Thursday, May 20, 2010

So You've Been Hacked, Now What?

So you've been hacked, now what? The statistics would seem to suggest that it is less a matter of if and more when your enterprise will fall victim to a hack attack of some kind. Once you've been hacked, then what?

According to the latest global State of Enterprise Security study from Symantec, some 75 per cent of organisations have experienced cyber attacks in the past year, at an average cost of more than £1 million over the course of the year for each hacked business.

If that were not shocking enough, the same study reveals that 100 per cent of the enterprises questioned admitted to some form of 'cyber loss' last year.

This comes as no great surprise to Keith Crosley, a director at security vendor Proofpoint following its own study of the data loss risk to large enterprises of more than 1,000 employees.

Crosley told IT PRO that of the 220 companies taking part, 27.4 per cent had been impacted by the improper exposure or loss of intellectual property in the last year, 32.8 per cent regarding customer information and perhaps most worryingly 33.8 per cent when it came to sensitive data.

So let's start at the very beginning. The fateful day your business discovers it has been hacked. What should you do and in what order?

Rafe Pilling, an information assurance consultant at SecureWorks, recommends that the very first task needs to be attempting to quantify the extent and impact of the compromise, without which it's almost impossible to determine what follow-up activity needs to take place or the priorities to be assigned to this To Do list.

"From an early stage, consideration should be given as to whether the business simply wants to restore a service or perform an investigation that yields evidence that could be presented in court," Pilling told IT PRO, adding "it's best to involve incident response experts early on as they can advise on how to verify the incident, restore service and collect the data in a forensically sound manner that can later be investigated and used as evidence".

The incident management process

As Neil O'Connor, principal consultant at independent IT security consultancy Activity IM says, this means invoking your incident management process.

This should define what to do next, in particular: who to involve, how to grade the seriousness of the attack and how far to escalate the incident.

"The first stage in the incident management process should be to decide if you actually have been hacked," O'Connor said. A false positive from an intrusion detection system or anti-virus software should, of course, be ruled out.

"Assuming that you have been hacked," O'Connor continues, "you need to assess the seriousness of the incident, and in particular if any information has been compromised."

This step is somewhat easier if you have undertaken forensic readiness planning beforehand and are aware what data is held in what location.

Your incident management process should define levels of seriousness and escalation, and if there has been a potentially serious breach then your crisis management plan should be invoked.

This will involve "functions such as marketing and PR as well as senior executives in deciding who to inform, what to say and what assurances to give, as well as what internal briefings to give," O'Connor recommends. Ah yes, the dreaded 'D' word: disclosure.

To disclose or not to disclose?

One of the problems with disclosure is that there is a huge stigma and negative public reaction associated with computer security incidents according to Pilling. "Few people would blame the victim of an assault or a mugging for the crime, [whereas] computer crimes are generally seen as resulting from incompetence on the part of the victim organisation which leads to huge pressures for organisations to cover them up," he said.

This then prevents visibility of the real extent of the crime and in turn helps the criminals and hinders both law enforcement and network security staff. So the big question remains: when you know you've been hacked, who do you need to tell?

Dimension Data's global head of security Neil Campbell used to be a computer crime investigator with the Australian police and doesn't think there is an easy 'one-size-fits-all' answer to that question.

However, Campbell does think that what is consistent is the need to plan disclosure processes beforehand that take into account your business's nature and situation.

"In the case of businesses that aren't bound by regulations to disclose, it's critical to know, before a security incident occurs, who is in charge of deciding if, when and how to disclose information about the breach," Campbell notes.

Giri Sivanesan, senior security consultant at risk management specialists Pentura, thinks it is more straightforward, suggesting that there are certain people and organisations that should be informed straight away.

"I would usually encourage organisations to notify law enforcement authorities of serious hacking incidents even when the incident is particularly sensitive," Sivanesan said.

"Once the attacks have been identified, contained and eradicated and systems are running without any hiccups, a decision should be made by the board on when to go public," Sivanesan added. "Going public before managing the situation may cause customers to panic and may even benefit competitors."

Damage limitation exercises

What about damage limitation in terms of branding and market position if the hack does become public? Preparation is the key if you want to minimise the amount of damage done to your organisation.

"If an organisation doesn't have incident management, business continuity and disaster recovery policies in place then it will become more difficult to minimise the damage caused," Sivanesan warned. By establishing and testing these policies, and ensuring there are clear procedures and governance structures in place, responding to hacking incidents becomes much easier.

Sivanesan insists that "the faster you respond to and contain an attack then the less damage it will cause". Most organisations can expect to be attacked by hackers at some point, but being proactive and ready for the attack beforehand usually reduces the impact attacks will have.

The same holds true when it comes to cleaning up after the attack. It stands to reason that if you know where your information systems and data were beforehand it will be easier to get back there quickly and without undue business interference.

"Backing up regularly will allow you to restore systems and information to an accurate level and with minimal downtime," Sivanesan said, "allowing you to get back to your baseline quickly".

Lessons learned?

Now that everything else has been accomplished, how and when should the 'what really went wrong here' investigation start and how can the lessons learned best be implemented?

Once again, Sivanesan has practical advice insisting that organisations must learn from their mistakes in order to manage the risks from hackers and minimise the impact hacking incidents cause.

"They must understand how the incident happened from the detection of the attack all the way through to the recovery," Sivanesan insists, concluding "how well they responded to the incident and what they should have done better are some of the key questions that need to be asked at a board level and pushed downwards."

Only by having the right knowledge of the risks and vulnerabilities, realising what assets must be protected and understanding the impact future incidents can have on the organisation financially and in terms of reputation, can your business move forward and come out of a hack attack stronger and better prepared should lightning strike twice.

You've been hacked prioritised action list (supplied by Rafe Pilling, SecureWorks):

  1. Verify that an incident has taken or is taking place.
  2. Identify its scope and impact (is it a customer credit card database hack with data stolen or just defacement of a little-used information portal).
  3. Capture evidence of the attack and any ongoing activity (forensically image workstations or servers, take live analysis of compromised systems, collect logs for network infrastructure).
  4. Stop any ongoing compromise.
  5. Determine the extent of the damage and plan repair activity.
  6. Determine the attack vector and plan remediation of defences.
  7. Implement security updates to prevent re-compromise (apply patches, harden vulnerable server, improve firewall rules etc).
  8. Implement repairs and restore service.
  9. Analyse and investigate available evidence to determine attack timeline and confirm all compromised areas have been identified.
  10. Compile evidence into report and pursue legal action.

If the breach has any actual or potential impact on Government Sensitive or Marked Information Assets, then call the relevant agency.

If Personal Information which is subject to the controls under the Data Protection Act has been impacted, then consider the reporting channels.

If you have a Corporate Communications Division then consult with them so as to prepare for any potential adverse reports or press inquiries.

Always be aware of the relevant local and international laws and legislation, and their impact on the situation. Report in accord with the guidance of your Corporate Communications Division.

IT Pro
