Phase 1: Analysis

The first thing we need to do (especially if you are a new client) is analyze the part of your network that was breached – be it a server, router, device, or some other component of your IT infrastructure. We also need to determine how everything is connected within this environment, so that we can properly understand the extent of the threat / damage to your organization.

The analysis phase follows three basic steps:


1) Determine what was breached.

We must first find out what was breached, and determine the extent of the damage caused by the breach. For example, some breaches are highly localized, e.g. a fault or misconfiguration in one server, while other types can spread throughout your entire network, e.g. a virus / malware attack spread through an infected email attachment.

While your initial description of the incident is important (since this is our starting point), we will always need to actually “dig into” your system ourselves in order to determine what has actually happened. A security professional will always be able to tell you more about any security incident.

This is similar to being a detective investigating a crime scene. We have to talk to all the witnesses, collect the evidence, and use our own insights to determine the precise nature of the crime that took place.

The “star witness” in these cases will always be the actual access point that was breached, or better yet the log files that should have recorded the events in question (this is something set up by your IT administrator). Security forensics will always be easiest if you have log files available for investigation.


2) Determine how the breach occurred, and through what means.

Once we determine the precise nature of the breach and the extent of the damage (whether potential or realized), we must then determine how the breach occurred (whether accidental or intentional).

Let’s say for example that someone did manage to hack into your system:

  • Did they do this by cracking / stealing a password?
  • By exploiting some known / unknown security flaw?
  • Was the breach due to someone’s negligence, through some unforeseen circumstance, an act of revenge, or was this simply a target of opportunity?

There have been cases, for example, where hackers casually scan web servers en masse and note an easy vulnerability to exploit later. In such cases the breach may not even be targeted or personal, but done simply because they could do it, and you made it too easy!

Determining exactly how someone managed to break into your system is therefore the first step to determining how this security flaw can be fixed properly.


3) Determine what current security policies are in place, and where these security policies failed.

This is a very important question to answer, not just for ourselves, but also to help you adapt your security policies to prevent such incidents from recurring (or at least so easily).

Let’s say for example we determine that the breach happened due to a hacker guessing someone’s password:

  • Was this because the password was too simple and easy to guess?
  • Because the password hasn’t been changed in years?
  • Or because this person uses the same password for all their business and personal accounts?

All of these issues indicate a poor, or poorly enforced, password security policy. Such instances are surprisingly common in large organizations, even among otherwise highly intelligent people who assume such things could not possibly happen to them!
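As an added illustration of steps 1 and 3 (it is not part of the original page), the following script shows how the log files act as the “star witness” for a guessed password: it parses constructed sshd-style auth log lines and flags any successful login that was preceded by a burst of failed attempts from the same source. The log lines, the threshold and the window are all assumed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of an sshd auth log (not real data).
SAMPLE_LOG = """\
Mar 10 02:14:01 web1 sshd[4021]: Failed password for alice from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 web1 sshd[4021]: Failed password for alice from 203.0.113.7 port 51023 ssh2
Mar 10 02:14:05 web1 sshd[4021]: Failed password for alice from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:06 web1 sshd[4021]: Failed password for alice from 203.0.113.7 port 51025 ssh2
Mar 10 02:14:09 web1 sshd[4021]: Failed password for alice from 203.0.113.7 port 51026 ssh2
Mar 10 02:14:12 web1 sshd[4022]: Accepted password for alice from 203.0.113.7 port 51027 ssh2
Mar 10 08:30:44 web1 sshd[4100]: Failed password for bob from 198.51.100.5 port 40001 ssh2
Mar 10 08:31:10 web1 sshd[4101]: Accepted password for bob from 198.51.100.5 port 40002 ssh2
"""

# Matches the parts of an sshd line that matter for this check.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)

def parse_line(line, year=2024):
    """Return (timestamp, result, user, source) or None for lines we do not care about.
    Syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def find_guessed_logins(log_text, threshold=5, window_sec=300):
    """Return (user, source, failure_count) for every successful login that was
    preceded by at least `threshold` failures from the same source within `window_sec`."""
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failures
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        key = (user, src)
        recent = [t for t in failures[key] if (ts - t).total_seconds() <= window_sec]
        if result == "Failed":
            recent.append(ts)
            failures[key] = recent
        else:
            if len(recent) >= threshold:
                hits.append((user, src, len(recent)))
            failures[key] = []   # a success closes the burst
    return hits
```

Running `find_guessed_logins(SAMPLE_LOG)` on the sample flags alice’s account (five failures then a success within a few seconds), while bob’s single typo is ignored.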


Phase 2: Planning

Once we have determined the precise nature and cause of the breach, we are able to form a plan to fix the relevant issue(s).

This is also the point where we report to you about what has happened, how it happened, and how we can help prevent it from happening again. You can then decide whether you want us to simply fix the issue, or go in deeper to make sure that such breaches will be much harder to accomplish again.

Sometimes the problem is simple and easy to fix; other times the problem is extremely complex and may require significant modification to your IT systems and security policies.

Examples of a simple problem:

  • An amateur “hacktivist” is able to deface your homepage by exploiting an easily cracked password through your CMS.
  • A virus or some other malware was able to infect your systems due to outdated security software.

Examples of a complex problem:

  • A disgruntled former IT administrator locks out your entire IT network and wipes out your main database as an act of revenge.
  • Highly sensitive information is exposed because permissions for one folder were set to be viewable by everyone in the organization. This actually happened to one organization’s payroll files!


Phase 3: Quick Remedy

This step involves implementing the action plan drawn up to remedy this case, at least on a surface level. The major goal of this phase is to get your IT systems working again as quickly as possible, so your business can continue as normal (or at least relatively normally).

For example, this can involve:

  • Rebooting components (such as servers, routers, switches etc.)
  • Resetting / changing all breached passwords
  • Quarantining viruses / malware etc.
  • Quarantining infected / breached / vulnerable areas of your network
  • Disabling infected / breached / vulnerable software components and / or web services
  • Installing the latest software / hardware patches and updates
  • Restoring from backups
  • Temporarily disconnecting the internet connection
  • Changing firewall rules, e.g. closing unneeded access ports

Since the priority of this phase is enabling you to continue your normal operations as fast as possible, certain services may have to be temporarily disabled in order for everything else to function. While perhaps inconvenient, this is a very normal security procedure that is commonly used when repairing breached systems.

We will make every effort to get your entire IT system back to normal operation quickly. Depending on the sophistication, seriousness, and pervasiveness of your particular security breach, it may take some time before this is possible (more on this in Phase 4).

In such cases you will be fully apprised of the situation so that your organization can take the appropriate steps.


Phase 4: Deep Fixing

Deep Fixing is about fully restoring your IT network, so that all traces of the threat / vulnerability are completely removed from your organization’s systems. While the previous phase is mostly about the “quick fix”, this phase is all about getting to the root of the issue. This is how we make absolutely sure that everything is fixed properly, for example by removing rootkits, which are notoriously difficult to find.

Steps this can involve include:

  • Purging your systems of all malicious software, e.g. rootkits, malware etc.
  • Code fixing, e.g. removing loopholes and exploitable flaws from your code
  • Reformatting hard drives and / or databases as necessary
  • Reinstalling operating systems and applications as necessary
  • Rebuilding entire systems, networks, and servers from scratch if necessary

While we will make every effort to get everything working normally again, in some cases this requires shutting down parts of your network and / or certain services so that we can repair them. Depending on the sophistication, seriousness, and pervasiveness of your particular security breach, it may take some time before a full restore is completed.

For example, there may be a relatively easy modification required to fix an infected server; however, if there are over 100 infected servers, it quickly becomes obvious why it can take time to perform a full restore.

In such cases you will be fully apprised of the situation so that your organization can take the appropriate steps. We will make sure to minimize the amount and impact of downtime as much as possible.


Phase 5: Complete Security Audit

This phase is about scanning / analyzing your entire IT system to determine if and where other vulnerabilities exist within your network. For example, we may have fixed the issue in your Los Angeles office, but what about the Chicago / New York / Miami offices? These need to be checked as well.

Please review our Security Audit Methodology for a complete rundown of this process.