
Malware or the activities of black hats cannot always be detected immediately by endpoint protection or antivirus programs, either because the threat is too new or because obfuscation techniques are used. A combination of different measures is therefore required to detect attackers in good time nonetheless:
Not to be forgotten: the prompt reporting of anomalies by your users.
Through IT security consultations, you can get expert advice or a vulnerability assessment of your system before an incident occurs.
If you have been hacked, you can prevent further damage by following these steps:
As soon as you detect a hacking attack on your company, you should immediately start documenting it: Note exactly what steps you take to handle the attack and what information you collect. This documentation will not only be helpful in later reviews related to the incident, but it will also serve as evidence in potential legal proceedings.
The first step is to stop the data leakage and deprive the attacker of access to your system. The obvious measure is to disconnect infected devices from the intranet and Internet. The following sections explain the alternatives and the advantages and disadvantages of each option.
The first-response tasks differ depending on the variant you choose. Ideally, you have a checklist that makes the decision easy and clearly lays out all further steps. Without one, staff may end up working on the wrong things, or without focus, when they should be protecting the company.
In the first variant, all infected devices remain switched on and connected to the Internet, but they are cleanly disconnected from the rest of your company's network. The key advantage of this variant relates to the forensic analysis of the attack: information about which IP addresses and domains are accessed and which processes are executed can be used to obtain far-reaching information about the attacker.
Suspicion of compromise usually does not initially provide detailed information about the attack. If the connection is maintained, valuable data can be collected to answer the following questions: Who are the attackers and how did they go about it? How long have they been on the network? Which other systems have already been compromised?
The more information you can gather, the more efficiently you can ensure that you have finally removed the attacker from the network.
From a forensic point of view, this variant allows the best possible preservation of evidence. However, you or your IT partner must have the necessary expertise to cleanly disconnect the affected machines from the rest of the network while the Internet connection is active.
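The "cleanly disconnect from the intranet while the Internet stays up" step of Variant 1, shown on a Windows host with the built-in firewall. This is an added example, not code from the original article; it assumes an elevated session, that Windows Firewall is active, and that the two addresses in `$AllowedInternal` (internal resolver and evidence collector) are placeholders you replace with your own.

```powershell
# Added example (not from the original article): Variant 1 on a Windows host - cut the
# intranet while leaving the Internet path open so the attacker's outbound connections can
# still be observed. Assumes Windows Firewall is active, an elevated session, and that the
# two addresses in $AllowedInternal (resolver, evidence collector) are placeholders.
$InternalRanges  = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '169.254.0.0/16')
$AllowedInternal = @('10.0.0.53', '10.0.0.200')   # placeholders: internal DNS, evidence collector

# Windows Firewall applies Block rules before Allow rules, so an exception cannot be a
# separate Allow rule; the allowed hosts are carved out of the blocked ranges instead.
function ConvertTo-UInt32Ip([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes(); [Array]::Reverse($b)
    return [BitConverter]::ToUInt32($b, 0)
}
function ConvertFrom-UInt32Ip([uint32]$N) {
    $b = [BitConverter]::GetBytes($N); [Array]::Reverse($b)
    return [System.Net.IPAddress]::new($b).ToString()
}
function Get-BlockedRanges([string[]]$Cidrs, [string[]]$Exclude) {
    $ranges = @()
    $holes  = @($Exclude | ForEach-Object { ConvertTo-UInt32Ip $_ } | Sort-Object)
    foreach ($cidr in $Cidrs) {
        $net, $bits = $cidr.Split('/')
        $start  = ConvertTo-UInt32Ip $net
        $end    = $start + [uint32]([math]::Pow(2, 32 - [int]$bits) - 1)
        $cursor = $start
        foreach ($h in $holes) {
            if ($h -lt $start -or $h -gt $end) { continue }
            if ($h -gt $cursor) { $ranges += '{0}-{1}' -f (ConvertFrom-UInt32Ip $cursor), (ConvertFrom-UInt32Ip ($h - 1)) }
            $cursor = $h + 1
        }
        if ($cursor -le $end) { $ranges += '{0}-{1}' -f (ConvertFrom-UInt32Ip $cursor), (ConvertFrom-UInt32Ip $end) }
    }
    return $ranges
}

$Blocked = Get-BlockedRanges -Cidrs $InternalRanges -Exclude $AllowedInternal
foreach ($dir in 'Inbound', 'Outbound') {
    New-NetFirewallRule -DisplayName "IR-Isolate-Intranet-$dir" -Direction $dir -Action Block `
        -RemoteAddress $Blocked -Profile Any -Enabled True | Out-Null
}
# Log allowed and blocked connections: the firewall log becomes part of the forensic timeline.
Set-NetFirewallProfile -All -LogAllowed True -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
Write-Host "Intranet blocked except $($AllowedInternal -join ', '); Internet left open."
```

The script covers IPv4 only; add your IPv6 link-local and ULA ranges the same way, and work on the host with a local account, because the domain controllers are now unreachable. If your endpoint protection offers a network-isolation function, prefer it; this is the manual equivalent.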
In Azure, quick action can stop the data leak. By adjusting the conditional access settings, rolling out 2FA to all employees, and performing a session revoke, you can very likely cut off the attacker's access. After this response, you must thoroughly review the log files to make sure the attacker did not change any settings that would give them access elsewhere.
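The Azure response described above (session revoke, then log review) with the Microsoft.Graph PowerShell SDK. This is an added example, not code from the original article; it assumes a sufficiently privileged admin, the Microsoft.Graph module, and that the account names, the compromise window and the list of watched activity names are placeholders to adjust for your tenant.

```powershell
# Added example (not from the original article): Entra ID first response with the
# Microsoft.Graph PowerShell SDK. Account names and the look-back window are placeholders.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$Compromised = @('alice@example.com', 'svc-backup@example.com')   # placeholder accounts
$Since = (Get-Date).AddDays(-14).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')  # suspected start

# 1. Cut every existing session: refresh tokens and session cookies are invalidated, so the
#    attacker has to authenticate again - and now runs into MFA and Conditional Access.
foreach ($upn in $Compromised) {
    Revoke-MgUserSignInSession -UserId $upn | Out-Null
    Write-Host "Sessions revoked for $upn"
}

# 2. Sign-in review: where did the account authenticate from, and did Conditional Access let it in?
$SignIns = foreach ($upn in $Compromised) {
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn' and createdDateTime ge $Since" -All
}
$SignIns | Select-Object CreatedDateTime, UserPrincipalName, IpAddress,
    @{n='City';e={$_.Location.City}}, @{n='Country';e={$_.Location.CountryOrRegion}},
    ConditionalAccessStatus, @{n='Error';e={$_.Status.ErrorCode}} |
    Sort-Object CreatedDateTime | Format-Table -AutoSize

# 3. Settings review: every directory change in the window, so nothing the attacker altered
#    (consents, role assignments, CA policies, new credentials, new MFA methods) survives.
$Watch = 'Consent to application', 'Add member to role', 'Update conditional access policy',
         'Add service principal credentials', 'Add app role assignment to service principal',
         'User registered security info', 'Add user', 'Update user'   # placeholder list, extend as needed
Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $Since" -All |
    Where-Object { $Watch -contains $_.ActivityDisplayName } |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{n='By';e={ if ($_.InitiatedBy.User) { $_.InitiatedBy.User.UserPrincipalName } else { $_.InitiatedBy.App.DisplayName } }},
        @{n='Target';e={ ($_.TargetResources | ForEach-Object DisplayName) -join ', ' }} |
    Sort-Object ActivityDateTime | Format-Table -AutoSize
```

Export both tables to your incident documentation before you change anything else; they are the evidence that the settings review was done and what it found.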
If you do not have the necessary expertise to perform the first variant safely, the second variant is the right one for you.
In this case, infected devices must be taken offline immediately. Otherwise, the attacker retains access to the systems for longer, and a major data leak or further spread is possible.
Once the compromised devices are offline, malware and hackers can no longer spread to other IT devices on the network or contact command and control servers on the Internet. Common malware such as ransomware (encryption Trojans) also can no longer send the encryption key to the extortionist or attacker once the connection is cut, which denies the attackers access to the encrypted data.
For later forensic analysis, you should create a disk image and a memory dump of the infected system. This way, you can later recover critical information about the malware or the activities of the black hats from log files or memory.
As the IT manager or person responsible in your company, you must decide which variant is right for you and honestly assess your expertise. The important thing is that you act decisively and quickly.
If the hacked systems serve as an entry or exit point to other companies and their networks, those companies must be notified. This lets them counter possible propagation into their network, and, if the compromise originated in another network, lets an incident response start there as well.
Devices that are essential to the business should be closely monitored. Limit their communication with the rest of the network to the absolute minimum or, if necessary, shut them down completely until a clean network can be established without compromise. This reduces potential consequential damage from an undetected infected or hacked device.
Particularly if you suspect that a compromise or hacking attack has been going on for a long time, you should consider restoring a backup from well before that time or even performing a complete reset. Inform potentially affected customers quickly in order to avert damage to them and to avoid damage to your reputation.
The next step is to check and change computer, service and user accounts. This will prevent already hacked accounts from being used for further attacks.
Newly created accounts should be analyzed. Accounts suspected of being hacked and legacy accounts should be deactivated and their permissions revoked. Change the existing credentials of all remaining accounts and thoroughly review existing permissions. This will minimize the risk of over-privileged accounts.
Include in these changes and reviews not only corporate services, but also private services (e.g., social media platforms, sharing platforms) used with the same credentials, if applicable.
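The account review described in the three paragraphs above, for an Entra ID tenant, with the Microsoft.Graph PowerShell SDK. This is an added example, not code from the original article; it assumes User.ReadWrite.All and AuditLog.Read.All permissions, an Entra ID P1 licence for the sign-in activity data, and placeholder dates and account names. The `Disable-IncidentAccount` function is this example's own.

```powershell
# Added example (not from the original article): post-incident account review in Entra ID.
# Dates and account names are placeholders; Disable-IncidentAccount is defined here, not by the SDK.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All' -NoWelcome
$Since = '2024-01-01T00:00:00Z'                  # placeholder: suspected start of the compromise
$Stale = (Get-Date).AddDays(-90)                  # legacy account: no sign-in for 90 days
$Props = 'id,displayName,userPrincipalName,createdDateTime,accountEnabled,signInActivity'

# 1. Accounts created since the suspected start: attackers often add their own for persistence.
$NewAccounts = Get-MgUser -Filter "createdDateTime ge $Since" -Property $Props -All `
    -ConsistencyLevel eventual -CountVariable n
$NewAccounts | Select-Object DisplayName, UserPrincipalName, CreatedDateTime | Format-Table -AutoSize

# 2. Legacy accounts: still enabled, but no sign-in within the stale window.
$Legacy = Get-MgUser -Filter 'accountEnabled eq true' -Property $Props -All | Where-Object {
    -not $_.SignInActivity.LastSignInDateTime -or $_.SignInActivity.LastSignInDateTime -lt $Stale }
$Legacy | Select-Object DisplayName, UserPrincipalName,
    @{n='LastSignIn';e={$_.SignInActivity.LastSignInDateTime}} | Format-Table -AutoSize

# 3. Deactivate, strip directory roles, revoke sessions, and write the action to the incident log.
function Disable-IncidentAccount([string]$Upn, [string]$Reason) {
    $u = Get-MgUser -UserId $Upn -Property 'id,userPrincipalName'
    Update-MgUser -UserId $u.Id -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
    $roles = Get-MgUserMemberOf -UserId $u.Id |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' }
    foreach ($role in $roles) { Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $u.Id }
    '{0:u} DISABLED {1} ({2})' -f (Get-Date), $u.UserPrincipalName, $Reason | Add-Content -Path .\ir-account-actions.log
}
$Suspected = @()   # placeholder: UPNs you judged hacked after reviewing $NewAccounts and the logs
foreach ($upn in $Suspected) { Disable-IncidentAccount $upn 'suspected compromise' }
foreach ($u in $Legacy)      { Disable-IncidentAccount $u.UserPrincipalName 'legacy account, no recent sign-in' }

# 4. Every remaining enabled account gets new credentials: force a password change at next sign-in.
Get-MgUser -Filter 'accountEnabled eq true' -All | ForEach-Object {
    Update-MgUser -UserId $_.Id -PasswordProfile @{ ForceChangePasswordNextSignIn = $true }
}
```

Step 4 only takes effect when the user next signs in, so it belongs after the session revoke, and resetting administrators' passwords needs a correspondingly privileged role; permissions granted outside directory roles (group memberships, app role assignments) still need a separate review.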
After a hacking incident, it is essential to have your system forensically analyzed by a competent IT professional, especially if legal action is to be taken.
For a forensic analysis, it is important that the original data is not altered, so as to rule out any manipulation in anyone's favour, whether by the forensic expert or by third parties. As a rule, the examination is therefore performed on images in a sandbox environment.
In the forensic part, detailed checks are performed to record the nature and impact of the compromise caused by the hack. The vulnerabilities through which the systems were hacked are identified. This results in further steps, such as applying security updates to the hacked services to prevent further systems in the corporate network from being infected.
After the analysis, the forensic expert can recommend whether data can possibly still be salvaged, or whether a further infestation could be imminent (for example, because a worm has spread into a backup) and restoring it should therefore be advised against.
Following the forensic analysis, the infected systems are scanned for remnants of the hackers and malware and freed of them. It is important to make sure that the hacked systems are truly clean.
Depending on the severity and nature of the compromise, you can reinstall the systems after wiping and reformatting the storage - preferably with a backup that was definitely created before the compromise. However, you may need to revert to the image of the system that was created before it was brought into the production environment.
Subsequently, all necessary patches are applied, unused services are switched off, and vulnerabilities that have been exploited are eliminated. In particularly severe cases, economic considerations and operational requirements may also necessitate a new procurement of the systems.
Before reintegrating the affected and re-provisioned systems into the production environment, another important step is necessary: Establish measures and phases to ensure that no new compromise of systems occurs. These should include the following:
After successfully completing the previous steps, you must finally make the decision to switch from emergency mode to normal mode. Carry out this step jointly in your company depending on the previous results and after working through the checklists.
It is important here to involve and inform the users as well. Communicate the upcoming change clearly and ask for heightened vigilance during the transition, especially if it was a targeted or insider attack. This is the only way to avoid another incident immediately afterwards.
The most important step in an incident response is the lessons learned and consequences drawn. This includes, at the latest, finalizing any documentation on the incident.
Design the incident documentation so that you can answer the following questions at any point during the incident:
Who? What? Where? Why? How?
On the one hand, the documentation should serve as a basis for drawing conclusions for your company's IT environment. On the other hand, you can use it for training your IT staff and as reference material in case you are hacked again.
The documentation gives you a proven guide should a similar incident happen again, and it serves to improve the incident response process.
Finally, you should hold a lessons learned meeting based on the documentation that includes the following:
In addition, a roundtable discussion should be included where IT staff can discuss suggestions and issues to improve IT and the organization to increase overall effectiveness for future incidents.
Here is an overview of all 7 steps for handling a hacking incident:
From now on, write down all the steps taken and all the information collected. Stop the data leak and deny the attacker access to your system.
Variant 1: Leave infected devices online, but separate them cleanly from the rest of the company network.
Variant 2: Take infected devices offline.
SANS Institute's Incident Handlers Handbook:
https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901