There will be a similar post that focuses on office and corporate environments.
Hopefully you are reading this as a means to prepare yourself in case of an incident like this, but you may be reading this after you have found out one or more of your systems have been compromised. You’ve read about it, done all you can to prevent it, but here you are googling like crazy to find out what to do next. In case your systems have already been compromised and you are not properly prepared, there are some steps in this post that will not help you, sorry. Keep reading either way though (and keep searching for other websites and tips on what to do next in other tabs while you do). The way an incident like this is handled is very important and can mean the difference between recovering from it or making it worse. Let’s get started.
Create an Incident Response Plan.
Yes, it sounds like something a corporate office should do, but it can help you at home as well, whether you have one or ten systems on your network. If you find it useful, the steps in this post combined can become your Incident Response Plan.
1. Disconnect, but do not unplug or power down.
Whether you know for sure you have been hacked and/or compromised by malware or you only have a strong suspicion, disconnect from the internet. Yank the ethernet cable from your modem or disconnect the coax cable. This way at least no (more) information can be leaked to the outside. If you still have access to your router, disable WiFi as well, just in case the threat is within WiFi reach: if you disconnect from the internet but an intruder is within reach of your wireless network, information can still be accessed or stolen. Also, if malware is present, its most valuable contents and traces are inside the computer’s memory (RAM), not on the hard drive. If you power down the system the memory will be erased, and the same may go for system logs. Once you have isolated your home network it is time to move on to the next step.
2. Call a Pro.
If you know someone who is better equipped to deal with a situation like this, call that person right away. If he/she can be there on very short notice, sit back and do not touch or do anything else; let the pro handle it. If a pro is not available or will take too long to get there, it is now up to you. On to the next step.
3. Track down the breach.
First of all, find out if you were actually hacked. Look for traces of malware by checking your Console log files and Activity Monitor for processes that take up an unusual amount of CPU or RAM. If an antivirus application is installed, use it to scan your entire system. Remember any suspicious emails? Check those out too. If your router keeps logs, inspect them to see if any unusual activity was recorded. Use your smartphone and cellular connection to see if there may be new firmware available for your router; if so, make note of it, we’ll be installing it later. Also (while keeping WiFi and internet access disabled) change all of your router passwords: the password for logging in to the router, the WiFi password and any guest network password. Disable any type of port forwarding or open port rules you may have set up. If your system’s performance improved immediately after you disconnected from the internet, this may be a good indication that something or someone was bogging down your system’s performance or internet speed by copying large amounts of data or possibly even using your system as a zombie, part of a larger botnet. In this case some form of malware is present. Call your internet service provider and ask them if they have noticed any unusual activity on your line, such as higher than normal upload bandwidth usage; they may be able to assist in tracking down the problem.
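As an added example (not part of the original post), here is a small shell script that does the Activity Monitor part of step 3 from the Terminal: it reads the process table and flags anything using an unusual share of CPU or RAM, or running from a temporary or hidden directory. The thresholds, the directory list and the sample process listing are all assumptions made for the example; tune them to your own machine.

```shell
#!/bin/sh
# Added triage helper for step 3 (example code, not from the original post).
# Reads `ps` output and flags processes that use an unusual share of CPU or
# RAM, or whose executable lives where installed applications rarely do.
# Thresholds and the suspicious-directory patterns are assumptions; adjust them.
CPU_MAX=${CPU_MAX:-50}   # percent CPU above which a process is flagged
MEM_MAX=${MEM_MAX:-20}   # percent RAM above which a process is flagged

# flag_hogs: stdin is `ps -axo pid,pcpu,pmem,user,comm` output, header included.
# Prints every line whose %CPU or %MEM exceeds the threshold.
flag_hogs() {
    awk -v cpu="$CPU_MAX" -v mem="$MEM_MAX" \
        'NR > 1 && ($2 + 0 > cpu || $3 + 0 > mem) { print }'
}

# flag_odd_paths: same input; prints processes whose executable path starts in
# /tmp, /var/tmp (with or without the macOS /private prefix) or passes through a
# hidden (dot) directory. Only the first word of COMM is checked, so paths with
# spaces still match on their prefix.
flag_odd_paths() {
    awk 'NR > 1 && ($5 ~ /^\/(private\/)?(tmp|var\/tmp)\// || $5 ~ /\/\./) { print }'
}

# snapshot_processes: run both checks against the live process table
# (macOS-style ps flags) and keep a copy of the listing for the pro to review.
snapshot_processes() {
    snap="${TMPDIR:-/tmp}/ps-snapshot.$$"
    ps -axo pid,pcpu,pmem,user,comm > "$snap"
    echo "== high CPU/RAM =="
    flag_hogs < "$snap"
    echo "== odd executable locations =="
    flag_odd_paths < "$snap"
    echo "full listing kept in $snap"
}

# Constructed sample listing (not real output) so the checks can run offline.
SAMPLE_PS='PID %CPU %MEM USER COMM
312 0.4 1.1 root /sbin/launchd
905 63.2 2.5 alice /private/tmp/.cache/helper
1200 2.0 35.0 alice /Applications/Safari.app/Contents/MacOS/Safari
1410 0.1 0.3 alice /usr/bin/ssh-agent'

# sample_hogs / sample_odd: apply each check to the constructed sample.
sample_hogs() { printf '%s\n' "$SAMPLE_PS" | flag_hogs; }
sample_odd()  { printf '%s\n' "$SAMPLE_PS" | flag_odd_paths; }
```

Run `snapshot_processes` on the isolated machine; a process that shows up in both lists deserves a closer look in Console before anything is reconnected.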
4. What was taken?
As with any breach, someone was after something. You now have to find out if that someone got what they came for. This can be a very time consuming process and may still require that pro I mentioned in step 2, as reading log files and the like is like reading a foreign language to most people. If the pro is still not available and you have no clue how to find out what the target was or what was taken, create a digital snapshot of your machine(s). Clone your entire system to an external hard drive and do this for every system you believe was compromised so the pro can evaluate it later. Memory contents are of course not copied over, so those will be lost, but it’s better to have something than nothing.
5. Make sure the breach is properly identified and closed.
Once you have done steps 3 and 4, hopefully by now you are either sure you were hacked and have found the breach, or you realize it was a false alarm. Either way you must be sure. Once the breach has been identified (if there was any), move on to make sure it is closed and cannot be exploited again. This can be the router firmware, weak passwords, weak WiFi encryption such as WEP, or malware. As long as you are sure. Why? If you think you found the breach but you really haven’t, guess what will happen the moment you enable WiFi and internet access again… exactly. If router firmware was the issue, disconnect all systems (including phones, Apple TVs, Nest thermostats, iPads etc.) from the network. Then create a new user on one of your systems, make sure it does not have administrator capabilities, connect that system to the router, preferably using an ethernet cable, and enable internet access. Immediately upgrade the router firmware and, once done, disconnect from the internet again. If malware was the problem, make sure you erase all traces of it on every system on your network and install protection to prevent re-infection. Leave all systems disconnected from the network.
6. Recover.
Your router and WiFi are secure, the threat was identified, you made sure your systems cannot be compromised in the same or similar ways, and you have figured out what information was compromised. Now it is time to recover. Starting with your modem, connect the coax and wait for the modem to come online. Before you do anything else, call your service provider to see if they can upload the latest modem firmware. Once that’s done it is time to connect your router, but before you do, make sure you have implemented strong passwords and secured it properly. When you are confident the router is properly secured, connect it to the modem. Now connect your systems back to the network one by one. When connecting each system, make sure it immediately installs all available software updates and antivirus updates. Check for third party updates too, like Flash Player and Java, enable your built-in firewall if it wasn’t already, restart when everything is updated and let your antivirus run another full system scan. If no issues, threats or out-of-date software are present, move on to the next system and do the same. You do not want to connect all your systems and devices back at the same time: if one of your systems is still infected with malware or presents a vulnerability to your network, you risk exposing all of your systems.
7. Keep an eye on it.
If you know exactly what the symptoms and methods used in the first attack were, you now know exactly what to look out for. Keep a close eye on system behavior and performance and on router logs, and track down the source of any unusual activity right away. The trick here is to not become paranoid and treat every suspicious thing as if you were hacked again, but at the same time don’t become complacent thinking you are now unhackable. Find a balance that doesn’t drive your family and yourself crazy 🙂 One of your systems running slow may be because of malware or a hacker copying your data, but it may also be Time Machine running in the background copying your data to a network drive or Time Capsule. Don’t go to DEFCON 1 immediately, but set yourself to DEFCON 4 and start investigating.
8. Who to tell.
You were hacked, found the threat, took care of it and realized nothing was stolen. In this case your systems were just being used as part of a larger botnet to inflict a DDoS attack on someone else. You are proud you took care of it and want everyone to know how awesome you are. Yeah, no. Keep this adventure off Facebook, Twitter and other social media. Don’t tell your friends or coworkers. Just keep it to yourself. There is no need for others to know what equipment you use at home and how you’ve secured it; that’s your business and no one else’s. You know you’re a bad-ass and we know too, that’s enough 🙂
However, if information was taken from your systems (address book, email archive, etc.) it is only right to let the affected people know. Let everyone in your address book know that their name, email, phone and address information is now in the hands of a hacker. Nothing might happen, but this type of information is usually sold online and used for spam/advertisement scams. Let the folks know to watch out for a flood of spam and phishing emails. They won’t be happy about it, but they will appreciate that you warned them. At the same time, ask these people to keep this to themselves. If you are up for it, educate them on how to avoid being victimized themselves if they ask. Spreading awareness about security (like we do on this blog) is the best way to avoid, or be properly prepared for, the day someone is targeted or victimized by a breach.
So, in a nutshell:
– Have access to your router and modem, both physically and through one of your systems (a web browser or utility that accesses your router settings).
– Find a friend or company that you can call, and is willing to help, in case of a breach.
– Familiarize yourself with Console and Activity Monitor so you can do the tracking down if a pro is not available.
– Have a big external hard drive available that can be partitioned and hold multiple clones, depending on how many systems you have.
– Installing antivirus once it is too late is, well, too late in most cases. Have a good antivirus installed. For some good tests and comparisons have a look here.
This post may be edited or expanded over time, so if you found it useful check back once in a while to see if anything has changed. If you think I forgot something or would like to point out a mistake, please leave a comment.