
5 Things To Do After You’ve Been Hacked

Problem: You’ve been hacked! Now what?

Solution: Proactive, automated incident response from inside the network


Contents:

Introduction
#1. Detect and Identify
#2. To Contain or Not to Contain?
#3. Remove and Recover
#4. Be Proactive
#5. Automate Incident Response
What Not To Do
Conclusion
Final Word

It only takes one click to compromise an organization

Once a breach happens, the damage can be devastating. And unless you adopt a proactive stance in responding to incidents, you are doomed to get compromised over and over again. How many times will you fall...hook, line and sinker?

It’s time to change your strategy.

95% of all state-affiliated espionage attacks still rely on phishing in some way.*


Introduction

It is only a matter of time before you are hacked. Why? Because hackers only need to exploit one vulnerability and defenders need to defend all. It only takes one click by an unknowing user and the hacker is in. It’s that simple.

To make matters worse, the Verizon Data Breach Investigations Report (VDBIR) found that in 66% of cases the breach wasn’t discovered for months or even years. During that time critical data and assets are at risk. How quickly and effectively you respond matters – a lot.

It isn’t realistic to expect you’ll never get hacked. But it is realistic to expect you can improve your response and mitigate the impact of attacks now and in the future. These 5 steps can help.

In 66% of cases it took months or even years to discover a breach.*

#1. Detect and Identify

Error messages, suspicious events in logs, poor performance and unusual bandwidth usage can all indicate a possible event. Once you’ve validated that you’re dealing with a malicious situation and not ‘noise,’ such as an instance of misconfiguration or a false positive, you need to establish a cross-functional team to oversee all aspects of the response process and immediately begin to:

• Locate “patient zero” if possible, or any device known to be compromised
  • If you can gain access to the actual malware and have the skills, analyze it to determine how it got in, how it is behaving, how it is spreading and if it has exfiltrated any data
  • Even if you can’t directly do malware analysis, examine a compromised device to determine Indicators of Compromise (IOCs) so you can search other hosts for signs of exploit
• Collect and correlate log data from as many sources as available, including server logs, firewall and IDS/IPS logs and flow data, to gather more details about what happened and determine if other hosts are infected
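The log-correlation step above, as an added Python example that is not part of the Hexis e-book: indicators taken from patient zero are matched against constructed firewall, IDS and DNS log lines to list the other internal hosts that touched the same indicators. The sensor names, addresses, domain and "ts sensor EVENT k=v ..." log layout are assumptions; real log formats differ and only the parser would need adapting.

```python
import re
from collections import defaultdict

# Indicators of Compromise pulled from "patient zero" (constructed, hypothetical values).
IOCS = {"203.0.113.45",          # address the malware beaconed to
        "update-check.example"}  # domain it resolved first

# Constructed sample lines from three log sources, all in a "ts sensor EVENT k=v ..." shape.
LOGS = {
    "firewall": """\
2021-03-02T10:14:03Z fw01 ALLOW src=10.0.5.21 dst=203.0.113.45 dport=443
2021-03-02T10:14:09Z fw01 ALLOW src=10.0.5.88 dst=198.51.100.7 dport=443
2021-03-02T11:02:41Z fw01 ALLOW src=10.0.7.12 dst=203.0.113.45 dport=443
""",
    "ids": """\
2021-03-02T10:14:04Z ids01 ALERT src=10.0.5.21 dst=203.0.113.45 msg="known C2 beacon"
""",
    "dns": """\
2021-03-02T10:13:58Z dns01 QUERY client=10.0.5.21 name=update-check.example type=A
2021-03-02T10:59:10Z dns01 QUERY client=10.0.9.3 name=update-check.example type=A
2021-03-02T10:59:12Z dns01 QUERY client=10.0.9.3 name=www.example.org type=A
""",
}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split 'ts sensor EVENT k=v k=v ...' into (ts, sensor, {k: v})."""
    ts, sensor, rest = line.split(" ", 2)
    return ts, sensor, dict(KV.findall(rest))

def correlate(logs, iocs):
    """Return {internal_host: [(ts, source, indicator), ...]} for every IOC sighting.

    The internal host is the 'src' (firewall/IDS) or 'client' (DNS) field; the
    indicator is whatever it connected to ('dst') or looked up ('name')."""
    hits = defaultdict(list)
    for source, text in logs.items():
        for line in text.splitlines():
            ts, _sensor, fields = parse_line(line)
            host = fields.get("src") or fields.get("client")
            for key in ("dst", "name"):
                if fields.get(key) in iocs:
                    hits[host].append((ts, source, fields[key]))
    return dict(hits)

def newly_suspected(hits, known_compromised):
    """Hosts with IOC sightings that are not yet on the known-compromised list."""
    return sorted(set(hits) - set(known_compromised))

if __name__ == "__main__":
    hits = correlate(LOGS, IOCS)
    for host in newly_suspected(hits, {"10.0.5.21"}):
        print(host, hits[host])
```

Each listed host is a candidate for the same IOC examination described above, not a confirmed infection; a firewall ALLOW to a C2 address is a strong lead, a single DNS lookup a weaker one.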

#2. To Contain or Not to Contain?

Now that you’ve identified the nature, extent and severity of the attack, you have two options – contain it or jump straight to removal. Traditional incident response plans dictate you contain and stop it. This involves:

• Quarantining the compromised host(s) or system(s) or disabling certain functions
• Removing user access or login to the system
• Determining the access point and blocking it to prevent ongoing damage

Containing is appropriate if you’re dealing with a ‘drive-by’ type attack in which a virus or other rudimentary threat is introduced and the attacker quickly moves on to the next victim.

But if you believe you’re dealing with advanced malware or an APT that watches and alters its techniques depending on your reaction, the more effective approach could be to jump directly to #3 and coordinate the removal phase. Quarantining systems and blocking access is an immediate tip-off to the attacker that you’re on to them. They’ll simply hide and lay dormant within your environment to launch at a point in the future, or alter their methods in a way that you can’t detect and continue on their mission.


#3. Remove and Recover

Whether you choose to contain the attack or not, comprehensively removing the threat is critical so that you can reduce the risk of reinfection and get back to normal operations. This is particularly important when dealing with an APT that will simply move elsewhere in the network and attack again, requiring you to repeat this entire process.

If possible, identify all infected hosts on the network and then perform the following steps on the hosts known to be compromised:

• Stop or kill all active processes of the attacker
• Remove all the files, back doors and malicious programs the attacker created and save them as evidence for the investigation
• Protect sensitive data by separating it from the compromised system(s) or network
• Check all associated systems including those through trusted relationships
• Apply patches and fixes to eliminate vulnerabilities and correct any improper settings/misconfigurations to prevent subsequent similar attacks
• Update all login accounts and passwords that may have been accessed by the attacker
• Perform a damage assessment on each system/file
• Reinstall the affected files or the entire system as needed
• Turn on functions in stages in order of priority, verify successful restoration, and notify all affected parties
• Disconnect the infected hosts and, if necessary, obtain forensic information
• Perform daily reboots of systems to eliminate memory-only resident malware

#4. Be Proactive

At this point you probably think you’re out of the woods. And in some ways you are, having executed a thorough response, mitigated the impact of the attack, and learned from it to prevent future similar attacks.

But sophisticated and relentless attackers learned from the experience as well. They’ll return with nuanced versions of the attack and you’ll be back on the defensive, repeating this process again and again. If you’ve hired professional services to help with incident response and remediation then dealing with reinfections can cause security costs to spiral out of control.

To break the cycle, you need to take a proactive stance by:

• Changing your mindset from ‘if’ to ‘when’ an attack will happen so that you can better anticipate threats and take action to reduce the amount of time an APT lives in your organization
• Actively investigating your environment for IOCs by continuing to collect data from multiple sources and looking for known malware via signatures and unknown malware via behavioral detection algorithms
• Staying current with the latest threat intelligence and available countermeasures and deploying them as required within the context of your environment


#5. Automate Incident Response

Being proactive can be potentially time consuming because you are now investing resources in looking for attacks before they occur. In the long term it makes financial sense, but it may be difficult to justify in the short term because of the additional resources required. This is why automation goes hand in hand with a proactive approach. Automation eliminates the need to perform manual work that is crucial but time consuming, such as collecting endpoint data from a large number of hosts and searching for IOCs.

To begin to incorporate automation into your approach to incident response:

• Select solutions that you and your team trust and that integrate well with your existing security infrastructure
• Evolve from manual methods to automation over time as your comfort level grows and the value is demonstrated – begin with ‘low hanging fruit’ such as searching for and removing files with known bad MD5 hash values on endpoints; move to more sophisticated methods of analyzing data to identify IOCs and kill processes or remove files
• Report back to the business on how automation is saving costs while enhancing security by freeing up highly skilled security staff to be proactive
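The ‘low hanging fruit’ sweep for files with known bad MD5 values, combined with step #3’s rule that removed files are saved as evidence for the investigation, as an added Python example that is not Hexis code: it hashes every file under a directory, moves any file whose MD5 is on the known-bad list into an evidence folder and writes a manifest of what was moved from where. The directory layout, file names and the hash list are constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Known-bad MD5 values (constructed; in practice these come from your threat intel feed).
# MD5 identifies a known sample but is not collision resistant, so a hit is a trigger
# for analysis, not final proof.
BAD_MD5 = {"e99a18c428cb38d5f260853678922e03"}  # md5 of the bytes b"abc123"

def md5_of(path, chunk=1 << 20):
    """Stream the file so large binaries never have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, bad_hashes, evidence_dir):
    """Hash every regular file under root; move matches into evidence_dir.

    Matches are moved rather than deleted so the sample survives for the
    investigation; manifest.json records the original location of each file."""
    root, evidence_dir = Path(root), Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    findings = []
    for path in sorted(root.rglob("*")):          # listed up front, before any moves
        if not path.is_file() or evidence_dir in path.parents:
            continue                              # skip dirs and already-quarantined files
        digest = md5_of(path)
        if digest in bad_hashes:
            dest = evidence_dir / f"{digest}_{path.name}"
            shutil.move(str(path), str(dest))
            findings.append({"original": str(path), "evidence": str(dest), "md5": digest})
    (evidence_dir / "manifest.json").write_text(json.dumps(findings, indent=2))
    return findings

def make_sample_tree():
    """Constructed endpoint snapshot: one dropped known-bad file among benign ones."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_bytes(b"quarterly numbers")
    (root / "docs" / "update_helper.bin").write_bytes(b"abc123")   # the known-bad file
    (root / "readme.txt").write_bytes(b"hello")
    return root

if __name__ == "__main__":
    root = make_sample_tree()
    for f in sweep(root, BAD_MD5, root / "_evidence"):
        print(f["original"], "->", f["evidence"])
```

Run the same sweep from a scheduler across endpoints and feed the manifests back into the log correlation of step #1; a second run over an already-swept tree returns nothing, which is the check that the endpoint is clean of listed hashes.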


What Not To Do

Don’t tip your hand needlessly. You may decide to contain the attack but be careful how you respond. Actions such as hacking back or submitting the malware to a reporting site will inform the adversary you’re on to them. The same is true if you use your compromised network to coordinate incident response efforts, rather than establish out-of-band communications. Before you know it, hackers will deploy another technique while you’re still dealing with the first attack.

Don’t start investigating without a plan. An overzealous response can compound the damage. For example, utilizing an external tool to attempt to find the threat can taint the data required to perform proper timeline analysis. External tools can also overwrite data that may provide valuable forensic artifacts such as prefetch data (data that is preloaded to speed the boot process and shorten application startup time). Prefetch data may help to answer the “what”, “where” and “when” of an attack.

Don’t keep it to yourself. Inform management and the right people using the incident notification call list and call tree. Collaboration can help you more effectively deal with the situation. If you’ve hired professional services to help, make sure knowledge transfer is part of their process to help keep costs in check.


Conclusion

After you’ve been hacked, reducing the amount of time an APT lives in your organization is the goal.

To get the job done you need a methodical approach that includes steps to detect/identify, contain – or perhaps not, and remove/recover from the attack as quickly as possible.

But you can’t – and there’s no reason why you should – stop there. Attackers are increasingly creative in their methods of attack. You need to become more creative in how you identify and remediate the growing number of security incidents your organization will continue to face.

By adopting a proactive approach that includes the option of policy-based automation you can reduce the time and costs your team spends on incident response. Only then can you shift the bulk of your resources from focusing on what happened in the past, to creating a safer future.


Final Word

Attacks are inevitable

Companies should devote more time and effort to detection and remediation; preventing attacks becoming breaches, and breaches becoming financial and reputational disasters.*

Hexis Cyber Solutions, Inc., a subsidiary of The KEYW Holding Corporation (Nasdaq:KEYW), serves commercial companies, government agencies, and the Intelligence Community (IC) with tools and capability to detect, engage, and remove both external and internal cyber threats.

To learn more, phone 443-733-1900; e-mail info@hexiscyber.com; or visit www.hexiscyber.com.

Is IT spending time on the right prevention measures? 86% of breaches were discovered by non-IT efforts; 76% were by external parties.*

For more information:

Request the full white paper or arrange a demo of proactive defense from inside the network: info@hexiscyber.com.
