How to Handle a Security Breach on Your Network
Every moment the number of APTs (Advanced Persistent Threats) is increasing alarmingly, and organisations all over the world are under attack. The days when only the government and military sectors were on the radar of hacktivists and cybercriminals are gone. Now hackers have started targeting IT sector organisations, banks, energy companies, and the list goes on. Network security administrators need to stay ahead of hackers and shift their mindset from prevention to detection. Organisations are now targeted with more sophisticated attacks, and there is simply no way to prevent a network breach completely.
Once compromised, a network may leak data and its hosts may be used in a botnet. Traditional solutions do not have the ability to prevent APTs 100%. Therefore penetration testing of the network is of high importance. Here are some steps that one must take immediately once an anomaly in the network is identified.
Identify the Attack
Whether you catch a new infection quickly, or discover that a threat has been harvesting or manipulating data on your network for weeks or months, the first thing you need to do is identify the attack by determining:
- Which systems, services and devices have been compromised?
- Who is the target within the organization?
- Does it stem from a host on your network, or is it coming from outside your perimeter?
- Information about the command & control servers that were used in the attack (IP addresses, domain names, etc.)
- The type of attack (e.g. stealing information, DDoS, unauthorized remote access, etc.)
- The nature of the attack
- The agenda of the attack
Traffic log analysis, to detect attacks as soon as they occur, is one of the best remedies at this step.
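As an added example (not code from the original article), the script below applies the traffic-log analysis step to a few constructed firewall log lines: it flags internal hosts that contact a known command & control address, or that beacon to an external address at near-constant intervals, which answers the "which systems" and "which C2 servers" questions listed above. The log line format, the 10.x.x.x internal range and the C2 indicator list are assumptions made for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines (not real traffic). Assumed format:
# "<epoch> <src_ip> -> <dst_ip>:<dst_port> <bytes>"
SAMPLE_LOG = """\
1700000000 10.0.0.12 -> 203.0.113.7:443 512
1700000060 10.0.0.12 -> 203.0.113.7:443 520
1700000120 10.0.0.12 -> 203.0.113.7:443 508
1700000180 10.0.0.12 -> 203.0.113.7:443 515
1700000240 10.0.0.12 -> 203.0.113.7:443 511
1700000003 10.0.0.45 -> 198.51.100.9:80 2048
1700001500 10.0.0.45 -> 198.51.100.20:443 90000
1700002200 10.0.0.45 -> 198.51.100.9:80 1024
1700000300 10.0.0.77 -> 10.0.0.5:445 40000
"""

# Placeholder indicator list of known command & control addresses (constructed).
KNOWN_C2 = {"198.51.100.9"}

LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (\d+)$")


def parse_log(text):
    """Parse log text into (ts, src, dst, port, nbytes) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, nbytes = m.groups()
            events.append((int(ts), src, dst, int(port), int(nbytes)))
    return events


def is_internal(ip):
    """Assumed internal address space for this example: 10.x.x.x only."""
    return ip.startswith("10.")


def find_compromised(events, min_conns=4, max_jitter=0.2):
    """Return {internal_src: [external_dst, ...]} for hosts talking to a known C2
    address, or beaconing to one external address with low timing jitter."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _nbytes in events:
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst)].append(ts)
    hits = defaultdict(set)
    for (src, dst), stamps in by_pair.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        regular = len(stamps) >= min_conns and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter
        if dst in KNOWN_C2 or regular:
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}
```

Internal-to-internal traffic (such as the 10.0.0.77 line) is deliberately ignored here; lateral movement needs a separate check.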
Quarantine the Damage
For many organizations – particularly large enterprises — taking the network offline after an attack is simply not a feasible option. Each day, numerous employees, customers, partners and vendors depend on the network. What’s more, idling the network could result in major damage to one’s reputation.
However, provided that the identification step (as described above) is done efficiently and thoroughly, there’s likely no need to consider such a drastic reaction. Instead, it makes sense to quarantine only the infected servers, computers and devices. From there, they can be examined, remedied and brought back online.
Once the infection is quarantined, the next step is to disinfect the network. To disinfect, you'll need to compare pre-infection and post-infection backups. Start with the most critical systems first, and then work towards less essential systems from there.
Also keep in mind, as you work your way through this process, that the network breach is considered a crime, and that means you could be wiping away valuable evidence.
You should definitely consult with your organization’s legal counsel to ensure that you have the most up-to-date and accurate advice.
Re-Secure the Network
Before putting any server, computer or device back online, ensure that all compromised or potentially compromised passwords are changed, and that new passwords incorporate best practices for strength and security.
Plus, if the attack was triggered by a spear phishing email or some other vulnerability that involved the unwitting participation of an employee, then you also want to educate all employees on how they must play an active role in maintaining network security going forward.
That's how you get the network running again and prepare for future attacks. The best practice in this case is to use a SIEM (Security Incident and Event Management System).