It’s Monday, 7:50 a.m. Everyone is returning to the office after a relaxing weekend. A few people stop by the kitchenette or gather near a cubicle to discuss the news. Others head straight to their workstations and start their day.
By 8:15 a.m., people are wading through the email that came in over the weekend.
Around 8:30 a.m., one frustrated employee calls the helpdesk reporting that they are getting “weird pop-ups.” Another mentions that five people in their section got an email from that employee containing multiple misspellings and a link to a spreadsheet that appeared to be empty when they opened it.
By 8:35 a.m., the Security Operations Center (SOC) deploys a member of the Incident Response (IR) team to collect the computers in that section of the network and bring them back to the lab for analysis.
At 8:50 a.m., the vice president of operations reports that one of the mission-critical manufacturing systems just went down, and if it isn’t back up before 10:00 a.m., they will have to push back the customer orders expected to ship today.
By 9:00 a.m., all employees are off the network as the SOC begins to survey the damage and start remediation. The employees, not sure what to do, assemble and share what they know or have heard from others. “Were we hacked?” asks one. “Were there any warning signs?” asks another.
Very likely. Let’s review five of the many possible signs that you have been hacked.
1. New Browser Toolbars
Your browser has one or more new toolbars with names that suggest it is supposed to help you. More likely than not, it is not helpful, and you need to remove it immediately.
Most browsers allow you to review installed and active toolbars. Remove any you don’t want. If you aren’t sure if it is useful, remove it! If you can’t quickly delete it, you might have to reset your browser back to the default settings, run your antivirus package, and contact your helpdesk.
2. You’re Seeing Random Pop-ups
Random browser pop-ups from websites are a common and annoying sign that your system has been compromised.
One of the malicious mechanisms that produces pop-ups is the toolbar, along with other programs or applications that pose as helpful utilities. Remove the toolbars as outlined above and use the tools in your operating system (OS) to uninstall the offending programs.
3. Customers or Colleagues Receive Emails You Didn’t Send
If others are receiving emails from you that you did not send, that is a serious indicator that you have been hacked. As in our example above, the email is almost certain to carry a malicious file or link that prompts an executable to infect the receiving system.
The recipient will either delete it without action, ask you why you sent it, immediately contact the helpdesk or errantly click on the link. The hacker relies on the recipient to trust the sender enough to let their guard down and click the disguised executable without a second thought.
To stop the damage and remedy it, you must send out a timely notice warning people against the malicious email as well as go through procedures to quarantine and purge the message from inboxes.
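The quarantine-and-purge step depends on first knowing which mailboxes received the forged message. The following is an added example, not code from the original article: it scans a constructed outbound mail log (made up for this example) for a burst of identical messages from one account to many recipients, which is the pattern described above, and produces the list of mailboxes that need the warning notice and a purge. The log format, the five-minute window and the five-recipient threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound mail log: (sender, recipient, subject, sent_at).
# Built for this example; the addresses and messages are not real.
MAIL_LOG = [
    ("jdoe@example.com",  "a.lee@example.com",  "Q3 budget review",            "2024-06-10 07:58:02"),
    ("jdoe@example.com",  "m.ross@example.com", "Pleae see attched spredsheet", "2024-06-10 08:02:11"),
    ("jdoe@example.com",  "t.kim@example.com",  "Pleae see attched spredsheet", "2024-06-10 08:02:12"),
    ("jdoe@example.com",  "r.ali@example.com",  "Pleae see attched spredsheet", "2024-06-10 08:02:14"),
    ("jdoe@example.com",  "s.park@example.com", "Pleae see attched spredsheet", "2024-06-10 08:02:15"),
    ("jdoe@example.com",  "c.wong@example.com", "Pleae see attched spredsheet", "2024-06-10 08:02:17"),
    ("jdoe@example.com",  "a.lee@example.com",  "Re: Q3 budget review",        "2024-06-10 08:20:40"),
    ("pgray@example.com", "jdoe@example.com",   "Lunch?",                      "2024-06-10 08:05:00"),
]

FMT = "%Y-%m-%d %H:%M:%S"


def find_mass_mailings(log, window=timedelta(minutes=5), min_recipients=5):
    """Return one alert per (sender, subject) pair whose messages reach at least
    `min_recipients` distinct mailboxes inside any interval of length `window`.
    Thresholds are assumptions for this example; tune them to the account's baseline."""
    groups = defaultdict(list)
    for sender, recipient, subject, sent_at in log:
        groups[(sender, subject)].append((datetime.strptime(sent_at, FMT), recipient))

    alerts = []
    for (sender, subject), entries in groups.items():
        entries.sort()
        j = 0
        for i in range(len(entries)):
            # Slide j forward to the last message still inside the window that starts at i.
            while j + 1 < len(entries) and entries[j + 1][0] - entries[i][0] <= window:
                j += 1
            recipients = {r for _, r in entries[i:j + 1]}
            if len(recipients) >= min_recipients:
                alerts.append({
                    "sender": sender,
                    "subject": subject,
                    "recipients": sorted(recipients),
                    "first_seen": entries[i][0].strftime(FMT),
                    "last_seen": entries[j][0].strftime(FMT),
                })
                break  # one alert per (sender, subject) is enough for triage
    return alerts


def quarantine_list(alerts):
    """Every mailbox that received a flagged message: these get the warning notice
    and a purge of the message."""
    return sorted({r for a in alerts for r in a["recipients"]})


if __name__ == "__main__":
    found = find_mass_mailings(MAIL_LOG)
    for a in found:
        print(f"{a['sender']} sent '{a['subject']}' to {len(a['recipients'])} mailboxes "
              f"between {a['first_seen']} and {a['last_seen']}")
    print("quarantine:", quarantine_list(found))
```

The grouping key is (sender, subject) because the forged messages in the scenario share a subject; in practice you would also key on the link or attachment hash so that a sender who varies the subject line is still caught.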
4. You or Someone at Your Company Receives a Warning You’ve Been Hacked
One of the worst messages anyone can see on their computer is a sudden screen takeover telling them all their data is encrypted and demanding a payment to unlock it. Ransomware is a huge problem for small and large businesses, hospitals, government agencies, and municipalities. Billions of dollars are lost in ransoms paid and productivity lost.
Generally, you are going to have to restore a system affected by ransomware. Having a clean and current system image is a massive step in remediating a compromised system. Additionally, it is smart to have current backups of your data available in off-system storage. If you are using the cloud for storage, make sure that you can do recovery operations from that cloud service.
Fortunately, if you are a forward-thinking company with threat hunting tools, your SOC may get advance warning and take proactive action before the attack manifests.
5. Your Network Goes Down or You Start Receiving Irregular Traffic
This can be a sign of a distributed denial of service (DDoS) attack against your company’s web or other file servers.
If the network suddenly becomes sluggish, or if you see unexpected or strange traffic that you cannot explain, it is probably best to report it to the SOC and start an IR investigation.
Fortunately for our hypothetical company, the quick action by the SOC allowed the IR team to mitigate the damage quickly. An email notifying the company about the offending message stopped the proliferation beyond just a few employees. The strong data governance policies for system images and data backup allowed the company to get the manufacturing system up and running in time to complete the customer orders, and the employee workstations were rebuilt and returned before the end of the day.