Why attacks and hacks happen
– proof of concept
– cause service interruption
– use compromised systems to attack other targets
– steal compute power
– build a zombie network (botnet)
– ransom
– attention seeking
– personal reasons
How does it happen?
– Web attacks exploiting vulnerable applications or scripts
– SQL injection
– Buffer overflows (boundary violations)
– Brute-force password attacks
– Social engineering
– Compromised neighbors, particularly in multi-tenant environments
– Rogue insiders
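The SQL injection item above, as an added example that is not part of the original notes: the same user lookup written once with string splicing (vulnerable) and once with a bound parameter (safe), run against an in-memory SQLite table of constructed sample users so the difference is visible in the row counts. Table and column names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not real data).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # BAD: the input is spliced into the SQL text, so a quote in the input
    # ends the string literal and the rest is parsed as SQL.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # GOOD: a bound parameter is always treated as a value, never as SQL,
    # whatever characters it contains.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a classic tautology payload and a legitimate name."""
    conn = make_db()
    payload = "' OR '1'='1"   # turns the WHERE clause into: username = '' OR '1'='1'
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, payload)),  # every user leaks
        "safe_rows": len(lookup_safe(conn, payload)),              # no such username
        "legit_rows": len(lookup_safe(conn, "alice")),             # normal use still works
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable query returns the whole table for the payload, the parameterized one returns nothing, and a legitimate name still returns exactly one row.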
What to do when a system is being attacked or hacked?
Contain the incident: Immediately confine the affected systems and stop the attack
– Isolate the compromised system in a quarantined network segment (keep it running where possible; powering it off destroys volatile evidence)
– Block the related inbound and outbound traffic at the firewall
– Capture forensic evidence (memory, running processes, network connections, logs) before terminating the malicious processes
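The last two containment steps, in the order that preserves evidence, as an added example that is not part of the original notes. The suspect process is frozen with SIGSTOP (it can do no further harm, but its memory and file descriptors stay intact for a later dump), its volatile state is recorded from /proc, a copy of its executable is preserved (attackers often delete the binary after launch), and only then is it killed. This assumes a Linux host with procfs; in demo() a harmless "sleep" child stands in for the malicious process.

```python
import hashlib
import json
import os
import shutil
import signal
import subprocess
import tempfile
import time
from pathlib import Path


def proc_state(pid: int) -> str:
    """Return the one-letter state from /proc/<pid>/status (R, S, T, Z, ...)."""
    with open(f"/proc/{pid}/status") as f:
        for line in f:
            if line.startswith("State:"):
                return line.split()[1]
    return "?"


def collect_evidence(pid: int, evidence_dir: Path) -> dict:
    """Record what dies with the process and that an analyst will need later."""
    proc = Path("/proc") / str(pid)
    cmdline = (proc / "cmdline").read_bytes().rstrip(b"\0").split(b"\0")
    record = {
        "pid": pid,
        "collected_at": time.time(),
        "state": proc_state(pid),                       # expect "T" (stopped)
        "cmdline": [a.decode(errors="replace") for a in cmdline],
        "exe": os.readlink(proc / "exe"),               # ends in " (deleted)" if unlinked
        "cwd": os.readlink(proc / "cwd"),
        "open_fds": {},
    }
    for fd in os.listdir(proc / "fd"):
        try:
            record["open_fds"][fd] = os.readlink(proc / "fd" / fd)
        except OSError:
            pass                                        # fd vanished between listdir and readlink
    # /proc/<pid>/exe still opens the original inode even after the file is deleted.
    shutil.copy2(proc / "exe", evidence_dir / "exe.bin")
    record["exe_sha256"] = hashlib.sha256((evidence_dir / "exe.bin").read_bytes()).hexdigest()
    (evidence_dir / "record.json").write_text(json.dumps(record, indent=2))
    return record


def contain(pid: int, evidence_dir: Path) -> dict:
    """Freeze first, collect second, terminate last."""
    os.kill(pid, signal.SIGSTOP)
    deadline = time.monotonic() + 2.0
    while not proc_state(pid).startswith("T") and time.monotonic() < deadline:
        time.sleep(0.01)
    record = collect_evidence(pid, evidence_dir)
    os.kill(pid, signal.SIGKILL)                        # SIGKILL is delivered to a stopped process
    return record


def demo() -> dict:
    """Run contain() against a harmless stand-in child process."""
    child = subprocess.Popen(["sleep", "300"])          # stand-in for the malicious process
    evidence_dir = Path(tempfile.mkdtemp(prefix="evidence-"))
    record = contain(child.pid, evidence_dir)
    record["exit_signal"] = -child.wait()               # negative return code = killing signal
    record["evidence_dir"] = str(evidence_dir)
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For a real incident the same freeze-then-collect window is where a memory image (e.g. with a kernel-level acquisition tool) would be taken, and the firewall block from the previous step should already be in place so the frozen process cannot resume talking out if someone sends it SIGCONT.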
Assess the damage
– Identify affected data, servers, and users
– Notify affected users
Recover service and data
– Run a full scan and quarantine infected files
– Back up data (including a copy of the compromised state for later analysis)
– Redeploy the server from known-clean sources (fresh OS image, trusted packages) rather than cleaning the compromised one in place
– Restore data only once it has been verified clean (e.g. from a backup that predates the compromise)
Protect the systems
– Rotate administrative credentials (passwords, SSH keys, API tokens) and enforce strong passwords
– Deploy AV, WAF, CDN, DDoS protection, IDS and IPS
– Update detection signatures and databases
– Harden and patch the OS
– Identify the weakest links and run penetration tests
– Review and tighten directory and file permissions; remove execute permission where it is not needed (e.g. upload directories)
– Change the server's IP address
– Deploy disaster recovery systems
Resume service and monitor
– Increase log levels
– Deploy monitoring and alerting tools
– Run system integrity checks (compare file hashes and permissions against a known-good baseline)
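A file-integrity baseline and check, as an added example that is not part of the original notes. It serves three of the steps above: verifying that restored data is clean (Recover), the permission review and removal of execute bits (Protect), and the system integrity checks after service resumes. A manifest of SHA-256, size and permission bits is taken from a known-good tree; a later run reports files that were added, removed or modified and any file that gained an execute bit. The web root and the tampering in demo() are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root) to its hash, size and mode bits."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue                                # skip symlinks, sockets, devices
            manifest[str(p.relative_to(root))] = {
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests; 'exec_added' flags files that gained any execute bit."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": [], "exec_added": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
            if current[rel]["mode"] & 0o111:
                report["exec_added"].append(rel)        # new executable file: suspicious
            continue
        if rel not in current:
            report["removed"].append(rel)
            continue
        b, c = baseline[rel], current[rel]
        if b["sha256"] != c["sha256"] or b["size"] != c["size"]:
            report["modified"].append(rel)
        if b["mode"] != c["mode"]:
            report["mode_changed"].append(rel)
            if (c["mode"] & 0o111) and not (b["mode"] & 0o111):
                report["exec_added"].append(rel)
    return report


def demo() -> dict:
    """Baseline a constructed web root, tamper with it, and report the drift."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "config.php").write_text("<?php $db = 'prod'; ?>\n")
    (root / "uploads").mkdir()
    (root / "uploads" / "avatar.png").write_bytes(b"\x89PNG constructed sample")
    for p in root.rglob("*"):
        if p.is_file():
            p.chmod(0o644)                              # clean state: nothing executable
    baseline = build_manifest(root)

    # Constructed post-compromise changes: injected code, a dropped web shell,
    # a deleted config and an upload that became executable.
    (root / "index.php").write_text("<?php eval($_POST['c']); ?>\n")
    (root / "uploads" / "shell.php").write_text("<?php system($_GET['c']); ?>\n")
    (root / "uploads" / "shell.php").chmod(0o755)
    (root / "config.php").unlink()
    (root / "uploads" / "avatar.png").chmod(0o755)

    return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline manifest is written at deploy time and stored off the host (an attacker with write access to the server can otherwise regenerate it); the same compare() run over a backup before restoring it answers whether the data is actually clean.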