By Samantha Woollard (Internet Security Specialist) 20 February 2017
So you have identified that you are under attack or have already been breached. What should you do now? First of all, breathe. Do not panic. There is a chance it will happen to everyone; it is how severe the attack is that will come into play.
Identify what type of attack it is. There are various types of attacks; such as DDoS attack, malware has been installed, you do not have control of your machine; someone is accessing a port that is not normally accessed, to list a few.
Identify where it is coming from. Is the threat coming from an inside host that has been compromised or from an outside source.
Stop the attack. If a specific machine is slow, you notice phishing attempts within your emails, random programs have been installed, your anti-virus has stopped running or anything else suspicious, report the problem to your security team or equivalent as soon as possible. Henceforth, let them handle everything.
Remember to never turn off any machine until the scenario has been checked out and any evidence existing is gathered, as turning it off may erase some important information needed. Remove the affected machine from the network until the situation is dealt with. You can also place it in sleep mode. This will remove the attacker’s ability to remotely access your machine. It may be worthwhile to look for other compromised machines within the work place as it may be the case that more than one machine has been attacked.
After gathering any evidence needed, back up all files and logs. Remember to take notes about what has happened throughout the day, what you found and the actions you took. Run a couple of anti-virus and anti-malware software to find and remove any malware that may be causing the problem and restart the machine to fully remove the malware. Reboot in safe mode, so that only the minimum amount of programs needed are ran. If the machine is still not functioning properly, do a complete system restore and update the computer.
Call your incident response team as soon as possible, either in-house or external company to initiate the incident response plan you should have in place. The first seven days could be tedious, depending on when the attack happened. You may only notice it in June but in fact the breach could have been in October. Log entries will need to be filtered through to find the source of the attack.
After the source of the attack is found and how the attackers were able to infiltrate into your network is uncovered, steps can then be constructed in order to fix and prevent this from happening again.
Revisit your security plan: Make any changes to your plan that will stop that type of attack from happening again. If your security is not strong enough, add another layer of security and make sure it is implemented properly. It is important to have an incident response plan in place for reacting to a breach within the company.
Other Tips
- Change all work related passwords.
- Seek professional help (US! – The Intact Security Team)
- Ensure your IDS is up to date.
- Ensure your OS and other software used is patched regularly.
Relax. Your security is Intact.
Author: Intact Security
