One of the key attack vectors in use is the APT, or Advanced Persistent Threat. The idea is for hackers to obtain access, install some sort of malware payload, and have it run undetected inside your systems, harvesting more records the longer it stays resident. The longer the gap between infection and detection, the greater the risk both of compromised data and of additional systems being infected. Like any sort of vermin infesting places where they don’t belong, hackers need to be eradicated, but the key is detection.
Have a Plan
The first step in information security is establishing a plan. A security plan needs to address a number of areas, starting with an inventory of the systems and services that are critical or that contain sensitive data. You must know what you need to protect and why. If your business is subject to legal or regulatory requirements for safeguarding Personally Identifiable Information (PII) or Sensitive Personal Information (SPI), for example, systems holding that type of data may carry different legal requirements around recovery and restoration than systems without it. Your information security plan will guide you to ensure appropriate steps are taken in each of these situations.
When you first detect a breach or discover malware in your systems, containment is important so that it does not continue to spread further into your network. While you may be tempted to simply shut down the infected systems, that may have a larger negative impact on your business and reputation than the breach itself. A thorough threat detection and identification process is needed to gather data and understand the scope and magnitude of the attack. This needs to be done quickly so you can begin taking corrective steps. Two words of caution though – one, do not contaminate forensic evidence in case you need to engage law enforcement, and two, many hackers include a self-destruct mechanism designed to erase their tracks or crash your systems upon detection.
Assume Hackers are Still Active in Your Systems
While the evidence you uncover in the investigation needs to drive your recovery actions, one assumption should be that the hackers are still active in your organization. As noted, they may have a self-destruct ready to go if they think their hack has been detected. So, where possible, using copies of system logs on centralized syslog servers or other Security Information and Event Management (SIEM) resources for the investigation is preferable. Not only is this more efficient than examining each server individually, but it is also less likely to tip off the hacker that they have been detected.
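The paragraph above argues for working from the collector's copy of the logs rather than touching each suspect host. The script below is an added illustration of what that looks like in practice; it is not code from the original post or from Intrinium. It assumes the collector stores plain syslog lines in the standard OpenSSH `sshd` message format ("Failed password for ..." / "Accepted ... for ..."), and the hostnames, IP addresses and log lines are constructed for the example. It correlates authentication events across hosts to surface two things an investigator would want from a central vantage point: a host where a burst of failed logins from one source was followed by a successful login, and any source that authenticated against more than one host.

```python
import re
from collections import defaultdict

# Constructed sample: syslog lines as they would arrive at a central collector
# from several hosts. Hostnames and IP addresses are invented for this example.
SAMPLE_LOGS = """\
Mar  3 02:14:01 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:03 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:05 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  3 02:14:09 web01 sshd[2240]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Mar  3 02:15:40 db01 sshd[811]: Failed password for root from 203.0.113.7 port 51101 ssh2
Mar  3 02:15:42 db01 sshd[811]: Failed password for root from 203.0.113.7 port 51101 ssh2
Mar  3 08:05:12 web02 sshd[4410]: Accepted publickey for deploy from 198.51.100.3 port 40022 ssh2
Mar  3 08:05:13 web02 systemd[1]: Started Session 17 of user deploy.
"""

# Classic BSD syslog layout: timestamp, hostname, process[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Standard OpenSSH authentication messages (assumed format)
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
OK_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)")


def parse_syslog(text):
    """Yield one dict (ts, host, proc, msg) per well-formed line; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()


def correlate(text, fail_threshold=3):
    """Correlate sshd events across all hosts seen by the collector.

    Returns a dict with:
      brute_then_success: [(host, source_ip, user)] where a successful login
                          followed >= fail_threshold failures from that source
      multi_host_sources: {source_ip: [hosts]} for sources touching 2+ hosts
    """
    failures = defaultdict(int)      # (host, source_ip) -> failed login count
    hosts_by_ip = defaultdict(set)   # source_ip -> hosts it authenticated against
    findings = {"brute_then_success": [], "multi_host_sources": {}}

    for ev in parse_syslog(text):
        if ev["proc"] != "sshd":
            continue
        fail = FAIL_RE.search(ev["msg"])
        if fail:
            failures[(ev["host"], fail["ip"])] += 1
            hosts_by_ip[fail["ip"]].add(ev["host"])
            continue
        ok = OK_RE.search(ev["msg"])
        if ok:
            hosts_by_ip[ok["ip"]].add(ev["host"])
            if failures[(ev["host"], ok["ip"])] >= fail_threshold:
                findings["brute_then_success"].append((ev["host"], ok["ip"], ok["user"]))

    for ip, hosts in hosts_by_ip.items():
        if len(hosts) >= 2:
            findings["multi_host_sources"][ip] = sorted(hosts)
    return findings


if __name__ == "__main__":
    result = correlate(SAMPLE_LOGS)
    for host, ip, user in result["brute_then_success"]:
        print(f"{host}: {ip} succeeded as {user} after repeated failures")
    for ip, hosts in result["multi_host_sources"].items():
        print(f"{ip} authenticated against multiple hosts: {', '.join(hosts)}")
```

On the constructed input this reports that 203.0.113.7 logged in to web01 as root after three failures and that the same source also touched db01, which is exactly the cross-host picture a per-server review would miss. Everything here reads only the collector's copy, so nothing is run on the suspect hosts themselves.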
Help for the SMB Market
As a small business, you might be thinking this is fine for a large corporation with hundreds of IT employees that can afford specialists to focus on this. The problem is that the SMB market is increasingly targeted for cybercrime. Attacks on SMBs doubled between 2011 and 2016, and most small businesses have to close shop within six months following an attack. So this is not something you can afford to ignore. Fortunately, the skill and expertise required to develop an Information Security Plan is available through Managed IT Security & Compliance Consulting firms. Firms like Intrinium have experts in multiple market sectors such as financial, healthcare, state and local government, and retail, providing the experience to help drive your plan creation. Also, if you are using a Fully Managed IT Services Provider, your plan will need to be communicated to them so they can execute properly in the event of an incident. You don’t have to be in this alone!