So, a cyberattacker broke into my systems. What comes next?

Aivo Toots

Security Engineer

Everything that is connected to and visible from the public Internet (and not only that) is a target for cyberattacks. Without going into detail about the countless types of attack, a simplified view distinguishes two kinds: (semi-)automated attacks that are not aimed at anyone in particular, and targeted attacks.
The first kind is taking place all the time: bots and botnets probe systems connected to the Internet, looking for common vulnerabilities. These attacks are usually easier to detect and prevent. They are noisy and often leave traces in logs.
The other kind, a specifically targeted attack, is harder to detect, because the attackers take their time to understand the system, try to hide their traces and refine their attack to improve its chances of success. In such cases the breach is often noticed only after the attacker has been researching your system for a while, the attack has already taken place and/or systems start to behave differently than they should. Neither kind should be underestimated, as both may lead to a serious compromise.

So, how to understand that a system has been compromised?

Here are a few potential indicators suggesting that your system might have been broken into:

  • Presence of unknown applications;
  • Unusually high system activity, system and application crashes;
  • Unexpected password changes, user account lockouts;
  • Browser configuration changes, unexpected pop-ups and redirects;
  • Reports from your contacts about unexpected messages from your email or social network account.
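The noisy automated attacks and the account-related indicators above both tend to leave traces in ordinary logs. The following script is an added example (not code from the original post) of the kind of first-pass triage a defender can run over web server access logs and a Linux auth log: it flags clients whose requests are mostly 404s (probing for common vulnerabilities), sources with repeated failed logins (the precursor of lockouts), and password changes that should be checked against known, approved changes. The log lines are constructed for illustration, and the thresholds are assumptions, not values from the post.

```python
"""Triage constructed access and auth log lines for indicators of compromise.

Added example: the log lines below are constructed, and the thresholds are
assumptions chosen for the illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed web server access log lines (combined log format subset).
ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:12:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:09:12:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:09:12:02 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:09:12:02 +0000] "GET /admin/config.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:09:12:03 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153
198.51.100.20 - - [10/Mar/2024:09:13:10 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.20 - - [10/Mar/2024:09:13:11 +0000] "GET /about HTTP/1.1" 200 2210
"""

# Constructed Linux auth log lines (sshd and passwd messages).
AUTH_LOG = """\
Mar 10 09:20:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 09:20:02 web01 sshd[2233]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 10 09:20:03 web01 sshd[2235]: Failed password for root from 203.0.113.7 port 51241 ssh2
Mar 10 09:20:04 web01 sshd[2237]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar 10 09:20:05 web01 sshd[2239]: Failed password for root from 203.0.113.7 port 51243 ssh2
Mar 10 09:20:06 web01 sshd[2241]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar 10 09:21:00 web01 sshd[2260]: Accepted password for deploy from 198.51.100.20 port 40000 ssh2
Mar 10 09:25:30 web01 passwd[2301]: pam_unix(passwd:chauthtok): password changed for deploy
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
PASSWD_RE = re.compile(r"password changed for (?P<user>\S+)")

# Assumed thresholds for this illustration; tune them to your own baseline.
NOT_FOUND_THRESHOLD = 5
FAILED_LOGIN_THRESHOLD = 5


def scanning_sources(access_log, threshold=NOT_FOUND_THRESHOLD):
    """Return {ip: [paths]} for clients that requested many missing paths:
    the noisy, untargeted probing for common vulnerabilities."""
    misses = defaultdict(list)
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group("status") == "404":
            misses[m.group("ip")].append(m.group("path"))
    return {ip: paths for ip, paths in misses.items() if len(paths) >= threshold}


def brute_force_sources(auth_log, threshold=FAILED_LOGIN_THRESHOLD):
    """Return {ip: count} for sources with repeated failed logins (lockout precursor)."""
    counts = Counter()
    for line in auth_log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def password_changes(auth_log):
    """Return accounts whose password was changed; each must be matched against
    a known, approved change, because an unexpected one is an indicator."""
    users = []
    for line in auth_log.splitlines():
        m = PASSWD_RE.search(line)
        if m:
            users.append(m.group("user"))
    return users


def triage(access_log, auth_log):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for ip, paths in scanning_sources(access_log).items():
        findings.append(f"scanning: {ip} probed {len(paths)} missing paths, e.g. {paths[:3]}")
    for ip, n in brute_force_sources(auth_log).items():
        findings.append(f"brute force: {ip} had {n} failed logins")
    for user in password_changes(auth_log):
        findings.append(f"password change: {user} (verify it was expected)")
    return findings


if __name__ == "__main__":
    for finding in triage(ACCESS_LOG, AUTH_LOG):
        print(finding)
```

On the constructed input the script reports one scanning source, one brute-force source and one password change. A single 404 or failed login means nothing; as the post says, it is the combination of several indicators appearing together that should trigger a reaction, which is why the checks are kept separate and reported side by side.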

In some cases, this behaviour may just be an anomaly, but when a few of them start to appear simultaneously, it is time to take notice and react. Especially if you see a message from an attacker (for example, in ransomware attacks), there should be no question and a quick response should follow.

There is a reason to believe that an attack has occurred

When the time comes to act on an attack, it is important to understand that it is not only the IT systems that become disabled and vulnerable, but the business as a whole. The attack can affect the company's operations as well as those of its partners.
Steps to take when you believe that your systems have been breached:

  • Gather the people responsible for the IT systems in your company. If your company lacks expertise in dealing with breaches, do not be afraid to bring in external resources or services to help you.
    However, a far better solution is to take preventive measures rather than having to deal with a huge amount of damage control. This means finding a qualified partner before any incident happens, so that prompt help is available in an emergency;
  • Detect deviations from normal daily operations, collect evidence, and identify the type and severity of the incident. While collecting evidence, it is important not to make changes to the system, otherwise important evidence or traces could be lost. Make sure to document everything! It is also important to contact your local CERT and, if needed, the police; both can help to mitigate the situation;
  • To contain the breach, apply short-term containment by isolating a network segment, (un)affected devices and services, etc.
    Continue with longer-term containment, which allows you to keep production and systems running while cleaning, fixing and rebuilding the affected systems.
    If you are dealing with a ransomware attack, the quickest way to contain the attack and prevent the malware from spreading is to disconnect all affected systems from the network or simply power them off;
  • Remove the malware from all affected systems and identify the root cause of the attack.
    Here, applying the five W-s (Who, What, When, Where, Why) is helpful for understanding the details:
    – Who attacked What;
    – When did it happen;
    – Where are the exploited vulnerabilities;
    – Why did the attack take place (the motivation behind the attack);
  • Recover the rebuilt and fixed systems carefully. Test and monitor the systems to make sure that normal activity has been restored and the source of the compromise has been removed.
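Two of the steps above, collecting evidence without changing the system and documenting everything, are easier to satisfy when every collected artifact is hashed and recorded at the moment of collection. The script below is an added example (not code from the original post) of a minimal evidence manifest: it records the path, size and SHA-256 of each copied artifact together with who collected it and when, and can later prove that the copies are still exactly what was collected. The artifacts, the collector name and the collection note are constructed for the illustration; in a real case the files would be copies taken from the affected host, never the live files themselves.

```python
"""Evidence manifest with integrity verification for collected artifacts.

Added example: the artifact contents, collector name and note are constructed.
Everything here operates on copies in a collection directory, not on the
compromised system.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Hash a file in chunks so large artifacts (disk images, pcaps) fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(collection_dir, collector, note=""):
    """Record path, size and SHA-256 of every collected artifact, plus who
    collected it and when, so the evidence can be proven unchanged later."""
    artifacts = []
    for root, _dirs, files in os.walk(collection_dir):
        for name in files:
            path = os.path.join(root, name)
            artifacts.append({
                "path": os.path.relpath(path, collection_dir),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    artifacts.sort(key=lambda a: a["path"])
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "note": note,
        "artifacts": artifacts,
    }


def verify_manifest(collection_dir, manifest):
    """Return the paths whose content no longer matches the manifest (missing
    files included); an empty list means the evidence is intact."""
    changed = []
    for entry in manifest["artifacts"]:
        path = os.path.join(collection_dir, entry["path"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            changed.append(entry["path"])
    return changed


def demo():
    """Collect constructed artifacts, verify them, then show that a later
    modification of one artifact is detected."""
    with tempfile.TemporaryDirectory() as coll:
        # Constructed artifact contents (copies, as they would be after collection).
        samples = {
            "auth.log": "Mar 10 09:20:01 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51240 ssh2\n",
            "crontab.txt": "0 3 * * * /usr/local/bin/backup.sh\n",
        }
        for name, content in samples.items():
            with open(os.path.join(coll, name), "w") as f:
                f.write(content)

        # Hypothetical collector name and note; in practice use real names and times.
        manifest = build_manifest(coll, "analyst-1", "copied from web01 before isolation")
        manifest_json = json.dumps(manifest, indent=2)  # stored alongside the evidence
        intact_before = verify_manifest(coll, manifest)

        # Simulate an accidental edit of one artifact after collection.
        with open(os.path.join(coll, "auth.log"), "a") as f:
            f.write("edited after collection\n")
        changed_after = verify_manifest(coll, manifest)

        return {
            "artifact_count": len(manifest["artifacts"]),
            "intact_before": intact_before,
            "changed_after": changed_after,
            "manifest_bytes": len(manifest_json),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest itself should be stored separately from the collection directory (and ideally signed or hashed in turn), so that a change to an artifact cannot be hidden by regenerating the manifest. The same verification step is useful at the recovery stage, when you want to confirm that the evidence you hand to a CERT or the police is what you originally collected.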

Potential consequences of cyberattacks to consider

As mentioned previously, cyberattacks are not only a problem for the IT department. There are three important dangers to consider regarding such attacks:

  • It may lead to the destruction of sensitive or vital business information, which may slow down or end the business for a company;
  • It may cause the disclosure of sensitive personnel or business information, which may result in breaking compliance rules or laws. It may also damage the company's reputation;
  • It may lead to the disclosure of your partners' information, affecting not only your business but also your partners' businesses.

Taking these into account, it should be clear that preventing cyberattacks deserves more attention than recovering from them.

Reduce the risk of getting compromised

If you recovered from the attack, learn your lessons. Perform a retrospective of the incident, document how the incident was solved and what should be done better next time. Make sure to understand how the attack took place – which vulnerabilities were exploited and how. Educate your personnel to prevent further similar incidents.

But most importantly, focus on prevention.
Get an overview of the current security status of your systems; vulnerability scans, configuration reviews and penetration testing can all help. React to the findings and do not ignore them.

Start preparing for another attack – create crisis and incident response plans and assign responsibilities. Do not forget to test the plan! Review and improve your organizational security policy, perform a risk assessment, identify sensitive assets and measures to protect them.

Compile your plans and line up partners who are ready to help you!
Review and test your systems periodically: perform vulnerability scans, configuration reviews and penetration testing.
Usually, the companies that never expect to be attacked are, in fact, the ones that get attacked first. For that reason, always expect to become a target and prepare accordingly.