Back in June, we published a post titled 15 signs you’ve been hacked which talked about exactly that. In today’s post, we are going to talk about what to do once you determine that you have been hacked. Some of this will be more corporate focused, while other parts will be squarely targeted to home users, but all of the advice will help you make the right decisions about what to do about it.
Whether you are dealing with a system on the corporate network, or your own personal computer at home, this first one is for you.
1. Don’t Panic
Yes, you have been hacked. Welcome to the club. It happens to many more people than you might think. Panicking won’t help anything at all, so don’t do it. You’re a professional, and this will help you figure out what to do next.
Now, if you are at work, go through the next section on corporate incidents. If this is your personal computer, jump down to the personal incidents section.
2. Implement your incident response procedures
If you’re in the office and you have a Computer Incident Response Team (CIRT), get them on the phone and let them know what you think has happened. If you are the CIRT, kick it into gear and start working your plan. Don’t have a CIRT or a plan? Okay, we will work on that later. Let’s get you through this event first.
3. Isolate the system
If the system has been hacked, you need to isolate it to contain the damage. Take it off the network, meaning unplug the network cable (or disable the wireless adapter). Pull the network, not the power: shutting the machine down wipes whatever is in memory, and you may want that later. Look, if an attacker is on the system, he or she will know you have a clue as soon as they see you log on. You’re not going to “keep them talking” until you can run a trace, or get tools on to see just what they are doing. Disconnect it from the network to stop them from using it as a foothold to do worse, or to cover their tracks.
4. Inform management
The bosses need to know. Now. Let them know that something has happened, and that you are investigating, and you need them to back burner everything else until you can figure out what is going on. Get someone to help you if they want updates, so you can focus on figuring out what has happened instead of having to provide 15 minute status updates.
5. Determine if there are legal or contractual requirements you must fulfil
Odds are good that the company is going to have to notify somebody else about this. If you are under legal or contractual obligations, if any customers’ data was accessed, if any employee data was accessed…somewhere a report needs to be filed. You may also need to notify law enforcement. Don’t guess at any of this stuff. Contact your legal department and let them figure out what needs to be done. If there is any interest in preserving evidence for criminal or civil legal action, let them tell you to touch nothing until a professional forensic service can be engaged to capture images and maintain chain of custody. You don’t want to try to figure that out on your own.
Let’s assume though, that evidence is not the goal, restoring service is. So…
6. Take an image
Grab a big external USB drive and a boot disk, and image the machine. Boot from the clean media rather than the installed OS, since anything the attacker left behind can lie to you about what is on the disk. Take a hash of the image as soon as it is written and keep it alongside the image, so you can show later that what you are reviewing is what you captured. You want to get everything so you can crawl through the logs to determine what happened, when it happened, how it happened, and if anything else was done once the hack occurred. That can take days to dig through, so get an image you can review at your leisure.
7. Recover data
Now, with a different drive, save off what data you need. That could be log files, databases, or other content, but keep a couple of things in mind. First, take no binaries. You can’t trust any of them not to be infected with malware left behind by the attacker, and that includes scripts and installers, not just .exe files. Second, verify that all of the data you retrieve is valid and hasn’t been altered by the attacker: compare it against your last known-good backup, or against checksums if you keep them.
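As an added example (not code from the original post), here are the imaging and recovery steps as a small POSIX shell script you could run from the boot disk: it images a disk, records a SHA-256 digest beside the image, verifies the image against that digest, and copies files out of a mounted copy while leaving behind anything whose first bytes say it is an ELF or Windows PE executable. The device and directory names are assumptions, and the script expects the external drive to already be mounted in the rescue environment.

```shell
#!/bin/sh
# Added example, not code from the original post: image a compromised disk,
# record and verify a digest of the image, and recover data without binaries.
# /dev/sda, /mnt/usb, /mnt/image and /mnt/data below are placeholder paths.
set -eu

# Print the SHA-256 of a file with whichever digest tool the boot disk has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# image_disk SRC DST: bit-for-bit copy of SRC (e.g. /dev/sda) to DST on the
# external drive. bs matches the sector size so a bad sector is replaced by
# exactly one sector of zeros (conv=noerror,sync) and offsets stay aligned;
# use bs=4096 for a 4K-native drive. The digest is written next to the image
# so a later reviewer can prove the image has not changed since capture.
image_disk() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync
    sha256_of "$2" > "$2.sha256"
}

# verify_image IMG: succeed only if IMG still matches its recorded digest.
verify_image() {
    [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}

# is_binary FILE: succeed if the file starts with an ELF (7f 45 4c 46) or
# PE/MZ (4d 5a) header. Magic bytes are checked rather than the extension,
# because an attacker can name a dropper anything.
is_binary() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        7f454c46*|4d5a*) return 0 ;;
        *) return 1 ;;
    esac
}

# recover_data SRCDIR DSTDIR: copy regular files from a mounted copy of the
# image into DSTDIR, keeping relative paths, skipping every executable.
# Prints the relative path of each file it copied.
recover_data() {
    src="$1"; dst="$2"
    find "$src" -type f | while IFS= read -r f; do
        rel="${f#"$src"/}"
        if is_binary "$f"; then
            continue
        fi
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p "$f" "$dst/$rel"
        printf '%s\n' "$rel"
    done
}

# Typical run from the rescue environment (paths are assumptions; a whole-disk
# image needs the partition's byte offset in the mount options):
#   image_disk /dev/sda /mnt/usb/host.dd && verify_image /mnt/usb/host.dd
#   mount -o ro,loop /mnt/usb/host.dd /mnt/image
#   recover_data /mnt/image/home /mnt/data/home > /mnt/data/recovered.txt
```

The digest file is the check you want before you trust anything you pull off the image: rerun verify_image after copying the image anywhere, and treat a mismatch as a reason to go back to the original media.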
8. Check for lateral or escalation
Was the hacked system the end target, or just a foothold the attacker used to get access to the rest of the network? You may never know, but you had better do all you can to figure that out. Check the security logs on all domain controllers for successful and failed logons coming from the compromised host’s address. Look at every account that appears in the compromised system’s logs and assume any of them may have been compromised, so reset passwords on them all, service accounts included. Check security logs on all other servers to see if the attacker accessed a second system from the first, and evaluate each of those systems the same way.
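One way to do the domain controller and server check, as an added example that is not from the original post: a POSIX shell script that takes a CSV export of security events from the domain controllers and file servers and asks four questions about the compromised host’s IP address, namely which accounts logged on from it (those get password resets), which other systems accepted a logon from it (those get the same review), which accounts the attacker tried and failed to use, and which of the touched accounts also show up with special privileges assigned, meaning the attacker was operating with administrative rights. The CSV layout and the event lines are constructed for the example; the event IDs are the standard Windows ones (4624 successful logon, 4625 failed logon, 4672 special privileges assigned to a new logon).

```shell
#!/bin/sh
# Added example, not code from the original post. Triage a CSV export of
# Windows security events for activity originating from a compromised host.
# Assumed column order (an export layout chosen for this example; strip CRs
# from a real Windows export with tr -d '\r' first):
#   TimeCreated,Computer,EventID,TargetUserName,IpAddress,LogonType
set -eu

# write_sample_log PATH: constructed sample events for this example.
# 10.0.0.23 is the compromised workstation; the other addresses are noise.
write_sample_log() {
    cat > "$1" <<'EOF'
TimeCreated,Computer,EventID,TargetUserName,IpAddress,LogonType
2015-09-14T02:11:08,DC01,4624,jdoe,10.0.0.23,3
2015-09-14T02:11:09,DC01,4624,WS07$,10.0.0.5,3
2015-09-14T02:14:31,DC01,4624,svc_backup,10.0.0.23,3
2015-09-14T02:15:02,DC01,4672,svc_backup,-,-
2015-09-14T02:16:40,FS01,4624,jdoe,10.0.0.23,10
2015-09-14T02:18:12,FS01,4625,administrator,10.0.0.23,3
2015-09-14T02:19:55,DC01,4624,alice,10.0.0.41,3
2015-09-14T02:20:30,DC01,4672,alice,-,-
EOF
}

# accounts_from_host LOG IP: accounts with a successful logon (4624) from IP.
# Every one of these gets a password reset.
accounts_from_host() {
    awk -F, -v ip="$2" 'NR > 1 && $3 == "4624" && $5 == ip { print $4 }' "$1" | sort -u
}

# hosts_reached LOG IP: systems that accepted a logon from IP. Each is a
# candidate second victim and gets the same review as the first machine.
hosts_reached() {
    awk -F, -v ip="$2" 'NR > 1 && $3 == "4624" && $5 == ip { print $2 }' "$1" | sort -u
}

# failed_from_host LOG IP: accounts the attacker tried and failed to use
# (4625), which hints at which credentials they were after.
failed_from_host() {
    awk -F, -v ip="$2" 'NR > 1 && $3 == "4625" && $5 == ip { print $4 }' "$1" | sort -u
}

# privileged_among LOG IP: accounts that logged on from IP and also appear in
# a 4672 event, i.e. the attacker held administrative rights on that logon.
privileged_among() {
    awk -F, -v ip="$2" '
        NR > 1 && $3 == "4624" && $5 == ip { touched[$4] = 1 }
        NR > 1 && $3 == "4672"             { priv[$4] = 1 }
        END { for (a in touched) if (a in priv) print a }
    ' "$1" | sort -u
}

# Usage: sh triage.sh export.csv 10.0.0.23
if [ $# -eq 2 ]; then
    echo "Accounts to reset:";    accounts_from_host "$1" "$2"
    echo "Systems reached:";      hosts_reached "$1" "$2"
    echo "Failed logon targets:"; failed_from_host "$1" "$2"
    echo "Held admin rights:";    privileged_among "$1" "$2"
fi
```

On the constructed data this flags jdoe and svc_backup for resets, DC01 and FS01 for review, an attempted administrator logon on FS01, and svc_backup as an account that was used with administrative privileges, which is exactly the escalation you want to find before you rebuild the first box.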
9. Nuke it
That box has been pwned. You have no choice but to dust off and nuke it from high orbit; it’s the only way to be sure. Once you have the image and any data you had to get from the server (as opposed to from backups), flatten the system and reinstall from scratch using known-good media, patch it fully, and only then restore the data you verified.
You’re at home and you’ve determined your personal computer has been compromised. Or maybe your neighbor asks you to take a look at their system because it’s running slow, and you determine it’s crawling with malware. Either way, how you deal with personal incidents is not that much different from professional ones, except that the resources and reporting requirements differ.
2. Isolate the system
Same thing applies here. Get it off the Internet until you can figure out what you are going to do with it. If it’s now a zombie, you don’t want it spewing out spam. If a RAT is installed, you don’t want to let the attacker get anything else from the system.
3. Recover data
There’s probably all sorts of data on that system you will need to save, either to a USB hard drive or a memory stick. Save what you can, but leave all binaries on the box. Grab your pictures, music, tax records and home videos, or use another computer to verify that your cloud backups are good.
4. Check for lateral or escalation
If you have a home network, make sure the attacker didn’t move laterally onto other systems. Either way, check your email accounts, bank accounts, credit card accounts and so on to make sure the attacker didn’t use a keylogger to capture your credentials and get into online resources with them.
5. To cleanse or to nuke, that is the question
It’s a lot more effort to reinstall a personal computer from scratch than to reimage a corporate computer, but can you ever really trust that machine again? It’s your call, but if you choose to cleanse, use a major name-brand antivirus product, then boot to its emergency media and perform a second scan to make sure no rootkits are hiding from the running OS, and then maybe run a couple of the online scanners just to be sure. Me? I could never trust the system again, and would have to format and reinstall.
6. Change your passwords
And I do mean all of them. Whether you saved them in a file or have them memorized, most home computer hacks involve keyloggers, and that means anything you logged onto could be a target. Change all your passwords, and do it from a machine you trust rather than the compromised one. Then stop putting it off: enable multi-factor authentication on everything you can.
7. Check your sent items
Make sure the attacker or malware didn’t use your email to phish or fool your contacts into clicking a link or opening an attachment. You may want to let your friends and family know, in case the attacker stole contact information for later use, and ask them to be suspicious of anything they get from you that they weren’t expecting.
8 at home, or 10 at the office. Lessons learned
Hopefully, you figured out how the attacker got in, and have closed that hole not only in the newly built system, but in every other system on your network. Was it a missed patch, or a poorly configured application, or just a lame password and no MFA? Whatever it was, learn from this and ensure the same thing cannot happen again. Update your build docs and SOPs to ensure that however the attacker got in, that’s the last time they will be able to use that path. Or make sure the entire family knows what happened and how, so that they are all aware and won’t be a victim next time.
Hacks happen to all of us eventually. It’s how we learn from the incident that matters. In our next Security 101 post, we will look at how to set up a Computer Incident Response Team. Stay tuned.