You've been hacked: What to do in the first five minutes

By Robert L. Bogue, TechRepublic
20 May 2003

There's nothing quite like the mix of fear and adrenaline you get when you realise your system has been hacked. Here's how to best use that rush of energy during the first five minutes.

Sitting at your desk, you notice some odd activity in a log while you're looking into a user problem. The more you step through it, the more you are convinced that something is just not right. Your heart skips a beat when you realise that the system has been hacked. At this point, you enter a stage of shock as you ask yourself, “How could this happen?” and “What do I do now?”
Although you'll find plenty of advice on how to keep your systems from being hacked, there are relatively few articles that will help you sort things out in the aftermath of an attack. So for the next three weeks, I'll present a series of articles that will explain what you should do in the first five minutes, in the first hour, and in the first week after you've discovered that an interloper has compromised your systems. This article will focus on the most immediate actions you must take to secure your system: evaluate, communicate, and disconnect.
Evaluate

The first question that you must answer after an attack (or preferably before) is what your objectives are. In most cases, the objectives are simple: prevent further intrusion and resolve the problem. However, in some cases, you will want to be able to positively identify the intruder and, in others, you will be focused on figuring out which vulnerability the hacker exploited.
Identify the intruder

It may be necessary to positively identify the intruder so that you can refer the matter to the FBI for further investigation and possible prosecution. Of course, this is not the most expedient way to get the systems back online and prevent further infection. Identifying intruders can be difficult, particularly if they have covered their tracks well. Despite Hollywood's portrayal of hackers easily being traced, someone who is routing traffic through several systems is not only difficult to find, but might be—in all practical terms—impossible to track down.
Identify the vulnerability

Another approach that some organisations take is to try to identify the specific vulnerability exploited. The thinking is that you want to patch the specific hole that allowed this intruder to gain access. By and large, this approaches the problem from a suboptimal perspective. A far better strategy is to attempt to identify all vulnerabilities and prevent any intruder from gaining access to your systems, rather than focusing on the one vulnerability this particular hacker exploited. Many of today's security assessment tools will allow you to quickly test and resolve all vulnerabilities.
Return systems to operation

If this is the first time you have been attacked, you may find it simpler to forgo trying to pinpoint the intruder or the specific vulnerability that was exploited. In general, it is unlikely that you will be able to easily generate the logs you might need to target the origin of the intrusion.

Patching the vulnerabilities and returning systems to operation as soon as possible is the most straightforward approach. It reduces your risk and allows you to fortify your defenses without worrying about the intruder continuing to take advantage of your systems.
Plan ahead

In many cases, organisations determine their course of action prior to an attack. But in an equal number of cases, organisations must make this their first order of business after an attack. In addition to determining your specific goals after an attack, you should consider executing a disaster recovery plan, if one exists for your organisation. Depending on the severity of the situation, it may make sense to treat the situation as if the data center had been destroyed.

The one unique complication to activating a disaster recovery plan for an organisation is that it is typically centered on a known event with a known time. But with an intrusion into your network, you may not know exactly when the system was first compromised. This can complicate the recovery process because it may not be clear what set of backups should be restored for each system. Further complicating matters is the fact that some systems may have been compromised before others, so it may be necessary to repeat the restoration process several times while trying to determine when the first intrusion occurred and on which system.
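The backup-selection problem just described can be made concrete. The script below is an added example, not part of the original article: given the earliest suspicious timestamp found on each system and a backup catalogue (both constructed sample data), it picks, for every system, the newest backup that predates the earliest known compromise anywhere in the environment, and shows how the plan shifts when later review turns up earlier evidence. Using the environment-wide minimum (rather than each system's own) and the safety margin are assumptions made here, chosen because a snapshot taken after the first intrusion elsewhere may already carry attacker artifacts.

```python
from datetime import datetime, timedelta

# Constructed sample evidence: earliest suspicious log entry per system.
# None means nothing found yet, which is not the same as "clean".
FIRST_SUSPICIOUS = {
    "web01": datetime(2003, 5, 12, 3, 40),
    "db01": datetime(2003, 5, 15, 22, 5),
    "file01": None,
}

# Constructed backup catalogue: system -> snapshot times (any order).
BACKUPS = {
    "web01": [datetime(2003, 5, 14, 1), datetime(2003, 5, 6, 1),
              datetime(2003, 5, 10, 1), datetime(2003, 5, 12, 1)],
    "db01": [datetime(2003, 5, 7, 1), datetime(2003, 5, 9, 1),
             datetime(2003, 5, 13, 1)],
    "file01": [datetime(2003, 5, 11, 12), datetime(2003, 5, 14, 12)],
}


def choose_restore_points(first_suspicious, backups, margin=timedelta(days=1)):
    """Return (cutoff, plan). cutoff = earliest known compromise across all
    systems minus a safety margin; plan maps each system to the newest
    backup older than cutoff, or None if no such backup exists (rebuild)."""
    known = [t for t in first_suspicious.values() if t is not None]
    if not known:
        raise ValueError("no compromise time known; cannot pick a cutoff")
    cutoff = min(known) - margin
    plan = {}
    for system, snapshots in backups.items():
        older = [s for s in sorted(snapshots) if s < cutoff]
        plan[system] = older[-1] if older else None
    return cutoff, plan


def record_evidence(first_suspicious, system, when):
    """Return an updated copy; only an earlier time than the one already
    recorded for that system moves the cutoff, so re-running the plan is
    safe after each new finding."""
    updated = dict(first_suspicious)
    current = updated.get(system)
    if current is None or when < current:
        updated[system] = when
    return updated


if __name__ == "__main__":
    cutoff, plan = choose_restore_points(FIRST_SUSPICIOUS, BACKUPS)
    print("round 1 cutoff", cutoff, plan)
    revised = record_evidence(FIRST_SUSPICIOUS, "web01", datetime(2003, 5, 9, 20))
    print("round 2 cutoff", *choose_restore_points(revised, BACKUPS))
```

A system that comes back as None has no backup older than the cutoff, which is the case where the plan must fall back to rebuilding it as if the data center had been lost.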