Have I Been Hacked? (How To Know & Steps To Investigate Incidents)
Everyone knows that cybersecurity is important. We all want to prevent people from accessing our data and using it to their advantage.
The fact is that there are great cybersecurity tools out there, but nothing is 100 percent effective.
In my 16 years in IT, I’ve seen all kinds of hacks. I’ve seen the bull in the china shop approach where hackers just bust in, don’t care who sees, and lock up data. I’ve also seen the quiet, calculated, “casing the joint” approach.
There are different types of hacks and different types of hackers.
In this article, I’ll give an overview of some of the signs that indicate a security incident has occurred, and explain the steps involved in investigating a possible incident to get to the root cause.
How To Know If You’ve Been Hacked
As mentioned previously, there are different types of hacks and different things to look for. In general, when you see something that doesn’t look right, bring it to the attention of your security champion (you do have one, right?) or your IT provider.
In the same way that your medical provider would rather examine you for a symptom that turns out to be nothing than miss a serious condition, your IT team would rather investigate a potential incident than have you assume it is a non-event.
To quote an overused phrase, “If you see something, say something.” This applies to IT, too.
So, how do you know if you’ve been hacked? Unfortunately, the answer is that it depends on how subtle the attack is. Sometimes this depends on the sophistication of the hacker. Other times, it depends on whether the attacker cares if they are seen or not. Here are a few examples:
The Lurker
In some cases, an attacker wants to poke around quietly to see what they can access without being noticed. In these cases, they can be in your systems for a long time before anyone notices. These attacks, which are the mark of sophisticated hackers, are very hard to detect.
The first step for these attackers is to conduct reconnaissance in the background to see what they can access.
There have been cases of attackers lurking in an organization’s systems for as long as 18 months without being detected and without taking any obviously destructive action.
Often hackers aren’t noticed until something bad happens.
For example, the attackers inside Sony Pictures weren’t detected until a Monday morning when employees found themselves locked out of their computers.
In another case, Bangladesh Bank (the country’s central bank) didn’t know it had been hacked until the Federal Reserve Bank of New York queried a series of unusual transfer requests totaling nearly $1 billion of its funds to other banks.
Or, on a smaller scale, a user may notice that their system seems to be running unusually slowly, or they see a piece of software that they don’t remember installing. Or maybe their browser is misbehaving and redirecting them to sites they never asked for.
The Snatch and Grab
This scenario is similar to the “bull in the china shop” that we reference above. These attackers are coming to get your data or to take down your systems and they don’t care who sees them. They strike quickly and “loudly.” You notice immediately when you can’t gain access or you get a ransom request.
The Script Kiddie
Then there are the immature hackers who try to access things just to see what they can find, often using random tools they have downloaded but don’t really know how to use. They usually aren’t out to wreak real havoc, generally doing such things as defacing websites, and are mostly looking for bragging rights.
The bottom line is that most hacks aren’t detected until there is an event of some kind.
Investigating A Possible Incident
What if, despite your best efforts, someone gains access to your network?
Step 1 - Preparation
Before an incident even occurs, it’s important to make sure you’ve got all of your tools, plans, and training in place so that when an incident occurs, you’ve got a plan of action on a variety of levels.
Step 2 - Identification
Usually, this is the point where a user identifies that something strange is going on. For example, maybe there are emails in their sent mail that they didn’t send. Or maybe a piece of malware gets caught. After being notified, the IT group needs to determine whether an incident actually happened.
Step 3 - Containment
If an incident did occur, the IT folks will disconnect the affected system from everything else to isolate the bad stuff and make sure it doesn’t spread. Everything else that is okay can keep running as it is. Where possible, isolate rather than power off: shutting a machine down destroys the memory contents and running-process state that the later analysis may depend on.
Step 4 - Eradication
The IT team will fix the problem, clean up the contamination, and then reconnect the previously affected system to the network. People use different terms for this step (the SANS incident-handling model, for example, splits the cleanup into Eradication and the reconnection into a separate Recovery step), but the bottom line is that things are restored to normal operation.
Step 5 - Analysis
After the immediate crisis has been handled, we look to see what happened. Logs are a key element of this analysis. Every operating system produces different kinds of logs. I consider logs the most powerful tool in terms of identifying what was done, by whom, when, and for how long. Two practical caveats: an attacker with administrative access can edit or wipe the logs on the machine they compromised, so logs are only trustworthy when they are also forwarded to a central collector the attacker couldn’t reach, and building a timeline across several machines only works if their clocks are synchronized.
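To make the “what, who, when, and for how long” concrete, here is an added example (not code from the original article) that runs the kind of analysis described above over a handful of constructed Linux sshd log lines. It flags a successful login that was preceded by a burst of failed attempts from the same address (the “snatch and grab” pattern) and pairs session open/close records to show who was on the box, from where, and for how long (the question you ask about a lurker). The log lines, host name, user names and IP addresses are all made up for the example; the syslog format and sshd/pam_unix message wording are the real ones, and the year is assumed to be 2024 because classic syslog timestamps omit it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system). Addresses are from
# the documentation ranges; the year is not recorded by classic syslog, so we
# assume 2024 when parsing.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 web01 sshd[4011]: Failed password for invalid user admin from 203.0.113.9 port 51522 ssh2
Mar  3 02:14:03 web01 sshd[4011]: Failed password for invalid user admin from 203.0.113.9 port 51522 ssh2
Mar  3 02:14:05 web01 sshd[4013]: Failed password for root from 203.0.113.9 port 51530 ssh2
Mar  3 02:14:07 web01 sshd[4013]: Failed password for root from 203.0.113.9 port 51530 ssh2
Mar  3 02:14:09 web01 sshd[4015]: Failed password for deploy from 203.0.113.9 port 51540 ssh2
Mar  3 02:14:12 web01 sshd[4015]: Accepted password for deploy from 203.0.113.9 port 51540 ssh2
Mar  3 02:14:12 web01 sshd[4015]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar  3 04:47:55 web01 sshd[4015]: pam_unix(sshd:session): session closed for user deploy
Mar  3 09:30:44 web01 sshd[5120]: Accepted publickey for alice from 198.51.100.20 port 40122 ssh2
Mar  3 09:30:44 web01 sshd[5120]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 09:52:10 web01 sshd[5120]: pam_unix(sshd:session): session closed for user alice
"""

# Syslog prefix: "Mon dd HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Message bodies we care about, in the order they are tried.
PATTERNS = [
    ("failed", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")),
    ("accepted", re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")),
    ("opened", re.compile(r"session opened for user (?P<user>\S+)")),
    ("closed", re.compile(r"session closed for user (?P<user>\S+)")),
]


def parse_auth_log(text, year=2024):
    """Turn raw sshd log lines into event dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line; a real tool would keep these for context
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        base = {"ts": ts, "host": m["host"], "pid": int(m["pid"])}
        for kind, rx in PATTERNS:
            hit = rx.search(m["msg"])
            if hit:
                events.append({**base, "kind": kind, **hit.groupdict()})
                break
    return events


def find_bruteforce_successes(events, min_failures=3, window=timedelta(minutes=10)):
    """Flag each accepted login preceded by >= min_failures failures from the same IP within window."""
    failures = [e for e in events if e["kind"] == "failed"]
    alerts = []
    for acc in (e for e in events if e["kind"] == "accepted"):
        prior = [f for f in failures
                 if f["ip"] == acc["ip"] and acc["ts"] - window <= f["ts"] <= acc["ts"]]
        if len(prior) >= min_failures:
            alerts.append({"ip": acc["ip"], "user": acc["user"], "accepted_at": acc["ts"],
                           "failures": len(prior),
                           "users_tried": sorted({f["user"] for f in prior})})
    return alerts


def build_session_timeline(events):
    """Pair session opened/closed records by sshd pid: who, from where, when, and for how long."""
    ip_by_pid = {e["pid"]: e["ip"] for e in events if e["kind"] == "accepted"}
    open_by_pid, sessions = {}, []
    for e in events:
        if e["kind"] == "opened":
            open_by_pid[e["pid"]] = e
        elif e["kind"] == "closed":
            start = open_by_pid.pop(e["pid"], None)
            if start is None:
                continue  # close with no open: log rotated, truncated, or tampered with
            sessions.append({"user": e["user"], "ip": ip_by_pid.get(e["pid"], "unknown"),
                             "start": start["ts"], "end": e["ts"], "duration": e["ts"] - start["ts"]})
    # Sessions still open when the log ends are exactly the ones an investigator wants to see.
    for pid, start in open_by_pid.items():
        sessions.append({"user": start["user"], "ip": ip_by_pid.get(pid, "unknown"),
                         "start": start["ts"], "end": None, "duration": None})
    return sorted(sessions, key=lambda s: s["start"])


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for a in find_bruteforce_successes(evs):
        print(f"ALERT {a['accepted_at']}: {a['ip']} logged in as {a['user']} "
              f"after {a['failures']} failures (tried {', '.join(a['users_tried'])})")
    for s in build_session_timeline(evs):
        print(f"{s['start']}  {s['user']:8s} from {s['ip']:15s} duration {s['duration']}")
```

Run against a real /var/log/auth.log (or the output of `journalctl -u ssh`) the same logic works, but remember the caveat above: if the attacker had root on the host, the local file is only as trustworthy as the copy your central log collector received.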
Where Do You Go From Here When It Comes To Hacking?
In this article, we’ve talked about how to know if you’ve been hacked. We identified three different kinds of hackers (the lurker, the snatch and grab, and the script kiddie). You’ve learned which attacks are easier and more difficult to detect.
We’ve also highlighted 5 steps to take when investigating a potential hacking incident.
Armed with this information, you have a better understanding of the complications associated with detecting a security breach and what steps to include in your investigation of something that appears to be suspicious.
Again, the bottom line is that users need to be empowered to speak up when their system is operating in a strange way.
Read this article to learn 6 Easy, Cost-effective Cybersecurity Solutions you can implement today.
Wondering how your organization’s cybersecurity posture measures up? Take this short quiz to find out: Is Your Company Cybersecure?