Checklist: 11 things to do after a hack

26 Jan 2006 | SearchWindowsSecurity.com

Advice for securing Windows

We preach quite a bit on this site about how to prevent security breaches, and hopefully you take it to heart and play an active role in hardening your systems. But sometimes even an ounce of prevention isn't enough, and the moment you discover that someone has gotten through your protections can be a mind-boggling experience.

Where do you begin? Here's a brief list of some steps to take "post-hack" to ensure you have the best chance of determining who did what and how it was done:

11 things to do after a hack
1. Get a picture of your network and systems before the event.
Strictly speaking this has to happen before the breach, not after it, and it is the one item here you cannot do retroactively. A significant part of effective computer forensics is knowing what "normal" looks like: the usual processes, services, listening ports, accounts and level of activity on your network and computers, recorded while things are healthy, so that the anomalies stand out post-hack. Baseline your file hashes and system configuration now, and keep the baseline somewhere an intruder on that machine can't reach.
2. Preserve the scene of the crime.
Often the clues that lead you to either the cracker's activities or the cracker himself are subtle and indirect, found mainly in the state of things as you discovered the hack. Further, much of the data on a computer is volatile: running processes, open network connections and anything in memory vanish at shutdown, and continued use of the system overwrites the timestamps, log entries and deleted-file remnants you may later need. For the same reason investigators wear gloves while handling evidence -- to preserve it and not pollute it -- tread carefully on your systems and rope them off while the investigation is underway. Don't "have a quick look around" on the live box, and don't run antivirus or cleanup tools against it yet.
3. Take some initial steps to notify stakeholders and other important people.
You'll want to get in touch with senior management, your firm's attorney, security experts, and local or federal law enforcement. Alert them that you suspect your network's (or servers') integrity has been compromised and you would appreciate their assistance. Note that law enforcement may not be able to immediately help you, but in my experience it's a good idea to alert them of your suspicions.
4. Understand where your threats may be coming from.
You might think you've been cracked from the outside, but a large share of the incidents that end up requiring forensic assistance are perpetrated by an insider, or with an insider's credentials. Don't assume you're dealing with someone outside your firewall, and keep the circle of people who know about the investigation small until you have a better idea of who is involved.
5. Isolate the suspected system.
Either disconnect it from your network or route packets around it -- put it in a protected VLAN or otherwise guard your other networked systems from being compromised the same way. Note that pulling the network cable also cuts off an attacker who is still connected, and may tip him off; if you can, record the active connections first. Make sure to maintain the chain of custody -- who touched the system, when, and what did that person do? Document everything, with times, in a log that lives off the suspect machine.
6. Shut down the system.
Shutting down freezes the contents of the disk for further investigation, but it also destroys everything in memory. So before you shut down, if possible, record what is running: background processes, logged-on users, open network connections and scheduled tasks, written to removable media rather than to the suspect disk. An inexperienced or less sophisticated cracker may leave evidence there that you can later use to determine what was penetrated and how. Be aware of the trade-off in how you power off: an orderly shutdown runs the attacker's shutdown scripts along with yours and writes to the disk, while pulling the plug preserves the disk exactly as it is, at the cost of an unclean file system and any chance of a memory capture.
7. Make an exact, bit-for-bit copy of the hard drive in the suspected system.
Work from that copy, not the original. Image through a write-blocker if you have one, hash the image as soon as it is taken and record the hash in your documentation, so you can later prove that the copy you analyzed is the one you acquired. The image can then be compared with the baseline mentioned in the first item above to find what was added, removed or changed.
8. Take a look at audit logs.
Figure out exactly when certain events occurred: logons, privilege changes, service installs, reboots. Document them and build a timeline. Remember that an intruder with administrator rights can edit or clear the logs on the compromised host, so corroborate them with logs from systems he could not reach -- domain controllers, firewalls, proxies and any central log server.
9. Look for passwords/password prompts around and throughout the operating system and hard drive.
These can be ticking time bombs, in that if you enter an incorrect phrase a destructive process could be launched that erases the drive; this is one more reason to work only from the copy made in step 7. The presence of unauthorized passwords, and their location, is significant to your investigation. Note what action you're trying to perform when you stumble upon the password prompt.
10. Look for strange files.
Are there a lot of graphics, archives or text files that aren't ordinarily present, or new executables in places like temp directories and user profiles? Run a time/date scan to find recently created or modified files and determine whether there are any anomalies, bearing in mind that timestamps can be reset by the intruder, so a clean scan doesn't prove a clean system.
11. Know when to quit.
Sometimes law enforcement won't get involved, you've spent three weeks without finding any sort of conclusive evidence, and your users are beginning to notice the downtime. In this case, blow the operating system away, reinstall from scratch from known-good media, restore data only from backups taken before the intrusion, and change every password and key that lived on the box, since you never learned how the attacker got in. Then focus on preemptive security. Sometimes the fish aren't big enough to fry.
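As an added example (not code from the original article), the following Python script carries items 1, 7 and 10 of the checklist through in code: it records a baseline manifest of a file tree, diffs a later snapshot against it, lists the files modified inside the suspected incident window, and checks a disk image against the hash recorded at acquisition. It runs entirely against a constructed temporary directory; in a real investigation the "after" snapshot would come from a read-only mount of the bit-for-bit copy made in step 7, never from the live suspect machine. The file names, the trojaned-binary scenario and the 30-day-old baseline timestamps are assumptions made for the demo.

```python
"""Baseline/diff, incident-window scan and image verification (added demo, not the article's code)."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

CHUNK = 1 << 20


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so multi-GB disk images don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Item 1: manifest of every regular file under root (size, UTC mtime, sha256).

    Keys are root-relative POSIX-style paths, so a baseline of C:\\ can be diffed
    against the same tree mounted read-only from an image under another path."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
                "sha256": sha256_file(p),
            }
    return manifest


def diff(baseline: dict, current: dict) -> dict:
    """Items 1 and 7: what appeared, vanished or changed content since the baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def modified_within(manifest: dict, start: datetime, end: datetime) -> list:
    """Item 10: the time/date scan, restricted to the suspected incident window.
    An attacker can reset mtimes, so an empty result proves nothing."""
    return sorted(p for p, m in manifest.items()
                  if start <= datetime.fromisoformat(m["mtime"]) <= end)


def verify_image(image: Path, acquisition_sha256: str) -> bool:
    """Item 7: the working copy must still match the hash recorded at acquisition."""
    return sha256_file(image) == acquisition_sha256


def demo() -> dict:
    """Constructed scenario in a temp directory; no real system is touched."""
    work = Path(tempfile.mkdtemp(prefix="triage-"))
    try:
        base = work / "baseline"
        for rel, data in {"Windows/System32/svchost.exe": b"legitimate service host",
                          "Users/alice/notes.txt": b"quarterly numbers"}.items():
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_bytes(data)
        old = (datetime.now(timezone.utc) - timedelta(days=30)).timestamp()
        for p in base.rglob("*"):          # age the baseline well outside the window
            if p.is_file():
                os.utime(p, (old, old))
        before = snapshot(base)

        # "Forensic copy" after the event: copytree keeps the old mtimes, then one
        # binary is replaced, one file is dropped, one file is deleted (assumed scenario).
        image_tree = work / "image"
        shutil.copytree(base, image_tree)
        window_start = datetime.now(timezone.utc) - timedelta(seconds=5)
        (image_tree / "Windows/System32/svchost.exe").write_bytes(b"trojaned service host")
        (image_tree / "Windows/Temp").mkdir()
        (image_tree / "Windows/Temp/s.dat").write_bytes(b"\x00" * 64)
        (image_tree / "Users/alice/notes.txt").unlink()
        after = snapshot(image_tree)
        window_end = datetime.now(timezone.utc) + timedelta(seconds=5)

        # Stand-in for the bit-for-bit disk image and its acquisition hash.
        image = work / "disk.img"
        image.write_bytes(b"\x55\xaa" * 512)
        acquisition_hash = sha256_file(image)
        intact = verify_image(image, acquisition_hash)
        with image.open("ab") as f:
            f.write(b"\x00")               # someone "touched" the working copy
        tampered = verify_image(image, acquisition_hash)

        return {"diff": diff(before, after),
                "window": modified_within(after, window_start, window_end),
                "image_intact": intact,
                "image_after_tamper": tampered}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Store the baseline manifest (and the acquisition hash) off the monitored machine, since an intruder with administrator rights can rewrite both a file and the record you would compare it against.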

About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security. Ask Hassell a hardening Windows question today.
