Hacker attack! What now?
A company has been targeted by hackers, error messages are popping up, perhaps initial system parts have already been locked down and extortion messages have been sent. The attacker will try to advance to accounts with more privileges to steal data or use a Trojan to encrypt systems. If he reaches domain controller privileges, this is the worst case for companies, as it literally opens all doors for the attacker.
When companies notice an attack, panic quickly spreads, employees are sent home and attempts are made to limit the damage. The key here is to remain calm and call in an expert as quickly as possible who, with an incident response team, can retrace the course of the attack and make recommendations as to which systems can be restored and with which backups. To make the cyber detectives’ job easier, companies should keep a few things in mind. It is optimal if an IT expert can already estimate the extent of the damage.
DO NOT DELETE MALWARE, ISOLATE SYSTEMS IF POSSIBLE
Malware must not be deleted once it has been identified. This makes the response team’s work more difficult, as traces can be destroyed or manipulated in this way. In addition, the deletion process usually comes too late, and the probability of identifying all affected systems is low. It is better to leave the system in its as-is state so that the experts can recover and analyze evidence and draw conclusions about the attacker’s modus operandi and tools. Further use of the system should also be avoided if possible. It is also not advisable to import backups yourself, as these can also be infected.
On the other hand, it can make sense to isolate the infected systems if possible. Although the attacker then knows that he has been detected, early isolation can prevent him from moving further in the network. However, there is a risk that isolation will not be fully successful if the scope of the attack is not yet known. It is therefore important to be able to give a valid assessment of how far the hacker has penetrated – not an easy task for most system administrators.
It also makes sense to disconnect affected devices from the network, and in the case of a laptop, to switch off the WLAN and connect it to the power supply. The procedure for servers depends on how they work and how they are used: if a server is business-critical because it provides the online store, for example, it would still be advisable to isolate the device, otherwise an attacker could spread across the network. The affected company must make the decision – in principle, however, it is usually advisable to isolate more rather than less.
In the case of ransomware attacks, backups are the only way to restore systems. Therefore, they must be stored separately outside the network and be available offline. Only in this way do companies avoid the risk of their backups being encrypted as well in the event of an attack and thus becoming worthless.
MONITOR SYSTEM BEHAVIOR AND QUICKLY IDENTIFY ANOMALIES
IT managers can monitor the behavior of systems and processes and collect and visualize data from all devices in the network, which allows quick conclusions to be drawn in the event of an attack and provides a solid basis for decision-making. For example, messages from antivirus scanners, which otherwise only the user would see, can be forwarded to the admin. With such a central solution, attack patterns can in the best case be spotted immediately during evaluation, for example, if hundreds of login attempts accumulate on a device within a few minutes.
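The login-burst pattern mentioned above, as an added example (not code from the original article or from SECUINFRA): a small detector that parses constructed, syslog-like login records, keeps a sliding time window of failed attempts per host, and reports any host whose failures within that window reach a threshold. The log line format, host names, user names and IP addresses are all constructed for the example; a real collector would first normalise the vendor formats of its sources.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format (hypothetical): "<ISO timestamp> host=<h> user=<u> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_login_bursts(lines, threshold=100, window_minutes=5):
    """Return {host: alert} for every host whose failed logins within any sliding window of
    window_minutes reach the threshold. The alert records the densest window seen for that host
    and the distinct source addresses involved. Lines are sorted by timestamp before processing."""
    window = timedelta(minutes=window_minutes)
    records = [r for r in map(parse_line, lines) if r is not None and r["result"] == "FAIL"]
    records.sort(key=lambda r: r["ts"])

    recent = defaultdict(deque)  # host -> failed-login records still inside the window
    alerts = {}
    for rec in records:
        host = rec["host"]
        q = recent[host]
        q.append(rec)
        # drop failures that have aged out of the window
        while rec["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(host, {}).get("count", 0):
            alerts[host] = {
                "count": len(q),
                "window_start": q[0]["ts"],
                "window_end": rec["ts"],
                "sources": sorted({r["src"] for r in q}),
            }
    return alerts


def build_sample_log():
    """Constructed sample: an hour of normal activity on workstation ws17 (one typo-style failure),
    plus 150 failed logins against file server fs01 from one source within 150 seconds."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    lines = []
    for i in range(12):
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t.isoformat()} host=ws17 user=mmueller src=10.0.7.41 result=OK")
    t = base + timedelta(minutes=7)
    lines.append(f"{t.isoformat()} host=ws17 user=mmueller src=10.0.7.41 result=FAIL")
    for i in range(150):
        t = base + timedelta(minutes=20, seconds=i)
        lines.append(f"{t.isoformat()} host=fs01 user=administrator src=10.0.5.23 result=FAIL")
    lines.append("this line is malformed and is skipped by the parser")
    return lines


if __name__ == "__main__":
    for host, alert in find_login_bursts(build_sample_log()).items():
        print(f"{host}: {alert['count']} failed logins between "
              f"{alert['window_start']:%H:%M:%S} and {alert['window_end']:%H:%M:%S} "
              f"from {', '.join(alert['sources'])}")
```

The single failed login on ws17 never reaches the threshold, while fs01 is reported once its window holds 100 failures and the alert is updated until the densest window (all 150) has been seen. In a central monitoring solution the same logic would run continuously over the collected events rather than over a list in memory.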
All observations and measures taken should be documented informally and in writing for the response team. They should be as accurate as possible and may be detailed. This includes all changes made to the system, such as a reboot, but also the behavior of the system or tips from employees, for example, if phishing emails were received, which continue to be the central gateway for hacker attacks. These suspicions are relevant, as are answers to the questions: who was the last person to use the system, and what was done in the system after the attack was noticed? Central here is the question of what happened when. This is because if there is clarity about the start of the attack, the security of backups can be assessed, for example, whether they were made before the attack.
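The "what happened when" record described above, together with the offline-backup point from the ransomware paragraph, as an added example that is not part of the original article: a written timeline of constructed observations (attacker indicators and the company's own actions), the earliest observed attacker indicator derived from it, and a first classification of constructed backups against that date. The seven-day safety margin is an assumption chosen for illustration, because the earliest indicator someone noticed is rarely the true start of the intrusion; the response team, not this script, decides which backup is actually restored.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Observation:
    when: datetime
    what: str
    who: str         # who reported or performed it
    attacker: bool   # True = indicator of attacker activity, False = action taken by the company


@dataclass
class Backup:
    name: str
    taken: datetime
    offline: bool    # stored outside the network and not reachable from it


# Constructed observations, written down in the order they were reported (not chronological).
OBSERVATIONS = [
    Observation(datetime(2024, 3, 4, 9, 20), "burst of failed logins on fs01", "monitoring", True),
    Observation(datetime(2024, 3, 4, 10, 5), "fs01 rebooted", "admin", False),
    Observation(datetime(2024, 3, 1, 8, 30), "phishing mail with attachment opened in accounting", "employee", True),
    Observation(datetime(2024, 3, 4, 10, 30), "fs01 disconnected from network", "admin", False),
    Observation(datetime(2024, 3, 3, 22, 15), "antivirus alert on ws17: suspicious macro", "AV console", True),
]

# Constructed backups; the dates are chosen to hit each classification once.
BACKUPS = [
    Backup("full-2024-02-11", datetime(2024, 2, 11, 2, 0), offline=False),
    Backup("full-2024-02-18", datetime(2024, 2, 18, 2, 0), offline=True),
    Backup("full-2024-02-25", datetime(2024, 2, 25, 2, 0), offline=True),
    Backup("incr-2024-03-03", datetime(2024, 3, 3, 23, 0), offline=True),
]


def format_timeline(observations):
    """Return the written timeline, one line per observation, in chronological order."""
    ordered = sorted(observations, key=lambda o: o.when)
    return [f"{o.when:%Y-%m-%d %H:%M}  {'ATTACKER' if o.attacker else 'COMPANY '}  {o.what} ({o.who})"
            for o in ordered]


def earliest_indicator(observations):
    """Earliest observed attacker indicator, or None if nothing attacker-related was recorded."""
    times = [o.when for o in observations if o.attacker]
    return min(times) if times else None


def assess_backups(backups, observations, margin_days=7):
    """Classify each backup relative to the earliest observed attacker indicator:
    not-offline  : reachable from the network, may itself have been encrypted
    after-start  : taken after the earliest indicator, may contain the attacker's changes
    uncertain    : taken before the indicator but inside the safety margin (assumed margin_days)
    candidate    : taken well before the indicator and stored offline; still to be verified
    unknown-start: no attacker indicator has been documented yet"""
    start = earliest_indicator(observations)
    margin = timedelta(days=margin_days)
    result = {}
    for b in backups:
        if not b.offline:
            result[b.name] = "not-offline"
        elif start is None:
            result[b.name] = "unknown-start"
        elif b.taken >= start:
            result[b.name] = "after-start"
        elif start - b.taken <= margin:
            result[b.name] = "uncertain"
        else:
            result[b.name] = "candidate"
    return result


if __name__ == "__main__":
    print("\n".join(format_timeline(OBSERVATIONS)))
    print("earliest attacker indicator:", earliest_indicator(OBSERVATIONS))
    for name, status in assess_backups(BACKUPS, OBSERVATIONS).items():
        print(f"{name}: {status}")
```

Keeping the company's own actions (reboot, disconnect) in the same timeline as the attacker indicators is what lets the response team later tell which traces were left by the attacker and which by the clean-up.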
KEEP CYBER DETECTIVES FULLY INFORMED
Once the response team is in the picture, the next step is to determine the scope and the objective of the engagement: what support does the company need – has data been stolen, should the attack history be determined, which systems are clean, does recovery or reconstruction need to occur? The tools that the response team brings with them depend on the answers. Most often, the goal is to find patient zero in a root-cause analysis and determine which parts of the system are infected.
The cyber detectives then use the available information and various data sources to track down the attacker. Ideally, the team gets an overview of the IT systems with servers and clients, the type of systems – Windows, Linux or Mac – and needs to know whether employees are allowed to work with their own devices, which not only poses an additional risk for attacks but also complicates data protection. The logging policy reveals the processes and behavior of security systems, such as which sources are connected and in which cycles logging takes place. Security tools also usually have a logging function and provide additional information.
In the best case, networks are segmented and users are assigned roles and access rights, making an attack more difficult. It is also important for the response team to know the patch status of the systems, especially the web servers that can be accessed from outside. If these have not been patched for a long time, they are a likely gateway for hackers. Threat intelligence in the form of a technical description of traces of past attacks may allow conclusions to be drawn about the current case: in the spring of 2021, for example, a vulnerability in Microsoft Exchange Server caused a wave of successful attacks.
An incident response team should be deployed early after an attack to trace the entry point and the attack and restore the integrity of the systems. (Source: SECUINFRA)
STAY IN THE LOOP AND LEARN FROM MISTAKES
IT managers and response experts stay in close communication during the deployment. On the one hand, this ensures that the response team receives all the necessary information and, on the other, that the IT managers remain up to date. Informal telephone calls are suitable for daily exchanges. It is helpful for the response team to have the participation of an IT specialist who can answer questions about systems, so that the team does not first have to obtain this information through a time-consuming analysis. The time it takes to avert an attack depends on a number of factors.
An incident is always a shock and usually expensive – it costs time, money, resources and brings negative PR. That’s why it’s all the more important to learn from it and take away recommendations for action on how to prevent attacks in the future and secure your systems. The importance of cyber security usually only becomes clear to companies once an attack has occurred. Again, the response team can provide an initial recommendation on what tools are needed to increase the level of security.
Companies should also consider communication with authorities and their reporting obligations. Depending on the damage, such as data leakage, various agencies must be notified; for companies with KRITIS status, for example, the BSI (German Federal Office for Information Security).
The company decides whether a crisis manager is deployed. In some cases, this role is also filled by external service providers. Their function is to provide organizational support and to work in an interdisciplinary manner. After all, a company’s legal department is usually just as affected by an attack as its communications department.
A hacker attack paralyzes many companies. It is better to remain calm and call in experts. The less that is done to the systems, the better – this way, no traces are covered and the incident response team can more easily trace the course of the attack, clean up the systems and restore them.