Steps to take if your business gets hacked.

As cyber criminals find new ways to monetize their attacks, the frequency of Ransomware attacks will increase.

When our CEO presented to the UK National Security Select Committee in 2017, he highlighted Ransomware as being a top-tier threat that would have a major impact on Critical National Infrastructure. As we have seen with the WannaCry Ransomware attack that hit hard in May 2017, Ransomware has the ability to impact the world on a systemic scale. However, there are a number of steps that organizations take to investigate if they believe that they have been impacted by the ransomware attack, or indeed any other security incident.

If you’ve been hacked, call us on: 212-335-2285

1. Notes Make contemporaneous notes of every action you take along with the reasons for your actions from the moment you become aware of a potential security incident. If you subsequently find yourself having to buy-in specialist help to assist in managing the incident, they will want detailed information around the circumstances leading to the breach discovery and what actions were taken. In addition, if the incident results in criminal or civil prosecutions you may well have to account for your actions in a court of law or tribunal. Ensure that you record the source of the information, including what the source observed or themselves recorded.

2. Check Source Verify everything in respect of the source of the information. It may be that you were informed by a government agency that malicious activity has been observed originating from your network. They may well give you limited information, but get a switchboard phone number for them so that you can at least call back and confirm that the call was genuine. If you receive information 3rd hand from an internal source, whether that is a member of staff or something in your technology stack, go back to the original source to confirm the information. Interview any member of staff reporting suspicious activity on your network, take screenshots of any alerts generated by your technology stack. Save any logs relating to an initial alert if they exist.

3. Triage If you have appropriately trained staff, triage the incident – you should confirm if the activity is malicious or a false positive. It is important that you understand the implications that you undertake. Your instinct might be to remove an impacted systems network cable. This might be a prudent decision, but you would also potentially loose valuable information if you haven’t recorded the active network connections prior to disconnection. Similarly, shutting down the system may or not be the correct course of action, but you should understand the pros and cons of performing this action before doing so.

4. Investigate If you are in a corporate environment, and you don’t employ an incident response or forensics team, we would recommend that at this point you contact external assistance.

The external assistance should be a reputable organisation that has both forensics and incident response capability. The following organisations have guidance on entities that can deliver strong forensics and Incident Response capability.

  • USA – Federal government – CIRA
  • UK central – government – CIR
  • UK and US commercial sector – CREST CSIR

The investigation should have clear objectives set, such as establishing the scope and impact of a breach and determining the root cause of a breach. Any IR capability should be backed with malware analysis capability. Make sure that any 3rd party investigators are aware of any logging capabilities that you have in place.

5. Contain It will be necessary to try and contain the incident, that could be something simple like removing a network cable (make sure to record the active network connections on impacted systems before doing this) or something much more drastic such as completely shutting down a critical system. In the latter case, make sure you have the authority to do this.

6. Eradicate Once the breach has been investigated and contained, you can start the process of eradication of the threat. This may involve the disabling of compromised user accounts or removal of malware. Robust preparation should help you in this step. Do you have a policy applicable to actions on systems infected with malware? Does that policy differentiate between different types of threat i.e. is the policy the same for PUP’s such as unwanted browser add-ons and ransomware. The severity of the threat should dictate your eradication policy.

7. Recover Determine how systems can be recovered. This could be achieved through restoring critical systems of files from a backup, or it could be achieved through a full systems rebuild. The specific approach for recovery will vary according to the type of attack, and the time sensitivity of the systems that have been compromised. It is important that, where practical, forensic images are collected of from impacted systems prior to the commencement of the recovery process. This will facilitate opportunities to perform much deeper analysis once your systems have been recovered. Such analysis may assist in determining who attacked your organisation and what vulnerabilities they exploited to gain access to your network.

8. Notify You may have legal and ethical obligations to notify various parties if data is compromised during a breach. Establish which parties need to be notified and under what circumstances. Again, if you have prepared effectively you should already have a list organisations and individuals that you will need to contact in the event of a data breach and know the timescales that you have to contact them. If data is compromised during a breach, involve internal stakeholders such as PR and HR, if it is employee data stolen, at an early stage.

9. Follow up If an organisation is compromised, it is important that they understand what happened and when it happened so that an improvement plan can be formulated. The improvement plan should be based around a post-incident review that will examine how all of the previous steps were managed and what lessons can learnt. Gaps in capability around your people, process and technology should be identified and remediated at this stage.