There is a cyber attack in progress. The attacker is inside your network, roaming freely, collecting data, and installing a command and control (C&C) node for future communications. Only this time you are watching them – you can see what they are doing. The dilemma remains: what to do? Should you let them continue to navigate the network while you work, wait for the forensic experts to arrive, or find a way to stop them?
Earlier this year, a BBC News report on the Co-op incident said the British retailer's IT team “made the decision to shut down computer services, preventing criminals from continuing to hack.”
The criminals sent a message to the BBC saying: “The Co-op network has never been hit by ransomware. They pulled their own plug, resulting in falling sales, burning logistics and eroding shareholder value.”
In its statement, Co-op said it “took early and decisive action to protect our Co-op, including restricting access to certain systems,” which helped contain the problem, prevent further access to data and protect the organization as a whole.
When questioned by the Business and Commerce Subcommittee in July, Co-op representatives did not directly use the phrase “pulling the plug.” But Rob Elsey, Co-op's chief digital officer, said VPN and remote access were limited “as a way to ensure that we can keep criminals out of our systems.”
Elsey explained that software on the network was “actually trying to contact the attacker's website” and, after identifying the source, the team took preventative measures and suspended all communications in that area.
This, he stressed, is not “pulling the plug.” The Co-op's systems were “highly compartmentalized, meaning they were largely focused on one specific area.” He told the committee: “However, all of our online businesses continued to operate normally and our retail stores and payments were segmented so they were not part of this attack.”
Which plug are you pulling?
Whether the Co-op actually went offline is open to interpretation. But with recent rulings on ransomware payments, the ability to take immediate action may lead to more pragmatic solutions.
Ev Kontsevoy, CEO of Teleport, says that while shutting down systems can be an effective short-term tactic, “it's a sledgehammer approach, not a strategy,” adding, “Turning off systems may stop lateral movement or data leakage in the moment, but it doesn't address the underlying problem: how the attackers got in, how long they were there, and what they gained access to. It also causes unnecessary business disruption, which is one of the most tangible impacts of cyber attacks these days. We shouldn't encourage more destruction by shutting down systems.”
Tim Rawlins, director and senior adviser at NCC Group, tells Computer Weekly that it's not as simple as just “pulling the plug.” The critical question, he says, is which plug: the one connected to the outside world, or the one to the internal network?
“When people talk about turning off the power, we don't want them to turn off systems completely, because then we lose all the volatile forensic evidence – the data in memory. If you turn off the power in the classic 'turn it off, turn it back on' sense, that's what we lose,” he says.
Instead, Rawlins advises proper network segmentation: “You're trying to make it difficult to move from this segment to another. It's either completely physically separated or has firewalls with additional role-based access controls.”
Network segmentation, he adds, is best practice anyway. In the event of an attack, this makes lateral movement difficult. “If you can pull the plug on the network rather than the socket, you can reduce the likelihood of a virus spreading from one host to multiple hosts—and that's where the need to pull the plug comes in,” Rawlins says.
“There is an element of shutting down things that you don't think have been compromised. If you can see the path they came in, you can get ahead of it and stop access to it. But you need to make sure that it doesn't work correctly. If you just turn off the system—literally pull the plug—a lot of systems will fail.”
“Instead, you can disable them so they are dormant and unattackable – which is what many organizations do. In short: you need to pull the plug, but you need to think about it a little more carefully.”
Context matters
The question is not simply whether to turn off the power, but what the situation requires. In a LinkedIn survey conducted by this reporter on the topic, 55% of respondents said pulling the plug was the best way to stop an attack. However, comments on the survey made it clear that things are not so binary. One respondent called these “drastic measures, extreme measures.” Others emphasized the need to consider “architecture, segmentation, critical servers, incident type, and many other data points” before taking action.
Tim Anderson, UK account director at CyberCX, explains that while shutting down servers is a common and often effective step, it is not an easy task and can introduce new risks.
“It's important to choose the right systems,” he says. “Given how interconnected modern computer systems are—both within a company and with the Internet—unplugging everything can be a complex, time-consuming and disruptive process.
“Where possible, our digital forensics experts and incident responders prefer 'surgical' network isolation of specific systems or parts of the network. This effectively disconnects affected systems from the Internet rather than cutting off power. This can contain an attack and give investigators crucial time to understand the scope and impact.”
He admits that pulling the plug can sometimes be effective, but it is not advisable as a default. It can be very destructive, and sophisticated attackers often use methods to regain access once systems are back online.
Admitting failure?
Another aspect is perception. If you do pull the plug, are you really admitting failure? Rafal Los, podcast host and head of GTM at ExtraHop, suggests yes. “This is one of the few things I would fire a CISO for: You have a security problem and you have to close the business? You're fired,” he says.
He cites the 2003 SQL Slammer worm as an example of when networks collapsed completely, leaving shutdown the only option. But after just 18 months, he said, better techniques allowed for more surgical interventions, such as shutting down certain network segments or ports.
“This may not be a workable strategy in 2025,” Los argues. “If the answer is 'turn it all off,' then you have what you think is uncontrollable bleeding in one of your fingers, and your answer is to cut it off.”
He notes that microsegmentation and zero trust have been discussed for many years. If the playbook still ends with the power cord being pulled, it signals that you have lost visibility and control. “This is every cybersecurity expert's worst nightmare right now,” he says. “I can't imagine giving anyone advice to just shut it down. It sounds, dare I say, just irresponsible.”
Precedent
Despite these warnings, high-profile examples of outages exist. According to Newsweek, the 2012 cyberattack on Saudi Aramco resulted in the Shamoon virus erasing hard drives, forcing the company to destroy more than 30,000 computers.
Likewise, the attack on Colonial Pipeline in 2021 resulted in several systems being taken offline to contain the hack. The move temporarily halted pipeline operations and disrupted several IT systems.
Los acknowledges that there are extreme cases where complete closure is the only option. But, he said, if this is the only solution, then it reflects “the organization’s complete unpreparedness.”
Rawlins agreed that cutting off Internet access during an attack can sometimes make sense because it deprives the attackers of a command and control node. But the broader implications need to be weighed—what else depends on this connection.
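As an added illustration (not code from the article or from any of the experts quoted), here is a small Python containment planner that encodes the “surgical” isolation Rawlins and Anderson describe: compromised hosts stay powered so memory evidence survives, lose all network reach except to a responder jump host, the affected segment blocks the C&C indicator, and the planner lists which services would break, i.e. what else depends on the connection. The host names, segments, service dependencies and the C&C placeholder are constructed for the example.

```python
from collections import deque

# Constructed sample inventory (not from the article): host -> network segment
HOSTS = {
    "pos-01": "retail", "pos-02": "retail",
    "erp-app": "corp", "file-srv": "corp", "hr-wks-7": "corp",
    "web-01": "dmz", "ir-jump": "mgmt",
}
# Constructed dependency graph: service -> hosts/services it cannot run without
DEPENDS_ON = {
    "online-shop": {"web-01", "erp-app"},
    "store-payments": {"pos-01", "pos-02"},
    "payroll": {"hr-wks-7", "file-srv"},
    "erp-app": {"file-srv"},
}

def collateral(blocked, depends_on=DEPENDS_ON):
    """Transitively find every service that stops working once `blocked` hosts are cut off."""
    hit, queue = set(), deque(blocked)
    while queue:
        node = queue.popleft()
        for svc, deps in depends_on.items():
            if node in deps and svc not in hit:
                hit.add(svc)
                queue.append(svc)   # a broken service can break the services built on it
    return hit

def plan_isolation(compromised, c2_indicator, hosts=HOSTS, ir_host="ir-jump"):
    """Surgical containment: isolate at the network, not the power socket.
    Hosts keep running (volatile evidence preserved) but may only talk to the IR jump host;
    the whole affected segment loses its path to the C&C indicator."""
    segments = {hosts[h] for h in compromised}
    rules = []
    for h in sorted(compromised):
        rules.append(f"allow {h} -> {ir_host}")   # responders keep memory-acquisition access
        rules.append(f"deny  {h} -> any")          # no lateral movement, no C&C callbacks
    for seg in sorted(segments):
        rules.append(f"deny  segment:{seg} -> {c2_indicator}")  # outbound C&C cut for the segment
    return {
        "rules": rules,
        "quarantined_segments": segments,
        "collateral": collateral(set(compromised)),   # what else depends on this connection
    }

if __name__ == "__main__":
    for k, v in plan_isolation({"file-srv"}, "C2-INDICATOR-PLACEHOLDER").items():
        print(k, v)
```

Isolating `file-srv` alone shows the point of the dependency walk: payroll and the ERP application break directly, and the online shop breaks through the ERP, while store payments in the segmented retail segment keep running.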
Final Thoughts
Fictional depictions of cybersecurity often present a blackout as the dramatic solution. In reality, it is rarely the final or best option. More often it reflects poor network architecture or insufficient segmentation.
The true solution lies in preparedness: segmentation, scenarios and proven incident response plans. In cybersecurity, turning it off and on again may solve some problems, but when it comes to an active attack, it's rarely the best option.