Why attacking and hacking

– proof of concept
– causes service interruption
– utilize compromised systems to attack other targets
– steal compute power
– build zombie network
– ransome
– attention seeking
– personal reasons

How does it happen

– Webhack exploiting vulnerable apps or scripts
– SQL injection
– Overflow boundaries
– Brutish password hack
– Social hacking
– Affected by compromised neighbors particularly in muti-tenant environments
– Internal rogue

What to do when a system is being attacked or hacked?

Contain the incident: Immediately confine the affected systems and stop the attack

– Isolate hacked system by putting it in isolated environment
– Disable related outbound or inbound traffic
– Capture forensics and terminate malicious processes

Assess the damage

– Identify affected data, servers, and users
– Notify affected users

Recover service and data

– Run full scan and quarantine infected files
– Backup data
– Redeploy server from clean sources
– Restore data assuming they are clean

Protect the systems

– Change admin passwords and use strong passwords
– Install AV, WAF, CDN, DDOS, IDS and IPS systems
– Update detection signatures or databases
– OS hardening and patching
– Identify weakest link and pen-tests
– Review and tighten directory and file permissions, disable exec permission
– Change IP
– Deploy disaster recovery systems

Resume service and monitor

– Increase log levels
– Deploy monitoring and alerting tools
– System integrity checks

Leave a Comment