Let’s run through a scenario: you have been breached and have actually detected it. Maybe your end-users reported it to you, or perhaps you received (and actually read and investigated) a fleeting alert from your prevention technology. However you found out, it’s a good thing – many companies aren’t even aware that they’ve been breached, and may not find out until months later.
Now that you know, here are the steps to take after a breach. Note that some are more easily said than done. Don’t hesitate to engage the experts should you require immediate support.
What/Who is impacted? Which user? What device? What processes/files on that device? The objective here is to identify the issue so that you can prevent further spread of the breach. This begs the question, is this the only device impacted? Which leads us to our next step…
Containing involves proactively eliminating anything suspicious. Kill the processes, delete the files, or block the user. If you’re unable to stop the attack, cut the power, pull the LAN cable- whatever you need to do to prevent the spread of the infection. This process is difficult to advise on because we can’t know exactly what you should be looking for without more information about the attack and your network; you must rely on your knowledge of your organization’s systems to determine what is out of place. ActZero Threat Hunters have a specific list of clients, so they are familiar with the nuances of their network operations.
With the attack contained, you need to identify where it came from; how the attacker was able to gain entry. The goal is to determine the root cause so that what just happened to a particular machine/user/node in your network doesn’t happen to others. Your primary source of information will be logs from your prevention technologies, plus whatever you can garner from the user, assuming they were actually active at the time of the attack – their credentials could have been compromised months before.
Gather what you can and trace the source of the particular file, process, or infection. Note, without Log Management or SIEM technology this can be very difficult – there are often thousands of logs just from a single Anti-Virus or Firewall. That’s why ActZero developed proprietary software to help us navigate, prioritize, and interpret those logs, making our root cause analysis both thorough and expedient.
Try tracking the afflicted user across devices – if you can follow their path, you may be able to identify the original source of the breach; the root cause.
For templates to assist have a look at our SMB IR guide:
Once the root cause has been identified, your objective is to prevent this from spreading throughout your network, and from happening again in the future (which will remain a focus in the remediation phase). Fortunately, you have the information you gathered during your analysis; transform this into immediate actions:
Start by blocking any malicious IP addresses that you identified with your firewall. Note, if your firewall was not set up correctly, there are still risks of something getting through from a different IP address.
Quarantining machines will help you to prevent the spread of the infection. By quarantining, we mean removing their access to the rest of the network, including the internet. The risk is that if you miss even one compromised endpoint, it’s possible for the breach to continue to spread. This highlights the importance of Analysis, as it drives your actions in the subsequent phases.
Temporarily disabling vulnerable services such as web servers, ftp servers, or databases (like SQL), on the compromised endpoint can prevent further actions taken by your adversary or their malware. This is easy enough to accomplish quickly in Windows unless said adversary has implemented measures to prevent you from doing so. The goal here is to give yourself enough time to remediate the problem, which we discuss in the next step below.
Finally, if you’ve invested in an Intrusion Prevention System (IPS), you can tune it to be better suited to preventing attacks like this one. Tuning really means adjusting your configuration settings and adding or customizing rules to ensure that the right action (blocking/discarding, alerting) is taken under the right circumstances. Note, this can be a complicated undertaking, especially for the uninitiated – you may want to refer to a resource or engage an expert.
Several of these steps above also occur during remediation. The separation that we’ve made between the immediate prevention and remediation steps is to highlight that some of the actions you’ll take are just to ‘stop the bleeding’ before moving on to address core issues.
Patching is necessary to remediate vulnerabilities. Which patches you prioritize will depend on the nature of the breach. Of course, everybody should strive to keep patches up to date, but with so many updates, and potential impact upon parallel systems that interact with them, companies understandably withhold certain patches until they can validate that they are low risk. See our post on How to Avoid Microsoft Patch Hell for more best practices on patching.
You can also use a vulnerability scanner, if you have one, to identify the ‘open doors’ across various components within your network. Note that not all vulnerabilities are of equal importance, and you may be faced with thousands of them; try to isolate those that are related to your root cause, first. As an ActZero MDR client your vulnerabilities are detailed and prioritized within the monthly report you receive from us.
If you have had data deleted, had systems become unstable, been unable to successfully remove the malware, or have been hit with ransomware, your recovery option is very likely going to be reverting to a backup. Be aware that many attackers first course of action upon gaining control of your system will be to delete local backups (and remote ones if they can get to them), so hopefully this option is still available to you.
Inform your users and management throughout this process, though depending on the nature of the attack and how it came to your attention, they may already be aware. Either way you’ll need to communicate what has been done to correct the problem, and how it has impacted/will continue to impact the business and your end-users. This step is also different with ActZero– we only inform you once the problems are corrected, and what actions we took.
8) Debrief on Lessons Learned
The goal here is to determine what processes need improvement and create an action plan to get there quickly. Perhaps your company is taking too long to deploy patches? Or the IT team is overworked and was unable to respond to the alerts your prevention technology highlighted? Is there a knowledge gap amongst your end-users? Maybe management’s prioritization efforts are not sufficiently risk-sensitive?
Incident Response requires continuous improvement, and without debriefing on the breach, and discussing the lessons to be learned from it that improvement will be stunted.
As you can see, without trained people, rigorous processes, and advanced (read expensive) cybersecurity prevention technology, incident response can be complicated, and even unmanageable for a small IT team. Check out our Elite SMB IR Guide to see how you can improve. Or, if you know you have been hacked, you can engage us directly for immediate incident response, which we offer to MDR clients. We are competitively priced for small and medium-sized enterprises and have been in business since 2005.