The tell-tale signs that your network has been hacked are all too familiar, or at least they should be. You may think it’s just a fluke (don’t we always get bombarded with pop-ups?), but if your systems seem more sluggish than usual, you notice unauthorized content posted on your website, or passwords have been changed without authorization, chances are your network’s been hacked. Don’t panic! It’s important to remain calm, retain your professional demeanor, and act decisively.
In addition to seeking guidance from a data security professional, follow these five steps for quickly responding to and recovering from a network attack.
1. Verify the attack on your network.
You should gather information as quickly as possible to confirm which systems were compromised, determine the IP addresses that were used in the attack, and identify the type of attack, such as malware, a virus, or a phishing page tacked onto your website. Use the diagnostic tools available in your routers and firewalls such as traffic logs and syslog messages. Your Internet service provider (ISP) and any out-of-house IT provider may also be able to provide useful information. In addition, a security professional can help you gather and make sense of all the information collected.
2. Contain the damage and preserve your business assets.
Your initial reaction may be to take your entire network offline, but that could actually cause additional damage to your company’s operations, not to mention relationships with customers and reputation in the marketplace. Instead, isolate the systems that you already identified. If possible, take offline just the impacted applications; or, if necessary, take down the servers or computers those applications live on. This will quarantine the affected applications and devices while still allowing your company to continue to do business.
Also, you need to identify the exact damage done to individual devices. Compare the configurations and data sets for each compromised computer and server with the last known stable and clean backup for each system.
You need to delete any offensive content that the hacker left on your site or wipe your systems clean of malware, but you also need to preserve evidence of the crime that was committed against your company—a practice recommended by the Anti-Phishing Working Group (APWG). The APWG also recommends making safe copies of the illegal content or unauthorized applications, separate from any systems that could be further damaged by that content. Make sure to check with your company’s legal counsel before doing so. Some content shouldn’t be copied, particularly child pornography, and must be immediately reported to authorities before you proceed with cleaning up those systems.
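The comparison against the last clean backup described above can be scripted: hash every file on the affected system and diff that manifest against one built from the backup, so modified, added and removed files are listed explicitly. This is an added example, not code from the original article; the paths and file contents are constructed sample data.

```python
import hashlib
from pathlib import Path


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest of a file's content."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (as a relative POSIX path) to its digest.

    Run once against the mounted clean backup and once against the live
    (or imaged) compromised host, then compare the two manifests.
    """
    return {
        p.relative_to(root).as_posix(): hash_bytes(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify paths relative to the clean backup.

    modified: present in both but content differs (e.g. a defaced page)
    added:    present only on the compromised host (e.g. a planted phishing page)
    removed:  present only in the backup (e.g. a deleted scheduled job)
    """
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


# Constructed sample manifests standing in for build_manifest() output.
CLEAN_BACKUP = {
    "etc/httpd/httpd.conf": hash_bytes(b"Listen 80\n"),
    "var/www/index.html": hash_bytes(b"<h1>Welcome</h1>\n"),
    "etc/cron.d/nightly-backup": hash_bytes(b"0 2 * * * root /usr/local/bin/backup\n"),
}
COMPROMISED_HOST = {
    "etc/httpd/httpd.conf": hash_bytes(b"Listen 80\n"),
    "var/www/index.html": hash_bytes(b"<h1>Defaced</h1>\n"),
    "var/www/verify-account.html": hash_bytes(b"<form>constructed phishing page</form>\n"),
}


def example_report() -> dict[str, list[str]]:
    """Diff the constructed manifests; each listed path is evidence to preserve before cleanup."""
    return diff_manifests(CLEAN_BACKUP, COMPROMISED_HOST)
```

Copy the files named in the report to separate, read-only storage before wiping or restoring the host, so the evidence survives the rebuild.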
3. Decide if you need to make a public statement about the incident.
Depending on the kind of attack and the damage your network sustained, you may need to communicate with customers, partners, or authorities. For example, if the security breach affects your compliance with a governmental regulation, you may be required by law to hire a security investigator who will guide you through your response to the breach. If customer or partner data was affected, you’ll need to notify them that their information was compromised.
4. Clean up and restore the affected systems.
If more than one computer or server was hit in the security attack, you should first prioritize the order in which you’ll clean and then restore them to their previous states—starting with business-critical systems, of course. Replace the current, compromised data, configurations, and applications with the most recent clean backup. Change the passwords for all affected systems, users, and applications, including the root password. At the same time, require that all passwords company-wide be changed, even on systems that weren’t impacted by the attack.
5. Close the vulnerability used to access your network and amp up security.
Make sure you fix the hole that the hacker used to gain access to your network, whether it was a configuration error, an email download, or another vulnerability. You should also increase your network security. For example, patch and update all systems and software to the most current versions and make sure the security settings on all of your network hardware are set appropriately.