Malicious programs or activities of black hats cannot always be immediately recognized by endpoint protection or antivirus programs due to their topicality or obfuscation techniques. A combination of different measures is required here in order to nevertheless notice attackers in good time:
Not to be forgotten here is the timely reporting of abnormalities by your users.
By IT security consulting you can get advice from experts before an incident or a Vulnerability Analysis of your system.
If you've been hacked, you can prevent further damage by doing the following:
There are a number of official emergency numbers for victims of cybercrime in Germany. You can view the list here - and it's best to write down the numbers relevant to you BEFORE an incident: Emergency numbers cyber attack
As soon as you discover a hacking attack on your company, you should start with the documentation immediately: Write down exactly what steps you take to process the attack and what information you collect. This documentation is not only helpful for later reviews in connection with this incident, but it also serves as evidence in possible subsequent legal proceedings.
The first step is to stop the data leak and deny the attacker access to your system. The obvious measure is to separate infected devices from the intranet and the internet. The following sections clarify which alternatives there are and what advantages and disadvantages the variants have.
The First Response topics change depending on the variant selected. Ideally, you have a checklist that makes it easy to make a decision and makes all further steps clear. Otherwise, this can lead to resources working incorrectly or not in a targeted manner to protect the company.
With the first variant, all infected devices remain switched on and connected to the Internet, but they are cleanly separated from the rest of your company's network. The decisive advantage of this variant relates to the forensic analysis of the attack: Extensive information about the attacker can be obtained from the information about which IP addresses and domains were accessed and which processes were executed.
The suspicion of a compromise usually does not initially provide any detailed information about the attack. If the connection is maintained, valuable data can be gathered to answer the following questions: who are the attackers and how did they proceed? How long have you been on the network? Which other systems have already been compromised?
The more information you can collect, the more efficiently you can ensure that the attacker has finally been removed from the network.
From a forensic point of view, this variant enables the greatest possible preservation of evidence. However, the prerequisite is that you or your IT partner have the necessary expertise to cleanly separate the affected machines from the rest of the network when there is an existing Internet connection.
With Azure, acting quickly can stop data leakage. By adjusting the settings for conditional access, rolling out 2FA for all employees and a session revoke, you can most likely deny the attacker access. After the reaction, an extensive evaluation of the log files is now required to ensure that the attacker has not changed any settings and thus made access possible elsewhere.
If you do not have the necessary expertise to safely carry out the first variant, the second variant is the right one for you.
In this case, infected devices must be taken offline immediately. Otherwise, the attacker has longer access to the systems and a larger data leak or spread would be possible.
If the affected devices are offline, they can Malware and hackers do not redistribute and spread to other IT devices on the network or contact Command & Control servers on the Internet. Common malicious software, such as encryption Trojans, cannot send a key to the blackmailer or attacker if the connection is interrupted. This prevents attackers from accessing the encrypted data.
For later forensic analysis, you should create an image of the infected system and the main memory. In this way, you can later access critical information about the malware or the activities of the black hats, which is located in log files or the main memory.
As the IT manager or responsible person in your company, you have to decide which variant is the right one for you and classify your specialist knowledge correctly. It is important that you act decisively and quickly.
If the hacked systems serve as an exit or entry point to or for other company(s) and their network(s), they must be notified. On the one hand you can counteract a possible spread in their network and on the other hand you can start an incident response if the origin of the compromise lies in another network.
Devices that are essential to the business should be closely inspected and monitored. Limit their communication with the rest of the network to the bare minimum or, if necessary, shut them down entirely until a clean network can be established without compromise. This reduces potential consequential damage caused by an undetected infected or hacked device.
If there is a suspicion of a compromise or hacking attack that has been going on for some time, you should think about restoring a backup from a long time ago or even a complete reset. Promptly notify potentially affected customers to prevent harm to them and reputational damage.
The next step is to review and change computer, service, and user accounts. This prevents accounts that have already been hacked from being used for further attacks.
Newly created accounts should be analyzed. You should deactivate accounts that are suspected of being hacked and legacy accounts and revoke their permissions. Change the existing credentials of all other accounts and double-check existing permissions. This is how you minimize the risk of overprivileged accounts.
Include in these changes and reviews not only corporate services, but also private services (e.g. social media platforms, exchange platforms) that are used with the same credentials, where appropriate.
After a hacking incident, it is essential to have your system forensically analyzed by a competent IT professional, especially if legal action is taken.
It is important for a forensic analysis that the original data is not changed in order to rule out advantageous manipulation by the forensic scientist or third parties. As a rule, the verification using images will take place in a sandbox environment.
Detailed checks are carried out in the forensic part to log the nature and impact of the compromise caused by the hack. The vulnerabilities through which the systems were hacked are identified. This results in further steps such as installing security updates for the hacked services to prevent other systems in the company network from being infected.
After the analysis, the forensic scientist can make a recommendation as to whether data can still be saved under certain circumstances, or whether there is a risk of another attack (e.g. through the spread of a worm in a backup) and is therefore not advisable.
Following the forensic examination, the infected systems are searched for and cleaned of the remains of the hackers and malware. It is important to ensure that the hacked systems are really clean.
Depending on the severity and type of compromise, you can reinstall the systems after wiping and reformatting the storage - preferably with a backup that was definitely created before the compromise. However, you may need to revert to the image of the system that was created prior to going live.
All necessary patches are then installed, unused services are switched off and vulnerabilities that have been exploited are eliminated. In particularly difficult cases, it may also be necessary to procure new systems from an economic point of view and operational requirements.
Another important step is necessary before the affected and restored systems can be reintegrated into the productive environment: define measures and phases to ensure that the systems are not compromised again. These should include the following points:
After successfully completing the previous steps, you must finally make the decision to switch from emergency mode to normal mode. Depending on the previous results and after completing the checklists, carry out this step together in your company.
It is important here to also integrate and pick up the users. Communicates the upcoming change cleanly and asks for special awareness during the implementation in case it was a directed attack or an attack from the inside. This is the only way to avoid another incident occurring immediately afterwards.
The most important step in an incident response is the lessons and consequences that are drawn from it. This includes completing all documentation on the incident now at the latest.
Design the documentation of the incident in such a way that you can answer the following questions at any point during the incident:
Who? What? Where? Why? How?
On the one hand, the documentation should serve as a basis for drawing conclusions for your company's IT environment. On the other hand, you can use them for training your IT staff and as reference material in case you get hacked again.
The documentation serves to have a proven track record should a similar incident occur and to improve the incident response process.
Finally, you should hold a Lessons Learned Meeting, which includes the following points based on the documentation:
In addition, a round table should be included where IT staff can discuss suggestions and topics for improving IT and organization to increase overall effectiveness for future incidents.
Here you will find an overview of all 7 steps for processing a hacking incident:
From now on, note down all steps taken and all information collected. Stop the data flow and deny the attacker access to your system.
Variant 1: Leave infected devices online, but cleanly separate them from the rest of the company network.
Variant 2: Take infected devices offline.
SANS Institute Incident Handbook:
https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
