You're familiar with that dreadful feeling when your phone vibrates with a server alert at 1:00 am? Yes - that feeling. If you have run any hosting servers, you are familiar - breaches of data will surely happen to someone. What should you do now? Create a simple, straight-forward data breach response plan. A plan that helps you quickly respond while all hell breaks loose instead of simply looking good on paper.
Step 1: Discover the Breach Quickly
The sooner you discover a breach, the less damage it can do. Let's face it: most breaches go unnoticed for days or, in some cases, weeks. Ask yourself the following question: would you even notice if a hacker broke into your server right now?
To be prepared, you should follow these guidelines:
• Utilize 24/7 monitoring tools such as CrowdStrike or Wazuh.
• Establish alerts on log changes so that you are notified the moment something unusual is recorded.
• Monitor unusual activity from users or unusual network traffic.
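The "alerts on log changes" and "unusual activity from users" bullets above are the detection half of Step 1. As an added example (not code from the original post), here is a small detector that runs over a handful of constructed syslog-style SSH and useradd lines and raises alerts on three patterns: repeated failed logins from one address, a successful login from an address that had just been failing, a login from an address outside an allowlist, and a new local account being created. The log lines, the allowlist address and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (syslog style); not taken from any real server.
SAMPLE_LOG = """\
Mar 14 01:02:11 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 14 01:02:13 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 14 01:02:15 web1 sshd[2205]: Failed password for admin from 203.0.113.7 port 51244 ssh2
Mar 14 01:02:18 web1 sshd[2207]: Failed password for admin from 203.0.113.7 port 51250 ssh2
Mar 14 01:02:20 web1 sshd[2209]: Failed password for admin from 203.0.113.7 port 51255 ssh2
Mar 14 01:02:23 web1 sshd[2211]: Accepted password for admin from 203.0.113.7 port 51260 ssh2
Mar 14 01:05:00 web1 useradd[2300]: new user: name=backupsvc, UID=1005, GID=1005, home=/home/backupsvc, shell=/bin/bash
Mar 14 01:10:42 web1 sshd[2400]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)")
USERADD_RE = re.compile(r"new user: name=(?P<user>[^,]+)")

# Assumed allowlist of addresses your admins normally log in from (constructed).
KNOWN_ADMIN_IPS = {"198.51.100.4"}
FAIL_THRESHOLD = 5            # failed logins from one address before alerting
WINDOW = timedelta(minutes=5)  # sliding window for counting those failures


def parse_line(line):
    """Split one syslog-style line into (timestamp, process name, message), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("proc"), m.group("msg")


def detect(log_text):
    """Return a list of (severity, reason) alerts found in the given log text."""
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of recent failed logins
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, proc, msg = parsed
        if (m := FAILED_RE.search(msg)):
            ip = m.group("ip")
            # keep only failures inside the window, then add this one
            failures[ip] = [t for t in failures[ip] if ts - t <= WINDOW] + [ts]
            if len(failures[ip]) == FAIL_THRESHOLD:
                alerts.append(("high", f"{FAIL_THRESHOLD} failed logins from {ip} within {WINDOW}"))
        elif (m := ACCEPTED_RE.search(msg)):
            ip, user = m.group("ip"), m.group("user")
            if failures.get(ip):
                # a success right after a run of failures is the classic brute-force signature
                alerts.append(("critical",
                               f"successful login for {user} from {ip} after {len(failures[ip])} recent failures"))
            elif ip not in KNOWN_ADMIN_IPS:
                alerts.append(("medium", f"login for {user} from unexpected address {ip}"))
        elif proc == "useradd" and (m := USERADD_RE.search(msg)):
            # new local accounts are a common persistence step and worth a human look
            alerts.append(("high", f"new local account created: {m.group('user')}"))
    return alerts


if __name__ == "__main__":
    for severity, reason in detect(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```

On the sample above this reports the five failures from 203.0.113.7, the successful admin login from that same address, and the new backupsvc account, while the deploy login from the allowlisted address stays quiet. In a real deployment the same function would be fed by a log shipper (or a tool such as Wazuh) rather than a string, and the allowlist would come from configuration.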
Step 2: Preventing Further Damage
Once you have confirmed a breach, the worst thing you can do is panic and take actions that destroy evidence; that is a recipe for disaster. Here is the action to take:
• Isolate the servers that have been compromised (disconnected but don't delete).
• Reset all passwords, SSH keys, and API keys.
• Lock all access to backups so that the attacker can't delete or modify them.
Your intent here is simple: stop the attack and preserve evidence so that you can address the root cause down the line.
Step 3: Cleanup and Restoration
Now that the attack has been stopped, it is time to clean up. Here are some tips:
• Remove infected files and re-image the servers if possible.
• Restore your systems from backups that are known to be clean.
• Patch outdated software and close off any security "holes" in your system.
When it is time to bring a system back online, do not allow it back on the network until you are 100% sure it is clean, just as you would not drive until you have fixed your brakes.
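Two of the bullets above depend on each other: Step 2 says to lock the backups so the attacker cannot modify them, and Step 3 says to restore only from backups that are clean. As an added example (not code from the original post), here is one way to make the second check mechanical: a manifest of backup names, timestamps and SHA-256 digests is recorded when each backup is taken and authenticated with an HMAC key that never lives on the server; at restore time, the newest backup that was taken before the intrusion began and whose contents still match the manifest is chosen. The backup contents, timestamps, key and compromise time are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Constructed stand-ins for backup archives, keyed by file name (not real backups).
BACKUPS = {
    "site-2024-03-12.tar": b"clean site snapshot from 12 March",
    "site-2024-03-13.tar": b"clean site snapshot from 13 March",
    "site-2024-03-14.tar": b"snapshot taken after the intrusion began",
}

# Manifest recorded at backup time. In practice it is written to storage the
# server cannot modify (object lock, a separate account, offline media).
MANIFEST = [
    {"name": name, "taken_at": taken_at, "sha256": hashlib.sha256(BACKUPS[name]).hexdigest()}
    for name, taken_at in [
        ("site-2024-03-12.tar", "2024-03-12T02:00:00+00:00"),
        ("site-2024-03-13.tar", "2024-03-13T02:00:00+00:00"),
        ("site-2024-03-14.tar", "2024-03-14T02:00:00+00:00"),
    ]
]

# Assumed HMAC key; it is held by the backup system, never on the web server,
# so an attacker on the server cannot forge a manifest that matches tampered files.
OFFLINE_KEY = b"constructed-demo-key-kept-off-the-server"


def sign_manifest(manifest, key):
    """HMAC-SHA256 over a canonical JSON encoding of the manifest."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest, mac, key):
    """Constant-time comparison so the check itself leaks nothing about the MAC."""
    return hmac.compare_digest(sign_manifest(manifest, key), mac)


# Computed here for the demo; normally stored alongside the manifest when it is written.
MANIFEST_MAC = sign_manifest(MANIFEST, OFFLINE_KEY)


def choose_clean_backup(manifest, mac, key, compromise_time_iso, backups):
    """Return the name of the newest backup taken before compromise_time_iso whose
    contents still match the authenticated manifest, or None if there is none.
    Raises ValueError if the manifest itself fails authentication."""
    if not manifest_is_authentic(manifest, mac, key):
        raise ValueError("manifest signature invalid: treat every backup as suspect")
    compromise_time = datetime.fromisoformat(compromise_time_iso)
    newest_first = sorted(manifest, key=lambda e: e["taken_at"], reverse=True)
    for entry in newest_first:
        taken = datetime.fromisoformat(entry["taken_at"])
        if taken >= compromise_time:
            continue  # taken during or after the intrusion; may carry the attacker's changes
        data = backups.get(entry["name"])
        if data is None:
            continue  # archive missing; cannot restore from it
        if hashlib.sha256(data).hexdigest() != entry["sha256"]:
            continue  # archive changed since it was recorded; possibly tampered
        return entry["name"]
    return None


if __name__ == "__main__":
    # The detection alert in this scenario fired at 01:02 on 14 March (constructed).
    print(choose_clean_backup(MANIFEST, MANIFEST_MAC, OFFLINE_KEY, "2024-03-14T01:02:00+00:00", BACKUPS))
```

With the constructed data the 14 March backup is skipped because it postdates the alert, so the 13 March archive is chosen; if that archive's bytes no longer match the manifest, the function falls back to 12 March, and if the manifest itself has been altered it refuses outright rather than trusting any backup. The compromise time should be the earliest evidence of intrusion you find in Step 1, not the moment you noticed it.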