what to do if your network is hacked checklist

What to Do if Your Network is Hacked

People regularly ask the questions, “how do I know if my email has been hacked?” or “what do I do if my network is hacked?” This article will offer some insight into answering these questions.

But, first and foremost, if you are not an IT professional or cybersecurity expert, you need to hire someone who specializes in cyberattack remediation. Mailprotector is an email security organization who makes MSPs and outsourced IT professionals better by providing the most complete email security solution on the market. Here, we offer suggestions and advice to those whose network might have been hacked.

I have been hacked. Now what?

  • Stay calm. You are not going to be effective under duress. You need to think clearly. And while everything might seem out of control, you will recover from this.
  • Document everything. Where the breach occurred (once you figure it out), who discovered it, what you did to solve the problem. Record information like times, dates, and details of the incident.
  • Run a full anti-virus/malware scan. Attackers may be running a trojan on a local machine that can help them gain access to login information.
  • Identify and isolate. Oftentimes, ransomware doesn’t strike everything at once. Isolate infected users and systems. Close network access to all, patch systems, reset passwords of compromised accounts
  • Keep logs, do memory dumps, download network traffic reports, and save disk images. Before you pull the plug on systems, you are going to want this valuable information for digital forensics.
  • Engage your legal team. Are there SLAs that need to be kept up? Should you shut down until a threat is eliminated or do you need to keep parts of your service active?
  • Take steps to mitigate the disclosure of protected health or customer information. PHI might include: treatment information, billing information, insurance information, contact information, or social security numbers.
  • If you believe HIPAA may have been violated with regards to the breach, you are going to want to review the HIPAA Breach Notification Rule and take note of the breach notification requirements.
  • Immediately fix any technical issues resulting from the breach. Monitor Internet connections to identify data leaving the network.
  • If you’re in the United States, inform the Internet Crime Complaint Center (IC3), which is a division of the FBI. In some cases, law enforcement officials may tell you that the potential breach would impede a criminal investigation or harm national security. In this case, you will need to delay reporting the breach for a time the law enforcement official will request in writing (or 30 days if the request is made orally).
  • Notify whoever is impacted that systems are down or that a data breach has occurred. Engage your marketing, communications or public relations team if you have one. The best thing you can do is be transparent about what is going on. People may empathize if you tell them what is happening. If you try to hide it, you are going to make matters much worse. This might include customers, employees, and other stakeholders.
    • Publicly-traded organizations – If you’re a publicly-traded company and the incident has material impact, an 8-K form may be necessary to inform shareholders through the SEC.
    • Service Level Agreements – Depending on the type of business, there may be a compliance or SLA that mandates reporting a cyberattack.
  • Properly configure SPF, DKIM, and DMARC for the effected domain. The attacker has likely gathered data on contacts will attempt to leverage the information in future spoof and phishing attempts on known contacts.
    • SPF and DKIM will validate the authenticity of emails coming for the domain. This is a critical tool for telling the internet where emails from your domain can originate. If they don’t come from those sources or the message is altered on its way to a recipient, the receiving server should consider it suspicious.
    • DMARC takes the validation information from SPF and DKIM, and further informs receiving servers on how to handle emails that do not meet the validation standards. DMARC also includes reporting that can tell your MSP or IT service provider how often and from where suspicious emails are being generated.

Problems still remaining after website remediation? Go through additional checklists in our article, Have I Been Hacked?

Who is Mailprotector?

Mailprotector is an email security, email privacy, and email encryption company whose goal is to provide the best, most complete email security option we can to our base of partners. From where we sit, we see a vast array of businesses jumping into the IT security space because “cybersecurity” is the latest buzzword. Since 2000, we have been patenting, building, and evolving the most secure email security platform available on the market today. Don’t settle for a partial email security solution.

Schedule a demo to see what a complete solution looks like today!

mailprotector logo

BONUS RESOURCE
Preventing Ransomware Attacks eBook (PDF)

Read an in-depth summary where we look at several recent ransomware attacks to break down exactly what happened, which ransomware prevention plans worked, and which ones didn’t hold up when it mattered the most.