Just Been Hacked?
Call our emergency response line anytime: 1300 884 218
As attacks are designed to cause maximum impact, cybercrime often occurs out of business hours, on weekends and public holidays. If your business or department has just been hacked and you need security expertise to help contain and stop the attack, we offer a 24/7 emergency response service.
Pure Hacking has a comprehensive IT security recovery strategy and action plan. We can help you and your team to get a full picture of what’s happened, including how the hackers got in, which computers and accounts were compromised, what data was accessed or stolen and whether any other parties — such as customers or business partners — were affected.
And most importantly, we help you get back online and back in business.
If your business or department has just been hacked and a breach discovered, these are the immediate steps we recommend you take:
Step 1: Confirm the attack
Check whether your systems or networks have been breached. If you have logs, they are the best place to start. Confirmation can be as blatant as a defacement or extortion attempt, through to systems behaving abnormally or malicious files found on your servers. Skilled attackers cover their tracks, so confirmation can be difficult.
Once you’ve confirmed the attack, the choice is to perform either a Forensic Assessment or Incident Response. Use forensics when you want to prosecute an individual or organisation and prove who hacked you. Alternatively, use incident response if you just want to get back up and running again.
Forensic assessments are generally larger projects requiring significantly more time and investment. If you choose forensics, leave things exactly “as is” and seek external independent assistance; the process and evidence trails need to be precise. This is where Pure Hacking is able to assist, so please contact us.
Step 2: Contain the attack
When investigating security breaches, valuable “volatile data” is lost when servers are shut down, including server memory contents and existing network connections. Shutting down may be unavoidable depending upon the type of attack, but it is important to understand this trade-off when determining your initial response.
If you decide to handle the security incident in-house, then you need to take action to contain and stop the attack. This may involve shutting down servers or blocking access to the services being compromised.
To limit the damage, you may need to take disruptive and costly steps, such as removing infected computers and shutting down your website. Consider reformatting hacked computers and restoring data from clean backups.
Your backups will be critical in this step.
If hackers exploited a software flaw, apply a "patch" from the software maker that fixes the problem, or implement a recommended workaround or compensating controls. Secure your accounts by setting new, complex passwords that will be hard to crack.
Allocate several days to this activity; two to four weeks is not uncommon.
Step 3: Understand and investigate the attack
Find out how far the hacker gained access into your systems and networks and what was breached, stolen or damaged. Off-site logs, which an attacker on the compromised host cannot tamper with, give you the most reliable record. By using a LiveCD to investigate the hard drives of the affected systems, you can also gain an “untampered” insight into what has changed on the server.
Step 4: Report the attack
Depending upon the type of attack and what is at risk, you may need to report the attack to authorities. For example, money laundering, extortion or other forms of financial fraud must be reported immediately to your local police. You should also report the incident to AusCERT: https://www.auscert.org.au/15970
Depending on the nature of the attack, you might also want to report it to your ISP (e.g. for a DoS/DDoS attack).
Step 5: Determine the cause
Importantly, you need to pinpoint how the hacker initially accessed your system. Identifying the entry point is essential. Often hackers will break in and leave doors open in order to regain access. It is critical to find out if the hackers can still access your systems.
Step 6: Do you need to communicate the attack?
Consider how you want to communicate with affected employees, customers and partners about what happened, what you're doing about the problem and what they need to do. In some cases there is a legal requirement to do this. This may also be necessary to salvage your business.
Step 7: Remediation
Develop an action plan for increasing your IT security so you can identify and repel future attacks. Make sure your applications and operating systems are current, patched and receiving automatic updates to fix bugs. Risky web applications may warrant having a Web Application Firewall, such as PureWAF, in front of them to protect against web-based attacks.
Step 8: Proactive Security Protection
There is a real benefit and better ROI on IT security budgets if you develop a roadmap for monitoring, analysis and remediation. Once the attack has been addressed and managed, we recommend you move your focus from reactive issues and crisis management to proactive security protection. Early detection of attacks on your data greatly reduces the impact and cost of cybercrime on an organisation. Future prevention will come down to people, processes and technology all working together to keep you safe.
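Step 2 warns that volatile data (memory contents, live network connections) is lost when a server is shut down, and Step 3 relies on untampered evidence. The script below is an added example, not Pure Hacking's own tooling: it snapshots the volatile state of a suspected-compromised Linux/Unix host into a timestamped evidence directory before containment, then records and verifies a SHA-256 manifest so the collection can later be shown to be unaltered. It assumes POSIX sh; ss, netstat, lsof and ps are used when present and noted as missing otherwise.

```shell
#!/bin/sh
# Run one collector and save its output; a missing command is recorded, not fatal.
# Usage: collect <outdir> <label> <command> [args...]
collect() {
    outdir="$1"; name="$2"; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$outdir/$name.txt" 2>&1 || true
    else
        echo "command not available: $1" > "$outdir/$name.txt"
    fi
}

# Snapshot volatile state into a new directory under $1 and print its path.
# Run this BEFORE shutting the host down or pulling its network cable.
collect_volatile() {
    host=$(hostname 2>/dev/null || echo host)
    outdir="$1/volatile-$host-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$outdir"
    date -u > "$outdir/collected_at.txt"
    collect "$outdir" uname     uname -a
    collect "$outdir" uptime    uptime
    collect "$outdir" logons    who
    collect "$outdir" processes ps -ef
    collect "$outdir" netconns  ss -tanp      # established TCP sessions (Linux)
    collect "$outdir" listeners ss -lntup     # listening sockets and owning processes
    collect "$outdir" routes    netstat -rn
    collect "$outdir" openfiles lsof -nP
    collect "$outdir" mounts    mount
    collect "$outdir" env       env           # may contain credentials: treat as sensitive
    echo "$outdir"
}

# Pick a SHA-256 tool that exists on this host (GNU coreutils or Perl shasum).
hasher() {
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi
}

# Write MANIFEST.sha256 covering every collected file; returns 0 on success.
write_manifest() {
    ( cd "$1" && ls *.txt | xargs $(hasher) ) > "$1/MANIFEST.sha256"
}

# Re-check the manifest; returns non-zero if any collected file has changed.
verify_manifest() {
    ( cd "$1" && $(hasher) -c MANIFEST.sha256 ) >/dev/null 2>&1
}
```

Copy the evidence directory off the host (for example to write-once or off-site storage) immediately after `write_manifest`, and keep the manifest with it.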
Pure Hacking can assist you at every step. Contact us now.
Australian Federal Police http://www.police.act.gov.au/
Department of Defence (Intelligence and Security) http://www.dsd.gov.au/infosec/reportincident.htm