11 Things To Do After You've Been Hacked

A Post-Hack Checklist

The worst has happened. One or more of your systems have been hacked. Now that you're aware of this, what do you do next? That largely depends upon how well you've prepared for this sort of event. If you're a practitioner of Total System Management as described in this site's intro to data safety and security, you'll worry a great deal less and you'll have the foundation for a good shot at recovery.  While there are 11 items in our checklist, you'll get very little value from that checklist unless you have a handle on what 'normal' is for your systems. And if you are practicing Total System Management, then you'll have no trouble with the following directive:

Get a picture of your network and systems before the event.

You might not be able to do this before a breach, but a significant part of effective computer forensics is practicing symmetrical security. This means that you need to be able to determine the normal function and level of activity on your network and computers before the event in order to detect the anomalies post-hack. This topic alone is worth a decent book and/or a college-level class or two. But for those of us who don't have time for that, there are special applications that will do this work for you. The Ecora Software Enterprise Auditor and Patch Manager are two excellent and complementary packages that will accomplish this for you.

Without this knowledge, you're whistling in the dark. Seriously. If you've got more than 5 workstations and servers, you need the Ecora packages now!

Now, on to the checklist.


1. Isolate the suspected system. Either disconnect it from your network or route packets around it -- put it in a protected VLAN or somehow guard your other networked systems from being similarly infected. Make sure to observe chain of evidence -- who touched the system when, and what did that person do? Document everything.
2. Preserve the scene of the crime. Often clues that will lead you to either the cracker's activities or the cracker himself are subtle and indirect, found mainly in the state of things as you discovered the hack. Further, data in a computer is very volatile, and the evidence you seek may be erased by continued usage of the system. For the same reason investigators wear plastic gloves while handling evidence -- to both preserve and not pollute -- tread carefully on your systems and rope them off while the investigation is underway. This means that, at a minimum, you must disconnect any compromised systems from your network. Instantly!
3. Take some initial steps to notify stakeholders and other important people. You'll want to get in touch with senior management, your firm's attorney, security experts, and local or federal law enforcement. Alert them that you suspect your network's (or servers') integrity has been compromised and you would appreciate their assistance. Note that law enforcement may not be able to immediately help you, but in my experience it's a good idea to alert them of your suspicions.
4. Understand where your threats may be coming from. You might think you've been cracked from the outside, but it's a fact that a large number of events requiring forensic assistance are perpetrated by an insider. Don't assume you're dealing with someone outside your firewall.
5. Isolate the suspected system. Either disconnect it from your network or route packets around it -- put it in a protected VLAN or somehow guard your other networked systems from being similarly infected. Make sure to observe chain of evidence -- who touched the system when, and what did that person do? Document everything.
6. Shut down the system. This preserves the state of the machine for further investigation. However, before shutting down, if possible observe the background processes that are running. An inexperienced or less sophisticated cracker may leave evidence that you can later use to determine what was penetrated and how.
7. Make an exact, bit-for-bit copy of the hard drive in the suspected system. This can be used to compare with the baseline image mentioned in the first item above.
8. Take a look at audit logs. Figure out exactly when certain events occurred. Document them.
9. Look for passwords / password prompts around and throughout the operating system and hard drive. These can be ticking time bombs, in that if you enter an incorrect phrase a destructive process could be launched, erasing the drive. The presence of unauthorized passwords, and their location, is significant to your investigation. Note what action you're trying to perform when you stumble upon the password prompt.
10. Look for strange files. Are there a lot of graphics or text files that aren't ordinarily present? Run a time/date scan to find recently created or modified files and determine if there are any anomalies.
11. Know when to quit. Sometimes law enforcement won't get involved, you've wasted three weeks without finding any sort of conclusive evidence, and your users are beginning to notice the down time. In this case, blow the operating system away, reinstall from scratch, and focus on preemptive security. Sometimes the fish aren't big enough to fry.
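As an added illustration (not code from the original article or from StarLAN), here is a small Python script covering the baseline comparison from items 1 and 7 and the time/date scan from item 10: it records a manifest of every file (digest, size, modification time), diffs a later manifest against it to list added, removed and modified files, and lists files touched since a given time. The sample tree is constructed in a temporary directory; on a real case you would point it at the mounted bit-for-bit copy, never at the live system.

```python
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record every regular file under root as path -> (digest, size, mtime)."""
    manifest = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = (sha256_file(p), st.st_size, st.st_mtime)
    return manifest


def diff_manifests(baseline, current):
    """Files that appeared, disappeared or changed content since the baseline (items 1 and 7)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k][0] != current[k][0])
    return {"added": added, "removed": removed, "modified": modified}


def recent_files(manifest, since):
    """The time/date scan from item 10: files modified at or after an epoch timestamp."""
    return sorted(k for k, (_, _, mtime) in manifest.items() if mtime >= since)


def demo():
    # Constructed sample tree standing in for the baseline snapshot and the post-incident image.
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    (root / "notes.txt").write_text("normal content\n")
    baseline = build_manifest(root)
    incident_start = int(time.time())  # whole seconds, so coarse filesystem timestamps still qualify
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n192.0.2.10 updates.example\n")  # modified
    (root / "tmp.jpg").write_bytes(b"\xff\xd8 constructed, not really a picture")  # unexpected new file
    (root / "notes.txt").unlink()  # removed
    current = build_manifest(root)
    return diff_manifests(baseline, current), recent_files(current, incident_start)
```

Keep the baseline manifest off the examined system (and hash the manifest file itself) so that whoever altered the disk could not also have altered your record of "normal".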

Hopefully, you'll never have to resort to this checklist. But if you do, give us a call. We can help.



Copyright 2003 - StarLAN Consulting Services