

If you're reading this during an active incident and you don't have a plan — focus on containment. Isolate affected systems. Call your IT provider or a reputable incident response firm. Contact the FBI's IC3. Then, once the dust settles, build the plan you should have had.

If you're reading this proactively — good. You still have time. The single most effective thing you can do right now is train your people. The MGM breach started with a phone call. The vast majority of breaches start with a human making a mistake.

Investing in cybersecurity awareness training for your entire organization directly reduces the likelihood that a threat actor's social engineering attempt succeeds. And because phishing remains the number-one initial attack vector, dedicated phishing awareness training with realistic simulations gives your employees the pattern recognition skills to spot attacks before they click.

How to Respond to a Cyberattack: Quick-Reference Summary

Here's the sequence, condensed for fast reference during an actual incident:

  • Minute 0-10: Triage and confirm the incident is real.
  • Minute 10-30: Activate your IR team. Assign roles. Open a secure communication channel.
  • Minute 30-120: Execute short-term containment. Isolate systems. Disable compromised accounts.
  • Hours 2-24: Move to long-term containment. Begin forensic investigation. Notify legal and insurance.
  • Days 1-7: Eradicate the root cause. Restore from clean backups. Monitor aggressively.
  • Days 7-30: Complete notifications. Conduct a thorough post-incident review. Update your IR plan.

The Post-Incident Review Nobody Wants to Do

After the crisis passes, your team will want to move on. Don't let them. The post-incident review (sometimes called a "lessons learned" or "after-action report") is where you turn a painful experience into organizational resilience.

Key Questions to Answer

  • How did the threat actor gain initial access? Was it a phishing email, an unpatched vulnerability, compromised credentials, or something else?
  • How long was the attacker in the environment before detection? (This is your "dwell time" — shorter is better.)
  • What worked in your response? What broke down?
  • Did your security awareness training cover the attack vector used? If not, update it immediately.
  • What technical controls — endpoint detection, network segmentation, multi-factor authentication — would have prevented or limited the damage?

Write it up. Share it with leadership. Use it to justify the budget you've been asking for. Nothing gets security funding approved like a real incident report with a dollar figure attached.

Build the Muscle Before You Need It

The organizations that recover fastest from cyberattacks aren't the ones with the biggest budgets. They're the ones that practiced. They ran tabletop exercises. They tested their backups. They trained their employees to recognize phishing and social engineering before it was too late.

I've seen a 50-person company recover from ransomware in 48 hours because they had a tested plan and trained people. I've also seen a Fortune 500 company paralyzed for weeks because nobody knew who was in charge.

Knowing how to respond to a cyberattack is a team skill, not an IT skill. Every employee — from the receptionist to the CEO — plays a role. Start building that readiness now with structured cybersecurity awareness training and role-specific phishing simulation exercises.

The next breach attempt is already in someone's inbox. The only question is whether your team is ready for it.