A company has been targeted by hackers: error messages are popping up, and perhaps the first parts of the system have already been locked down and extortion messages have been sent. The attacker will try to advance to accounts with more privileges to steal data or use a Trojan to encrypt systems. If he reaches domain controller privileges, this is the worst case for companies, as it literally opens all doors for the attacker.
When companies notice an attack, panic quickly spreads: employees are sent home and attempts are made to limit the damage. The key here is to remain calm and call in an expert as quickly as possible, who can work with an incident response team to retrace the course of the attack and make recommendations about which systems can be restored and with which backups. To make the cyber detectives’ job easier, companies should keep a few things in mind. It is optimal if an IT expert can already estimate the extent of the damage.
Do not delete malware, isolate systems if possible
Malware must not be deleted once it has been identified. This makes the response team’s work more difficult, as traces can be destroyed or manipulated in this way. In addition, the deletion process usually comes too late and the probability of identifying all affected systems is low.
It is better to leave the system in its as-is state so that experts can recover and analyze evidence and draw conclusions about the attacker’s modus operandi and tools. Further use of the system should also be avoided, if possible. It is also not advisable to import backups yourself, as these can also be infected.
On the other hand, it can make sense to isolate the infected systems, if possible. Although the attacker then knows that he has been detected, early isolation can prevent him from moving further in the network. However, you run the risk that the isolation is not complete if you do not yet know the scope of the attack. It is therefore important to be able to give a valid assessment of how far the hacker has penetrated. This is not an easy task for most system administrators.
It also makes sense to disconnect the system from the network and, in the case of a laptop, to switch off the WLAN and connect it to the power supply. The procedure for servers depends on how they work and how they are used: If a server is business-critical, for example because it provides the online store, it would be advisable to isolate the device; otherwise an attacker can spread in the network. The customer must make the decision, but it is usually advisable to isolate more rather than less.
In case of ransomware attacks, backups are the only way to recover the systems. That’s why backups need to be stored separately outside the network and be available offline. Only in this way do companies avoid the risk of their backups being encrypted as well in the event of an attack and thus becoming worthless.
Monitor system behavior and quickly detect anomalies
IT managers can monitor the behavior of systems and processes by collecting and visualizing data from all devices in the network. This allows quick conclusions to be drawn in the event of an attack and provides a solid basis for decision-making. For example, messages from antivirus scanners, which otherwise only the user would see, can be forwarded to the admin. With such a centralized solution, at best, attack patterns can be detected immediately through the evaluation, for example, if hundreds of login attempts accumulate on a device in a few minutes.
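The login-attempt pattern mentioned above can be checked with a sliding window over centrally collected events. The following is an added example, not code from the original article; the log line format, the event names, the host names and the values of 100 attempts in 5 minutes are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumption for "a few minutes"
THRESHOLD = 100                # assumption for "hundreds" of attempts
LOGIN_EVENTS = {"login_failed", "login_ok"}  # hypothetical event names


def parse_event(line):
    """Split a constructed 'ISO-timestamp key=value ...' line into (time, fields)."""
    stamp, *pairs = line.split()
    return datetime.fromisoformat(stamp), dict(p.split("=", 1) for p in pairs if "=" in p)


def detect_login_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (alerts, skipped): one alert each time a host's login attempts
    inside the sliding window reach the threshold; unparsable lines are counted."""
    events, skipped = [], 0
    for line in lines:
        try:
            ts, fields = parse_event(line)
        except ValueError:  # empty or corrupted line from a collector
            skipped += 1
            continue
        if fields.get("event") in LOGIN_EVENTS and "host" in fields:
            events.append((ts, fields["host"]))
    recent = defaultdict(deque)  # host -> attempt times still inside the window
    in_burst, alerts = set(), []
    for ts, host in sorted(events):  # collectors may deliver out of order
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) < threshold:
            in_burst.discard(host)
        elif host not in in_burst:  # alert once per burst, not per event
            in_burst.add(host)
            alerts.append({"host": host, "first": q[0], "last": ts, "count": len(q)})
    return alerts, skipped


def constructed_sample():
    """Constructed data: 150 attempts in 150 s on ws-017, normal use on ws-002."""
    base = datetime.fromisoformat("2024-05-01T09:00:00+00:00")
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} host=ws-017 "
             f"event=login_failed user=admin" for i in range(150)]
    lines += [f"{(base + timedelta(minutes=20 * i)).isoformat()} host=ws-002 "
              f"event=login_ok user=alice" for i in range(3)]
    return lines + ["corrupted line from a collector"]


if __name__ == "__main__":
    for alert in detect_login_bursts(constructed_sample())[0]:
        print(alert)
```

The `first` timestamp of an alert is also a candidate data point for the question of when the attack started, which matters for judging backups.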
All observations and measures taken should be documented informally and in writing for the operations team. They should be as accurate as possible and are welcome to be detailed. This includes all changes made to the system, such as a reboot, but also the behavior of the system or tips from employees, for example, if phishing emails were received, which continue to be the central gateway for hacker attacks.
These suspicions are relevant, as are answers to the questions: Who was the last person to use the system and what was done in the system after the attack was noticed? Central here is the question of what happened when, because if there is clarity about the start of the attack, the security of backups can be assessed, for example, if they were made before the attack.
Provide the cyber detectives with full information
Once the response team is in the picture, the next step is to determine the scope and the mission objective: What support does the company need – has data been stolen, should the attack history be determined, which systems are clean, does recovery or reconstruction need to occur? The tools that the response team brings to the table depend on these answers. Most often, the goal is to find “patient zero” in a root cause analysis and determine which parts of the system are infected.
Cyber detectives then use the available information and various data sources to track down the attacker: Optimally, the team needs an overview of the IT systems with servers and clients, the type of systems – Linux or Mac – and needs to know whether employees are allowed to work with their own devices, which not only poses an additional risk for attacks but also complicates data protection.
The logging policy reveals the processes and behavior of security systems, such as which sources are connected and in which cycles logging takes place. Security tools also usually have a logging function and provide further information.
In the best case, networks are segmented and users are assigned roles and access rights, making an attack more difficult. It is also important for the response team to know the patch status of systems such as web servers that can be accessed from outside. If these have not been patched for a long time, they can be a likely gateway for hackers. Threat intelligence in the form of technical descriptions of traces of past attacks potentially allows conclusions to be drawn about the current case: in the spring of 2021, for example, a vulnerability in Microsoft Exchange Server caused a wave of successful attacks.
Stay in touch and learn from mistakes
IT managers and response experts maintain a close exchange during the operation. On the one hand, this ensures that the response team receives all the necessary information and, on the other, that the IT managers remain up to date. Several informal telephone calls are held daily to exchange information.
It is helpful for the response team to have the participation of an IT specialist who can answer questions about systems, so that the team does not have to work them out through time-consuming analysis. The time it takes to avert an attack depends on a number of factors.
An incident is always a shock and usually expensive – it costs time, money, resources and negative PR. That’s why it’s all the more important to learn from it and take away recommendations for action on how to prevent attacks in the future and secure your systems. The importance of cyber security usually only becomes clear to companies once an attack has occurred. Again, the response team can provide an initial recommendation on what tools are needed to increase the level of security.
Companies should also consider communication with authorities and their reporting obligations. Depending on the damage, such as data leakage, different agencies must be notified, for example, the BSI for companies with CRITIS.
The company decides whether to deploy a crisis manager. In some cases, this role is also filled by external service providers. The crisis manager’s function is to provide organizational support and to work in an interdisciplinary manner. This is because a company’s legal department is usually just as affected by an attack as its communications department.
A hacker attack comes as a shock to many companies. The most important thing is to remain calm and call in experts. The less that is done to the systems, the better – this way, no traces are covered and the incident response team can more easily trace the course of the attack, clean up the systems and restore them.