You arrive at work on Monday morning and immediately find that the network server’s Event Viewer lists hundreds of failed login attempts over the weekend. They occurred consistently in two minute intervals, and then Sunday afternoon the attempts seem to abruptly stop. Is this the work of hackers? Does the abrupt stop mean that hackers have abandoned their attack, or have they successfully logged in and infiltrated your network? It’s imperative that you do not panic, but most importantly, do not take your investigation forward on your own.
- First and foremost, don’t power anything down! You’ll want to preserve the data in RAM. RAM is volatile memory, meaning that whatever data is present will be lost as soon as the machine is turned off (non-volatile memory, such hard disk storage, remains even when the machine is turned off).
- Next, if it hasn’t been done already, take the server and/or workstation offline until the problem can be diagnosed. The preservation of the digital crime scene is necessary to make further deductions. Additionally, remove the wired connection to ensure that malware cannot propagate throughout the network. Worms are a type of malware that are self-propagating, meaning they do not even require any sort of user interaction to spread like wildfire.
- Let someone know immediately. Preferably an employee who has been designated to spearhead the incident response plan (which is hopefully in place!). This may fall on the chief information security officer. Keep in mind, it is important to foster a work environment in which employees feel encouraged, or even that they will be rewarded, for reporting a breach. If an employee is the root cause of the breach, perhaps in accidentally downloading ransomware, they may not come forward out of fear of disciplinary repercussions. If, however, the employee feels that they are able to point to the root cause of the breach without fear, this could be key in mitigating the breach and avoiding them in the future.
- As surreptitious as a hack can be, breadcrumbs are usually left in its wake. These breadcrumbs are known as Indicators of Compromise (IOCs) that are indicative of intrusion. In addition to failed login attempts, IOCs may present themselves as unusual outbound network traffic, malicious URLs, IP addresses, unexpected spikes in database read volume (a telling sign of data extraction), system file changes, etc. Not only will identifying IOCs help to figure out exactly what damage hackers have caused, but it will be helpful in understanding any future breaches. Uncovering IOCs will most likely require the help of a cyber forensics team. Members of the forensic team should copy the contents of the originally affected machine’s memory and an image of the hard disk to a second machine for examination. Isolating and examining the scene of the crime will help to pinpoint exactly how the hacker infiltrated the network and what data may have been exfiltrated. Attack vectors, the timing of the breach, the value of the information stolen and how it could benefit the attacker are also huge pieces to solving the “whodunnit” puzzle. If you have not retained the services of a cyber forensics team, and you run into a situation in which you require their help, you may run up a costly bill at the time of a breach. It is far more cost-effective to have forensic services on retainer and request their assistance when you need it.
- The security team will look at the data captured prior to the incident if this information is readily available. A network recording will store all packets for post-incident and/or forensic analysis. Designated security personnel will search and inspect archived network traffic for the presence of any anomalies. The results of the investigation should be logged and network vulnerabilities will be reviewed, analyzed and defended.
- Time to tell the world. It’s not only important to disclose the details of the incident and take responsibility, but depending on your industry, you may be legally obligated to inform clients of what happened and how they will be affected. Investment firms registered with the SEC are compelled to do so to remain compliant. It may even be a good idea to hire a PR firm to assist with the fallout of a breach.
Moving Forward and Bolstering Defenses
In order to forge ahead, it’s necessary to reassess defense strategies and mechanisms. Some of the most important items that you should check off your list include the following:
- Ensure that firewall configurations have been reviewed recently.
- Disable unnecessary ports and services.
- Implement an Intrusion Detection/Prevention System (IDS/IPS).
- Implement full packet capture.
- Hire an outsourced Security Operations Center (SOC) to monitor network traffic for anomalous activity.
- Install antivirus across all devices.
- Use Multi-Factor Authentication to authenticate and validate users prior to authorizing access to services or applications.
- Maintain a network map of the devices on the network, as well as data flows and connections between those devices. This map will become vital to understanding and protecting the devices on the network.
- Implement a Vulnerability Management Program to identify and remediate issues.
- Enforce cybersecurity awareness training for all employees.
- Have an Incident Response Plan in place.
- As mentioned, have a forensics team on retainer so that you are not ultimately forced to pay for their services in desperation.
- Participate in information sharing cybersecurity organizations.
The response to a breach needs to be handled very delicately. Do not wait until a breach occurs to figure out how to respond appropriately. The best way to thwart hacking is to have a plan in place for when you are faced with a security crisis, immediately inform anyone who it may have been affected and strengthen cyber defenses.
For a customized cybersecurity assessment, click here.