Perhaps a compromised e-mail was opened, or attackers exploited a broad security gap like the one in Microsoft Exchange Server in the spring of 2021: hacker attacks are a real threat to companies and can quickly become expensive. If the worst-case scenario occurs, it is important to avoid destroying evidence wherever possible. An incident response team can then get to work restoring the integrity of the systems.

Help, hacker attack! What companies should do in case of emergency

Help, hacker attack!

When companies notice an attack, panic quickly spreads: employees are sent home and attempts are made to limit the damage. The key, however, is to remain calm and call in an expert as soon as possible.

Malware must not be deleted once it has been identified: deleting it makes the work of the incident response team more difficult, because traces can be destroyed or manipulated in the process. Further use of the affected system should also be avoided. Nor is it advisable to restore backups yourself, as these can be infected too. On the other hand, it can make sense to isolate the infected systems. The attacker will then know they have been discovered, but early isolation can prevent them from moving further through the network.

Monitor system behavior centrally

IT managers have the ability to monitor the behavior of systems and processes centrally and to collect data from all devices on the network, which allows quick conclusions to be drawn in the event of an attack. With such a central solution, attack patterns can at best be discovered immediately during evaluation – for example, if hundreds of login attempts accumulate on a single device within a few minutes.
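As an added illustration of the threshold detection just described (example code written for this page, not SECUINFRA's or the article's own tooling): the script constructs a handful of sshd-style log lines and flags any host that accumulates 100 failed logins inside a five-minute sliding window, recording the window and the source addresses for the handover to the response team. The log format, hostnames and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches a syslog-style sshd failure line (assumed format for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def make_sample():
    """Constructed auth log: a 2-minute burst on host-a, sparse noise on host-b."""
    base = datetime(2021, 3, 8, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} host-a sshd[1001]: "
             f"Failed password for invalid user admin from 203.0.113.7 port {50000 + i} ssh2"
             for i in range(120)]
    lines += [f"{(base + timedelta(minutes=12 * i)).isoformat()} host-b sshd[2002]: "
              f"Failed password for alice from 198.51.100.4 port 41000 ssh2"
              for i in range(5)]
    lines.append(f"{base.isoformat()} host-b sshd[2002]: Accepted password for alice "
                 "from 198.51.100.4 port 41001 ssh2")  # success lines are ignored
    return "\n".join(lines)

def parse_failures(text):
    """Yield (timestamp, host, source_ip) for every failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["src"]

def burst_hosts(text, threshold=100, window=timedelta(minutes=5)):
    """Flag hosts that see `threshold` failed logins inside any sliding `window`.
    Returns {host: {"count", "first", "last", "sources"}} for the first window that trips."""
    recent = defaultdict(deque)     # host -> timestamps still inside the window
    sources = defaultdict(set)      # host -> source IPs seen for that host
    alerts = {}
    for ts, host, src in sorted(parse_failures(text)):
        q = recent[host]
        q.append(ts)
        sources[host].add(src)
        while ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = {"count": len(q), "first": q[0], "last": ts,
                            "sources": sorted(sources[host])}
    return alerts

if __name__ == "__main__":
    for host, a in burst_hosts(make_sample()).items():
        print(f"{host}: {a['count']} failed logins between {a['first']} and {a['last']} from {a['sources']}")
```

Lowering the threshold or widening the window trades noise for sensitivity; the sparse host-b failures only trip the rule at a threshold of 3 over an hour.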

All observations and measures taken should be documented in writing for the response team. This includes all changes made to the system, but also the observed behavior of the system and tips from employees. Such suspicions are relevant, as are the answers to the questions: Who was the last person to use the system, and what was done on the system after the attack was noticed?

Source: SECUINFRA

Once the response team is in the picture, the next step is to define the scope and the mission objective: What support does the company need? Has data been stolen? Should the course of the attack be determined? Which systems are clean? Does recovery need to take place? The tools the response team brings to the table depend on these answers. Most often, the goal is to find patient zero in a root cause analysis and to determine which parts of the system are infected.

Provide cyber detectives with information

Cyber detectives use the available information and various data sources to track down the attacker. Ideally, the team has an overview of the IT systems with servers and clients and of the types of systems in use, and knows whether employees are allowed to work with their own devices – which is no small additional risk for attacks. The logging policy reveals the processes and behavior of the security systems, such as which sources are connected and at which intervals logging takes place. Security tools also usually have a logging function and provide further information.

In the best case, networks are segmented and users are assigned roles and access rights, which makes an attack more difficult. It is also important for the response team to know the patch status of systems such as web servers that can be reached from outside. If these have not been patched for some time, they are a likely entry point for attackers.

Conclusion

A hacker attack comes as a shock to many companies. The most important thing is to remain calm and call in experts. The less that is done to the systems, the better – that way no traces are covered up, and the incident response team can more easily trace the course of the attack, clean up the systems and restore them.

SECUINFRA Falcon Team · Author


Digital Forensics & Incident Response experts


The SECUINFRA Falcon Team specializes in Digital Forensics (DF) and Incident Response (IR). This includes classic host-based forensics, but also topics such as malware analysis and compromise assessment. In addition to the work carried out on customer engagements, the Falcon Team is responsible for the operation, further development and research of various projects and topics in the DF/IR area, such as threat intelligence and the creation of detection rules based on Yara.