Remember the good ol’ days when most of our time and energy went into preventing a hack? How times change. Now we’re dedicating a substantial amount of time to eradication and restoration. For those of you who haven’t yet found yourselves racing to recover from a breach, this article is for you. I’m Jovianna Gonzalez, CEO at Digital Forensics Now, and I’d like to share what it really looks like when you get hacked.
I typically work with clients who have been targeted by cybercriminals. And the two incidents that rise to the top of the list in severity are Business Email Compromise and Ransomware Attacks.
Business Email Compromise appears in many forms, ranging from simple to elaborate. A simple but successful scenario is for an employee to receive an email which appears to be sent from their Chief Financial Officer. The employee is directed to pay an invoice to an updated bank account. Here, the CFO’s account is actually compromised and controlled by a criminal.
With Ransomware, we find criminals not only hold information hostage until after payment is made, but also threaten to publish sensitive data online if the victim doesn’t pay.
Although law enforcement works diligently to disrupt cybercriminal activity, attacks from threat actors continue. When one criminal group is caught, another is quick to fill the void and resume operations. Based on my experience, these cybercriminals are masters of adaptation. They’re well-versed in applying advanced technology. They’re also well-versed in using social engineering tactics. By social engineering, I mean tricking employees into aiding them in carrying out the attack.
But what should you do when you get hacked? Remember, prevention only goes so far.
Don’t touch that power button!
Even if you’ve invested in the latest security tools, a security team and a dedicated security operations centre, your teams and tools must still unerringly sift through all the noise in your network, at your perimeter and on your machines. So, when you realise you’ve been breached, it’s likely you’ve already been breached for at least a few hours, if not days. It might be tempting to shut everything down because you may think that stops the malicious activity, but I recommend you resist that temptation. Powering down your system or deleting malicious files could destroy evidence that would be beneficial to a forensic investigation. The best course of action is to disconnect any internet connections on your system and in your environment…ASAP!
Grab a journal!
As soon as you realise your system has been breached, take notes to ensure every action taken is recorded. Document information such as who has altered or interacted with the system and when. These notes could become a valuable resource for post-breach analysis and may help your organisation’s case in the event of any legal action. Also consider that insider threats are sometimes the cause of a breach, so keep this journal close to those you trust.
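One way to keep that journal defensible, as an added example that is not part of the original article: each “who, where, what, when” entry is chained to the previous one with a SHA-256 hash, so a later edit, deletion or reordering is detectable when the journal is handed to investigators or counsel. The operator and host names used below are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Hash-chained incident journal (added example). Each record commits to the
# previous record's hash, so any later change to an earlier entry breaks the
# chain and is caught by verify_journal().
GENESIS = "0" * 64


def _entry_hash(entry: dict) -> str:
    """Canonical SHA-256 over an entry (sorted keys, no whitespace)."""
    blob = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def record_action(journal: list, operator: str, host: str, action: str,
                  when: Optional[datetime] = None) -> dict:
    """Append one 'who did what, where and when' entry to the journal."""
    when = when or datetime.now(timezone.utc)
    prev = journal[-1]["hash"] if journal else GENESIS
    entry = {
        "seq": len(journal),
        "utc": when.isoformat(timespec="seconds"),
        "operator": operator,
        "host": host,
        "action": action,
        "prev": prev,
    }
    entry["hash"] = _entry_hash(entry)   # hash covers everything but itself
    journal.append(entry)
    return entry


def verify_journal(journal: list) -> bool:
    """True only if every entry's hash and its link to the previous are intact."""
    prev = GENESIS
    for seq, entry in enumerate(journal):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != seq or entry["prev"] != prev:
            return False
        if _entry_hash(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def save_journal(journal: list, path: str) -> None:
    """Write the journal as JSON lines for hand-over to investigators."""
    with open(path, "w", encoding="utf-8") as fh:
        for entry in journal:
            fh.write(json.dumps(entry, sort_keys=True) + "\n")
```

Record the containment steps (for example, pulling the network uplink) as they happen; the verification pass is what lets a reviewer trust the order and content of the entries later.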
This was probably how you were breached…so change all those passwords now!
To start, change all passwords everywhere. I recommend forcing password changes and not leaving it up to individuals to take care of this. Service account, email, cloud and perhaps even personal account passwords should be changed, especially considering how often passwords are reused across multiple services. Start by changing your password manager password if one is in use.
Cyber insurance: Hey, that sounds familiar…do we have that?
Now is the time to reach out to your insurance provider. If you planned ahead, your provider might now be able to send in a rescue squad. Benefits under these policies may include legal services for advising you through the incident and handling any self-reporting obligations, computer forensics, eradication and restoration, and enrolment in credit monitoring services for those affected.
Call an expert and rebuild…and while we’re at it, let’s try to avoid this again!
When was the last time you reviewed your business continuity plan? It’s highly advisable for organisations to find a trusted cybersecurity partner before a breach occurs and to include this trusted advisor’s contact information in their plan. Time is of the essence, so three things must happen concurrently: ensure the criminal doesn’t maintain persistence in your environment, rebuild, and perform a computer forensic analysis.
Let’s discuss this with our team while keeping an open mind
I’ve been on more than one customer engagement and observed organisations blame, yell and make firing decisions during the meeting. As long as a computer remains powered on, it’s vulnerable to hardware compromise, software compromise, misconfigurations and general human error. Consider the multitude of known and unknown security issues, which means no system will ever be 100% secure, and also consider that you still need to maintain a positive organisational culture after the incident has been resolved.
Be transparent with your customers…really…this is quite important
From my perspective, the stigma of being breached has been reduced by the sheer volume of breaches reported in the news. True, there’s the potential for reputational damage by disclosing a sensitive data breach, but the consequences for not reporting could be far worse.
You can’t guarantee you won’t ever get hacked again, but you will lower the risk considerably by being diligent and keeping all security measures up to date. Don’t just assume it can’t happen to you; it can and will. Protect yourself and your customers.
By Jovianna Gonzalez, CEO at Digital Forensics Now