When the zombie apocalypse hits, there are clear provisions for what steps to take next. You grab your prepacked emergency kit, stealthily follow your evacuation route, and seek shelter—fast. You keep weapons on hand and develop a battle plan that will enable you to dispatch with as many zombies as possible without getting too close.
The guidelines for responding to an IT network attack are a little less clear-cut. Unlike zombies, hackers tend to traffic in stealth; they don’t lunge directly toward you, groaning with arms out and brains spilling—they creep in and inflict damage unnoticed. In either case, efficiently dealing with the aftermath of the attack is essential to mitigating the damage.
Lock your doors
There you are, minding your own business, when something starts to feel suspicious. Maybe fake antivirus messages are popping up on employee computers, fishy log files appear, or you notice changes to DNS settings. If you’re experiencing these symptoms, your company may be the victim of an IT network attack, and it’s time to swing into gear.
Step one is to go into lockdown mode and marshal your resources. If the zombies have already descended on your safe house, your top priority is to contain the attack and protect yourself (and your loved ones). There’s strength in numbers, and you immediately want to mobilize a team that is poised and ready to do what needs to be done. Ideally, this team has already been formed and trained on what to do in the event of an attack. Planning (more about this later) can save critical time and enable a more potent defense.
Divide and conquer
Once your team is on guard, search for the source of the attack to avenge what’s been compromised. In order to contain the breach, you have to know where it’s coming from and the damage it’s already caused. This can pose a serious challenge because hackers are adept at disguising their tracks, which is why it’s helpful to have all hands on deck to assess the situation. Check out firewall and event logs, analyze evidence about the attack, and search your network for discrepancies and compromises. Remember to rigorously keep track of all the evidence you find—it will be invaluable later.
After identifying the source of the attack, go into containment mode and take steps to stop the threat from spreading. For example, if you’ve located the hole through which the hacker accessed your system, like what happened recently at several universities, block access to that connection. All compromised systems should be disconnected from the network and neutralized. This could include isolating infected machines, disconnecting the system being attacked, or disconnecting the host being attacked from the network. You can also apply access control lists for routers and firewalls.
Meanwhile, some team members should be in charge of securing key assets, such as sensitive data. It’s a good idea for your incident response plan to include inventory of these assets, so when in crisis mode, you can prioritize the things that are most important and don’t find yourself scrambling around in panic, leaving high-priority information or technology exposed. After containment, your goal is removal. Get all traces of zombies out of there. Sniff out malware, indications of APT attack tools, grayware, viruses, and any form of infection that doesn’t belong in your system, ensuring all entry points are closed.
Assess and recover
Once the IT network attack has been stopped in its tracks, look at all the evidence and learn from your mistakes. An attack is an opportunity to refocus on security, address vulnerabilities, and take steps to ensure it doesn’t happen again. For example, if the hacker used the printer as the entry point, make sure that printers are properly secured from that point forward, with all the preventative measures outlined above. Analyze the damage, optimize your security architecture, and take whatever measures are needed to handle the attack from a legal and PR perspective. If nothing else, the silver lining of an IT network attack can be that you never make the same mistake again.