We preach quite a bit on this site about how to prevent security breaches, and hopefully you take it to heart and play an active role in hardening your systems. But sometimes even an ounce of prevention isn't enough to keep out a determined attacker, and the resulting penetration of your protections can be a mind-boggling experience.

Where do you begin? Here's a brief list of steps to take post-hack to give yourself the best chance of determining who did what and how it was done:


11 things to do after a hack
1. Get a picture of your network and systems before the event.
You might not be able to do this once a breach is already under way, but a significant part of effective computer forensics is knowing what normal looks like: the regular function and level of activity on your network and computers, recorded before the event, is what lets you spot the anomalies after it. Keep that baseline (file hashes, installed services, listening ports, user accounts, typical traffic levels) somewhere the compromised host can't reach, since a copy stored on the machine itself may be altered along with everything else.
2. Preserve the scene of the crime.
Often the clues that lead you to the cracker's activities, or to the cracker himself, are subtle and indirect, found mainly in the state of things as you discovered the hack. Further, data in a computer is very volatile, and the evidence you seek may be overwritten by continued use of the system. For the same reason investigators wear gloves while handling evidence -- to preserve it and not pollute it -- tread carefully on your systems and rope them off while the investigation is underway.
3. Take some initial steps to notify stakeholders and other important people.
You'll want to get in touch with senior management, your firm's attorney, security experts, and local or federal law enforcement. Alert them that you suspect your network's (or servers') integrity has been compromised and you would appreciate their assistance. Note that law enforcement may not be able to immediately help you, but in my experience it's a good idea to alert them of your suspicions.
4. Understand where your threats may be coming from.
You might think you've been cracked from the outside, but a large number of events requiring forensic assistance are perpetrated by an insider. Don't assume you're dealing with someone outside your firewall; a valid account used at an odd hour or from an odd place is as much a lead as an unknown external address.
5. Isolate the suspected system.
Either disconnect it from your network or route packets around it -- put it in a protected VLAN or otherwise guard your other networked systems from being similarly compromised. Make sure to observe chain of custody -- who touched the system, when, and what that person did. Document everything.
6. Shut down the system.
This preserves the on-disk state of the machine for further investigation. However, shutting down destroys everything that lives only in memory, so before you do, if at all possible record the running processes, open network connections and logged-on users, and take a copy of physical memory if you have the tooling for it. An inexperienced or less sophisticated cracker may leave evidence there that you can later use to determine what was penetrated and how. Be aware of the trade-off in how you shut down: pulling the power cord skips any shutdown scripts or cleanup routines an intruder may have planted but can leave file systems inconsistent, while a graceful shutdown keeps the file systems clean but runs whatever the intruder left behind.
7. Make an exact, bit-for-bit copy of the hard drive in the suspected system.
Work from that copy, never from the original drive. Attach the drive through a write blocker if you have one, hash both the drive and the image (SHA-256, for example) and record the hashes so you can later demonstrate that the copy is faithful. The image can then be compared with the baseline mentioned in the first item above.
8. Take a look at audit logs.
Figure out exactly when certain events occurred and document them. Correlate timestamps across systems, noting each machine's clock offset and time zone, and copy the logs to a system the intruder can't reach, since clearing or editing logs is often one of the first things an intruder does. A gap in a log is itself evidence.
9. Look for passwords/password prompts around and throughout the operating system and hard drive.
These can be ticking time bombs, in that if you enter an incorrect phrase a destructive process could be launched that erases the drive. The presence of unauthorized passwords, and their location, is significant to your investigation. Note what action you're trying to perform when you stumble upon the password prompt, and do your poking around on a forensic copy rather than the original so that a booby trap costs you nothing.
10. Look for strange files.
Are there a lot of graphics or text files that aren't ordinarily present? Run a time/date scan to find recently created or modified files and determine if there are any anomalies. Keep in mind that timestamps are trivial to alter, so a file that the date scan says is untouched should still be checked against the baseline by content (hash), not by date.
11. Know when to quit.
Sometimes law enforcement won't get involved, you've spent three weeks without finding any conclusive evidence, and your users are beginning to notice the downtime. In this case, blow the operating system away, reinstall from scratch using known-good media, restore data only from backups taken before the compromise, change every password and key the machine held, and refocus on preemptive security. Sometimes the fish aren't big enough to fry.
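As an added example (not code from the original article or its author), the following Python script shows the baseline-and-compare approach behind items 1, 7 and 10 on a directory tree: it records size, modification time and SHA-256 for every file, compares a later snapshot against that baseline, and runs the "recently modified" time/date scan from item 10. The directory tree, the intruder's actions and all function names are constructed for illustration; the scenario deliberately includes a replaced binary whose timestamp has been reset, to show what each check does and does not catch.

```python
# Added example, not part of the original article: build a file-system
# baseline before an incident, compare a later snapshot against it, and run
# the "recently modified" scan from item 10. The directory tree in demo() is
# constructed for illustration; all function names are this example's own.
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Map every regular file under root (as a relative POSIX path) to its
    size, modification time and SHA-256. Symlinks are skipped so a link
    planted by an intruder cannot pull in files from outside the tree."""
    root = Path(root)
    entries = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        entries[path.relative_to(root).as_posix()] = {
            "size": st.st_size,
            "mtime": st.st_mtime,
            "sha256": hash_file(path),
        }
    return entries


def save_baseline(entries, out_path):
    """Persist the baseline; keep this copy off the monitored host."""
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(entries, fh, indent=1, sort_keys=True)


def load_baseline(in_path):
    with open(in_path, encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline, current):
    """Files added, removed, or whose content hash changed since the baseline.
    Hash comparison does not depend on timestamps, so it still catches a file
    whose mtime was reset to hide the change."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def modified_since(current, since_epoch):
    """The time/date scan from item 10: files with mtime at or after a cutoff.
    Cheap, but blind to timestamp tampering; use it alongside compare()."""
    return sorted(p for p, e in current.items() if e["mtime"] >= since_epoch)


def demo():
    """Constructed scenario: baseline a small tree, tamper with it the way an
    intruder might, and return what each check reports."""
    work = Path(tempfile.mkdtemp())
    try:
        host = work / "host"                # the tree being monitored
        (host / "bin").mkdir(parents=True)
        (host / "etc").mkdir()
        (host / "bin" / "login").write_bytes(b"original login binary")
        (host / "etc" / "config").write_bytes(b"key=value\n")
        day_ago = time.time() - 86400       # pretend the baseline files are a day old
        for p in (host / "bin" / "login", host / "etc" / "config"):
            os.utime(p, (day_ago, day_ago))
        baseline_file = work / "baseline.json"   # stored outside the host tree
        save_baseline(snapshot(host), baseline_file)

        # Intruder activity: replace a binary and reset its mtime to the
        # original value, drop a new file, delete a config file.
        victim = host / "bin" / "login"
        victim.write_bytes(b"trojaned login binary")
        os.utime(victim, (day_ago, day_ago))
        (host / "etc" / ".hidden").write_bytes(b"dropped file")
        (host / "etc" / "config").unlink()

        current = snapshot(host)
        incident_window = time.time() - 60  # cutoff for the time/date scan
        return {
            "diff": compare(load_baseline(baseline_file), current),
            "recent": modified_since(current, incident_window),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In the constructed scenario the time/date scan reports only the dropped file, because the replaced binary's timestamp was reset; the hash comparison against the baseline reports the dropped file, the deleted config file and the replaced binary. Run the baseline from trusted tooling, or against a forensic image rather than the live host, since a rootkit on the suspect machine can hide files from whatever you run on it.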

About the Author:
Jonathan Hassell is author of Hardening Windows (Apress LP) and a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.

This checklist originally appeared on SearchWindowsSecurity.com

This was first published in January 2006
