You’ve been hacked. What now?
23 September 2015
For IT directors, there is perhaps one telephone call that will stop them in their tracks: the "we’ve been hacked" call.
An IT department may have taken all the necessary precautions to ensure that they prevent a security breach, and yet shrewd attackers may still get through. Once you’ve been hacked, how does a business deal with the fallout?
As hackers have become increasingly intelligent in their approach, organisations need to be prepared for such situations.
Cybercriminals are constantly looking to new tools and methods, which not all businesses can anticipate or protect against. Crucially, as criminals have grown more sophisticated, and as state-sponsored attacks have increased, the likely motives and methods have changed. This signifies a shift from the old days where hacks were very visible.
Today, advanced, tenacious threats are the norm. Worryingly, the average number of days hackers remain undetected on a network is 243 days. Eight months! That’s a lot of time to steal data.
Often, malware doesn’t want to be detected and generally won’t be seen directly. Rather, companies will become aware due to its effects. This could simply be noticing that your computer is doing strange things. Equally, in financial malware scenarios, employees may notice money missing from their accounts or on their credit cards.
Companies can also look for signs such as unusual network traffic and unusual systems access patterns. Savvy companies will use experienced investigators to analyse their logs for signs of malicious activity, and log analysis tools like Splunk can help here by providing a layer of business intelligence on top of otherwise unfathomable system logs.
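The "unusual systems access patterns" mentioned above are easier to picture with a concrete check. The script below is an added example, not code from the original article or from any vendor it names: it parses a handful of constructed sshd-style log lines, learns which source addresses each account normally logs in from, and then flags successful logins from a never-seen address, logins outside business hours, and a success that directly follows a run of failed attempts. The log lines, hostnames, usernames and addresses are all invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in syslog/sshd format; not real data.
# The "baseline" set represents a quiet period used to learn normal behaviour.
BASELINE_LOGS = [
    "Sep 01 09:12:41 web1 sshd[2001]: Accepted publickey for alice from 10.0.0.12 port 50122 ssh2",
    "Sep 02 10:03:17 web1 sshd[2002]: Accepted publickey for alice from 10.0.0.12 port 50190 ssh2",
    "Sep 03 14:45:09 web1 sshd[2003]: Accepted publickey for bob from 10.0.0.20 port 50310 ssh2",
    "Sep 04 16:20:55 web1 sshd[2004]: Accepted publickey for bob from 10.0.0.21 port 50333 ssh2",
]

# The "recent" set is the window being investigated.
RECENT_LOGS = [
    "Sep 22 11:02:10 web1 sshd[3001]: Accepted publickey for alice from 10.0.0.12 port 51001 ssh2",
    "Sep 23 02:14:01 web1 sshd[3002]: Failed password for bob from 203.0.113.5 port 40001 ssh2",
    "Sep 23 02:14:03 web1 sshd[3003]: Failed password for bob from 203.0.113.5 port 40002 ssh2",
    "Sep 23 02:14:05 web1 sshd[3004]: Failed password for bob from 203.0.113.5 port 40003 ssh2",
    "Sep 23 02:14:09 web1 sshd[3005]: Accepted password for bob from 203.0.113.5 port 40004 ssh2",
    "Sep 23 15:30:00 web1 sshd[3006]: Accepted publickey for bob from 10.0.0.20 port 51020 ssh2",
]

LOG_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(line):
    """Return a dict of fields for an sshd auth line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["hour"] = int(ev["time"].split(":")[0])
    return ev


def build_baseline(lines):
    """Map each user to the set of source IPs they successfully logged in from."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev and ev["result"] == "Accepted":
            seen[ev["user"]].add(ev["ip"])
    return seen


def find_anomalies(baseline, lines, business_hours=(8, 18), fail_threshold=3):
    """Flag successful logins that deviate from the learned baseline or context."""
    findings = []
    fails = defaultdict(int)  # (user, ip) -> failed attempts since last success
    for line in lines:
        ev = parse(line)
        if not ev:
            continue
        key = (ev["user"], ev["ip"])
        if ev["result"] == "Failed":
            fails[key] += 1
            continue
        base = {"user": ev["user"], "ip": ev["ip"], "line": line}
        if ev["ip"] not in baseline.get(ev["user"], set()):
            findings.append(dict(base, reason="new_source_ip"))
        if not business_hours[0] <= ev["hour"] < business_hours[1]:
            findings.append(dict(base, reason="outside_business_hours"))
        if fails[key] >= fail_threshold:
            findings.append(dict(base, reason="success_after_failures"))
        fails[key] = 0  # a success resets the failure counter for that pair
    return findings


if __name__ == "__main__":
    for f in find_anomalies(build_baseline(BASELINE_LOGS), RECENT_LOGS):
        print(f"{f['reason']:24} {f['user']}@{f['ip']}  {f['line']}")
```

Against the constructed data the script reports three findings, all for the same login of `bob` from `203.0.113.5` at 02:14: a new source address, an out-of-hours login, and a success following three failures. Each rule on its own is noisy; the value for an investigator is in the overlap, which is the kind of correlation the log-analysis tools mentioned above are used for.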
Put a plan in place
One of the worst things that can happen to a company that has already been compromised is not knowing what to do next.
As much as we may not want to admit to the possibility of a security breach, it’s important that organisations have a “what if” plan in place that allows them to react quickly. This should be detailed and well-rehearsed so that the business can immediately spring into action.
This playbook should include information about who to call. A very small percentage of businesses have the skills and expertise in-house to carry out a forensic analysis of how and why an attack has happened – and how they can prevent it from taking place in the future.
Specialists will extend beyond forensic security analysts and infrastructure managers into other areas too. There is of course a legal and compliance part of the puzzle, as well as involving media and communications staff to discuss both internal and external messaging.
These areas can – and should – work in tandem. For instance, technology staff who analyse lost or compromised data should then inform the legal team, who can then work out whether the lost data impacts customers and requires notification. Communications staff can then reach out accordingly.
Some of the worst responses are down to a lack of information, a lack of transparency, and in the worst cases, complete denial. By having a prepared plan in place, however, with dedicated teams responsible for specific areas, the business can work in sync to minimise the impact of the fallout as best it can.
A mature plan will break down into at least three main parts: containment, mitigation, and cleanup.
Keeping the attack contained
Once an attack has taken place, it’s crucial it doesn’t go any further – a kind of digital sandbag, if you will, to prevent further injury. After closing in on the attacker, this is the first action that the response team should take, largely because it is near impossible to mitigate what cannot be contained.
This containment can be a difficult task. Attackers are stealthy, making it difficult for businesses or security experts to see how far hackers have got in their attack.
You could possibly enlist your vendors’ response teams to navigate this. Typical candidates are antivirus companies or ethical hackers who can be brought in to look at patterns that are interesting in terms of who these attackers are, and where their interest lies.
Mitigation and clean-up
After the containment comes the mitigation. At this stage, the security response team should have identified the weak spot. In short, how the attacker got inside.
Was it unpatched Windows workstations? Or a misconfigured web server? Batten down the hatches and close the door to fresh attacks, unless you want to find yourself in an endless cycle of cleanup and reinfection. Completely removing the malware and fixing any compromised user accounts is the next crucial step.
Once you’ve carefully evicted the attackers from corporate systems and surveyed the extent of the damage, the organisation must look to repairing as much of that damage as possible. This includes reinstalling compromised systems from known, good media and potentially restoring data from backup.
Added to this, businesses must reconfigure network and server software, monitoring its operation for a set time in order to ensure that everything is working as it should.
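Reinstalling from known, good media and then watching the rebuilt system only helps if you can tell when it drifts from that known-good state. The following is an added example, not code from the original article or from any product it mentions: it hashes every file under a directory tree to build a manifest from a golden image, then compares a rebuilt host's tree against that manifest and reports files that were modified, are missing, or were not part of the image at all. The `demo()` function builds both trees in temporary directories from constructed contents (the file names and contents are invented for the example) so the script runs offline.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Hash every regular file under root; keys are '/'-separated paths relative to root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_against_manifest(root, manifest):
    """Compare the tree under root with a known-good manifest.

    Returns sorted lists of paths whose content changed, that are absent,
    and that exist on the host but were never part of the golden image.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def _write_tree(root, files):
    """Materialise a {relative_path: bytes} mapping under root (test fixture helper)."""
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Constructed scenario: golden image versus a rebuilt host with three deviations."""
    golden = {
        "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
        "usr/local/bin/backup.sh": b"#!/bin/sh\nrsync -a /srv /mnt/backup\n",
        "etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
    }
    rebuilt = dict(golden)
    # A hardening setting silently weakened on the rebuilt host.
    rebuilt["etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication yes\n"
    # A file from the image that never made it onto the rebuilt host.
    del rebuilt["etc/cron.d/backup"]
    # A file present on the host that is not part of the image.
    rebuilt["etc/cron.d/extra"] = b"# not part of the golden image\n"
    with tempfile.TemporaryDirectory() as g, tempfile.TemporaryDirectory() as r:
        _write_tree(g, golden)
        _write_tree(r, rebuilt)
        return verify_against_manifest(r, build_manifest(g))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:10} {paths}")
```

In practice the manifest is generated once from the trusted installation media or a freshly built reference host, stored off the system it describes, and the comparison is re-run on a schedule during the monitoring window the article describes; a non-empty `modified` or `unexpected` list is the trigger to investigate rather than assume the rebuild is clean.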
Perhaps the only benefit of having been attacked is that you can learn from it. This includes carrying out a post-mortem with tangible insights that can then be fed into a company security policy, as well as the wider business strategy. You may discover that you need to embark on an internal education phase that addresses training and awareness for example.
No one likes facing adversity, but one true test of an IT director’s character lies in how they deal with it. When hackers strike, the truly savvy IT decision maker will have the tools and contacts in place to get the job done.
Mark Lomas is an IT consultant at Icomm Technologies.