No Time to Google It: What to Do the Moment You’re Under Attack

When a cyberattack hits, every second counts. No Time to Google It: What to Do the Moment You’re Under Attack is your quick-start guide to incident response. Learn the immediate steps to contain damage, protect data, and restore operations—before panic sets in. Be ready when it matters most.

The Clock Starts Now

It begins with a ping. A strange login. Files vanishing. Systems freezing.

Suddenly, your team is staring at screens they can't access. Emails stop sending. A ransom note appears. The network is under siege.

This is not the time to Google “What to do in a cyberattack.”
This is the time to act—with a plan you’ve already practiced.

Here’s what to do when seconds matter.

Step 1: Freeze the Blast Radius

Your first priority is containment, not analysis. You don’t need to know exactly how it happened—yet. You just need to stop the spread.

Do this immediately:

  • Physically disconnect impacted systems from the network, if necessary.
  • Disable user accounts that appear compromised.
  • Block malicious IPs or domains through your firewall.
  • If in doubt, disable access to sensitive data.

Don’t reboot anything unless instructed by your IR lead or forensic team.

Step 2: Activate Your Incident Response Plan

If you’ve built (and tested) an IR plan, now is its moment to shine.

Your plan should cover:

  • Who’s in charge (Incident Commander)

  • Who handles technical triage, legal, communications, and recovery

  • How the team will communicate securely (not email or compromised channels)

  • The decision tree for escalation and reporting

If you’re building the plan now—you’re already behind.

Step 3: Switch to Secure Comms

Assume your internal messaging and email may be compromised. Never discuss sensitive details on potentially infected systems.

Use:

  • Encrypted messaging apps (e.g., Signal)

  • Out-of-band communication (personal phones, secure Slack instances)

  • A designated, offline war room if needed

Silence is safer than exposing more information to attackers.

Step 4: Log Everything. Investigate Nothing (Yet)

You’ll need evidence for forensics, insurance, and legal—but now’s not the time to dive deep.

What to log:

  • Timestamps of events (alerts, actions, anomalies)

  • Who took what action and when

  • Systems affected and users involved

Leave full investigation to professionals—don’t tamper with evidence or you may compromise recovery.
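
One way to keep the action log described in Step 4, as an added example that is not part of the original post: each entry records a UTC timestamp, who acted, what they did, and the systems and users involved, and is chained to the previous entry with SHA-256 so later edits are detectable. The function names and the sample timeline (hosts, accounts, times) are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry

def _digest(entry):
    """SHA-256 over the canonical JSON of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record(log, actor, action, systems, users, when=None):
    """Append one action to the log, chained to the previous entry's hash."""
    entry = {
        "time_utc": (when or datetime.now(timezone.utc)).isoformat(),
        "actor": actor,      # who took the action
        "action": action,    # what was done or observed
        "systems": systems,  # systems affected
        "users": users,      # user accounts involved
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify(log):
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(entry):
            return i
        prev = entry["hash"]
    return -1

def demo():
    """Constructed sample timeline; the names, hosts and times are made up."""
    log = []
    t = lambda s: datetime.fromisoformat(s).replace(tzinfo=timezone.utc)
    record(log, "soc-analyst-1", "EDR alert: mass file renames", ["fs01"], ["jdoe"], t("2025-01-10T09:02:00"))
    record(log, "it-admin-2", "Unplugged network cable", ["fs01"], [], t("2025-01-10T09:06:00"))
    record(log, "it-admin-2", "Disabled account", [], ["jdoe"], t("2025-01-10T09:09:00"))
    return log

if __name__ == "__main__":
    for e in demo():
        print(json.dumps(e))  # one JSON line per action, ready to append to a file
```

Keep the log on a system outside the affected network, and hand the latest hash to a second person so the chain cannot be silently rebuilt.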

Step 5: Control the Message

Misinformation spreads faster than malware.

Do not let team members “guess” on Slack or email.
Designate one person to lead all internal and external communications, with legal and PR oversight.

Good messaging is:

  • Timely, factual, and calm

  • Focused on known facts—not speculation

  • Consistent across internal and public channels

You don’t need to know everything to say something responsibly.

Step 6: Prepare to Restore (But Don’t Rush)

Your backups may be your saving grace—or your downfall if they’re infected too.

Confirm before restoring:

  • Do backups originate from a clean point in time?

  • Have they been tested?

  • Can they be restored safely in an isolated environment?

Never restore blindly. You could reinfect your systems instantly.

Step 7: Debrief, Recover, Learn

When the dust settles, the real work begins.

Conduct a postmortem that covers:

  • Entry point and attacker method

  • Timeline of actions taken

  • Gaps in detection, containment, and response

  • Clear, actionable next steps

No blame. Just facts, lessons, and improvements.

TL;DR – The “Under Attack” Checklist

  1. Isolate affected systems

  2. Revoke access and accounts

  3. Activate your IR team

  4. Use secure comms

  5. Log everything

  6. Assign a comms lead

  7. Validate backups

  8. Plan your recovery

  9. Run a postmortem

  10. Improve for next time

Final Thought: Train Like It’s Real—Because One Day, It Will Be

You won’t rise to the occasion.
You’ll fall to your level of preparation.

The best teams don’t Google what to do during an attack—they’ve rehearsed it, drilled it, and committed it to muscle memory.

So, the real question isn’t “What will you do when you’re attacked?”
It’s: “Will you be ready?”

Want a free printable version of this checklist, an IR playbook template, or a tabletop simulation guide? Just let me know—I'll send it your way.

 

 

Author

Tooba Wajid
