You Have Been Breached, Now What?

Posted by Martin Quinn in Security Blog

By Samantha Woollard (Internet Security Specialist) 20 February 2017

So you have identified that you are under attack, or have already been breached. What should you do now? First of all, breathe. Do not panic. Every organisation will face an incident sooner or later; what matters is how severe it is and how well you respond.

Identify what type of attack it is. Attacks take many forms: a DDoS attack, malware installed on a host, loss of control of a machine, someone connecting to a port that is not normally used, to name a few.

Identify where it is coming from. Is the threat coming from an inside host that has been compromised, or from an outside source?

Stop the attack. If a specific machine is slow, you notice phishing attempts in your email, programs you did not install have appeared, your anti-virus has stopped running, or anything else looks suspicious, report the problem to your security team (or equivalent) as soon as possible. From that point on, let them handle it.

Remember never to turn off a machine until the situation has been examined and any evidence has been gathered: powering it off erases volatile data (memory contents, running processes, open network connections) that an investigator needs. Instead, disconnect the affected machine from the network (unplug the cable, disable Wi-Fi) until the situation is dealt with; this removes the attacker's ability to access it remotely. Putting it into sleep mode also cuts remote access, but it halts the machine just as effectively, so capture volatile evidence first if you can. It is also worth looking for other compromised machines in the workplace, as it is common for more than one machine to be affected.

After gathering any evidence needed, back up all files and logs. Keep notes throughout: what happened, when, what you found and what actions you took. Reboot into safe mode, so that only the minimum set of programs runs, then run more than one anti-virus and anti-malware scanner to find and remove any malware, and restart the machine to complete the removal. If the machine is still not functioning properly, do not rely on a system restore point alone (it may not remove everything): wipe the machine, rebuild it from a known-good image and fully patch it before it goes back on the network.

Call your incident response team as soon as possible, whether in-house or an external company, to initiate the incident response plan you should already have in place. The first days can be tedious, depending on when the attack actually began: you may only notice it in June when the breach in fact happened the previous October. Log entries will need to be sifted through to find the source of the attack and the earliest point at which the attacker got in.
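Sifting the logs to find how far back an intrusion goes is the first pivot an incident response team will make. The following is an added example, not code from this post: given one indicator found during triage (here a hypothetical attacker IP from the 203.0.113.0/24 documentation range), it scans a constructed sshd-style auth log to find the earliest sighting, the resulting dwell time, and every account that IP successfully logged in as. The log lines, user names and timestamps are made up for illustration.

```python
"""Pivot on one indicator to find the real start of an intrusion.

Added example, not from the Intact Security post. The log lines below are
constructed to look like a syslog-style sshd auth log; the IP address, user
names and timestamps are invented.
"""
import re
from datetime import datetime

# Constructed sample log, deliberately out of order so the code has to sort.
SAMPLE_LOG = """\
2017-02-10T09:14:02 sshd[4412]: Accepted password for jsmith from 203.0.113.45 port 51022 ssh2
2016-10-03T02:17:51 sshd[1201]: Failed password for admin from 203.0.113.45 port 40111 ssh2
2016-10-03T02:18:03 sshd[1201]: Failed password for admin from 203.0.113.45 port 40112 ssh2
2016-10-03T02:18:20 sshd[1201]: Accepted password for admin from 203.0.113.45 port 40113 ssh2
2016-12-14T23:40:09 sshd[3390]: Accepted password for backup from 203.0.113.45 port 43321 ssh2
2017-01-22T11:02:44 sshd[3981]: Accepted password for jsmith from 198.51.100.7 port 55010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Turn raw lines into dicts, dropping anything that is not an auth event,
    and return them in chronological order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return sorted(events, key=lambda e: e["ts"])


def earliest_sighting(events, ip):
    """First event involving the indicator IP: the earliest known attacker activity.
    Returns None if the indicator never appears."""
    hits = [e for e in events if e["ip"] == ip]
    return hits[0] if hits else None


def dwell_time(events, ip, detected_at):
    """How long the attacker was present before anyone noticed."""
    first = earliest_sighting(events, ip)
    return detected_at - first["ts"] if first else None


def pivot_accounts(events, ip):
    """Every account the indicator IP successfully authenticated as; these all
    need their passwords reset and their own activity reviewed."""
    return sorted({e["user"] for e in events
                   if e["ip"] == ip and e["result"] == "Accepted"})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    ioc = "203.0.113.45"                 # hypothetical indicator from triage
    detected = evs[-1]["ts"]             # the login that was noticed in February
    print("first seen:", earliest_sighting(evs, ioc)["ts"])
    print("dwell time (days):", dwell_time(evs, ioc, detected).days)
    print("accounts used:", pivot_accounts(evs, ioc))
```

The point of the pivot is that the February login that raised the alarm is not the breach; the October failed-then-successful logins against `admin` are, and the `backup` account picked up in December would otherwise have been missed entirely.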

Once the source of the attack is found and you know how the attackers were able to infiltrate your network, steps can be constructed to fix the weakness and prevent it from happening again.

Revisit your security plan: make any changes that will stop that type of attack from happening again. If your security is not strong enough, add another layer and make sure it is implemented properly. It is also important to have an incident response plan in place before a breach happens, not after.

Other Tips

  • Change all work-related passwords, starting with administrative accounts and any account the attacker is known to have used.
  • Seek professional help (US! – The Intact Security Team)
  • Ensure your IDS and its signatures are up to date.
  • Ensure your OS and other software are patched regularly.

Relax. Your security is Intact.

Author: Intact Security



How To Tell If You Are Under Attack!

Posted by Martin Quinn in Security Blog

By Samantha Woollard (Internet Security Specialist) 13 February 2017

35% of all cyber attacks are never detected, and 54% of attacks go unnoticed for months, even years, leaving the attacker free to keep accessing your systems and stealing more information every day. Not sure if you have been breached? Don't know how to identify an attack within your systems? Below is a list of signs that may indicate your company is under attack.

  • There has been a sudden rise in your network traffic. It could be one of two things: your new blog post is extremely interesting, or you are under attack.
  • A surge of malformed packets has been sent through your network, and a large number have been caught by your firewall.
  • An increase in failed login attempts has been logged. An attacker may be trying to brute-force their way into your network or an application.
  • After monitoring your network for some time, day-to-day trends appear. If the patterns in your traffic have lately deviated from that baseline, investigate further.
  • Alerts have been raised by your Intrusion Detection System (IDS), but IT has not had the time to examine them all. Ensure that all high-priority alerts are handled first.
  • There has been unusual activity in accounts, including administrative ones: the time they authenticated, the actions that were carried out, or the information they were accessing or editing.
  • Nearly everything in System32 carries a Microsoft digital signature. A program running from System32 that is unsigned, or whose signature does not validate, is a strong indicator of malware and should be treated as such until verified. The reverse does not hold: a valid signature alone does not prove a file is benign.
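The traffic and login signs in the list above (a sudden rise in traffic, a spike in failed logins, a pattern that no longer matches the day-to-day trend) can be checked mechanically against a baseline rather than by eye. The following is an added example, not code from this post: it builds an hour-of-day baseline from constructed per-hour counters and flags hours whose value sits more than three standard deviations above it. The counters are synthetic; in practice they would be bytes through the firewall, or failed logins per hour, summarised from your own logs.

```python
"""Flag hours whose counter departs from the hour-of-day baseline.

Added example, not from the Intact Security post. Every number below is
constructed: one counter per hour per day (think bytes through the perimeter
firewall, or failed logins per hour) summarised from whatever logs you keep.
"""
from statistics import mean, pstdev

HOURS = 24


def constructed_baseline(days=14):
    """Synthetic history: quiet overnight, busy during office hours.

    A small deterministic jitter is added so the per-hour standard deviation
    is not zero; real data brings its own noise.
    """
    profile = [20 if h < 8 or h > 18 else 400 for h in range(HOURS)]
    return [[profile[h] + ((d * 7 + h * 3) % 11) for h in range(HOURS)]
            for d in range(days)]


def hourly_baseline(history):
    """Per hour-of-day (mean, population std-dev) across the history."""
    return [(mean(col), pstdev(col))
            for col in ([day[h] for day in history] for h in range(HOURS))]


def anomalous_hours(today, baseline, z_threshold=3.0, min_abs=10):
    """Hours where today's count is more than z_threshold std-devs above the
    baseline for that hour of day.

    min_abs stops tiny absolute changes being flagged when the baseline
    std-dev is close to zero: an overnight hour going from 2 to 8 is not an
    attack, but the z-score alone would flag it.
    """
    flagged = []
    for hour, count in enumerate(today):
        mu, sigma = baseline[hour]
        z = (count - mu) / max(sigma, 1e-9)
        if z > z_threshold and count - mu > min_abs:
            flagged.append((hour, count, round(z, 1)))
    return flagged


if __name__ == "__main__":
    history = constructed_baseline()
    stats = hourly_baseline(history)
    today = list(history[-1])
    today[3] = 600   # constructed 03:00 spike, e.g. data leaving overnight
    for hour, count, z in anomalous_hours(today, stats):
        print(f"{hour:02d}:00 count={count} z={z} (baseline {stats[hour][0]:.0f})")
```

Comparing each hour with the same hour on previous days, rather than with a single daily average, is what keeps the 09:00 rush from drowning out a 03:00 spike; the same code runs unchanged over a failed-login counter, where a spike at any hour is the brute-force sign described above.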

Other behaviour all employees should be aware of:

  • Your work machine has become extremely slow, even at the simplest tasks.
  • New programs that you did not install are now present.
  • Your anti-virus has stopped running. To avoid detection, an attacker may disable your anti-virus so they can continue undetected.
  • Fake emails from co-workers that contain attachments. These attachments could carry malicious software such as ransomware.
  • Things happening on your screen that are not under your control, e.g. the cursor moving on its own, landing precisely and performing actions.
  • Passwords for accounts have been changed.
  • Your web camera light comes on when you are not using it.

Even if your computer appears to be functioning normally, that does not mean you have not been breached. It is important to report any peculiar signs to your IT team.

In 2017, cyber attacks are becoming as common as breathing. There is no way to completely eliminate the risk of being hacked, but if you are smart about your security and vigilant about the pitfalls, you will greatly decrease your chance of being attacked. What do you do if you have been breached? Read next week's issue to find out.

Still not convinced that you will get breached? Fortinet tracks real-time threats across the world that are caught by their customers' FortiGate firewalls, and publishes them as a live global threat map.

Relax. Your security is Intact.

Author: Intact Security
