Processors Toolkit

You've been hacked: Now prevent future attacks

Tags:
Hacker Attack,
Long Term,
What To Do,
Been

Robert L. Bogue Tech Republic

Published: 03 Jun 2003 09:16 BST

In the aftermath of a network attack, you must act quickly to recover systems and prevent further attacks. In this article, we'll focus on long-range measures you can implement to strengthen your defences after the dust settles.

Establish monitoring
One of the main challenges in restoring systems is determining when those systems were compromised, how the systems were compromised, and what vulnerabilities were exploited to compromise them. The reality is that hackers rarely get in on their first attempt. They typically have to attempt to exploit a series of vulnerabilities or try a large number of username and password combinations before they find a crack in your systems' armour. Those attempts can, and often do, leave telltale fingerprints of the hacker trying to break down the doors. It's up to you to make sure that you record the attempts and that you have procedures or systems in place to notify you when an attack is being waged.

So a key piece of your long-term security strategy -- especially after a successful attack has occurred -- is the development of a monitoring system that doesn't allow intrusions to go unnoticed.

Log review
When was the last time you reviewed the event logs on your servers or the firewall's logs? If you're like most IT professionals, you're too busy to check logs unless there is a problem. Of course, we all know that this isn't an ideal situation, but there never seems to be enough time.

After you've had someone break into your systems, it's important to make a point of doing periodic log reviews. Scheduling a log review for first thing Monday morning means you might have it done by the end of the day Monday. It also gives you a chance to look at what happened over the weekend--when most hackers launch their attacks because they know that no one will be in the office to stop them.

The first week you're back on the Internet after an attack, you should review the logs every day or every few hours, since it's likely that the hacker will be jiggling the locks on all of the doors he or she opened before you discovered the intrusion. If you don't want to manually collect all of the logs from every system and would prefer to receive alerts when certain events occur, you can implement Microsoft's Operations Manager.

Intrusion-detection software
With log reviews, there's an inherent delay between when an attack occurs and when it's discovered. Even if you're reviewing logs daily, an attack can go unnoticed for hours -- which leaves a lot of time for a hacker to try to find the right opening in your systems. That's where intrusion detection comes in. An intrusion-detection system (IDS) constantly watches your network and alerts you or takes other actions when an intruder is detected.

IDSs can work with your existing firewall to add filters to prevent the attacker from making further progress. By adding an explicit "deny" rule for the location that the attack is coming from, you can prevent the hacker from making any progress on hacking into your systems -- ever.

Go to section: