If you suspect you’re the target of an active cyberattack, follow these steps to help you confirm the attack and take actions that can minimize the damage to your infrastructure and data, and restore operations quickly:

Recommended Immediate Actions

  1. Access your organization’s incident response plan. A good plan will help navigate the immediate steps to take once you’ve detected harmful activities on your network.
  2. Determine which systems were impacted and immediately isolate them.
  • If several systems or subnets appear impacted, take the network offline at the switch level.
  • If it’s not immediately possible to take the network offline, locate the affected devices or systems and physically unplug them from the network, or remove them from the wireless network.
  • After an initial compromise, malicious actors may monitor your organization’s activity or communications to understand if their actions have been detected. Be sure to isolate systems in a coordinated manner and use out-of-band communication channels to avoid tipping off actors that mitigation actions are underway. Not doing so could cause actors to move laterally to preserve their access.
  3. Immediately take backups offline to preserve them. Scan backups with anti-virus and anti-malware tools to ensure they’re not infected. Restore backups only to offline systems needed to restore operations.
  4. Initiate an immediate password reset on affected user accounts, using new passwords that are no less than 14 characters in length. Do this for senior management accounts as well. Once you’ve completed this step, issue a password reset for all users with non-unique passwords (e.g., users who share the same password value, such as Summer2016).
  5. Uncover the root causes of the attack. Identify and speak with affected users, especially those with privileged accounts. Confer with your team to develop and document an initial understanding of what has occurred based on the initial analysis.
  6. Review your firewall’s inbound and outbound traffic. Make sure blocking rules are in place for countries sanctioned by OFAC.
  7. Check any external email forwarding rules that are in place. Block those which are using SMTP services to send to suspicious domain names.
  8. Check for rules which add a BCC address to every outgoing email. Delete these rules. Identify the account associated with the BCC address and block any activity associated with that account.
  9. Identify all service accounts, particularly those with privileged access and/or access to multiple applications. Issue a password reset on service accounts, and assign different passwords to service accounts which access multiple applications.
  10. Ensure logging is enabled on databases and important applications. Ensure that you have enough storage capacity to retain those logs for the investigation phase so they are not overwritten.
  11. Take a system image and memory capture of a sample of affected devices (e.g., workstations and servers). Additionally, collect any relevant logs as well as samples of any “precursor” malware binaries and associated observables or indicators of compromise (e.g., suspected command and control IP addresses, suspicious registry entries, or other relevant files detected).
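The two mailbox-rule checks above (external forwarding rules and rules that BCC every outgoing message) are the kind of thing worth scripting so the same triage can be rerun across every mailbox. The script below is an added example and is not part of UDT’s checklist or tooling. It works on a constructed JSON export of inbox rules whose field names (MailboxOwnerId, Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, BlindCopyTo) are modelled on Exchange Online’s Get-InboxRule output; the INTERNAL_DOMAINS set and the sample mailboxes are assumptions you would replace with your own export. It flags any rule that sends a copy of mail outside the organisation, keeps disabled rules in the findings because their presence is still evidence, and returns the set of external domains so they can be handed to the mail-flow or firewall block list.

```python
"""Triage exported inbox rules for external auto-forwarding and hidden BCC.

Added example, not from the original checklist. Field names follow the
Exchange Online Get-InboxRule properties; the data below is constructed.
"""
from __future__ import annotations

import json
import re
from typing import Optional

# Assumption: domains the organisation controls. Anything else is external.
INTERNAL_DOMAINS = {"example.com", "mail.example.com"}

# Rule properties that cause a copy of a message to leave the mailbox.
FORWARD_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
BCC_FIELDS = ("BlindCopyTo",)

# Constructed export: three mailboxes, four rules.
SAMPLE_RULES_JSON = """
[
 {"MailboxOwnerId": "alice@example.com", "Name": "Vacation", "Enabled": true,
  "ForwardTo": ["Bob <bob@example.com>"], "BlindCopyTo": []},
 {"MailboxOwnerId": "alice@example.com", "Name": ".", "Enabled": true,
  "ForwardTo": ["collector@mail-relay.invalid"], "BlindCopyTo": []},
 {"MailboxOwnerId": "cfo@example.com", "Name": "Archive", "Enabled": true,
  "ForwardTo": [], "BlindCopyTo": ["archive@example.com", "x@drop.invalid"]},
 {"MailboxOwnerId": "dave@example.com", "Name": "Old", "Enabled": false,
  "RedirectTo": ["dave@personal.invalid"], "BlindCopyTo": []}
]
"""

_ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")


def address_domain(recipient: str) -> Optional[str]:
    """Domain of 'Name <user@host>' or 'user@host'; None if no address found."""
    m = _ADDR_RE.search(recipient)
    return m.group(1).lower() if m else None


def is_external(recipient: str) -> bool:
    domain = address_domain(recipient)
    return domain is not None and domain not in INTERNAL_DOMAINS


def load_rules(json_text: str) -> list[dict]:
    return json.loads(json_text)


def triage_rules(rules: list[dict]) -> list[dict]:
    """One finding per rule that delivers mail to an external address.

    Disabled rules are reported too: they can be re-enabled later and their
    existence is evidence that belongs in the investigation record.
    """
    findings = []
    for rule in rules:
        reasons = []
        external = []
        for field in FORWARD_FIELDS + BCC_FIELDS:
            ext = [r for r in (rule.get(field) or []) if is_external(r)]
            if ext:
                kind = "BCC" if field in BCC_FIELDS else "forward"
                reasons.append(f"external {kind} via {field}: {', '.join(ext)}")
                external.extend(ext)
        # Heuristic: a blank or one-character name is a common way to make a
        # rule easy to overlook in the mail client.
        if reasons and len(rule.get("Name", "").strip()) <= 1:
            reasons.append("suspiciously short rule name")
        if reasons:
            findings.append({
                "mailbox": rule["MailboxOwnerId"],
                "rule": rule.get("Name", ""),
                "enabled": bool(rule.get("Enabled", True)),
                "external_recipients": external,
                "reasons": reasons,
            })
    return findings


def external_domains(findings: list[dict]) -> set[str]:
    """Domains from the findings, ready for a block list."""
    domains = set()
    for f in findings:
        for addr in f["external_recipients"]:
            d = address_domain(addr)
            if d:
                domains.add(d)
    return domains


if __name__ == "__main__":
    found = triage_rules(load_rules(SAMPLE_RULES_JSON))
    for f in found:
        state = "enabled" if f["enabled"] else "DISABLED"
        print(f"{f['mailbox']} rule '{f['rule']}' ({state}): {'; '.join(f['reasons'])}")
    print("block-list candidates:", sorted(external_domains(found)))
```

Run it against a real export by replacing SAMPLE_RULES_JSON with the JSON your mail platform produces; the disabled rule for dave@example.com is deliberately kept in the output so that step 11’s evidence collection captures it before anyone deletes it.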

FINAL STEP: Contact UDT’s Cybersecurity Incident Response Team (CIRT) at 1-800-882-9919 ext 1 for additional guidance.

Our cyber consultants can provide help with the investigation itself and assist in coordinating computer forensics and recovery resources to help investigate, contain, and restore.