It’s unlikely that your company will be hit by a Level Three or Level Four disaster during the next year, but what about a hack attack? The threat of hackers breaching your company's network and computer systems is a real and present danger, and an attack could cause serious problems for your IT infrastructure and, as a result, interfere with business operations. Therefore, a hacking recovery plan should be part of any comprehensive disaster recovery plan. Here are some steps that should be included in your hacking recovery plan.
1. Disconnect external lines. If you suspect that a hacker has compromised your network, disconnect any external WAN lines coming into the network. If the attack came from the Internet, taking down external lines will make it harder for the hacker to further compromise any machines and with luck prevent the hacker from compromising remote systems.
2. Perform a wireless sweep. Wireless networking makes it relatively simple for a hacker to set up a rogue Access Point (AP) and perform hacks from the parking lot. You can use a wireless sniffer such as Airscanner Mobile Sniffer, AirSnort, Airosniff, ApSniff, or NetStumbler to perform a wireless sweep and locate APs in your immediate area. Install the sniffer on a laptop or another mobile device before you need to use it to make sure it’s working properly. You should install the sniffer on a NIC that supports all the current wireless standards (e.g., 802.11a, 802.11b, and 802.11g).
3. Scan for compromised machines. A hack attack could compromise multiple machines. Make sure you check every machine that could potentially be hacked for compromises. For example, use the Autoruns utility from Sysinternals (http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml) to check for unknown programs that are set up to automatically run. Also check whether root kits and other hacking tools are installed on the computer.
4. Disable or delete rogue users. Examine Active Directory (AD) for rogue (i.e., unauthorized) users, and disable or delete such users as necessary.
5. Change passwords. Change all passwords for every account on the network. This especially includes the Administrator account and accounts that are used to start services on the server. Consider using 15-character pass phrases for enhanced security.
6. Preserve the data. If possible, buy replacement hard drives for the hacked computers, so that you can preserve the hacking activity on the compromised computer. After you've restored the network, you can review this information to gain more valuable information about the hack.
7. Identify and address the vulnerability. This is often easier said than done. Make sure you know how the hacker accessed the network in the first place. If you don't address the vulnerability, you face being attacked again.
8. Rebuild the machine. After a machine has been hacked, it’s almost impossible to completely clean it of all hacking tools; all a hacker needs is one to gain access to the machine. The only way to make sure the machine is clean is to format the hard drives and rebuild the computer from scratch. If you have to restore data on the computer, make sure you don't accidentally restore any previously installed hacking tools. Don't restore the registry, any OS files, or programs from tape. Install all applications manually; don't restore them from tape.
9. Bring the network back up. Reconnect the WAN lines and carefully monitor them. Make sure you've closed all holes on your network, to prevent the hacker from returning.
10. Perform forensic analysis on the hard drives. After the network is running again, you might want to install the hacked drives on a standalone computer to gain more information about the hack. Although hackers often spoof their IP addresses, for tracking down the source of the hack, the IP address is a good place to start. You can get a list of IP address allocations from the Internet Assigned Numbers Authority (IANA) at http://www.iana.org. Document each hacking tool that you find on a computer. It’s very difficult to track down hackers, especially if they’ve covered their tracks. Often you must catch a hacker while the hack is occurring. You might want to leave tracking the hacker to the appropriate authorities.
11. Notify law enforcement. Most FBI field offices have Cyber Action Teams and run the Internet Fraud Complaint Center (http://www.ifccfbi.gov/index.asp) for reporting suspicious activity on the Internet. To contact your local FBI office, refer to the list at http://www.fbi.gov/contact/fo/fo.htm. No one likes to admit he or she has been hacked, but notifying the appropriate authorities is the first step to prevent a hacker from doing more damage. The more information you can provide about the attack, the more likely the FBI can capture the hacker.
During a hack attack, it’s difficult to think clearly. Having a game plan for dealing with hack attacks will help you to bring up your network quickly and preserve the hacked computer for future analysis.