ZDNet UK

You've been hacked: What to do first

Robert L. Bogue

Published: 19 May 2003 12:31 BST

Sitting at your desk, you notice some odd activity in a log while you're looking into a user problem. The more you step through it, the more you are convinced that something is just not right. Your heart skips a beat when you realise that the system has been hacked.

At this point, you enter a stage of shock as you ask yourself, "How could this happen?" and "What do I do now?"

Although you'll find plenty of advice on how to keep your systems from being hacked, there are relatively few articles that will help you sort things out in the aftermath of an attack. So for the next three weeks, I'll present a series of articles that will explain what you should do in the first five minutes, in the first hour, and in the first week after you've discovered that an interloper has compromised your systems. This article will focus on the most immediate actions you must take to secure your system: evaluate, communicate, and disconnect.

Evaluate
The first question that you must answer after an attack (or preferably before) is what your objectives are. In most cases, the objectives are simple: prevent further intrusion and resolve the problem. However, in some cases, you will want to be able to positively identify the intruder and, in others, you will be focused on figuring out which vulnerability the hacker exploited.

Identify the intruder
It may be necessary to positively identify the intruder so that you can refer the matter to the police for further investigation and possible prosecution. Of course, this is not the most expedient way to get the systems back online and prevent further infection. Identifying intruders can be difficult, particularly if they have covered their tracks well. Despite Hollywood's portrayal of hackers easily being traced, someone who is routing traffic through several systems is not only difficult to find, but might be -- in all practical terms -- impossible to track down.

Identify the vulnerability
Another approach that some organisations take is to try to identify the specific vulnerability exploited. The thinking is that you want to patch the specific hole that allowed this intruder to gain access. By and large, this approaches the problem from a suboptimal perspective. A far better strategy is to attempt to identify all vulnerabilities and prevent any intruder from gaining access to your systems, rather than focusing on the one vulnerability this particular hacker exploited.

Many of today's security assessment tools will allow you to quickly test and resolve all vulnerabilities.

Return systems to operation
If this is the first time you have been attacked, you may find it simpler to forgo trying to pinpoint the intruder or the specific vulnerability that was exploited. In general, it is unlikely that your systems will already have produced the logs you would need to trace the origin of the intrusion.

Patching the vulnerabilities and returning systems to operation as soon as possible is the most straightforward approach. It reduces your risk and allows you to fortify your defences without worrying about the intruder continuing to take advantage of your systems.
