We’ve Been Hacked – Now What?

The world's growing appetite for technology, and the interconnectivity and collaboration it enables, have revolutionized the way the world communicates and conducts business. Unfortunately, not every technological advancement of the past few decades has been positive. Several factors, such as the decreasing cost of machine time, the relative ease of initiating an attack, and the increasing reward of a successful attack, leave companies of all sizes, in all industries, and of all nations susceptible to cyberattacks.

A November 2014 study by Vectra Networks, based on data collected over five months from more than 100,000 hosts within sample organisations, found that up to 85% of cyberattacks are opportunistic – that is, the perpetrators did not intend to target a specific victim, but rather trawled cyberspace until they found a vulnerability to exploit. Typically, an organisation will have an Incident Response Plan (IRP) in place to effectively address and mitigate the damage caused by a hacking occurrence. If it is discovered that an organisation has been breached, an effective IRP will include the following five important steps, which should be taken immediately.

Step 1 – Identify the Infected System(s)

Identifying an infected system can prove tricky at times. Malware changes constantly, making it difficult for anti-virus software to detect. Because malware can morph and propagate, the attack could be confined to a single workstation or a server, or it could span the entire network. It is crucial to properly identify the affected system(s), and it is best to err on the side of caution, even if that means taking additional users offline.

Step 2 – Isolate the Infected System(s) from the Rest of the Network

Ideally, the system(s) should be left on and running, in order to analyze the attack in real time. Shutting a machine down certainly stops the threat, but it may also let the malware alter its state before an expert has a chance to determine how the malware got into the system(s) and what it intended to do with the access. If malware is unable to contact its controlling host, it is effectively neutralized. Therefore, all connections to the rest of the network and to the Internet should be disabled – the machine should be placed on its own virtual network, akin to a sandbox, where the malware can continue to run but has no access to any other data on the network.

Step 3 – Take Live Acquisitions of the Machine(s)

It is important to capture any and all ongoing activity, and to monitor the live machines to see which access point(s) the attacker is using, how the attacker is communicating with the malicious software, whether the attacker is “staging” data for exfiltration in a certain folder, and what other intelligence is available about the attacker. Intelligence about the attack will be crucial later on, when the organisation is ready to remediate the issues and to ensure that the same attack cannot be carried out again. This step should also inform the expert as to how the attacker gained access and whether further education is required for the users about phishing, following bad links, or cybersecurity in general.
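As an added illustration of Steps 1 to 3 (this is example code, not from the original article or from Vectra Networks), the Python helper below parses a constructed connection log, flags hosts that connect to one destination at a regular interval (a beaconing pattern, Step 1), models the sandbox network in which an isolated host can reach only the analyst's forensic workstation (Step 2), and builds an evidence manifest that hashes each captured volatile artifact in order of volatility (Step 3). The log format, host names, addresses, the forensic workstation name and the artifact names are all constructed assumptions; the collection order follows RFC 3227's order-of-volatility guidance.

```python
"""Triage helper for Steps 1-3 of an IRP (added example; all inputs are constructed)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
import hashlib

# Constructed sample connection log: "<ISO timestamp> <src_host> -> <dst_ip>:<port>".
# ws-017 contacts one address every five minutes; ws-042 browses irregularly.
SAMPLE_LOG = """\
2014-11-03T09:00:00 ws-017 -> 203.0.113.25:443
2014-11-03T09:05:00 ws-017 -> 203.0.113.25:443
2014-11-03T09:10:00 ws-017 -> 203.0.113.25:443
2014-11-03T09:15:00 ws-017 -> 203.0.113.25:443
2014-11-03T09:20:00 ws-017 -> 203.0.113.25:443
2014-11-03T09:01:12 ws-042 -> 198.51.100.7:80
2014-11-03T09:37:48 ws-042 -> 198.51.100.9:443
2014-11-03T10:02:03 ws-042 -> 198.51.100.7:80
2014-11-03T11:20:30 ws-042 -> 198.51.100.7:80
2014-11-03T11:21:00 ws-042 -> 198.51.100.7:80
"""

# Hypothetical analyst workstation: the only peer an isolated host may still reach.
FORENSIC_WORKSTATION = "forensics-01"

# Most volatile first (RFC 3227), reduced to the artifact names used in this example.
ORDER_OF_VOLATILITY = ["memory", "network_connections", "processes", "logged_in_users", "disk_image"]


def parse_log(text):
    """Turn the constructed log lines into (timestamp, src_host, dst_ip, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def find_beaconing_hosts(events, min_hits=4, max_jitter=0.1):
    """Step 1: flag hosts whose connections to one destination recur at a steady interval.

    A (src, dst, port) triple is suspicious when it has at least `min_hits` connections
    and the spread of the gaps between them is at most `max_jitter` of the mean gap."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst, port)].append(ts)
    flagged = {}
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[src] = {"destination": f"{dst}:{port}", "interval_seconds": avg, "hits": len(times)}
    return flagged


def may_connect(src, dst, isolated_hosts):
    """Step 2: model of the sandbox network. An isolated host talks only to the forensic
    workstation; traffic between non-isolated hosts is unaffected."""
    if src in isolated_hosts or dst in isolated_hosts:
        return FORENSIC_WORKSTATION in (src, dst)
    return True


def record_acquisition(host, artifacts, collected_at):
    """Step 3: hash each captured artifact (name -> bytes) so later analysis can show the
    evidence was not altered; entries are listed most-volatile-first."""
    unknown = set(artifacts) - set(ORDER_OF_VOLATILITY)
    if unknown:
        raise ValueError(f"unknown artifact types: {sorted(unknown)}")
    datetime.fromisoformat(collected_at)  # reject malformed timestamps early
    manifest = {"host": host, "collected_at": collected_at, "artifacts": []}
    for name in ORDER_OF_VOLATILITY:
        if name in artifacts:
            data = artifacts[name]
            manifest["artifacts"].append(
                {"name": name, "bytes": len(data), "sha256": hashlib.sha256(data).hexdigest()}
            )
    return manifest


if __name__ == "__main__":
    suspects = find_beaconing_hosts(parse_log(SAMPLE_LOG))
    for host, info in suspects.items():
        print(f"Step 1: {host} beacons to {info['destination']} every {info['interval_seconds']:.0f}s")
    print("Step 2: ws-017 -> ws-042 allowed?", may_connect("ws-017", "ws-042", set(suspects)))
    captured = {"processes": b"constructed process listing", "memory": b"constructed memory dump"}
    manifest = record_acquisition("ws-017", captured, "2014-11-03T09:30:00")
    print("Step 3:", [(a["name"], a["sha256"][:12]) for a in manifest["artifacts"]])
```

The jitter threshold is the tuning knob: a real fleet has legitimate periodic traffic (update checks, monitoring agents), so in practice the flagged list is a queue for an analyst to confirm, not an automatic verdict. The manifest hashes are what let the team show, during the Step 5 review or any later dispute, that the captured state matches what was analyzed.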

Step 4 – Eradicate any Malicious Software from the System(s)

It is imperative that all holes exploited or created by the attacker are closed. All applications and machines must be fully patched and updated, and the organisation must ensure that they are functioning properly.

Step 5 – Conduct a thorough Review of the Incident Response Plan

Assemble the team and discuss which tactics worked well, and which ones were unsuccessful. Analyze the intelligence gathered about the attack, and incorporate that intelligence into future IRPs. Taking the time to do this immediately after a breach will make future responses quicker, more effective, and less intrusive to normal business operations.

Conclusion

The most important thing to do when it comes to cybersecurity is to prepare. No organisation wants to be attacked, but if it is attacked, it will need to have a thorough IRP. It is imperative that an IRP is created that incorporates as many attack scenarios as the organisation could possibly be exposed to, and that the organisation is prepared to handle any situation that may present itself. Whether it is done in-house or through a service provider, preparing an IRP is a necessary investment that helps ensure a cyberattack is handled adequately.