Hacked, what to do?

If you've been hacked, you should immediately begin mitigation and documentation efforts. In this article, we'll take you step-by-step through the process of handling a hacking incident.

Detection of hacking attacks

Malware and the activities of black hats cannot always be detected immediately by endpoint protection or antivirus software, either because the threat is too new to be recognized or because it uses obfuscation techniques. A combination of different measures is therefore required to detect attackers in good time nonetheless:

  • Detailed logging
  • General network monitoring
  • Granular control of data flows and of the assignment of permissions within the corporate infrastructure
  • The watchful eye of the administrators

And, not least, the prompt reporting of anomalies by your users.
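As an added example of what "detailed logging" and "the watchful eye of the administrators" can look like in practice (this script is not part of the original article), the following PowerShell triage query pulls a handful of documented Windows audit events from a host's Security and System logs: new local accounts, privileged group changes, new scheduled tasks, newly installed services and bursts of failed logons. The event IDs are standard Windows IDs; the 24-hour look-back and the failed-logon threshold are assumptions to adjust. It must run in an elevated session, because the Security log is not readable otherwise.

```powershell
# Added example (not from the original article): quick triage of a Windows host's
# event logs for a few early-warning events that endpoint protection may not flag.
param(
    [int]$HoursBack = 24,          # assumption: review the last 24 hours
    [int]$FailedLogonThreshold = 20 # assumption: more than this is worth a look
)

$since = (Get-Date).AddHours(-$HoursBack)

# Log name -> (event ID -> description). All IDs are documented Windows audit events.
$watch = @{
    Security = @{
        4720 = 'User account created'
        4728 = 'Member added to security-enabled global group'
        4732 = 'Member added to security-enabled local group'
        4698 = 'Scheduled task created'
        4625 = 'Failed logon'
    }
    System = @{
        7045 = 'New service installed'
    }
}

function Get-EventField {
    # Read a named field from the event's XML EventData section instead of using
    # positional Properties[] indexes, which differ from one event ID to the next.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$findings = foreach ($log in $watch.Keys) {
    $ids = [int[]]$watch[$log].Keys
    # Get-WinEvent throws when nothing matches, hence -ErrorAction SilentlyContinue.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Log         = $log
            Id          = $e.Id
            What        = $watch[$log][$e.Id]
            Subject     = Get-EventField $e 'SubjectUserName'  # who performed the action
            Target      = Get-EventField $e 'TargetUserName'   # account or group affected
            ServiceName = Get-EventField $e 'ServiceName'      # only present for 7045
            Computer    = $e.MachineName
        }
    }
}

# Failed logons are only interesting in volume; everything else on the watch
# list is rare enough on a server that each occurrence deserves a review.
$failed = @($findings | Where-Object Id -eq 4625)
if ($failed.Count -gt $FailedLogonThreshold) {
    Write-Warning ("{0} failed logons since {1}; most-targeted accounts:" -f $failed.Count, $since)
    $failed | Group-Object Target | Sort-Object Count -Descending | Select-Object -First 5 |
        Format-Table Count, Name -AutoSize
}

$findings | Where-Object Id -ne 4625 | Sort-Object Time |
    Format-Table Time, Log, Id, What, Subject, Target, ServiceName -AutoSize
```

Run it on a schedule and forward the output to a central place; a single host's view is useful, but the article's point is that log collection, network monitoring and human review only work in combination.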

Through IT security consultations, you can get expert advice or a vulnerability assessment of your system before an incident occurs.


Damage control steps if you've been hacked

If you have been hacked, you can prevent further damage by following these steps:

[Figure: flowchart of the damage control steps]

1. Start documentation, stop data leakage and infiltration

As soon as you detect a hacking attack on your company, you should immediately start documenting it: Note exactly what steps you take to handle the attack and what information you collect. This documentation will not only be helpful in later reviews related to the incident, but it will also serve as evidence in potential legal proceedings.

The first step is to stop the data leakage and deprive the attacker of access to your system. The obvious measure is to disconnect infected devices from the intranet and Internet. The following sections explain the alternatives and the advantages and disadvantages of each option.

The first-response tasks differ depending on which variant you choose. Ideally, you have a checklist that makes the decision easy and clearly lays out all further steps. Without one, staff may end up working on the wrong things, or without a clear goal, while trying to protect the company.

Variant 1: Deny access and leave devices online

In the first variant, all infected devices remain switched on and connected to the Internet, but they are cleanly disconnected from the rest of your company's network. The key advantage of this variant relates to the forensic analysis of the attack: information about which IP addresses and domains are accessed and which processes are executed can be used to obtain far-reaching information about the attacker.

Suspicion of compromise usually does not initially provide detailed information about the attack. If the connection is maintained, valuable data can be collected to answer the following questions: Who are the attackers and how did they go about it? How long have they been on the network? Which other systems have already been compromised?

The more information you can gather, the more efficiently you can ensure that you have finally removed the attacker from the network.

From a forensic point of view, this variant allows the best possible preservation of evidence. However, you or your IT partner must have the necessary expertise to cleanly disconnect the affected machines from the rest of the network while the Internet connection is active.

In Azure, quick action can stop the data leak. By adjusting the conditional access settings, rolling out 2FA to all employees and performing a session revoke, you can most likely cut off the attacker's access. After this response, you must evaluate the log files thoroughly to make sure the attacker did not change any settings elsewhere and thereby keep access by another route.
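The Azure response described above, written out as an added PowerShell example that is not from the original article. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph modules) against Entra ID: it revokes sign-in sessions and disables the compromised accounts, creates a Conditional Access policy that requires MFA for all users, and then exports the sign-in and directory-audit logs for the review the article asks for. The user principal names, the break-glass account and the "suspected since" date are placeholders; the listed Graph scopes are an assumption about what the operator's account has been granted.

```powershell
# Added example (not from the original article): first-response containment in
# Entra ID with the Microsoft Graph PowerShell SDK.
param(
    [string[]]$CompromisedUpns = @('alice@example.invalid'),   # placeholder
    [string]$BreakGlassUpn     = 'breakglass@example.invalid', # placeholder
    [datetime]$SuspectedSince  = (Get-Date).AddDays(-7)        # assumption
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess',
                        'AuditLog.Read.All', 'Directory.Read.All'

# 1. Cut the attacker's current access. Disabling the account blocks new
#    sign-ins; revoking sessions invalidates refresh tokens, so tokens already
#    issued stop working at their next refresh.
foreach ($upn in $CompromisedUpns) {
    $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, AccountEnabled
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    $null = Revoke-MgUserSignInSession -UserId $user.Id
    Write-Host "Disabled and revoked sessions for $($user.UserPrincipalName)"
}

# 2. Require MFA for every user on every application. The break-glass account
#    is excluded so the policy itself can never lock all administrators out.
$breakGlass = Get-MgUser -UserId $BreakGlassUpn -Property Id
$policy = @{
    displayName   = 'IR - Require MFA for all users'
    state         = 'enabled'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created Conditional Access policy $($created.Id)"

# 3. Start the log review: sign-ins of the compromised accounts, and every
#    directory change since the suspected start (new users, role assignments,
#    application consents, changed settings) regardless of who made it.
$sinceIso = $SuspectedSince.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
foreach ($upn in $CompromisedUpns) {
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn' and createdDateTime ge $sinceIso" -All |
        Select-Object CreatedDateTime, IpAddress, AppDisplayName,
                      @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } } |
        Export-Csv -Path "signins-$($upn -replace '[@.]', '_').csv" -NoTypeInformation
}
Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $sinceIso" -All |
    Select-Object ActivityDateTime, ActivityDisplayName, Category, Result,
                  @{ n = 'Actor';  e = { $_.InitiatedBy.User.UserPrincipalName } },
                  @{ n = 'Target'; e = { ($_.TargetResources | ForEach-Object DisplayName) -join ';' } } |
    Export-Csv -Path 'directory-audit.csv' -NoTypeInformation
```

The directory-audit export is the part that answers the article's question of whether the attacker "changed any settings anywhere": look there for new users, new role or group memberships, new application registrations or consents, and changes to authentication or Conditional Access policies that you did not make yourself.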

Variant 2: Take infected devices completely offline

If you do not have the necessary expertise to perform the first variant safely, the second variant is the right one for you.

In this case, infected devices must be taken offline immediately. Otherwise, the attacker will have prolonged access to the systems and a major data leak or spread would be possible.

When the compromised devices are offline, malware and hackers cannot spread to other IT devices on the network or contact command and control servers on the Internet. With the connection cut, common malware such as encryption Trojans also cannot send its key to the extortionist or attacker, which prevents the attackers from accessing the encrypted data.

For later forensic analysis, you should create an image of the infected system and memory. This way, you can later get critical information about the malware or the activities of the black hats that can be found in log files or memory.

As the IT manager or person responsible in your company, you must decide which variant is the right one for you and correctly classify your expertise. The important thing is that you act decisively and quickly.

2. Check dependencies, inform third parties

If the hacked systems serve as an entry or exit point to or from other companies and their networks, those companies must be notified. This lets you counteract possible propagation into their networks on the one hand and, if the origin of the compromise lies in another network, lets them start their own incident response on the other.

Devices that are essential to the business should be closely monitored. Limit their communication with the rest of the network to the absolute minimum or, if necessary, shut them down completely until a clean network can be established without compromise. This reduces potential consequential damage from an undetected infected or hacked device.

Particularly if you suspect that a compromise or hacking attack has been going on for a long time, you should consider restoring a backup from well before that time or even performing a complete reset. Inform potentially affected customers quickly in order to avert damage to them and to avoid damage to your reputation.

3. Check and change accounts

The next step is to check and change computer, service and user accounts. This will prevent already hacked accounts from being used for further attacks.

Newly created accounts should be analyzed. Accounts suspected of being hacked and legacy accounts should be deactivated and their permissions revoked. Change the existing credentials of all remaining accounts and thoroughly review existing permissions. This will minimize the risk of over-privileged accounts.

Include in these changes and reviews not only corporate services, but also private services (e.g., social media platforms, sharing platforms) used with the same credentials, if applicable.
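As an added PowerShell example for this step (not from the original article), the script below builds the inventory that the account review needs from Entra ID via the Microsoft Graph PowerShell SDK: every user with its creation date, last sign-in and directly assigned directory roles, flagged as "new since the suspected compromise", "stale" or "privileged", plus application registrations created in the same window. It then disables only the accounts a reviewer has confirmed. The 30-day window, the 90-day stale threshold, the scopes and the CSV file names are assumptions; reading `signInActivity` requires an Entra ID P1 or P2 licence.

```powershell
# Added example (not from the original article): account inventory for the
# review in step 3, plus disabling of reviewer-confirmed accounts.
param(
    [datetime]$SuspectedSince = (Get-Date).AddDays(-30),  # assumption
    [int]$StaleDays = 90                                  # assumption
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All', 'Directory.Read.All', 'Application.Read.All'

$users = Get-MgUser -All -Property Id, UserPrincipalName, CreatedDateTime, AccountEnabled, SignInActivity, UserType

function Get-DirectoryRoleNames {
    # Directory roles the user is a direct member of. Roles inherited through
    # group membership are not shown here, so review privileged groups separately.
    param([string]$UserId)
    Get-MgUserMemberOf -UserId $UserId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }
}

$staleBefore = (Get-Date).AddDays(-$StaleDays)

$review = foreach ($u in $users) {
    $lastSignIn = $u.SignInActivity.LastSignInDateTime
    $roles = @(Get-DirectoryRoleNames -UserId $u.Id)
    [pscustomobject]@{
        Upn            = $u.UserPrincipalName
        Type           = $u.UserType          # Member or Guest
        Enabled        = $u.AccountEnabled
        Created        = $u.CreatedDateTime
        LastSignIn     = $lastSignIn
        Roles          = ($roles -join ';')
        # Review flags: created during the suspected window, no sign-in for a
        # long time (legacy account), or holding a directory role.
        NewSinceAttack = ($u.CreatedDateTime -ge $SuspectedSince)
        Stale          = ($null -eq $lastSignIn -or $lastSignIn -lt $staleBefore)
        Privileged     = ($roles.Count -gt 0)
    }
}

# Application registrations created in the window belong in the same review:
# an application with its own credentials and permissions is an account too.
$newApps = Get-MgApplication -All -Property Id, AppId, DisplayName, CreatedDateTime |
    Where-Object { $_.CreatedDateTime -ge $SuspectedSince }

$review  | Export-Csv -Path 'account-review.csv' -NoTypeInformation
$newApps | Select-Object DisplayName, AppId, CreatedDateTime |
    Export-Csv -Path 'new-apps.csv' -NoTypeInformation

# Disable only what the reviewers confirmed. Disabling every flagged account
# automatically would lock out legitimate staff during the incident.
$confirmed = @()   # e.g. Import-Csv 'confirmed-to-disable.csv' | ForEach-Object Upn
foreach ($upn in $confirmed) {
    Update-MgUser -UserId $upn -AccountEnabled:$false
    $null = Revoke-MgUserSignInSession -UserId $upn
    Write-Host "Disabled $upn"
}

$review | Where-Object { $_.NewSinceAttack -or $_.Privileged } |
    Format-Table Upn, Created, Roles, Enabled -AutoSize
```

Calling `Get-MgUserMemberOf` once per user is slow in a large tenant; enumerating the members of each directory role with `Get-MgDirectoryRoleMember` and joining the result is the faster route. The credential changes the article calls for (password resets, rotation of application secrets and keys) are still done separately, after this list has been reviewed.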

4. Have the hacked system forensically examined

After a hacking incident, it is essential to have your system forensically analyzed by a competent IT professional, especially if legal action is to be taken.

For a forensic analysis it is important that the original data is not changed, so that any manipulation, whether by the forensic expert or by third parties, can be ruled out. As a rule, the examination is therefore carried out on images in a sandbox environment.
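The two passages above (creating an image of the infected system and memory in variant 2, and leaving the original data unchanged for the forensic examination) share one practical requirement: being able to prove later that the evidence you handed over is what you acquired. The following PowerShell script is an added example, not from the original article, that records a SHA-256 manifest of everything in an evidence directory and later verifies a working copy against it. Paths and the directory layout are placeholders; it relies only on the built-in `Get-FileHash` cmdlet.

```powershell
# Added example (not from the original article): integrity manifest for acquired
# evidence (disk and memory images, exported logs) and a verification function.

function New-EvidenceManifest {
    # Hash every file under $EvidenceDir, write a read-only JSON manifest and
    # return the manifest's own SHA-256 for the chain-of-custody record.
    param(
        [Parameter(Mandatory)][string]$EvidenceDir,
        [Parameter(Mandatory)][string]$ManifestPath,
        [string]$Collector = $env:USERNAME
    )
    $root = $EvidenceDir.TrimEnd('\', '/')
    $entries = Get-ChildItem -Path $root -File -Recurse | ForEach-Object {
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            SizeBytes    = $_.Length
            Sha256       = $h.Hash
            Acquired     = $_.LastWriteTimeUtc.ToString('o')
        }
    }
    $manifest = [pscustomobject]@{
        CreatedUtc = (Get-Date).ToUniversalTime().ToString('o')
        Collector  = $Collector
        Host       = $env:COMPUTERNAME
        Files      = @($entries)
    }
    Set-Content -Path $ManifestPath -Value ($manifest | ConvertTo-Json -Depth 4) -Encoding UTF8
    Set-ItemProperty -Path $ManifestPath -Name IsReadOnly -Value $true
    (Get-FileHash -Path $ManifestPath -Algorithm SHA256).Hash
}

function Test-EvidenceManifest {
    # Return one object per file that is missing or whose hash no longer matches;
    # an empty result means the copy is identical to the acquisition.
    param(
        [Parameter(Mandatory)][string]$EvidenceDir,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $manifest = Get-Content -Path $ManifestPath -Raw | ConvertFrom-Json
    foreach ($f in $manifest.Files) {
        $path = Join-Path $EvidenceDir $f.RelativePath
        if (-not (Test-Path -Path $path)) {
            [pscustomobject]@{ RelativePath = $f.RelativePath; Problem = 'missing' }
            continue
        }
        $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($actual -ne $f.Sha256) {
            [pscustomobject]@{ RelativePath = $f.RelativePath; Problem = "hash mismatch ($actual)" }
        }
    }
}

# Usage with placeholder paths: hash the acquisition, note the manifest hash in
# the incident documentation, then check the working copy before analysis.
$manifestHash = New-EvidenceManifest -EvidenceDir 'E:\evidence\host01' -ManifestPath 'E:\evidence\host01.manifest.json'
Write-Host "Manifest SHA-256: $manifestHash"
$problems = @(Test-EvidenceManifest -EvidenceDir 'F:\working-copy\host01' -ManifestPath 'E:\evidence\host01.manifest.json')
if ($problems.Count -eq 0) { Write-Host 'Working copy matches the original acquisition.' }
else { $problems | Format-Table -AutoSize }
```

Write the manifest hash into the incident documentation started in step 1 (who acquired what, when, on which host); the manifest then ties every later analysis result back to an unchanged original, which is exactly what the forensic expert and any legal proceedings will ask for.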

In the forensic part, detailed checks are performed to record the nature and impact of the compromise caused by the hack. The vulnerabilities through which the systems were hacked are identified. This results in further steps, such as applying security updates to the hacked services to prevent further systems in the corporate network from being infected.

After the analysis, the forensic expert can recommend whether data can possibly still be salvaged, or whether a further infestation could be imminent (for example, because a worm has spread into a backup) and restoring from it should therefore be avoided.

5. Clean up infected systems, close vulnerabilities, security hardening

Following the forensic analysis, the infected systems are searched for remnants of the hackers and malware and cleaned of them. It is important to ensure that the hacked systems are truly clean.

Depending on the severity and nature of the compromise, you can reinstall the systems after wiping and reformatting the storage - preferably with a backup that was definitely created before the compromise. However, you may need to revert to the image of the system that was created before it was brought into the production environment.

Subsequently, all necessary patches are applied, unused services are switched off, and vulnerabilities that have been exploited are eliminated. In particularly severe cases, economic considerations and operational requirements may also necessitate a new procurement of the systems.


6. Reintegrate systems

Before reintegrating the affected and re-provisioned systems into the production environment, another important step is necessary: Establish measures and phases to ensure that no new compromise of systems occurs. These should include the following:

  • Integration period
  • How to test whether the systems are fully functional and clean
  • Duration of monitoring for abnormal behavior
  • Information on which tools are used to monitor and test the systems for their behavior

7. Normal operation

After successfully completing the previous steps, you must finally make the decision to switch from emergency mode to normal mode. Carry out this step jointly in your company depending on the previous results and after working through the checklists.

It is important here to bring the users along as well. Communicate the upcoming change clearly and ask for heightened awareness during the transition, in case it was a targeted or inside attack. This is the only way to avoid another incident immediately afterwards.

Draw the consequences after you have been hacked

Finalize the documentation

The most important step in an incident response is the lessons learned and the consequences drawn from them. This includes finalizing all documentation on the incident, at the latest at this point.

Design the incident documentation so that you can answer the following questions at any point during the incident:

Who? What? Where? Why? How?

On the one hand, the documentation should serve as a basis for drawing conclusions for your company's IT environment. On the other hand, you can use it for training your IT staff and as reference material in case you are hacked again.

The documentation is used to have a proven successful guide should a similar incident happen, as well as to improve the incident response process.

Meeting: Lessons Learned

Finally, you should hold a lessons learned meeting based on the documentation that includes the following:

  • When was the compromise first noticed, and by whom?
  • What was the scale of the incident?
  • How was the compromise contained and eliminated?
  • What measures have been taken for reintegration?
  • Which areas need to be improved in the future?

In addition, a roundtable discussion should be included where IT staff can discuss suggestions and issues to improve IT and the organization to increase overall effectiveness for future incidents.

TL;DR

Here you can find all 7 steps for handling a hacking incident as an overview:

1. From now on, write down all the steps taken and all the information collected. Stop the data leak and deny the attacker access to your system.
  • Variant 1: Leave infected devices online, but separate them cleanly from the rest of the company network.
  • Variant 2: Take infected devices offline.
2. Notify all companies for which your compromised systems serve as an exit or entry point. Also inform potentially affected customers about the incident.
3. Check all computer, service and user accounts and change all credentials. Analyze newly created accounts and deactivate accounts that are no longer needed. Check all existing permissions and adjust them if necessary. In addition to corporate services, also include private services such as social media platforms.
4. Have your IT system forensically examined by experts to record the type and impact of the hack and to find vulnerabilities. Be sure to leave the original data unchanged for the forensic examination. The examination is usually performed on images in a sandbox environment.
5. IT security experts make sure that your systems are cleaned of all remnants of the hackers. They close all vulnerabilities, for example by applying patches, and thus secure your network against future attacks.
6. Before reintegrating the affected systems, define the measures and phases that prevent a new compromise: the integration period; how to test the systems for functionality and cleanliness; the duration of monitoring for abnormal behavior; and the list of tools used to monitor the systems.
7. Make a joint decision in your company to switch from emergency operation to normal operation. Involve users in the process and ask them for heightened awareness during the transition phase.