Security Experts:

You've Been Hacked. Now What?

You've Been Hacked. What's Your Response Plan?

It’s 3:10 a.m. and your home phone rings.

The assistant security specialist in your global company is sorry to wake you but it couldn’t wait. You open your eyes and you already know: he has spotted what he is calling “highly” suspicious activity over the company network. Although they are working on the problem, the situation is expected to get worse. You get dressed and go to the office.

In the meantime, customer service representatives are reporting numerous complaints of unauthorized debits to customers' credit cards and bank accounts; the customer service department is overloaded with irate callers and the backlog is mounting. What do we tell customers?

The tech department is recommending a complete shutdown before the situation gets worse. Your secretary informs you that three credit card companies are on hold. The chief executive officer, the one who entrusted you to protect the company's data, is waiting on the priority line on your cell phone. You are sorry, but you cannot talk to him right now: until the breach is located, company cell phones will see little or no use.

You’ve known all along, and on your way to work (the longest drive of your life), you finally admit it: you’ve been hacked.

How is this possible?

You’ve had all the training. You made sure your employees were checked and double-checked. You have gone from a posted sign at the entrance stating “loose lips sink ships” to “Internet Network Security awareness”. Your employee security training is up to date, and you’ve hired the best security people you could find.

You’ve thought of this day.

It’s here.

Take a deep breath. The truth is, you never worked to prevent every attack; you worked to make an attack more difficult. In fact, you remind yourself, you prepared for the likelihood that you would be attacked.

What is your next step?

Don’t feel it is just your company being attacked and don’t take it personally. Don’t panic. You have prepared for this eventuality and now all your skills will be put to the test. Acknowledge you have been hacked. Check your ego at the door.

Hackers have all day to find ways into your system. They can lurk inside it looking for the tiniest loophole in the code. You are not surprised you got the phone call at 3:10 a.m., but because of your diligence you have plugged many of the holes, and your forward-thinking approach means you are prepared. You can take some satisfaction that you and your team caught the breach, and your diligent work leaves you confident that you will stop any further penetration.

“We’re gonna catch this guy,” you say out loud.

Your confidence should be at an all-time high. You have taught the employees, support staff and executives in the company how to spot, or at least become suspicious of, threats such as an e-mail whose malicious attachment unleashes a virus the moment it is opened. Because of that forward thinking it may be easier to find where the hacker found a hole, and through which port.

Take another deep breath. The year 2011 is proving to be the year of the hack, or at least the year in which more companies reported breaches. Most hacks go unreported, out of fear of reputational damage and financial loss.

Accept again that you have been hacked – drill it into your thoughts that you have been hacked. This does not mean the business is going to close, and since you have prepared yourself for this day you are ready to handle the attack.

Never disconnect

Your proactive approach should not become reactive. Now is the time to kick it into high gear.

The realization that someone has hacked into the network triggers an immediate urge to shut it all down. The feeling is “pull the plug and cut off the attacker”, and with that the attack stops.

It makes sense at first, but it makes the investigation difficult, and there is a good chance that the evidence of the hacker will be wiped clean. What has been stolen may never be known, because shutting the network down destroys the volatile evidence along with it: what was in memory, which processes were running and which connections were open at the moment of the attack.

Shutting down the network may be a knee-jerk reaction to a problem that was easily solved, but you will never know: you threw the switch when all that was penetrated was a single computer, hacked by a curious student working from a dorm room.

The same applies to a sophisticated hacker who has spent months lurking under the surface, wielding fake e-mails in spear-phishing attempts, working past your barriers and gaining access to small bits of sensitive information. Do not disconnect. The hacker may even be counting on you shutting down.

If you have any hope of tracking your hacker, or hackers, shutting down will no doubt backfire. If a machine really must be isolated, capture its memory and its live connections first, and then pull it off the network rather than powering it off.

You make that one call on your cell to IT. “Do not shut it down.”
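One concrete piece of what “pull the plug” destroys is the table of live connections: the attacker's session, a reverse shell, the channel data is leaving through. The script below is an added example, not code from the article or its author; it parses the Linux /proc/net/tcp format, flags established connections to addresses outside an assumed internal range (10.0.0.0/8), and writes a SHA-256 manifest so the snapshot can later be shown to be unmodified. The sample table, hostnames and addresses are constructed; the byte order assumes a little-endian (x86) host.

```python
"""Snapshot live TCP connections before anyone pulls a cable.

On Linux the kernel's socket table is readable at /proc/net/tcp. This
parses that format, flags ESTABLISHED connections to external addresses
(the attacker's session, a reverse shell, an exfiltration channel) and
records a SHA-256 manifest so the snapshot can later be shown unmodified.
"""
from __future__ import annotations

import hashlib
import ipaddress
import os
from dataclasses import dataclass
from datetime import datetime, timezone

# Kernel TCP state codes as they appear in the 'st' column.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}
# Assumed internal ranges; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("127.0.0.0/8")]

# Constructed /proc/net/tcp content (invented hosts). On little-endian hosts
# the IPv4 part is reversed hex, the port is plain hex: 0B01000A:0016 is 10.0.1.11:22.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10234 1 0000000000000000 100 0 0 10 0
   1: 0B01000A:0016 077100CB:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 20981 1 0000000000000000 20 4 30 10 -1
   2: 0B01000A:E4D2 1401000A:0CEA 01 00000000:00000000 00:00000000 00000000    33        0 21007 1 0000000000000000 20 4 1 10 -1
   3: 0B01000A:9A2E 176433C6:115C 01 00000000:00000000 00:00000000 00000000    33        0 21110 1 0000000000000000 20 4 1 10 -1
"""


@dataclass(frozen=True)
class Conn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    uid: int


def decode_addr(addr: str) -> tuple[str, int]:
    """'0B01000A:0016' -> ('10.0.1.11', 22)."""
    ip_hex, port_hex = addr.split(":")
    ip = ipaddress.IPv4Address(int.from_bytes(bytes.fromhex(ip_hex), "little"))
    return str(ip), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[Conn]:
    """Parse the table; the first line is the column header."""
    conns = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue
        lip, lport = decode_addr(fields[1])
        rip, rport = decode_addr(fields[2])
        state = TCP_STATES.get(fields[3], fields[3])
        conns.append(Conn(lip, lport, rip, rport, state, int(fields[7])))
    return conns


def external_established(conns: list[Conn]) -> list[Conn]:
    """Live sessions whose peer is outside the internal ranges."""
    def external(ip: str) -> bool:
        return not any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS)
    return [c for c in conns if c.state == "ESTABLISHED" and external(c.remote_ip)]


def manifest(raw: str, artifact: str, collected_at: str | None = None) -> dict:
    """Chain-of-custody record: what was captured, when, and its hash."""
    data = raw.encode()
    return {
        "artifact": artifact,
        "collected_at": collected_at or datetime.now(timezone.utc).isoformat(),
        "bytes": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def collect_live(path: str = "/proc/net/tcp"):
    """Read the real table on a Linux host; returns None where it does not exist."""
    if not os.path.exists(path):
        return None
    with open(path) as f:
        raw = f.read()
    return raw, manifest(raw, path)


if __name__ == "__main__":
    live = collect_live()
    raw = live[0] if live else SAMPLE_PROC_NET_TCP
    for c in external_established(parse_proc_net_tcp(raw)):
        print(f"{c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port} uid={c.uid}")
    print(manifest(raw, "/proc/net/tcp" if live else "sample"))
```

On the constructed table the script reports the inbound session from 203.0.113.7 to port 22 and an outbound connection from a uid 33 process to 198.51.100.23:4444, and ignores the listener on 443 and the internal database connection. The manifest hash is what lets you prove, weeks later, that the snapshot is the one taken at 3:12 a.m. and not something reconstructed afterwards; write it somewhere the attacker cannot reach.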

Gather as much information as possible

Get to know your hacker, or at least how he or she attacked you. A good policy is to gather as much information as possible from all departments, and do not be afraid to examine every possibility.

While much of the focus is on teaching security to employees, it could be that someone higher up the ladder has unknowingly done something to let the attacker in. It could be as simple as an executive using a laptop on an open coffee-shop network. Your goal is to get the “goods” on the attacker and safeguard company data.

This goes a long way in your damage assessment. How large is the problem: one computer, the entire network, or somewhere in between? Has IT noted any peculiar employee behavior? Do any logs suggest suspicious activity? Were any employees dismissed recently? What was hacked, and what was not? Was the data left untouched, or was it stolen but left intact to look as though it was never breached? Is the breach still open? Is it spreading, and from where?
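The questions above (one machine or the whole network, where it came in, whether it is spreading and whether it is still open) can be answered from the logs you refused to destroy. The script below is an added example, not code from the article or its author: it walks authentication events in time order, takes the first successful login from an external address as the entry point, follows every later login that originates from an already-compromised host, and records the hosts the attacker tried and failed to reach. The log format, hostnames, accounts, addresses and the address-to-host inventory are all constructed assumptions; the internal range is assumed to be 10.0.0.0/8.

```python
"""Scope a breach from authentication logs.

Walk login events in time order: the first successful login from an
external address is the entry point; any later successful login whose
source host is already compromised extends the scope (lateral movement);
failed logins from compromised hosts show where the attacker tried and
did not get in. Timestamps are assumed to share one timezone.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines; hostnames, users and addresses are invented.
# 203.0.113.7 (a documentation range) plays the attacker's address.
SAMPLE_LOG = """\
2011-06-03T02:41:17 host=web01 src=203.0.113.7 user=svc_backup result=success
2011-06-03T02:43:05 host=web01 src=203.0.113.7 user=root result=failure
2011-06-03T02:52:40 host=db01 src=10.0.1.11 user=svc_backup result=success
2011-06-03T02:58:12 host=fs02 src=10.0.1.11 user=svc_backup result=failure
2011-06-03T03:01:33 host=pay01 src=10.0.1.20 user=svc_backup result=success
2011-06-03T03:05:00 host=hr01 src=10.0.1.55 user=alice result=success
2011-06-03T03:09:48 host=pay01 src=10.0.1.20 user=svc_backup result=success
"""

# Assumed inventory (address -> hostname); in practice from DHCP or the CMDB.
INVENTORY = {
    "10.0.1.11": "web01",
    "10.0.1.20": "db01",
    "10.0.1.30": "pay01",
    "10.0.1.55": "wks-alice",
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    src: str
    user: str
    success: bool


def parse_log(text: str) -> list[Event]:
    """Parse log lines into time-ordered events; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                            m["src"], m["user"], m["result"] == "success"))
    return sorted(events, key=lambda e: e.ts)


def is_external(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def scope_breach(events: list[Event], now: datetime,
                 active_window: timedelta = timedelta(hours=1)) -> dict:
    """Mark hosts reached from external or already-compromised sources."""
    compromised: dict[str, datetime] = {}  # host -> first compromise time
    attempted: list[str] = []              # hosts the attacker failed to enter
    spread: list[tuple[str, str]] = []     # lateral-movement edges
    accounts: set[str] = set()
    entry = None
    last_activity = None
    for e in events:
        src_host = INVENTORY.get(e.src)
        if not (is_external(e.src) or src_host in compromised):
            continue  # ordinary internal login, e.g. alice -> hr01
        last_activity = e.ts
        accounts.add(e.user)
        if not e.success:
            if e.host not in compromised and e.host not in attempted:
                attempted.append(e.host)
            continue
        if entry is None:
            entry = (e.host, e.src, e.user)
        if e.host not in compromised:
            compromised[e.host] = e.ts
            if e.host in attempted:
                attempted.remove(e.host)  # a later success supersedes the failures
            if src_host is not None:
                spread.append((src_host, e.host))
    return {
        "entry_point": entry,
        "compromised": list(compromised),
        "spread": spread,
        "attempted": attempted,
        "accounts": sorted(accounts),
        "last_activity": last_activity,
        "active": last_activity is not None
                  and now - last_activity <= active_window,
    }


def run_sample(now_iso: str = "2011-06-03T03:10:00") -> dict:
    """Scope the constructed sample as of the given clock time."""
    return scope_breach(parse_log(SAMPLE_LOG), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the sample the entry point is web01 via the svc_backup account from 203.0.113.7; the attacker then moved web01 to db01 and db01 to pay01, failed to get into fs02, and was active nine minutes before the clock time given, so the breach is still open. Alice's login to hr01 is left alone because it did not come from a compromised host. The bias is deliberate: during triage everything reached from a compromised host is treated as suspect until an analyst clears it, which is cheaper than the reverse mistake.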

Get help from an ethical hacker

Once you are at the office, you set your plan in motion. The damage assessment is underway. Customer service has been informed there is a problem, and you’ve instructed the customer service supervisor on how to speak with the customers.

Now it is time to forget you have an ego and call for help.

You may be able to handle it alone, but as a seasoned CSO you have learned that putting heads together gets better results. What was that guy’s name at the Network Security Conference last week? It is time for a specialist. Since you are prepared, you already know one who has worked on your network, and you have one on call.

Ethical hackers are people who can help you prevent an attack and help you determine where an attack originated. They are experts at breaking into your system the same way a hacker would. Known as “white hats”, they do the same work as the hackers known as “black hats”, but with permission and for defensive reasons. EHs keep up with the latest technology and the latest breaches; it is their job, 24 hours a day, to know what is current and to be experts in cutting-edge technology.

Usually, a company has worked with an ethical hacker. As CSO, you watched over an ethical hacker’s shoulder as he penetrated your system right before your eyes. You’ve seen the “hacking” possibilities.

In many cases, companies do not budget for EH services. Budgets are tight in today’s economy and CEOs are struggling to balance them, so a penetration test may not look economically viable. It is a risk that some companies are willing to take.

Related Reading: Breach Forensics: Keeping Things from Going from Bad to Worse

If you are a CSO who falls into that category, you are in reactive mode, but you can still get back on track with an ethical hacker. If you need further convincing, look at Citibank’s breach of June 2011, in which attackers exposed personal information on some 360,000 customers. That is information that can be misused in countless ways, and not only against your company. Since 2005 some 533 million personal records have been exposed, according to the Privacy Rights Clearinghouse. Sony? Reports say up to 70 million people had their personal data put in jeopardy by a breach in 2011. Data exposed today can be used against your customers, and your systems, for days, months or years to come.

Think customer service

While the company as a whole has been hacked, your job was the protection of your customers’ personal data, and they will blame you. Let’s say it is credit card numbers. Nothing wreaks havoc on the mind like knowing your credit card number is “out there” somewhere in the hands of a shady character. Companies that have been breached will usually post a notification letter on their website, explaining the situation and assuring customers that they are working on the problem and everything is under control. Other things that reassure customers include a telephone number to call, an offer of credit-monitoring or identity-protection services, and the flagging of unauthorized card use.

As CSO, you know the value of reassuring customers and keeping them as valued customers. A reputation founded on how customers are treated helps soften the blow the breach deals to the company’s established standing.

To report or not to report?

The urge to disconnect is usually followed by the desire to keep quiet about having been hacked. That is a mistake that can backfire on you in the long term.

Mandiant, an information security company, conducted 50 forensic investigations at companies that had been hacked and found that 48 of the businesses involved didn't know they'd been breached until law enforcement agencies told them.

Why report?

Some companies may not see the hack as anything major. IT could think the intruder was just “playing around”. As we said earlier, maybe he is just a teenage basement dweller with a computer. Or maybe he is not! What is becoming clear in 2011 is that more companies are reporting their attacks, and that is producing more useful data for everyone. Reporting breaches to law enforcement and sharing them with the security community builds up a record of the types of attacks, the methods used and what to look out for, which makes life harder for future attackers.

Work with your ethical hacker

While you have been dealing with customer service, assessing the damage and considering reporting, your ethical hacker has been on the job, hunched over a keyboard, closing in on the information you want: what was stolen, who did it, and how you can keep it from happening again.


Terry Cutler is a co-founder of Digital Locksmiths, an IT security and data defense firm based in Montreal, and serves as the company's Chief Technology Officer and Certified Ethical Hacker. Prior to joining Digital Locksmiths, he was a Premium Support Engineer for Novell in Canada, where he analyzed network vulnerabilities and transitioned security technologies into production. In addition to being a licensed private investigator in Canada, Terry is an internationally known author, trainer, speaker and security consultant. He has appeared in numerous national television and radio programs and is very active on the conference circuit. Follow Terry on Twitter at @TerryPCutler