News Stay informed about the latest enterprise technology news and product updates.

You've been hacked: Stage three -- Recovery

After the first 24-hour window after a hacking has passed, what actions should you take get the infected workstation back on track? Find out what the experts have to say.

After the first 24-hour window after a hacking has passed, what actions should you take get the infected workstation back on track? Read what the experts have to say, or click here to go back to the scenario.

Lawrence Abrams: Using patch management tools or manual intervention, make sure all computers have antivirus, spyware removal software and Windows updates installed. Each computer should be armed with not only AV software, but also at least two antispyware programs.

Kevin Beaver: If a formal investigation is not going to be pursued, the main concern here is making sure the system is clean before putting it back online. This may involve restoring it from a known good backup, or if that's not reasonable, booting it up (off the network) and running various utilities such as antispyware, antivirus, rootkit detection/removal, TCP/UDP port mappers, personal firewall with application protection, etc., to make sure it's clean.

Also, change any passwords that would've been stored on the local system (Windows, AIM, etc.). Once the system is clean, you can install a network analyzer on it (preferably a commercial program such as Sniffer or EtherPeek that's easy to use) before putting it back on the network.

The next step would be to start capturing packets or at least monitoring protocols and connections to ensure nothing suspicious or malicious is going on.

Tony Bradley: Assuming that the pings to both addresses work, I would do a tracert to an external Web site to determine where communication is failing. Assuming that the system is a Windows operating system, I would check the event, system and security logs for any information or evidence of suspicious activity. Obviously, the ports discovered from the Netstat scan should be investigated. I would do a Google search for the suspicious port numbers to identify known Trojans, backdoors or other malware that utilize those specific ports.

Your response, both initial and long term, depends on your company policies and your own abilities. Many companies have a policy to simply reformat or re-image a machine that appears to be compromised, and doing so virtually guarantees the problem will be removed -- at least short term.

If deeper forensic investigation is warranted, the machine could be quarantined or an image of the drive created. However, doing so requires resources in terms of people, equipment and time, and the results may not be worth the time invested to find them.

Stage four: Preventative measures

About the experts: Expert bios are available on the scenario page.

Dig Deeper on Network intrusion detection and prevention and malware removal

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.