What to do when my company gets hacked?
Getting hacked can be a nightmare, but keep in mind that all Fortune 500 companies have been hacked at some point. Every kind of entity gets hacked, whether it is a large enterprise like Cisco or Microsoft, a late-stage startup like LinkedIn, Uber or Facebook, an early-stage startup, an antivirus company like Kaspersky, or even a government entity like the CIA. “There are two types of companies: those that have been hacked and those that don’t know yet that they have been hacked.”
Before getting into the details of what you should do when your company gets hacked, it is important to know the symptoms that show you have been hacked.
How to know if I got hacked? Eight Signs You’ve Been Hacked
Any security incident affects at least one element of the CIA triad: Confidentiality, Integrity and Availability. We will discuss some of the signs below, grouped by the element they affect.
Confidentiality Signs:
Sign 1 => Data Leakage: One of the most obvious signs is seeing your data leaked on the internet, on Pastebin or on one of the hacking forums.
Sign 2 => Blackmailing: Another sign is receiving an email or message from a hacker who has attacked your website and is asking for money in return for the vulnerabilities they discovered. Closely related is ransomware, now used on a large scale, where attackers deploy malware that encrypts your data with a key you don’t have; to decrypt the data, you must pay them a ransom.
Integrity Signs:
Sign 3 => Strange behaviour: This includes strange entries in your system logs, abnormal mouse movements, or changes in user data.
Sign 4 => Wrong Credentials: You try to log in to one of your systems or SSH to your server and cannot, although you are sure of the password.
Sign 5 => Page Defacement: Your website or application home page is replaced with another page.
Availability Signs:
Sign 6 => Slowness in your server or infrastructure: Your website or the services hosted on your server are not responding.
Sign 7 => High resource utilization (memory or processor): You notice heavy utilization of machine resources, especially storage, memory and processor, which can cause your server to stop responding.
Sign 8 => High or strange network traffic: Traffic that may contain malicious code might be hitting your servers, causing a denial of service.
However, there are some best practices that help you detect and discover a hack before it happens, or at least at the beginning of the attack. Some of them are:
1 => SIEM / Alerting Systems: A SIEM collects and aggregates logs generated by specific systems or applications. It helps security admins categorize and analyze the logs, and sends alerts to the responsible users.
2 => Security Operations Center (SOC): This is a team, either internal or outsourced, that continuously monitors the security of the organization to detect, prevent and respond to security incidents.
3 => IDS/IPS systems: Intrusion detection systems (IDS) and intrusion prevention systems (IPS) continuously watch the company’s network to identify, stop and report incidents.
4 => Anti-malware: Software that helps detect and remove malware from your servers or machines.
5 => Security Audits: Running periodic security audits is important to detect gaps in your processes, technology and people.
6 => Penetration Testing / Vulnerability Assessment: Finding your vulnerabilities, at the application level or the network level, helps reduce the probability of being attacked.
7 => Firewall: Implementing a firewall that monitors incoming and outgoing network traffic against a set of rules is one way to prevent an attack on your organization.
Now, assuming all of that failed: what can you do if your company gets hacked?
Step => 1 Who is your team?
First, it is important to have the right team with enough experience and skills to handle a security incident. The team leader should have direct access to management so that the right decisions can be taken quickly if needed, such as shutting down systems or disconnecting from the internet. This team can be either an internal team or a managed security consultant from an external company; CyberTalents can help you assemble such a team from our pool of experts.
Step => 2 Detection and analysis.
The incident response team will work to identify the attack vector, the entry points, how big the attack is, and which devices are compromised. The team will use different analysis techniques to produce a full report, including, but not limited to:
1. Collecting and analyzing different types of logs, either from the SIEM solution if available or directly from the machines. Tools like Security Onion can help with log management and threat hunting.
2. Interviews and questions with users, system admins and IT managers to learn the details of the incident.
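The SIEM description above and the log-collection step of the analysis phase both come down to the same thing: parse the logs you have, correlate events, and raise an alert when a pattern matches. The following is an added example (not part of the original article or of any CyberTalents tooling) that applies this to a small block of constructed syslog-style sshd lines. It flags a source IP that produces a burst of failed logins inside a sliding time window, and separately flags a successful login that follows such a burst, which is the event an analyst would want to see first. The log lines, the threshold and the assumed year are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in syslog/OpenSSH format; this is not a real capture.
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:10 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar 10 08:01:12 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51014 ssh2
Mar 10 08:01:14 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51016 ssh2
Mar 10 08:01:17 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51018 ssh2
Mar 10 08:01:19 web1 sshd[2209]: Failed password for deploy from 203.0.113.7 port 51020 ssh2
Mar 10 08:01:30 web1 sshd[2211]: Accepted password for deploy from 203.0.113.7 port 51030 ssh2
Mar 10 08:03:02 web1 sshd[2250]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Mar 10 08:03:10 web1 sshd[2252]: Accepted publickey for alice from 198.51.100.5 port 40002 ssh2
Mar 10 08:05:00 web1 CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted)\s(?P<method>password|publickey)\sfor\s"
    r"(?:invalid user\s)?(?P<user>\S+)\sfrom\s(?P<ip>\S+)\sport\s\d+"
)

LOG_YEAR = 2024  # assumption: syslog timestamps carry no year, so one is supplied for parsing


def parse_line(line):
    """Return a dict for an sshd auth event, or None for lines we do not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{ev['ts']} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
    return ev


def detect_ssh_attacks(lines, threshold=5, window=timedelta(seconds=60)):
    """Correlate auth events per source IP and return (kind, ip, user, timestamp) alerts.

    kind is "ssh_bruteforce" when an IP reaches `threshold` failures within `window`
    (raised once per IP), and "login_after_bruteforce" when an accepted login
    arrives from an IP that is still inside such a burst.
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    alerted_bruteforce = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not an sshd auth event (e.g. cron); a real SIEM routes it to another rule
        ip, ts = ev["ip"], ev["ts"]
        q = recent_failures[ip]
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in alerted_bruteforce:
                alerted_bruteforce.add(ip)
                alerts.append(("ssh_bruteforce", ip, ev["user"], ts))
        elif len(q) >= threshold:
            # A success inside an active burst is the event to triage first.
            alerts.append(("login_after_bruteforce", ip, ev["user"], ts))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in detect_ssh_attacks(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind:24} ip={ip} user={user}")
```

On the sample above the detector raises two alerts for 203.0.113.7 (the burst of five failures, then the accepted login for `deploy` eleven seconds later) and nothing for 198.51.100.5, whose single failure followed by a key-based login is ordinary user behaviour. The same structure, a parser per log source plus a per-key sliding window, is what a SIEM correlation rule does at scale; the threshold and window are tuning knobs that decide the trade-off between missed bursts and alert noise.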
Step => 3 Containment and recovery
The next step is to prevent the attack from spreading to other devices or networks. Isolating the compromised device is crucial at this phase to contain the breach. Depending on the impact of the attack, the recovery plan will include a list of actions such as password resets, patching of systems, blocking IP addresses, and in some cases installing clean images on the compromised systems. The main objective is to return to business as soon as possible with a safe and clean environment.
Step => 4 Notify needed parties
Depending on your country's laws, your sector's regulations and international laws like GDPR, you might need to inform specific entities about data breaches and security incidents that happened in your organization. You might also need to notify your users to reset their passwords.
Step => 5 Post-Incident and Lessons Learned
Once everything is back to normal, it is the right time to review your incident response plan, or create one if you don’t have it, and to review your policies and procedures to add all the lessons learned from the incident. This also includes employee training and implementing alerting systems, logging systems, firewalls and other controls.
How Can CyberTalents Help?
Don’t assume a security breach won’t happen to you. At CyberTalents, we detect, analyze and fix your vulnerabilities, run penetration tests, security audits and more. Our pool of experts from all over the world has the skills and experience needed to secure your organization and let you focus on growing your business.
Conclusion
It is better to be prepared for the hit before it happens. Incident response activity starts months before the attack. Make sure to implement a security program inside your company, deploy the basic tools, educate your employees and run periodic tests. If a hack does occur, having these controls in place will help minimize the impact on your business.
Don't assume you are secure. There is no such thing as 100% security. Assume you have a breach and build your plan around how to respond to it.
In addition, make sure to have a company or a list of security experts with different skill sets, such as digital forensics, security analysis, cloud security and penetration testing, that you can reach in case an incident affects a large part of your business.