BreachExchange mailing list archives

You’ve been hacked. What now?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 23 Sep 2015 14:05:49 -0600

http://realbusiness.co.uk/article/31486-youve-been-hacked-what-now/page:1

An IT department may have taken every necessary precaution to prevent a
security breach, and yet shrewd attackers may still get through. Once
you’ve been hacked, how does a business deal with the fallout?

As hackers have become increasingly sophisticated in their approach,
organisations need to be prepared for such situations.

Cybercriminals are constantly looking to new tools and methods, which not
all businesses can anticipate or protect against. Crucially, as criminals
have grown more sophisticated, and as state-sponsored attacks have
increased, the likely motives and methods have changed. This signifies a
shift from the old days where hacks were very visible.

Today, advanced, tenacious threats are the norm. Worryingly, the average
number of days hackers remain undetected on a network is 243 days. Eight
months! That’s a lot of time to steal data.

Often, malware doesn’t want to be detected and generally won’t be seen
directly. Rather, companies will become aware due to its effects. This
could simply be noticing that your computer is doing strange things.
Equally, in financial malware scenarios, employees may notice money missing
from their accounts or on their credit cards.

Companies can also look for signs such as unusual network traffic and
unusual systems access patterns. Savvy companies will use experienced
investigators to analyse their logs for signs of malicious activity, and
log analysis tools like Splunk can help here by providing a layer of
business intelligence on top of otherwise unfathomable system logs.
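As an added illustration of the log analysis the article recommends (example code written for this page, not taken from the article or from any named tool), the script below parses a few constructed authentication log lines and flags the kinds of unusual access pattern mentioned above: a login outside business hours, a login from an address the user has never used before, and a burst of failed logins followed by a success. The log format, the baseline of known source addresses per user, and the business-hours window are all assumptions made for the demo.

```python
# Added example (not from the article): flag unusual access patterns in
# authentication logs. Log format, baseline and thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) "
    r"user=(?P<user>\w+) src=(?P<src>[\d.]+)$"
)

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2015-09-21T09:02:11 auth success user=alice src=10.0.0.5
2015-09-21T09:15:40 auth success user=bob src=10.0.0.9
2015-09-21T23:41:02 auth success user=alice src=10.0.0.5
2015-09-22T02:10:00 auth failure user=bob src=203.0.113.7
2015-09-22T02:10:03 auth failure user=bob src=203.0.113.7
2015-09-22T02:10:07 auth failure user=bob src=203.0.113.7
2015-09-22T02:10:12 auth success user=bob src=203.0.113.7
"""

# Constructed baseline: the source addresses each user normally logs in from.
KNOWN_SOURCES = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.9"}}
BUSINESS_HOURS = range(8, 19)  # assumed normal window: 08:00 to 18:59


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield {**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])}


def find_anomalies(log_text, known_sources, fail_threshold=3):
    """Return (kind, user, src) tuples for each suspicious successful login."""
    findings = []
    failures = defaultdict(int)  # (user, src) -> consecutive failures so far
    for ev in parse(log_text):
        key = (ev["user"], ev["src"])
        if ev["result"] == "failure":
            failures[key] += 1
            continue
        if failures[key] >= fail_threshold:       # brute-force style pattern
            findings.append(("failures-then-success", ev["user"], ev["src"]))
        failures[key] = 0
        if ev["src"] not in known_sources.get(ev["user"], set()):
            findings.append(("new-source", ev["user"], ev["src"]))
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off-hours", ev["user"], ev["src"]))
    return findings
```

Running `find_anomalies(SAMPLE_LOG, KNOWN_SOURCES)` on the sample flags alice’s late-night login once and bob’s 02:10 login three times, which is the sort of lead an investigator would then pull the surrounding logs for.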

Put a plan in place

One of the worst things that can happen to a company that has already been
compromised is not knowing what to do next.

As much as we may not want to admit to the possibility of a security
breach, it’s important that organisations have a "what if" plan in place
that allows them to react quickly. This should be detailed and
well-rehearsed so that the business can immediately spring into action.

This playbook should include information about who to call. A very small
percentage of businesses have the skills and expertise in-house to carry
out a forensic analysis of how and why an attack has happened – and how
they can prevent it from taking place in the future.

Specialists will extend beyond forensic security analysts and
infrastructure managers to delve into other areas too. There is of course a
legal and compliance part of the puzzle, as well as involving media and
communications staff to discuss both internal and external messaging.

These areas can – and should – work in tandem. For instance, technology
staff who analyse lost or compromised data should then inform the legal
team, who can then work out whether the lost data impacts customers and
requires notification. Communications staff can then reach out accordingly.

Some of the worst responses are down to a lack of information, a lack of
transparency, and in the worst cases, complete denial. With a plan already
in place, however, and dedicated teams responsible for specific areas, the
business can work in sync to minimise the impact of the fallout as best it
can.

A mature plan will break down into at least three main parts: containment,
mitigation, and cleanup.

Keeping the attack contained

Once an attack has taken place, it’s crucial it doesn’t go any further – a
kind of digital sandbag, if you will, to prevent further injury. After
closing in on the attacker, this is the first action that the response
team should take, largely because it is near impossible to mitigate what
cannot be contained.

This containment can be a difficult task. Attackers are stealthy, making it
difficult for businesses or security experts to see how far hackers have
got in their attack.

You could enlist your vendors’ response teams to navigate this. Typical
candidates are antivirus companies or ethical hackers, who can be brought
in to look at patterns that reveal who these attackers are and where their
interest lies.

Mitigation and clean-up

After the containment comes the mitigation. At this stage, the security
response team should have identified the weak spot. In short, how the
attacker got inside.

Was it unpatched Windows workstations? Or a misconfigured web server?
Batten down the hatches and close the door to fresh attacks, unless you
want to find yourself in an endless cycle of cleanup and reinfection.
Completely removing the malware and fixing any compromised user accounts is
the next crucial step.

Once you’ve carefully evicted the attackers from corporate systems and
surveyed the extent of the damage, the organisation must look to repairing
as much of the damage as possible. This includes reinstalling compromised
systems from known-good media and potentially restoring data from backup.

Added to this, businesses must reconfigure network and server software and
monitor its operation for a set time in order to ensure that everything is
working as it should.

Lessons learnt

Perhaps the only benefit of having been attacked is that you can learn from
it. This includes carrying out a post-mortem with tangible insights that
can then be fed into the company security policy, as well as the wider
business strategy. You may discover, for example, that you need to embark
on an internal education phase that addresses training and awareness.

No one likes facing adversity, but one true test of an IT director’s
character lies in how they deal with it. When hackers strike, the truly
savvy IT decision maker will have the tools and contacts in place to get
the job done.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 