What are the reflexes to adopt if you suspect that one of your machines has been compromised? Whether it is a personal or professional computer, it is important to act quickly to limit the loss and theft of your data.
The first reflexes to have
I - Isolate the machine
If you think someone has unauthorized access to your machine, stop all activity on it and disconnect it from the network at once: unplug the Ethernet cable and disable Wi-Fi (and any mobile broadband or Bluetooth tethering). This cuts off whatever remote access the attacker has established while leaving the machine running, which preserves the contents of its memory for later analysis.
In the meantime, do not log into any account from that machine and do not plug into it any USB drive or device that you will later want to trust.
II - Inform your security manager
If your company has a security manager (or you have one yourself), they must be informed immediately. Do not use e-mail or any other channel that passes through the compromised machine or that the attacker may be reading; a phone call or an in-person conversation is safer. Explain precisely what happened by answering the questions “When, What, Who, and How” for each event.
Evidence collection follows specific technical procedures, and having a professional perform the data recovery and the analysis of your computer greatly improves your chances of recovering your data and of retaining usable evidence of the intrusion.
III - Dealing with ransomware or if a cybersecurity manager is unavailable
If your machine is hit by ransomware, turn it off at the first signs of infection (files becoming unreadable, file extensions changing, a ransom note appearing) and do not turn it back on before a computer security expert has examined it. This is the one case where a hard power-off is preferable to simply disconnecting the network: the longer the machine stays on, the more files the ransomware can encrypt, and the lower your chances of recovering the data on your hard drive.
If you cannot get help from a security manager and need to resume work quickly, you can turn off the machine and replace its hard drive, taking care to keep the infected drive untouched (do not reformat or reuse it).
Warning: turning off the machine destroys the contents of its memory (RAM): running processes, open network connections, credentials and, in some ransomware cases, the encryption keys still in use. This volatile data can be very useful in a forensic analysis. If someone competent can capture a memory image quickly (tools such as WinPmem on Windows or LiME on Linux exist for this purpose), that should be done before the shutdown; otherwise accept the loss rather than leaving the ransomware running.
Preparing for analysis
If you want to find out who carried out the attack and how, your machine’s data will need to be analyzed by a technician with computer forensics skills.
To help this process, document as precisely as possible (description, date, time, remarks) the events that occurred and the measures you took, noting the time zone used and whether the machine’s clock was correct. Photograph the equipment involved (screens, cabling, connected devices); these photos may be useful later in a judicial investigation.
It is also crucial not to open, power on (if they are off) or otherwise use the compromised machine(s), and not to do anything that could damage or alter the data on them. Running an antivirus cleanup or any other tool that writes to the drive can overwrite traces of the intrusion.
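As an added example (not code from the original article), the following Python script keeps such a timeline as a hash-chained notebook: every entry carries a UTC timestamp, the description and remarks, the SHA-256 fingerprints of any photos or files attached, and the hash of the previous entry, so a later alteration of the record is detectable. The JSON Lines layout, the file names and the workstation name WS-07 used in the demo are assumptions made for illustration.

```python
"""Hash-chained incident notebook: timestamped events plus fingerprints of evidence files.

Added example (not from the original article). The JSON Lines layout and the
hostname "WS-07" used in the demo are assumptions made for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """SHA-256 hex digest of a file, read in chunks so large photos fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class IncidentLog:
    """Append-only JSON Lines log in which every entry carries the hash of the previous one.

    Editing, reordering or deleting an entry after the fact breaks the chain,
    which verify() reports. Keep a copy of the file (or at least of its last
    hash) off the machine so the chain head itself cannot be quietly replaced.
    """

    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self, path):
        self.path = path

    def entries(self):
        if not os.path.exists(self.path):
            return []
        with open(self.path, "r", encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]

    @staticmethod
    def digest(entry):
        # Canonical serialisation (sorted keys, no whitespace) so the hash is reproducible.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
        return hashlib.sha256(raw).hexdigest()

    def add_event(self, description, remarks="", attachments=(), when=None):
        """Record one event (the "When, What, Who, How" of the article) with file fingerprints."""
        existing = self.entries()
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(existing) + 1,
            "timestamp_utc": when.isoformat(timespec="seconds"),
            "description": description,
            "remarks": remarks,
            "attachments": [
                {"file": os.path.basename(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
                for p in attachments
            ],
            "prev_hash": existing[-1]["entry_hash"] if existing else self.GENESIS,
        }
        entry["entry_hash"] = self.digest(entry)
        with open(self.path, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry["entry_hash"]

    def verify(self):
        """Re-hash every entry and check the chain links. Returns (ok, list_of_problems)."""
        problems, prev = [], self.GENESIS
        for i, e in enumerate(self.entries(), start=1):
            if e.get("seq") != i:
                problems.append(f"entry {i}: sequence number is {e.get('seq')}")
            if e.get("prev_hash") != prev:
                problems.append(f"entry {i}: prev_hash does not match entry {i - 1}")
            if self.digest(e) != e.get("entry_hash"):
                problems.append(f"entry {i}: contents changed after it was written")
            prev = e.get("entry_hash", "")
        return (not problems, problems)


def run_demo():
    """Build a two-entry log in a temporary directory, forge the first entry, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        photo = os.path.join(tmp, "rack-photo-01.jpg")
        with open(photo, "wb") as f:
            f.write(b"\xff\xd8\xff\xe0 constructed placeholder, not a real photo")
        log = IncidentLog(os.path.join(tmp, "incident-log.jsonl"))
        log.add_event("Unknown RDP session noticed on workstation WS-07",
                      remarks="Reported by the user by phone", attachments=[photo])
        log.add_event("Ethernet unplugged and Wi-Fi disabled on WS-07")
        clean_ok, _ = log.verify()

        # Forge entry 1 carefully: change the text AND recompute its own hash.
        # Entry 2 still records the old hash as prev_hash, so the chain exposes the edit.
        forged = log.entries()
        forged[0]["description"] = "Nothing unusual observed"
        forged[0]["entry_hash"] = IncidentLog.digest(forged[0])
        with open(log.path, "w", encoding="utf-8") as f:
            for e in forged:
                f.write(json.dumps(e, sort_keys=True) + "\n")
        tampered_ok, problems = log.verify()
        return {"clean_ok": clean_ok, "tampered_ok": tampered_ok, "problems": problems}


if __name__ == "__main__":
    print(run_demo())
```

Running the script shows the untouched log verifying cleanly and the forged copy failing on entry 2, because a forger who rewrites one entry cannot fix the next entry's prev_hash without rewriting everything after it. Keep the log file, or at least its latest entry hash, on a separate device so the record survives the compromised machine.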
Initiating legal procedures
If, after analysis, you have conclusive evidence of an intrusion, you can file a complaint with the police.
In France, computer investigations are usually handled by the Sub-Directorate for Combating Cybercrime; bring all the analysis reports, photos and documents you have at your disposal when filing the complaint.
If personal data of your clients or business partners has been compromised, you must inform them of the security incident. Under the GDPR, a breach of personal data must also be notified to the supervisory authority (the CNIL in France) within 72 hours of becoming aware of it, unless the breach is unlikely to present a risk to the people concerned.
You can be held liable if the confidentiality of third-party information is compromised following a cyberattack on your equipment.
Starting afresh
Whatever type of intrusion you have faced, do not reuse a potentially infected machine without first taking the following precautions:
I - Change the hard drive(s)
The safest and simplest way to quickly rehabilitate a compromised machine is to replace its hard drive(s). A 1 TB drive costs around €50, and doing so lets you keep the compromised drive intact (for investigation or further analysis) and guarantees that no infected file is carried over. Note that this does not clean the machine’s firmware (UEFI/BIOS); firmware-level compromise is rare, but if the analysis points to it, treat the whole machine as evidence rather than reusing it.
II - Reinstall a clean operating system
Once the new hard drive is installed, reinstall a fresh operating system on it. If you work in a Windows environment, you can create installation media on a USB stick or an external hard drive from a clean Windows machine (https://support.microsoft.com/fr-fr/help/15088/windows-10-create-installation-media), which lets you reinstall the version of Windows of your choice. Download installation images only from the vendor, on a clean machine, and where the vendor publishes a checksum or signature for the image, verify it before use.
For other operating systems, refer to the appropriate documentation.
III - Improve your security
If you were not using a firewall and antivirus, now is the time to take care of it! Look for reliable software for your operating system, enable automatic updates, and apply the security settings your OS recommends.
It is also essential to change every password that was ever entered on the machine, as they may have been captured by the attacker. Do this from a different, clean device, and also sign out of active sessions and revoke any API tokens, SSH keys or application passwords that were stored on the machine.
A password manager (KeePass, 1Password, LessPass or Dashlane, for example) will make it easy to create new, unique passwords and to avoid reusing them.
IV - Recover your data from a healthy backup
While it may be tempting to recover data from the potentially infected hard drive, the risk of reintroducing the malware means this operation must be ruled out.
Use the most recent healthy backup to recover the data you need. If you do not have an automated backup mechanism, this is a good opportunity to set one up, keeping at least one copy offline, out of reach of an attacker who controls the machine.
Install and store on the machine only the bare minimum, especially if you have not been able to determine precisely which vulnerability allowed the intrusion.
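The difficulty with step IV is deciding whether a backup is really healthy: a backup share reachable from the compromised machine may itself have been encrypted or tampered with. As an added example, not part of the original article, the following Python script fingerprints a backup when it is taken and re-checks it against that record before a restore; the manifest file format and the sample files are constructed for illustration.

```python
"""Backup manifest: fingerprint a backup when it is made, re-check it before restoring.

Added example (not from the original article). The manifest file format is an
assumption made for illustration; the sample files are constructed.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _walk(root):
    """Map of relative path -> {size, sha256} for every regular file under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return found


def write_manifest(backup_root, manifest_path):
    """Record every file in the backup. Store the manifest OUTSIDE the backup tree and
    preferably offline: an attacker who can rewrite the backup can rewrite a manifest
    sitting next to it."""
    manifest = _walk(backup_root)
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, sort_keys=True, indent=1)
    return manifest


def check_against_manifest(backup_root, manifest_path):
    """Compare the backup as it is now with the manifest written when it was taken.

    A file overwritten after the manifest was written (for example encrypted by
    ransomware that also reached the backup share) is reported as modified; renamed
    or dropped files appear as missing, ransom notes and other additions as unexpected.
    """
    with open(manifest_path, encoding="utf-8") as f:
        expected = json.load(f)
    present = _walk(backup_root)
    modified = sorted(p for p in expected
                      if p in present and present[p]["sha256"] != expected[p]["sha256"])
    missing = sorted(p for p in expected if p not in present)
    unexpected = sorted(p for p in present if p not in expected)
    return {"ok": not (modified or missing or unexpected),
            "modified": modified, "missing": missing, "unexpected": unexpected}


def run_demo():
    """Create a tiny backup, fingerprint it, then simulate the attacker reaching it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(backup, "docs"))
        with open(os.path.join(backup, "docs", "contract.txt"), "w", encoding="utf-8") as f:
            f.write("constructed sample document\n")
        with open(os.path.join(backup, "notes.txt"), "w", encoding="utf-8") as f:
            f.write("constructed sample notes\n")
        manifest = os.path.join(tmp, "backup-manifest.json")  # kept outside the backup tree
        write_manifest(backup, manifest)
        before = check_against_manifest(backup, manifest)

        # Simulate a backup the attacker reached: one file overwritten, a ransom note added.
        with open(os.path.join(backup, "notes.txt"), "w", encoding="utf-8") as f:
            f.write("\x00\x7f garbled content standing in for an encrypted file\n")
        with open(os.path.join(backup, "README_DECRYPT.txt"), "w", encoding="utf-8") as f:
            f.write("constructed ransom note\n")
        after = check_against_manifest(backup, manifest)
        return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", before)
    print("after: ", after)
```

Anything reported as modified, missing or unexpected should be excluded from the restore until it has been explained. The check only proves the backup is unchanged since the manifest was written, so the manifest must be made at backup time, before any incident, and kept where the attacker cannot reach it.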
If you suspect an intrusion on your network or one of your machines, you can contact us for advice and support in the analysis and securing of your data.
Resources
- https://www.cert.ssi.gouv.fr/information/CERTA-2002-INF-002/ (In French)
- https://www.secjuice.com/how-to-handle-an-intrusion-on-a-windows-system/ (In English)
Illustration image by Vitaly Vlasov.