‘We’ve been hacked!’
A small weakness, with major consequences. A developer downloads a project. A few hours later, the business is down. What happened and how long will it take before all systems are up and running again?
Imagine a developer downloading a project from GitHub. ‘Inventory Manager’ looks like a normal Visual Studio project with a standard code structure. No warnings appear. But behind the façade, malicious code is hiding, establishing a C2 connection to the attacker’s server. Nmap maps the network. Using Hashcat, the attacker cracks the password for a service account. The account has admin rights on four servers. Ransomware then encrypts the finance folder and the SQL database. The result is that the business comes to a complete standstill.
Attack patterns and the threat landscape
Cyberattacks are multi-step processes. Attackers use a chain of small, quiet steps – for example initial access, network discovery and password cracking. Lateral movement and encryption are other typical phases. It is rarely a single vulnerability that determines the scale of an attack; it is the chain of weaknesses that lets each step lead to the next.
Ransomware is the biggest threat today, and the number of attacks continues to rise. At the same time, no defence is 100 per cent effective. That is why recovery and resilience are just as critical as preventive work.
Simple weaknesses in complex environments
An IT environment often contains several trivial yet critical weaknesses. These might include weak passwords that can be cracked using tools readily available online, or service accounts with simple passwords and extensive permissions, which enable lateral movement. Inadequate network segmentation can also allow attackers to move through the environment unhindered.
Protection through network segmentation
Segmentation is an important tool in cybersecurity. For example, the backup server is often protected by several layers of security. It runs on a dedicated server, completely separated from the production environment, so that it can use its own identities. In addition, the backup environment is not joined to the production domain. Firewalls and isolated networks block unauthorised access. Moreover, authentication credentials from production – such as service accounts – do not work in the backup environment, so an account compromised in production cannot be used to reach the backups.
Do not back up the attack
Backup is a crucial part of a company’s resilience and a clear target during an attack. That is why it is important to ensure that the backup system scans all backups on at least two occasions: immediately after they are created and before restoration. This identifies malware, suspicious activity and other threats, so that only clean and verified backups are allowed to be restored to production.
Fast restoration without disruption
Once a cyberattack has been stopped, the restoration process begins. IT can now start the work of restoring virtual servers. The virtual servers start directly from scanned and clean backups. At the same time, data is migrated to production storage in the background. Users can continue working throughout the process, with minimal impact on the business.
‘Having a strong recovery strategy, reliable backups and a well-prepared incident response process is at least as crucial as preventive work.’
Build stronger resistance and resilience
Recovery is now just as important as preventive work. And with the right strategy, you can minimise the damage and the impact of a cyberattack.
- Evaluate your backup strategy. Is the backup server isolated and protected?
- Test regularly. Ensure that the restoration processes work.
- Take stock of resources and expertise. Bring in experts if needed to secure your IT environment.