Detection of hacking attacks:
Detecting whether your system has been hacked requires a combination of detailed logging, general network monitoring, granular control of data flows and of the permissions granted within the corporate infrastructure, and, ultimately, the watchful eye of administrators. Through IT Security Consulting, you can obtain expert advice or a vulnerability analysis of your system even before an incident occurs.
The following steps should be completed if you have been hacked, in order to prevent further damage:
Step 1: Start documenting and disconnect the compromised devices from the Internet and from internal networks (intranet).
Disconnecting from the network and the Internet should be the first step and must be done to avoid further damage once you have been hacked. It prevents the malware or the black hats from spreading to other IT devices on the network and from contacting command & control servers on the Internet. With the connection cut, common malware such as encryption Trojans cannot transmit the key to the extortionist or attacker, which denies the attacker(s) access to the encrypted data. For later forensic analysis, an image of the infected system as well as of its RAM should be created, so that critical information about the malware or the activities of the black hats, which can be found in log files or in memory, remains available.
Accurate documentation of what happened after you discovered you were hacked, and of the steps taken, is mandatory. It will not only be helpful in later reviews of this incident but will also serve as evidence in possible legal follow-ups.
Step 2: Check dependencies, inform third parties
If the hacked systems serve as an exit or entry point to or from other companies and their networks, those companies must be notified so that they can counteract any possible propagation into their networks, or launch their own incident response if the compromise originated there.
Devices that are of essential importance to the company must be closely inspected and closely monitored from then on. Their communication with the rest of the network must be limited to the absolute minimum or, if necessary, shut down until a clean network can be established in which a compromise can be ruled out. This reduces the potential consequential damage caused by an infected or hacked device that has not yet been detected.
Particularly where a compromise or hacking attack is suspected to have been going on for some time, restoring a backup from well before that period, or a complete reset, must be considered. Potentially affected customers must be informed quickly to prevent damage to them and to limit further reputational damage.
Step 3: Verify and change computer, service, and user accounts
This prevents accounts that have already been compromised from being used for further attacks. Newly created accounts should be analyzed. Accounts suspected of being compromised, as well as legacy accounts, should be deactivated and their privileges revoked. The credentials of all existing accounts should be changed, and an in-depth review of existing privileges should be performed to minimize the risk from over-privileged accounts. This applies not only to corporate services but also to private services (e.g., social media platforms, exchange platforms) that are used with the same credentials.
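The account review described in Step 3 can be driven from an exported account inventory. The following Python is an added example, not code from the original article: it works on a constructed inventory (names, dates and privilege sets are made up), and the baseline of expected privileges is an assumption standing in for the results of a privilege review.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Account:
    name: str
    kind: str                      # "user", "service" or "computer" (Step 3's three account types)
    created: date
    last_logon: Optional[date]     # None means the account has never logged on
    privileges: frozenset = frozenset()

# Constructed sample inventory; every name and date here is made up for the example.
INVENTORY = [
    Account("alice", "user", date(2019, 3, 1), date(2023, 5, 20), frozenset({"domain-admin"})),
    Account("bob", "user", date(2020, 7, 15), date(2023, 5, 21)),
    Account("helpdesk2", "user", date(2023, 5, 12), date(2023, 5, 19), frozenset({"domain-admin"})),
    Account("svc-backup", "service", date(2018, 1, 9), date(2023, 5, 21), frozenset({"backup-operator"})),
    Account("svc-legacy-erp", "service", date(2015, 6, 2), date(2021, 2, 3), frozenset({"local-admin"})),
    Account("ws-017$", "computer", date(2022, 10, 30), None),
]

# Assumed baseline: privileges each account is expected to hold after a privilege review.
BASELINE = {"alice": {"domain-admin"}, "svc-backup": {"backup-operator"}}

def triage(accounts, suspected_since, today, dormant_days=180, baseline=BASELINE):
    """Sort an inventory into the groups Step 3 asks about.

    new_since_compromise: accounts created on/after the suspected start of the compromise
    dormant:              legacy accounts with no logon for more than dormant_days
    over_privileged:      accounts holding privileges beyond their baseline
    rotate_credentials:   every account, because all credentials are to be changed
    """
    new, dormant, over_priv = [], [], []
    for acct in accounts:
        if acct.created >= suspected_since:
            new.append(acct.name)
        last_activity = acct.last_logon or acct.created   # never-used accounts count from creation
        if (today - last_activity).days > dormant_days:
            dormant.append(acct.name)
        extra = acct.privileges - baseline.get(acct.name, set())
        if extra:
            over_priv.append((acct.name, sorted(extra)))
    return {
        "new_since_compromise": new,
        "dormant": dormant,
        "over_privileged": over_priv,
        "rotate_credentials": [acct.name for acct in accounts],
    }
```

Accounts in the first three groups are candidates for deactivation and privilege revocation as described above; the last group is simply the full list whose credentials must be changed.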
Step 4: Forensic examination of the compromised system
It is essential to have the hacked system forensically analyzed by a competent IT professional, especially if legal action is to be taken.
For a forensic analysis it is important that the original data are not altered, in order to rule out any manipulation by the forensic expert or by third parties.
As a rule, the examination will take place using images in a sandbox environment.
In the forensic phase, detailed checks are performed to record the nature and impact of the compromise, to identify the vulnerabilities through which the systems were hacked, and thus to initiate further steps. For example, security updates can be applied to the services that were hacked to prevent further systems in the corporate network from being compromised.
After the analysis, the forensic expert can recommend whether data can still be salvaged, or whether restoring from a backup should be discouraged because a worm contained in that backup could cause a renewed infection.
Step 5: Cleaning up the infected systems, closing vulnerabilities, security hardening
In this phase, the infected systems are scanned for remnants left behind by the black hats and by malware, and cleaned of them.
It is important to make sure that the hacked systems are really clean.
Depending on the severity and nature of the compromise, the systems can be reinstalled after wiping and reformatting the storage, preferably from a backup that was definitely created before the compromise. However, it may be necessary to revert to the image of the system that was created before it was brought into the production environment. Subsequently, all necessary patches are applied, unused services are shut down, and the vulnerabilities that were exploited are eliminated.
In particularly severe cases, it may also be necessary to procure new systems, where this is economically justified and in line with operational requirements.
Step 6: Reintegration
Before reintegrating the prepared systems into the production environment, measures and phases must be defined to ensure that the reintegration neither compromises those systems again nor compromises the other systems.
This primarily includes the timing of the reintegration, how to test whether the systems are fully functional and clean, the duration of monitoring for abnormal behavior, and which tools are used to monitor and test the systems' behavior.
Conclusion: Consequences of a successful incident:
The most important step in incident response is the lessons learned and the consequences drawn from them.
This includes, at the latest at this point, bringing the documentation of the incident to a close.
The documentation of the incident itself should be designed in such a way that the following questions can be answered at any time during the incident: Who, What, Where, Why and How.
On the one hand, the documentation should serve as a basis for drawing consequences for the company's IT environment. On the other hand, it should serve to train IT personnel and act as reference material for future incidents. It also provides a proven guide should a similar incident occur, and a basis for improving the incident response process.
Finally, a lessons learned meeting should be held that should include the following based on the documentation:
- When was the compromise first noticed, and by whom?
- What was the extent of the incident?
- How was the compromise contained and remediated?
- What recovery actions were taken?
- Which areas need to be improved?
Additionally, hold a roundtable discussion in which IT staff can raise suggestions and issues for improving IT and the organization, so as to increase overall effectiveness in future incidents.
Source reference to the SANS Institute’s Incident Handlers Handbook: