A cyberattack occurs when a criminal – a hacker – tries to exfiltrate information from your organization, mainly for one of two reasons: to blackmail you for money or to claim credit for hacktivism.
In almost all cases, the trigger is only a click on a link or the execution of a file.
I have been writing about cybersecurity for some time now on this website, about Secure Coding and vulnerabilities, or about how to detect whether you have any Internet-exposed services. I highly recommend that you read my first post, in which I explained how a cyberattack works, so that you have an end-to-end view of cyberattacks.
But now, let’s see the essential steps you should follow in case your company needs to fight back against a cyberattack:
How a cyberattack starts
Depending on the objective of the cyberattack, the trigger varies. In almost all cases it is a click on a link or the execution of a malicious file, known as malware.
To get you to bite, hackers usually rely on urgency or offer you a tempting “prize” that you will get when you click, but once you click on the link you have already screwed it… or not…
Step #1. Clicked!: “Nothing happens, the link should not work…”
The next thing that happens is that nothing happens. Sure… nothing with the naked eye, which is what the attacker wants you to think. The bug is already there though, on your computer (laptop, mobile or whatever you use to connect). Now the kill-chain starts:
Step #2. Last chance before it’s in: Internal Recon, Lateral Movement and Establish Persistence
Once they get you to click, the kill-chain begins. The final purpose of the kill-chain is to establish persistence on your device and be able to enter remotely through a C2 (Command and Control) channel, even if you restart the device as many times as you want, and then start to exfiltrate data.
It is a matter of hours or days before your alert detection system (a SIEM in large companies) detects the intrusion, and this is when the hunger games party begins (there can only be one left: kill the bug or die).
In the reconnaissance phase, if the hacker does it well, you will not notice that your network is being analyzed. Only when the first attacks begin, and only if you have a good threat monitoring system, will you discover that they are trying to attack you: several failed login attempts from an IP outside your organization is always a good indicator, but not the only one.
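To make the “failed logins from an external IP” indicator concrete, here is an added example (my own illustration, not code from the original post) that parses sshd-style authentication log lines, keeps only failures from addresses outside the RFC 1918 private ranges (an assumption about what counts as “internal”), and flags any external source that exceeds a threshold. The log lines are constructed for the example and use documentation-only address space.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of sshd-style auth log lines (not real data).
SAMPLE_AUTH_LOG = """\
Mar 10 09:12:01 srv01 sshd[2201]: Failed password for admin from 203.0.113.45 port 51022 ssh2
Mar 10 09:12:03 srv01 sshd[2201]: Failed password for admin from 203.0.113.45 port 51023 ssh2
Mar 10 09:12:05 srv01 sshd[2201]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 10 09:12:09 srv01 sshd[2204]: Failed password for invalid user oracle from 203.0.113.45 port 51030 ssh2
Mar 10 09:12:12 srv01 sshd[2205]: Failed password for invalid user test from 203.0.113.45 port 51031 ssh2
Mar 10 09:13:40 srv01 sshd[2210]: Failed password for jdoe from 10.0.5.17 port 40211 ssh2
Mar 10 09:13:44 srv01 sshd[2210]: Accepted password for jdoe from 10.0.5.17 port 40211 ssh2
Mar 10 09:15:02 srv01 sshd[2215]: Failed password for backup from 198.51.100.9 port 60001 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

# Assumption: RFC 1918 private space is "inside the organization".
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_external(ip: str) -> bool:
    """True if the address is not in any trusted internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def failed_logins_by_source(log_text: str) -> dict:
    """Return {ip: (failure_count, set_of_usernames_tried)} for external sources only."""
    counts = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip = m.group("ip")
        if not is_external(ip):
            continue  # a single internal typo is not the indicator we are after
        counts[ip] += 1
        users[ip].add(m.group("user"))
    return {ip: (counts[ip], users[ip]) for ip in counts}


def find_bruteforce_sources(log_text: str, threshold: int = 3) -> list:
    """External IPs with at least `threshold` failed logins, sorted for stable output."""
    return sorted(
        ip for ip, (n, _) in failed_logins_by_source(log_text).items() if n >= threshold
    )


if __name__ == "__main__":
    for ip in find_bruteforce_sources(SAMPLE_AUTH_LOG):
        n, names = failed_logins_by_source(SAMPLE_AUTH_LOG)[ip]
        print(f"ALERT {ip}: {n} failed logins, accounts tried: {sorted(names)}")
```

Note that the internal user jdoe, who mistyped a password once and then logged in, is never reported, while the external source that cycles through several account names is. In a real SIEM rule you would add a time window, but the distinction between internal noise and external probing is the part that matters here.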
Step #3. It’s in, I haven’t caught him in the initial attack: What do I do now?
Once the hacker is inside, it becomes increasingly difficult to catch them, but there is still hope. You can find out:
- Where the attack came from,
- learn how the malware works,
- and where it is trying to connect.
With that, you can close all your connections to the outside and remove the C2 they have left on your servers and computers to ensure persistence in the future.
Basically, it is about matching known Indicators of Compromise (IOCs) against the IOCs circulating in your organization. For example, for an IOC that corresponds to an IP, you could close connections from that IP to your organization (depending on your network).
The most important thing when responding at these stages of the attack is to find out, in the shortest possible time, the way in which they have sneaked into your organization.
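As an added example of the IOC matching just described (my own code, not the post’s), the block below matches a small list of indicators (IPs, domains and a file hash) against constructed proxy and endpoint log events in a key=value format, and turns each hit into the containment action the text suggests: block egress to the IP, sinkhole the domain, isolate the endpoint that dropped the file. Every indicator and log line here is constructed; the domain matching also catches subdomains of a listed domain, since a beacon to a.b.bad.example should still match an IOC for bad.example.

```python
import hashlib

# Constructed "dropped file"; its hash serves as the file IOC so nothing is hard-coded.
SAMPLE_FILE = b"MZ\x90\x00constructed sample payload, not real malware"
SAMPLE_FILE_SHA256 = hashlib.sha256(SAMPLE_FILE).hexdigest()

# Constructed IOC set (documentation/reserved names, not real indicators).
KNOWN_IOCS = {
    "ip": {"203.0.113.45", "198.51.100.77"},
    "domain": {"update-check.example", "cdn-static.invalid"},
    "sha256": {SAMPLE_FILE_SHA256},
}

# Constructed log events: "<timestamp> <source> key=value ..."
SAMPLE_EVENTS = [
    "2024-03-10T09:20:11Z proxy src=10.0.5.17 dst=203.0.113.45 host=update-check.example path=/beacon",
    "2024-03-10T09:20:15Z proxy src=10.0.5.22 dst=192.0.2.10 host=www.example.com path=/",
    "2024-03-10T09:21:02Z edr endpoint=ws-0517 file=" + r"C:\Users\jdoe\AppData\Roaming\svc.exe"
    + " sha256=" + SAMPLE_FILE_SHA256,
    "2024-03-10T09:22:40Z proxy src=10.0.5.30 dst=192.0.2.50 host=files.cdn-static.invalid path=/x",
]


def parse_event(line: str) -> dict:
    """Split one constructed log line into a dict of fields."""
    ts, source, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": ts, "source": source, **fields}


def matching_ioc_domain(host: str, ioc_domains: set):
    """Return the IOC domain that `host` equals or is a subdomain of, else None."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def match_iocs(lines, iocs=KNOWN_IOCS) -> list:
    """Return (ioc_type, ioc_value, event) for every indicator seen in the events."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("dst") in iocs["ip"]:
            hits.append(("ip", ev["dst"], ev))
        dom = matching_ioc_domain(ev["host"], iocs["domain"]) if "host" in ev else None
        if dom:
            hits.append(("domain", dom, ev))
        if ev.get("sha256", "").lower() in iocs["sha256"]:
            hits.append(("sha256", ev["sha256"], ev))
    return hits


def containment_actions(hits) -> list:
    """Map hits to the blocking/isolation steps a responder would queue up."""
    actions = set()
    for kind, value, ev in hits:
        if kind == "ip":
            actions.add(f"block-egress {value}")
        elif kind == "domain":
            actions.add(f"sinkhole-dns {value}")
        elif kind == "sha256":
            actions.add(f"isolate-endpoint {ev['endpoint']}")
        origin = ev.get("src") or ev.get("endpoint")
        if origin:
            actions.add(f"investigate {origin}")  # the machine that talked to the IOC
    return sorted(actions)


if __name__ == "__main__":
    found = match_iocs(SAMPLE_EVENTS)
    for kind, value, ev in found:
        print(f"{ev['ts']} {kind} IOC {value} seen in {ev['source']} event")
    for action in containment_actions(found):
        print("ACTION", action)
```

The useful output is not the list of hits but the list of internal machines (10.0.5.17, 10.0.5.30, ws-0517) that touched an indicator: those are where you start looking for the persistence mechanism, and the host that never matched anything (10.0.5.22) is left alone.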
Step #4. What if it has already begun to move through our network?
Once the hacker has already made lateral movements, they will be harder to detect, but not impossible.
If this hacker finally manages to exfiltrate data or asks us for a ransom for our data, the best thing we can do is NOT to pay and to report it to the State Security Forces.
Obviously, do not restore the backup until the systems are safe again. If we do not have an information backup system, we should consider having one so that the same thing does not happen again and we can resume the operations of our company in the shortest possible time.
Step #5. Post-mortem analysis
Finally, it is very important that before re-establishing your entire system you make sure you have put in place all the measures necessary so that the same incident is not reproduced.
Also, don’t forget to do a post-mortem analysis, to be clear about the lessons learned from this attack and to identify which points of your entire protection, detection and response system failed, so you can reinforce them in the future.