Hacked? How to respond!

Let's Talk Hacking First

Hacking comes in many shapes, colors, and sizes these days. It could be a single system taken over by malware, or it could be a cloud account that has access to 20 systems, development keys, and the ability to reset other users' credentials. There is a wide range of ways to gain access to information in today's infrastructure landscape.

Two of the more common types are system compromise and account compromise. Either can lead to the other given the right scenario, and sometimes neither is necessary for information to be compromised, such as when a website has an exploitable flaw that leaks information it shouldn't.

Evidence of these also comes in various flavors, such as an antivirus alert that detects but does not quarantine, or a network detection tool flagging a suspicious pattern of callback-like activity. In both of these example cases, you'd want to investigate further. In this post, we'll walk through doing this from the system compromise perspective, but feel free to leave discussion about the other forms as well.

Response

In an ideal world everyone would have someone on their team ready to respond at a moment's notice. This would provide the best mixture of on-call support and retention of forensically relevant information. The unfortunate reality is that the first responder is usually not the person you call out, but you yourself. The person who sees the problem should be trained and understanding enough to know how to handle it, at least until hand-off.


Luckily, with today's industry it's not hard to provide suitable evidence handling in the event of a problem. Let's discuss this in sections.

Step 1: Stop using the system and disconnect it from the network

To be clear, this doesn't mean pull the power immediately. It means, preferably, disconnecting the system from the network so it is preserved for use by the response team (that could be us at FeemcoTechnologies, but this process holds for any SOC/CSIRT/IR team). If EDR (endpoint detection and response) tools are in use, such teams may prefer to isolate the system from the network through the EDR tool. That makes this step simple: stop using the system, prevent further spread of malware, and contact the team.

Many people believe that pulling the power cable will prevent ransomware from damaging their files. In some cases this may protect some files (but not all). It is safer at that point to force the system into sleep or hibernation mode; hibernation writes the contents of RAM to disk, and those contents may include the ransomware's encryption/decryption key. If the problem is suspected to be ransomware, this is the quickest method in many cases.

In cases where it's not possible to disconnect a system (a production system? your main source of revenue?), more careful isolation mechanisms may be needed during the incident, until end of business or until a switch-over device can be provisioned with the correct configuration. This is especially true for web services in small businesses. If there's a reason to hesitate, involve your IR team as soon as possible.
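One way to carry out Step 1 on a Windows workstation, as an added example that is not part of the original post: record the time, who isolated the machine and its network picture to removable media, disable every network adapter, then hibernate instead of powering off so the memory contents land on disk. The drive letter, the file name and the decision to run anything on the host at all are assumptions; running commands changes the system's state, so follow your IR team's preference (for example, EDR isolation) when one exists.

```powershell
# Added example, not code from the original post. Run from an elevated PowerShell prompt.
# Assumption: write-capable removable media is mounted as E: so nothing is written to the
# local disk before the response team images it.
$EvidenceDrive = 'E:'
$Note = Join-Path $EvidenceDrive ("isolation-" + $env:COMPUTERNAME + ".txt")

# 1. Document first (Step 2 of the post): who, when, and what the network looked like.
"Isolated by $env:USERNAME on $env:COMPUTERNAME at $(Get-Date -Format o)" | Out-File $Note
"--- Network adapters ---" | Out-File $Note -Append
Get-NetAdapter |
    Select-Object Name, Status, MacAddress, LinkSpeed |
    Format-Table -AutoSize | Out-String | Out-File $Note -Append
"--- Established TCP connections ---" | Out-File $Note -Append
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Format-Table -AutoSize | Out-String | Out-File $Note -Append

# 2. Disconnect from the network: every adapter that is currently up, wired or wireless.
Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false

# 3. Hibernate rather than power off. powercfg makes sure hibernation is enabled; shutdown /h
#    writes RAM (running malware, possibly keys) to hiberfil.sys for the response team.
powercfg /hibernate on
shutdown /h
```

Keep the note file with the removable media and hand both to the response team with the machine.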

Step 2: Document everything!

As with everything in life, documentation aids all future work. In this case, anything you see on screen, anything relevant to how you became aware of the problem, any additional concerns you notice, whatever the case may be, get it documented. Even if you have to write on a sticky note (please don't put passwords on these; use them for information, but not THAT information). Don't be afraid to take blurry, bad pictures. Sometimes those are the most helpful evidence.

Step 3: Contact your Incident Response Team (That could be us!)

Okay, this might seem a little sales-y, but yes. Once you've done these simple steps, reach out to the team you have ready to handle it. If you don't have anyone on retainer or anyone on your team to call to investigate, well, that's what FeemcoTechnologies is here for. We expect that most individuals and small businesses don't have on-demand retainers or full-time staff to handle these incidents, but we still want you to have world-class protection.

Once the team takes over the investigation, the last step you'd need to do is change credentials that may be related or compromised. Some can be identified immediately; others may have to wait until a full investigation, including root cause analysis, has been completed.

Now the IR team will perform a number of steps as well, as you might expect. Here's a high-level breakdown of those:

  • Evidence preservation
    • Depending on the need (primarily if there's reason to take it to court or to justify findings to auditors), evidence may require a full chain of custody (a record of who has had the evidence and when), or the drive may need to be kept in an unaltered state.
  • Log analysis
    • We investigate logs because they hold the story of what has happened. Logs from an individual system, a router, the cloud, a SIEM/log aggregator, etc. are all useful, and the IR team uses them to establish with some degree of confidence what happened and whether anything else is at risk.
  • Malware analysis
    • If malware is known or found, investigating how the malware works is a crucial part of the investigation flow.
  • Hunting through your entire network
    • Any indicators of compromise we find, or that even might be relevant, can then be fed into new or existing tools to search the other systems and setups within your network, so we can identify any additional evil.
  • Forensics
    • Investigating data on the hard drive and in memory, logs, configurations, and other storage devices and mechanisms in the environment allows forensics to give further information on what happened and when. This is especially useful for deep dives into the incident's root cause, for knowing what a threat actor did while on the system, and for regulatory and legal requirements.
  • Document an after-action remediation plan
    • Any good incident response will include remediating any additional threats, but also a plan to prevent future events where applicable.
  • Reporting
    • Tie the findings of all these categories together with a pretty little bow, and add an executive summary of all portions of the investigation for easy digestion by business owners, executives, and the non-technical people who need to know what happened in order to make more informed decisions.
  • Remediation assistance
    • Most IR teams, unless remediation has been split off into its own team, provide remediation assistance. This is essentially saying, "Unless something else comes out of the investigation, let's get this remediated quickly." We'll walk you through the remediation steps or (depending on contract type) perform the work as a systems administrator ourselves.

Summary: When to call?

Long story short, the time to call is as soon as possible if you believe you've been breached. Sometimes this can be scheduled for an off-hour or a time when the investigation won't impact business. In other cases this may be before you've even had a chance to get the system disconnected. We understand that's part of it; we understand this will happen. The great news is that we're open for your calls, we have our own scheduling tools ready when you are, and asking questions ahead of time is a GREAT way to stay safe if something does happen!

Thanks for reading

If you need any IT or cybersecurity work remotely or within the DFW area, please contact us over at FeemcoTechnologies.
