Have you been Hacked?

Erdal, 2021-10-02

Dear Blog readers,

In the last few months I started to receive more and more questions such as: “We are hacked, please help”. As I have experienced this as a professional many, many times and helped many customers during my career, I decided to write this short blog post to help you start from somewhere.

Even though this “we are pwned” question can have many different answers depending on the scenario, there are some key things you can do regardless of the details.

Below is a short to-do list for when you experience an attack on your network or computer.

Please note that this blog post is not technical. If you want technical information you can watch my prerecorded sessions and training classes; to make your life easier I am including the links in the appendix section of this post as well.

 

1)      Don’t Panic

Yes, this is easy to write and recommend but hard to do. Keep in mind that panicking won’t help you at all. So what should you do next?

2)      Implement the incident response plan (if you have one)

If you have a Computer Incident Response Team, get them on the phone and tell them what you think has happened. If you have a vendor contract such as Microsoft Premier, log the event and notify them as soon as possible. Inform management as well. If you have none of those, make sure you know what you are doing; if not, call for professional help.

Microsoft Enterprise Cybersecurity Group also offers a service called “Persistent Adversary Detection Service” (PADS) (http://download.microsoft.com/download/5/0/8/50856745-C5AE-451A-80DC-47A920B9D545/AFCEA_PADS_Datasheet.pdf), which may help you proactively.

3)      Check the “infected system” and verify whether it really is compromised

Make sure to scan the system and mitigate the possible issues below:

–          Patch the operating system and every application running on the system

–          Scan with an offline anti-virus (AV) boot medium, so that malware running inside the installed OS cannot hide from the scanner

–          Cross-check the result with a second AV engine from a different vendor

–          Restrict domain administrator accounts and other privileged accounts from authenticating to lower-trust servers and workstations

If the system is infected, make sure to ISOLATE it from the network to contain the damage, but do not power it off before volatile evidence (memory, network connections, running processes) has been captured.

Also check for lateral movement: attackers may have used the infected system to reach other systems in your network. Doing so helps you understand what happened, which data was compromised and how.

Pass-the-Hash is a common lateral-movement technique. Make sure you read Microsoft’s whitepaper to learn how you can mitigate it (http://www.microsoft.com/en-us/download/details.aspx?id=36036).

4)      Check your logs (security, network and system)

A good place to start, to see what happened in your network, on a server or on a client, is usually the security logs of your firewalls and AV together with the Windows Security event logs. They should give you a good indication of what is happening. These logs can also be used as evidence, so export and preserve copies before they roll over or the attacker clears them.

–          Revisit the list of ports each application requires and deviate from the standard ports wherever possible (this only hides services from casual scanning; it is no substitute for patching and access control)

–          Implement auditing of Domain Admin and local Admin account activity via a SIEM or Windows Event Forwarding, so that the logs live somewhere the attacker cannot reach
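Steps 3 and 4 in code, as an added example that is not part of the original post: the script below builds the list of privileged accounts from Active Directory and then searches the Windows Security log of the named hosts for successful logons (event 4624) and explicit-credential use (event 4648) by those accounts, which is where lateral movement and Pass-the-Hash leave their trace. Assumptions not in the post: the RSAT ActiveDirectory module is installed, logon auditing is enabled, remote event log access is allowed through the firewall, and the host names WS01 and WS02 are constructed placeholders.

```powershell
# Added example for steps 3 and 4 (not from the original post).
# Assumptions: RSAT ActiveDirectory module present; Security log auditing of logon
# events enabled; remote event log (RPC) access to the listed hosts allowed.
Import-Module ActiveDirectory

function Get-PrivilegedAccount {
    # Users (nested membership resolved) in the built-in high-privilege groups.
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    $members = foreach ($g in $groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty SamAccountName
    }
    $members | Sort-Object -Unique
}

function Find-PrivilegedLogon {
    param(
        [string[]]$ComputerName,
        [string[]]$PrivilegedAccounts,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    # 4624 = successful logon, 4648 = logon with explicit credentials (runas, net use,
    # PsExec -u). LogonType 3 with the NTLM package and no matching Kerberos activity
    # is the shape a pass-the-hash logon takes.
    $filter   = @{ LogName = 'Security'; Id = 4624, 4648; StartTime = $Since }
    $typeName = @{ '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'
                   '7' = 'Unlock'; '8' = 'NetworkCleartext'; '9' = 'NewCredentials'
                   '10' = 'RemoteInteractive'; '11' = 'CachedInteractive' }
    foreach ($c in $ComputerName) {
        Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a name/value table.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $target = $d['TargetUserName']
            if ($PrivilegedAccounts -notcontains $target) { return }   # skip non-privileged logons
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Host        = $c
                EventId     = $_.Id
                Account     = $target
                LogonType   = if ($_.Id -eq 4624) { $typeName[$d['LogonType']] } else { 'ExplicitCreds' }
                AuthPackage = $d['AuthenticationPackageName']
                SourceIp    = $d['IpAddress']
                SourceHost  = if ($_.Id -eq 4624) { $d['WorkstationName'] } else { $d['TargetServerName'] }
                ActingUser  = $d['SubjectUserName']
            }
        }
    }
}

# Usage: WS01 and WS02 are constructed host names, replace them with your lower-tier hosts.
$priv = Get-PrivilegedAccount
$hits = Find-PrivilegedLogon -ComputerName 'WS01', 'WS02' -PrivilegedAccounts $priv
$hits | Sort-Object Time | Format-Table -AutoSize
```

Any Domain Admin logon of type Network or RemoteInteractive to a workstation is both a tiering violation and a lateral-movement lead; follow the SourceIp back to the host the attacker came from. The restriction from step 3 is enforced in Group Policy on the lower tier with the “Deny log on locally”, “Deny log on through Remote Desktop Services”, “Deny log on as a batch job” and “Deny log on as a service” user rights assigned to the privileged groups.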

5)      Reset your passwords

Immediately change the passwords of all key accounts, including service accounts.

Make sure the new passwords are not reused ones and that they meet the password complexity policy.

–          Local passwords

–          Admin passwords (https://technet.microsoft.com/en-us/library/ff629480.aspx)

–          Service account passwords (https://technet.microsoft.com/en-us/library/dd391923(v=ws.10).aspx)

–          VIP account passwords

–          Resetting Windows passwords (https://support.microsoft.com/en-us/kb/216393)

–          Kerberos and Self-Service Password Reset (https://technet.microsoft.com/en-us/library/jj134304(v=ws.10).aspx)

–          Ensure people who hold administrative privileges forest-wide or domain-wide use separate accounts for administration and for everyday work

–          Ensure the passwords are unique and not reused
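The reset from step 5 with the verification a practitioner wants, as an added example that is not part of the original post: every member of the privileged groups and every account carrying a servicePrincipalName (the service accounts) gets a fresh, unique, cryptographically random password, and the script then re-reads PasswordLastSet to confirm each reset actually landed after the assumed incident start. Assumptions not in the post: the RSAT ActiveDirectory module is installed, the caller may reset passwords, and the incident start date in the usage line is a placeholder.

```powershell
# Added example for step 5 (not from the original post).
# Assumptions: RSAT ActiveDirectory module present; run as an account allowed to reset
# passwords; $IncidentStart is the date the compromise is believed to have begun.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 24)
    # 68-character pool without look-alikes (I, O, l, 0, 1). Bytes >= 204 are rejected so
    # that "byte % 68" is uniform (204 = 3 * 68) rather than slightly biased.
    $pool = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $chars = New-Object System.Collections.Generic.List[char]
        $b = New-Object byte[] 1
        while ($chars.Count -lt $Length) {
            $rng.GetBytes($b)
            if ($b[0] -lt 204) { $chars.Add($pool[$b[0] % $pool.Length]) }
        }
        $pw = -join $chars
        # Retry until every character class is present so the domain complexity policy accepts it.
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '[0-9]' -and $pw -match '[^A-Za-z0-9]')
    $pw
}

function Get-AccountsToReset {
    # Privileged humans (nested membership resolved) plus every account with an SPN,
    # i.e. the service accounts whose hashes an attacker can request tickets for.
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    $names = @(foreach ($g in $groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty SamAccountName
    })
    $names += @(Get-ADUser -LDAPFilter '(servicePrincipalName=*)' | Select-Object -ExpandProperty SamAccountName)
    # krbtgt also carries an SPN; it needs its own double reset with replication in between,
    # so it is deliberately left out of this loop.
    $names | Where-Object { $_ -ne 'krbtgt' } | Sort-Object -Unique | ForEach-Object {
        Get-ADUser -Identity $_ -Properties PasswordLastSet, servicePrincipalName
    }
}

function Reset-AndVerify {
    param([Parameter(Mandatory)][datetime]$IncidentStart)
    foreach ($u in Get-AccountsToReset) {
        $isService = [bool]$u.servicePrincipalName
        $new = New-RandomPassword
        try {
            Set-ADAccountPassword -Identity $u -Reset -ErrorAction Stop `
                -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force)
            # Humans pick their own next password; a service account cannot, so its new value
            # has to be updated wherever the service is configured to run.
            if (-not $isService) { Set-ADUser -Identity $u -ChangePasswordAtLogon $true }
            $status = 'reset'
        } catch {
            $status = "failed: $($_.Exception.Message)"
            $new = $null
        }
        $after = (Get-ADUser -Identity $u -Properties PasswordLastSet).PasswordLastSet
        [pscustomobject]@{
            Account          = $u.SamAccountName
            IsServiceAccount = $isService
            Status           = $status
            # The check step 5 needs: a "reset" whose PasswordLastSet still predates the incident is a miss.
            VerifiedNewer    = ($after -gt $IncidentStart)
            # Hand service-account values to the service owner or a vault, never to a log file.
            NewPassword      = if ($isService -and $new) { ConvertTo-SecureString $new -AsPlainText -Force } else { $null }
        }
    }
}

# Usage: the incident start date is an assumed placeholder.
$report = Reset-AndVerify -IncidentStart (Get-Date '2021-09-15')
$report | Format-Table Account, IsServiceAccount, Status, VerifiedNewer -AutoSize
$report | Where-Object { -not $_.VerifiedNewer }   # accounts that still need attention
```

If domain controllers are in scope of the compromise, the krbtgt account must be reset as well, twice, waiting for replication between the two resets, or the attacker keeps the ability to forge Kerberos tickets no matter how many user passwords change.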

       

6)      Build a tactical recovery plan

Prioritize the order in which you’ll clean systems and restore them to their previous state, starting with business-critical systems. Replace the compromised data, configurations and applications with the most recent clean backup, and verify that the backup itself predates the intrusion; otherwise you restore the attacker along with the data. As recommended in the previous step, change the passwords for all affected systems, users and applications, including root passwords.

7)      Check the “infected system” again

Before a cleaned or restored system goes back into service, scan it again and mitigate the possible issues below:

–          Patch the operating system

–          Scan with an offline anti-virus (AV)

–          Cross-check the scan with a different AV

–          If the system is still infected, make sure to ISOLATE it

–          Implement Sysmon (a free Sysinternals utility) on critical servers so that process creations, network connections and image loads are logged and you can analyze whether malicious activity continues

Cleaning the compromised system:

https://technet.microsoft.com/en-us/library/cc512587.aspx

https://technet.microsoft.com/en-us/library/cc512595.aspx
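The Sysmon item from step 7 carried through, as an added example that is not part of the original post: the script writes a minimal incident-response configuration, installs or updates Sysmon with it, and then queries the Sysmon log for three patterns worth chasing on a server that is about to go back into service: shells spawned by Office or script hosts, network connections from images in user-writable paths, and unsigned DLL loads. Assumptions not in the post: Sysmon64.exe has already been downloaded from Sysinternals to C:\Tools (the path is a placeholder), the script runs elevated, and the 24-hour look-back is an arbitrary choice.

```powershell
# Added example for step 7 (not from the original post).
# Assumptions: Sysmon64.exe from Sysinternals copied to C:\Tools (path assumed); script
# runs elevated; 24-hour look-back is arbitrary.
$SysmonExe  = 'C:\Tools\Sysmon64.exe'
$ConfigPath = Join-Path $env:ProgramData 'sysmon-ir.xml'

# Minimal IR config: hash every process image (SHA256 + import hash), record all process
# creations, network connections only for images in user-writable paths, and loads of
# unsigned DLLs (the "suspicious DLLs" of step 8). An empty exclude rule means "log all".
@'
<Sysmon schemaversion="4.50">
  <HashAlgorithms>sha256,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="exclude" />
    <NetworkConnect onmatch="include">
      <Image condition="contains">\Users\</Image>
      <Image condition="contains">\ProgramData\</Image>
      <Image condition="contains">\Windows\Temp\</Image>
    </NetworkConnect>
    <ImageLoad onmatch="include">
      <Signed condition="is">false</Signed>
    </ImageLoad>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $ConfigPath -Encoding UTF8

function Install-OrUpdateSysmon {
    if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
        & $SysmonExe -c $ConfigPath             # push the new config to the running driver
    } else {
        & $SysmonExe -accepteula -i $ConfigPath # first install
    }
}

function Get-SysmonEventData {
    param([int[]]$Id, [datetime]$Since)
    # One object per event with every EventData <Data Name="..."> field as a property.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = $Id; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = [ordered]@{ Time = $_.TimeCreated; EventId = $_.Id }
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]$d
    }
}

function Find-SuspiciousActivity {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    # Event 1: an Office application or script host spawning a shell is a classic initial-access chain.
    $officeParents = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE', 'mshta.exe', 'wscript.exe'
    $shells        = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe'
    $childShells = Get-SysmonEventData -Id 1 -Since $Since | Where-Object {
        ($officeParents -contains (Split-Path $_.ParentImage -Leaf)) -and
        ($shells -contains (Split-Path $_.Image -Leaf))
    } | Select-Object Time, User, ParentImage, Image, CommandLine, Hashes

    # Event 3: outbound connections by images in user-writable paths, grouped by destination.
    $userPathNet = Get-SysmonEventData -Id 3 -Since $Since |
        Where-Object { $_.Initiated -eq 'true' } |
        Group-Object Image, DestinationIp, DestinationPort |
        Sort-Object Count -Descending |
        Select-Object Count, Name

    # Event 7: the config only records unsigned image loads, so every hit is worth a look.
    $unsignedDlls = Get-SysmonEventData -Id 7 -Since $Since |
        Select-Object Time, Image, ImageLoaded, Hashes -Unique

    [pscustomobject]@{ ShellFromOffice = $childShells; UserPathNetwork = $userPathNet; UnsignedDlls = $unsignedDlls }
}

Install-OrUpdateSysmon
$findings = Find-SuspiciousActivity
$findings.ShellFromOffice | Format-Table -AutoSize
$findings.UserPathNetwork | Format-Table -AutoSize
$findings.UnsignedDlls    | Format-Table -AutoSize
```

Forward the Sysmon channel to the SIEM or Windows Event Forwarding collector from step 4 as well; a local log on a host the attacker already owns is only as trustworthy as that host.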

8)      Revise your security policies and strategy

Once the incident is contained, feed what you learned back into your policies and strategy so that the path the attacker used is closed.

How to verify if the PC is hacked?

–          An unauthorized program is installed

–          Suspicious DLLs, registry keys, network activity or outgoing spam e-mails

–          Disabled AV

–          Unable to connect to security vendor web sites

–          Slow performance

–          Internet browser acting weird
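The checklist above turned into a quick host-triage script, as an added example that is not part of the original post: it checks whether Defender is enabled and current, whether security vendor sites are reachable and the hosts file has been tampered with, what is registered in the Run and RunOnce autostart keys, which installed programs come from an unapproved publisher, and which established outbound connections belong to unsigned processes. Assumptions not in the post: Windows 8 / Server 2012 or later with Microsoft Defender; the vendor hostnames and the approved-publisher list are constructed placeholders.

```powershell
# Added example for the "how to verify if the PC is hacked" list (not from the original post).
# Assumptions: Windows 8 / Server 2012+ (Get-NetTCPConnection, Test-NetConnection); Microsoft
# Defender present; vendor hostnames and the approved-publisher list are constructed.
function Get-HostTriage {
    param(
        [string[]]$VendorHosts        = @('www.microsoft.com', 'www.virustotal.com'),  # assumed vendor endpoints
        [string[]]$ApprovedPublishers = @('Microsoft Corporation')                      # constructed allow-list
    )
    $r = [ordered]@{}

    # Disabled AV: is Defender on, is real-time protection on, and how old are the signatures?
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $r.AntivirusEnabled   = if ($mp) { $mp.AntivirusEnabled } else { 'unknown (Defender module missing)' }
    $r.RealTimeProtection = if ($mp) { $mp.RealTimeProtectionEnabled }
    $r.SignatureAgeDays   = if ($mp) { (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated).Days }

    # Unable to reach vendor sites: test TCP/443 and look for hosts-file hijacks.
    $r.VendorReachable = foreach ($h in $VendorHosts) {
        [pscustomobject]@{
            Host   = $h
            Tcp443 = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
    $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $r.HostsFileEntries = Get-Content $hostsFile -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\b' }

    # Suspicious registry keys: the classic Run / RunOnce autostart locations.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $r.Autoruns = foreach ($k in $runKeys) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($p) {
            $p.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } |
                ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
        }
    }

    # Unauthorized programs: installed software whose publisher is not on the allow-list.
    $uninstall = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $r.UnapprovedSoftware = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and ($_.Publisher -notin $ApprovedPublishers) } |
        Select-Object DisplayName, Publisher, InstallDate

    # Suspicious network activity: established connections to non-private addresses, mapped
    # to the owning process and whether its image carries a valid Authenticode signature.
    $r.OutboundConnections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $sig  = if ($proc -and $proc.Path) { (Get-AuthenticodeSignature -FilePath $proc.Path).Status } else { 'unknown' }
            [pscustomobject]@{
                Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
                Process   = $proc.ProcessName
                Path      = $proc.Path
                Signature = $sig
            }
        }

    [pscustomobject]$r
}

$triage = Get-HostTriage
$triage | Format-List
# Unsigned or unknown processes talking to the Internet are the first thing to pull apart.
$triage.OutboundConnections | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Run it from a clean admin session, not from the user’s desktop, and save the output alongside the logs from step 4; a negative result here does not prove the host is clean, it only means none of these particular signs are present.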

 

Free Vulnerability Scan / Patch Management

https://www.qualys.com/forms/freescan/

https://www.acunetix.com/free-network-security-scanner/

http://www.openvas.org

https://www.flexerasoftware.com/enterprise/products/software-vulnerability-management/personal-software-inspector/

http://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard

https://www.tenable.com/products/nessus-vulnerability-scanner

 

Free Security Analyzers

Microsoft Baseline Security Analyzer

http://technet.microsoft.com/en-gb/security/cc184923

Attack Surface Analyzer

https://blogs.microsoft.com/microsoftsecure/archive/2012/08/02/microsoft-s-free-security-tools-attack-surface-analyzer

Threat Modeling Tool

https://www.microsoft.com/en-us/sdl/adopt/threatmodeling.aspx

Microsoft Security Software (PROTECT)

https://www.microsoft.com/en-us/security/portal/mmpc/products/default.aspx

Anti-Malware for Home

Zemana Anti-Keylogger and Anti-Malware

https://zemana.com/#

 

Links worth reading

https://technet.microsoft.com/library/cc716274.aspx

http://www.bigdataforensic.net

Dr. Erdal Ozkaya © Copyright 2023. All Rights Reserved.