What do I do if my network is hacked?
Nobody wants to be hacked, but the only thing worse than having an incident is to have one and then botch the incident response procedures. An incorrect response could allow an attacker to gain further access to your network, fail to completely remove the infection, or render evidence of the incident inadmissible in legal proceedings.
By following seven steps, you can ensure that your organization takes the appropriate measures in response to a potential incident.
How do I know if my network was hacked?
Identifying a potential cyber incident or breach is the necessary first step in remediating it. Identifying and containing a data breach within 30 days of the attack saves an organization an average of $1 million, or about one-third of average total losses.
While high-profile “in your face” attacks gain instant headlines, nefarious activities can be occurring on your network with few to no obvious indications.
If you detect or suspect that something anomalous is occurring within your network, it is better to investigate and be proven wrong than to ignore it and potentially suffer the reputational, financial, and regulatory consequences of a breach of sensitive or user personal data.
What is the scope of the attack?
After identifying a potential data breach, the next step in the incident response process is an analysis of the scope of the potential breach. Depending on the type and scope of the breach, one or more end-user machines or services may be affected. If critical services are affected, implementing the business continuity/disaster recovery (BC/DR) procedures for those services may be advisable for the duration of the incident.
How do I contain the threat?
Once the scope of the incident has been identified, steps should be taken to confine the effects of the breach to the machines already affected. This means both isolating the affected machines from the rest of the company network and the Internet, and reducing the chance that earlier actions of the infected machines spread the infection further. For example, if analysis revealed that the incident included malware spread via email, other employees, customers, vendors, etc. should be warned not to open mail from the affected accounts until further notice and to be on high alert for similar attacks.
How do I eradicate the breach?
Once the threat of further infection has been removed, attention can finally be paid to the affected computers. At this point, digital forensics procedures should be followed to identify the scope of the incident and gather evidence for legal proceedings if necessary. Once the necessary evidence has been gathered and any required backups have been created, any tools, malware, user accounts, etc. related to the breach should be eradicated.
How do I write an information security incident report?
A complete, detailed report should be generated and stored for any information security incident that an organization experiences. This report should include all details of the incident discovered through forensic analysis, the steps taken in the containment and eradication stages, and recommendations for improving security and preventing future incidents. Reports of the incident should be prepared and sent to the appropriate parties both internally (C-suite, etc.) and externally (regulators, customers, suppliers, etc.).
How do I fix a hack?
The effects of the cyber incident and the steps taken to recover from it may leave affected machines in a degraded or non-operational state. At this point in the process, affected machines should be restored from known-clean backups, or the necessary actions taken to return them to a functional state. After all affected machines are functional and verified to be clear of infection, the quarantine protocols can be lifted.
How do I keep a cyberattack from happening again?
According to FireEye’s M-Trends 2018 report, 49% of organizations that suffered at least one cyber incident were breached again within a year. The “lightning never strikes the same place twice” rule does not apply in cybersecurity and taking steps to improve security is a necessary component of incident response. At a minimum, the security holes exploited by the incident should be patched and the security improvement recommendations included in the report should be implemented. After these steps are taken, it may be wise to bring in a professional penetration testing team to test the effectiveness of current defenses and offer recommendations for improvement.
When do I need to call in information security experts?
The demand for experts in cybersecurity far outweighs the supply and many organizations do not have the resources in-house to appropriately respond to a suspected cyber incident. If this is the case for your organization, it would be wise to proactively establish a relationship with a reputable cybersecurity and incident response organization as a precaution rather than scrambling to find one available to help once an incident has occurred.
Sword and Shield has teams of cybersecurity experts that can help both with improving cyber defenses before an incident occurs and with taking the necessary steps to effectively clean up after an incident occurs. Contact us for a free consultation to find out how.