Sponsored by Keepnet Labs

Are you under cyberattack ? 8 Free Steps to check

Are you under cyberattack ? 8 Steps to check

Dear Blog readers,

In the last few months I started to receive more and more questions such as: “We are Hacked , please help” . As I have experienced this as a professional many many times and helped many customers during my career I decided to write this short blog post to help you start from somewhere.

Even though this “ We are powned” question could have many different answers depending on the scenario , they are some key things which you can do regardless of the details.

Below is a short list of TO DO if you experience an attack in your network / computer.

Please note, this blog post is not technical, if you want some technical information you can watch my prerecorded sessions, training classes , to make your life easier I am including the links on the appendix section of this post as well

1.Don’t Panic

Yes, this is easy to write and recommend but hard to do, keep in mind panicking won’t help you at al. So what should you do next?

2. Implement the incidence response plan (if you have it)

If you have a Computer Incidence Response Team, get them on the phone and let them know what you think has happened. If you have a vendor contract such as Microsoft Premier ,log the event and notify them ASAP. Inform also the management. If you not have any of those, make sure you know what you are doing, if not call for a professional help.

3. Check the “infected system” and verify if there is a compromised system

Make sure to scan the system and mitigate the below possible issues

  • Patch the Operating System, any application which is running on the systems
  • Scan with an Offline Anti-Virus (Av)
  • Cross check the scan with a Microsoft
  • Restrict domain administrator accounts and other privileged accounts from authenticating to lower trust servers and workstations

If the system is infected, make sure to ISOLATE the System to contain the damage.

Make sure also to check “lateral movement/s” where attackers might have accessed your other systems in the network. This can help you to understand what happened, which data was compromised and how.

4. Check your Logs (Security, Network & system)

A good place to start to be able to see what happened in your network, server or client is usually checking the security logs of your Firewall’s, AV’s and System Security logs. They should give you a good indication on what is happening. This logs can be also used as evidence

  • Revisit the list of ports requirement for each software and deviate from Standard ports wherever possible.
  • Implement Auditing of Domain Admin/local Admin Accounts via any SIEM or event forwarding

5.Reset your Passwords

Immediately change the passwords of the any key accounts including Service accounts

Make sure the passwords are not a reused one and they meet the password complexity.

 

6.Build a Tactical Recovery Plan

Prioritize the order in which you’ll clean and then restore them to their previous states—starting with business-critical systems. Replace the current, compromised data, configurations, and applications with the most recent clean backup. As we recommended in previous step make sure to change the passwords for all affected systems, users, and applications, including the root password/s.

 

7. Check the “infected system”

Make sure to scan the system and mitigate the below possible issues

  • Patch the Operating System
  • Scan with an Offline Anti Virus (Av)
  • Cross check the scan with a different AV
  • If the system is infected, make sure to ISOLATE it
  • Implement Sysmon (free Sysinternal utility) to analyze if there is some malicious activity over the critical servers

Cleaning the compromised system :

https://technet.microsoft.com/en-us/library/cc512587.aspx

https://technet.microsoft.com/en-us/library/cc512595.aspx

 

8.Revise your security policies and strategy

 

How to verify if the PC is hacked?

  • Any unauthorized program is installed
  • Suspicious DDLs, registry keys, network activities, spam e-mails
  • Disabled AV
  • Unable to connect to Security Vendor web sites
  • Slow performance
  • Internet browser acting wired

Are you under cyberattack

Learn about Forensic Investigation :

https://www.erdalozkaya.com/forensic-investigation-from-real-life/

Links consider to read

https://technet.microsoft.com/library/cc716274.aspx

 

Cyber incident response by Erdal

Related Incident Response Book

Anyone can be hacked. It is just a matter of time. Even the right technology, e.g. the best firewall or anti-virus application, can fall short of protecting your system against cyber-attacks since cybercriminals are always in search of finding new methods and ways to infiltrate into systems. Responding to an incident quickly will help an organization to minimise its losses, decrease vulnerabilities, rebuild services and processes. Therefore, at this very moment, it is significant to know the best practices to respond to a successful cyber attack.

Organization’s should have skilled employees and sophisticated tools to identify the threats or to respond and eliminate them. Without knowing the best practices of an incident response process, the organization will be an easy target for cybercriminals and be vulnerable to a cyber attack.

This book will be a guideline for organizations on how to address and manage the aftermath of a cyber attack, and how to control the cybersecurity breach in a way that decreases damage, recovery time and costs.

TARGET AUDIENCE

The book targets programmers, system administrators and all levels of users who deal with security of an organisation (IT, SOC, CSIRT or other teams). Our book will help them to identify a security incident, to build a series of best practices to stop an attack before it creates serious consequences.

WHAT YOU WILL LEARN?

  1. What is an Incident Response and Why it is important
  2. How to organize an incident response (IR) team
  3. Best practices for managing attack situations with your IR team
  4. Learn how to form, organize, and operate a product security team to deal with product vulnerabilities and assess their severity
  5. How to organize all the entities involved in product security response
  6. Responding to a security vulnerability based on Keepnet Labs processes and practices
  7. How to adapt all the above learnings for the cloud

The book is planned to have 17 chapters

1. The Cybersecurity landscape and why Incident Response matters
2. Incident Response – Evolution and Current challenges
3. How to organize an Incident Response Team
4. Understanding the IR lifecycle with a Phishing Incident scenario
5. Key Metrics for a Phishing Incident Response
6. Incident Alerting and Reporting
7. Incident Handling
8. Incident Investigation
9. Incident Response – Containment and Eradication
10. Incident Recovery and Reporting
11. Real World Case Studies
12. Incident Response in the Cloud – Challenges and Opportunities
13. Handling a Phishing Incident in the Cloud
14. Building a Proactive Incident Readiness Culture
16. Incident Response Best Practices
17.Bonus : Ask the Expert Opinion

 

Share this post

Leave a Reply

Your email address will not be published. Required fields are marked *