5 helpful steps for responding to and recovering from a network attack

Strange pop-up windows, unauthorized software, sluggish systems, mysteriously changed passwords, programs running automatically, or unofficial content posted to your website are all signs that your small business network has been hacked. If you suspect that your network security has been compromised, don’t panic! It’s important to remain calm, retain your professional demeanor, and act decisively.

In addition to seeking guidance from a security professional, these five steps can help you quickly respond and safely recover from a network attack.

1. Verify the attack on your network.

You should gather as much information as quickly as possible. Confirm which systems were compromised, determine the IP addresses that were used in the attack, and identify the type of attack, such as unauthorized remote access, a virus, or a malware page tacked onto your website. Use the administration tools available in your routers and firewalls, such as traffic logs and syslog messages. If devices on your network can provide traffic flow records, these records can help to investigate, classify, and provide future protection guidance. Your Internet service provider (ISP) and any out-of-house IT provider may also be able to provide useful information. In addition, a security professional can help you gather and make sense of all the information collected.

2. Contain the damage and preserve your business assets.

Your initial reaction may be to take your entire network offline but that could actually cause additional damage to your company’s operations, not to mention relationships with customers and reputation in the marketplace. Instead, strategically isolate and take offline just the impacted applications or, if necessary, take down the servers or computers those applications live on. This will quarantine the affected applications and devices while still allowing your company to continue to do business.

Also, you need to identify the exact damage done to individual devices. Compare the configurations and data sets for each compromised computer and server with the last known stable and clean backup for each system.

You may need to delete any offensive content left on your site or wipe your systems clean of malware, but you also need to preserve evidence of the crime that was committed against your company—a practice recommended by the Anti-Phishing Working Group (APWG). The APWG also recommends making safe copies of the illegal content or unauthorized applications, separate from any systems that could be further damaged by that content. Make sure to check with your company’s legal counsel before doing so. Some content shouldn’t be copied, particularly child pornography, and must be immediately reported to authorities before you proceed with cleaning up those systems. Cisco partners specializing in security matters and Certified Information Systems Security Professionals (CISSP) can be most helpful in recovering while preserving information for possible legal actions.



3. Decide if you need to make a public statement about the incident.

Depending on the kind of attack and the damage your network sustained, you may need to communicate with customers, partners, or authorities. For example, if the security breach affects your compliance with a governmental regulation, you may be required by law to hire a security investigator who will guide you through your response to the breach. If customer or partner data was affected, you’ll need to notify them that their information was compromised. Again, consult first with your lawyer and public relations professional before issuing any sort of public announcements.

Even if you don’t need to make a public announcement about the security incident, consider reporting it to the vendors of your antivirus and antimalware solutions as they keep updated logs of security threats. You may also want to consider notifying local or even federal units for cybercrime law enforcement.

4. Clean up and restore the affected systems.

If more than one computer or server was hit in the security attack, you should first prioritize the order in which you’ll clean and then restore them to their previous states—starting with business-critical systems, of course. Replace the current, compromised data, configurations, and applications with the most recent clean backup. Change the passwords for all affected systems, users, and applications, including the root password. At the same time, require that all passwords companywide be changed, even on systems that weren’t impacted by the attack. Make sure, too, that no passwords are set to a default or “admin”.

5. Close the vulnerability used to access your network and amp up security.

Make sure you fix the hole that was used to gain access to your network, whether it was a configuration error, an email download, or other vulnerability. You should also increase your network security. For example, check for new security patches and update all systems and software to the most current versions and make sure the security settings on all of your network hardware and software are set appropriately.

As you put your systems back online and resume normal business operations, you will want to monitor for any reoccurrence and might consider adding additional security protection, such as an intrusion prevention system (IPS). The Cisco SA 500 Security Appliances include an IPS as well as advanced web and email security options.

Security experts strongly encourage planning ahead and having an incident response plan that you can act on in the event your network is compromised. These five steps can serve as a foundation for your response plan, which can also be an important component of a small company’s disaster recovery plan. If you need help creating an incident response plan that reflects your company’s operations, consult with a network security expert, such as a security specializing Cisco Certified Partner or a Certified Information Systems Security Professional.