Help, hacker attack!
When companies notice an attack, panic quickly spreads: employees are sent home and attempts are made to limit the damage. The key, however, is to remain calm and call in an expert as soon as possible.
Malware must not be deleted once it has been identified: deleting it makes the incident response team's work more difficult, as traces can be destroyed or manipulated in the process. Further use of the affected system should also be avoided, and it is not advisable to restore backups yourself, as these may also be infected. Isolating the infected systems, on the other hand, can make sense. The attacker then knows that they have been discovered, but early isolation can prevent them from moving further through the network.
Monitor system behavior centrally
IT managers can monitor the behavior of systems and processes and collect data from all devices on the network, so that conclusions can be drawn quickly in the event of an attack. With such a central solution, attack patterns can ideally be spotted immediately during evaluation, for example when hundreds of login attempts accumulate on one device within a few minutes.
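The "hundreds of login attempts on one device within a few minutes" pattern is the kind of rule a central log evaluation can flag automatically. The following Python script is an added example and is not part of the article: it assumes syslog-style sshd lines collected from all hosts, a threshold of 100 failed logins within a sliding 5-minute window (both values assumed), and builds its own constructed sample log in `build_sample_logs()` so it runs offline.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Regex for the syslog-style sshd lines used here (line format is an assumption
# of this example; adapt it to the format your central logging actually collects).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_login_bursts(lines, threshold=100, window=timedelta(minutes=5)):
    """Return one alert per host whose failed logins reach `threshold` within `window`.

    Each alert is (host, window_start, window_end, failed_count). Events are
    sorted by timestamp first so that out-of-order collection from many
    devices does not break the sliding window.
    """
    events = [ev for ev in map(parse_line, lines) if ev and ev["outcome"] == "Failed"]
    events.sort(key=lambda ev: ev["ts"])
    recent = defaultdict(deque)  # host -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for ev in events:
        q = recent[ev["host"]]
        q.append(ev["ts"])
        # Drop failures that have fallen out of the sliding window.
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["host"] not in alerted:
            alerted.add(ev["host"])
            alerts.append((ev["host"], q[0], ev["ts"], len(q)))
    return alerts


def failed_by_source(lines):
    """Count failed logins per source address, useful for the responder's report."""
    return Counter(
        ev["src"] for ev in map(parse_line, lines) if ev and ev["outcome"] == "Failed"
    )


def build_sample_logs():
    """Constructed sample: a burst against srv-web01 plus background noise elsewhere."""
    t0 = datetime(2024, 3, 4, 9, 0, 0)
    lines = []
    # 120 failed attempts one second apart against srv-web01 (the burst to detect).
    for i in range(120):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} srv-web01 sshd[2231]: Failed password for invalid user admin "
                     f"from 203.0.113.7 port {51000 + i} ssh2")
    # 5 failed attempts ten minutes apart on srv-db01 (typo-level noise, no alert).
    for i in range(5):
        ts = (t0 + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} srv-db01 sshd[1187]: Failed password for alice "
                     f"from 192.0.2.15 port 40011 ssh2")
    # One successful login and one unrelated line, which the parser must tolerate.
    lines.append(f"{(t0 + timedelta(minutes=1)).isoformat()} srv-db01 sshd[1190]: "
                 f"Accepted password for alice from 192.0.2.15 port 40012 ssh2")
    lines.append(f"{t0.isoformat()} srv-db01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)")
    return lines


if __name__ == "__main__":
    logs = build_sample_logs()
    for host, start, end, n in detect_login_bursts(logs):
        print(f"ALERT {host}: {n} failed logins between {start} and {end}")
    print(failed_by_source(logs).most_common(3))
```

The alert fires as soon as the hundredth failure lands inside the window, and a host is alerted only once per run so a long brute-force attempt does not flood the operator; the per-source counter gives the response team the first entry for its written record of observations.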
All observations and measures taken should be documented in writing for the response team: every change made to the system, but also the system's behavior and tips from employees. Such suspicions are relevant, as are the answers to the questions: who was the last person to use the system, and what was done on it after the attack was noticed?
Once the response team has been briefed, the next step is to define the scope of the engagement and its objective: What support does the company need? Has data been stolen? Should the course of the attack be reconstructed? Which systems are clean? Does recovery need to take place? The tools the response team brings depend on these answers. Most often, the goal is to find Patient Zero in a root cause analysis and determine which parts of the system are infected.
Provide cyber detectives with information
Cyber detectives use the available information and various data sources to track down the attacker. Ideally, the team needs an overview of the IT systems with servers and clients, the types of systems, and whether employees are allowed to work with their own devices, which is not without additional risk. The logging policy reveals the processes and behavior of the security systems, such as which sources are connected and at what intervals logging takes place. Security tools usually also have a logging function and provide further information.
In the best case, networks are segmented and users are assigned roles and access rights, which makes an attack more difficult. It is also important for the response team to know the patch status of externally reachable systems such as web servers: if these have not been patched for some time, they are a likely entry point for attackers.
A hacker attack comes as a shock to many companies. The most important thing is to remain calm and call in experts. The less that is done to the systems, the better – this way no traces are covered and the incident response team can more easily trace the course of the attack, clean up the systems and restore them.