If you’ve recently been hacked, it’s not shocking when you consider what companies are up against in the jungle of cybersecurity. According to Microsoft cybersecurity experts, 11 percent of hackers are insiders, 7 percent are nation-states, an average hacker spends about 209 hours hacking one system, and the average hacker spends 140 days in a system before the hacker is discovered. While it is easy to obsess over and worry about the damage that has been done, it’s better to begin working on real solutions. What is the recovery action plan for your company? How do you identify and close security breaches? The following six tips will help you navigate the recovery process as you craft your incident response plan. If you failed to create a plan before the hack, it’s not the end of the world. You can use the hack recovery process as the perfect training ground for building a cybersecurity roadmap for the future.
1. Find All Possible Internal Breaches
If you’ve stumbled upon evidence that you’ve been hacked, it’s likely that this breach is only one of many in your system. The statistics quoted above about hackers support this assumption, and it’s always better to assume and plan for the worst. In either case, you will need to look under every rock and pebble of your infrastructure. A security solution such as Microsoft 365 can scan a wide range of areas for you. It does so by using a variety of techniques including:
- Security and audit log management
- Application whitelisting, which, as Microsoft notes, “ensures the security and resilience of systems and assets, consistent with related policies, procedures, and agreements”
- Microsoft’s Advanced Threat Protection will take suspicious attachments and links and open them in isolated Virtual Machines that are able to identify what kind of attack has engaged your system
In addition, this kind of security solution will scan and detect breaches across three major avenues that hackers will often take:
Attacks on devices
Your IT should be using this software to provide immediate detection of any fresh threats on devices. This is done by monitoring heuristics such as advanced file and process behavior. Windows Defender Advanced Threat Protection is an example of one of the tools that perform this.
Attacks through email
Your security software should also scan emails, attachments, cloud storage and files to detect threats.
Attacks using ID credentials
Some of the most effective security solutions such as Azure Advanced Threat Protection (ATP) will create a profile about users in your company to understand their normal behavior through logs and network activity. Azure is then able to notice abnormal behavior that seems suspicious, which causes it to search for and stop hacking attempts and breaches before they spread even further into your organization and cause more damage.
2. Identify Stolen Intellectual Property
In addition to running a thorough scan of the interior workings of your company, you need to conduct a search for stolen intellectual property (IP) such as stolen accounts, credential information or other content stolen from your company’s servers and placed somewhere online. Solutions such as the Microsoft and its Intelligent Security Graph are capable of scanning billions of web pages monthly with more than 450 billion authentications completed each month. It scours the web, including the dark web, and identifies the stolen material.
3. Put Out the Fire, Stop the Spread
Using a tool such as Windows Defender Suite to give your endpoint server protection is another critical step. As listed on Microsoft’s cloud blog, the Suite has tools such as:
- Device guard, which prevents malicious software from downloading or spreading to other systems
- Credential guard, which stops lateral travel by malicious software trying to steal credentials
- Controlled folder access, which makes further crypto-attacks impossible
- Windows 10 kernel hardening, which shuts down attacks that are using old or unused protocols
- Secure boot, which stops Master Boot Record (MBR) attacks
4. Bring Everything Up to Date
When we say everything, we mean everything: all software and operating systems on every workstation, and all servers, routers and IOT devices. Basically, if there’s something on your network that has software, you need to make sure it has the latest updates.
5. Rebuild Using Your Backup
Using powerful cloud backup such as Azure Backup allows you to turn to that treasure trove in your time of need. It reduces the anxiety of discovering your system has been hacked and made unusable by malware or other malicious code. You always have the safety net of going to your backup files and restoring your network. What makes Azure Backup special is its ability to handle huge full-enterprise backups from a centralized cloud without using any infrastructure.
6. Purge Non-Essential Programs
The more extraneous programs you have on your network, the more vulnerable you are. Examine every piece of software you run and assess its value. Do you really need it? If not, consider ditching it. The more software you have the more work and time it will take to make sure all of it is fully updated and well defended from threats.
Final Thought: Microsoft’s Key Recommendations
Agile IT uses all of the powerful Microsoft tools above, and there’s good reason for it: Microsoft’s cybersecurity experts are some of the best in the world. Microsoft’s quick breakdown of tangible things you can do based on the first 30 days, then 90 days, is a fantastic example of why they’re some of the best. Use the following tips to create a string of victories, however small, as you recover and rebuild from a hack:
0-30 Days (Quick Wins):
- Create destruction resistant backups of critical systems and data
- Immediately deploy critical security updates of OS, Browser, and Email
- Isolate computers if you cannot patch them
- Implement advanced email and browser protections
- Enable host anti-malware and network defenses
- Implement unique local admin passwords on all machines
- Separate and protect privileged accounts
Less than 90 days:
- Validate backups
- Discover and reduce broad permissions on file repositories
- Rapidly deploy ALL critical security updates
- Disable unneeded legacy protocols
- Stay current, run only current versions of OS and applications.
Agile IT offers workshops to help you ensure your cybersecurity is covering every angle mentioned above. The goal is simple: create a comprehensive roadmap for application visibility and control.