Do you suspect you’ve been Hacked?

Call our emergency response line anytime: 1300 223 482

As attacks are designed to cause maximum impact, cyber-crime often occurs out of business hours, on weekends and public holidays. If your business or department has just been hacked and you need security expertise to help contain and stop the attack, we offer a 24/7 emergency response service.

Ctrl-Alt-Del IT Forensics has a comprehensive IT security recovery strategy and action plan. We can help you and your team to get a full picture of what’s happened, including how the hackers got in, which computers and accounts were compromised, what data was accessed or stolen and whether any other parties — such as customers or business partners — were affected.

Most importantly, we help you can get back online and back in business.

If your business or department has just been hacked and a breach discovered, these are the immediate steps we recommend you take:

Step 1: Confirm the attack
Check if your systems or networks have been breached. If you have logs, this is the best place to start. Confirmation can be as blatant as a defacement or extortion attempt, through to systems behaving abnormally or malicious files found on your servers. Skilled attackers cover their tracks so this can be problematic.

Once you’ve confirmed the attack, the choice is to perform either a Forensic Assessment or Incident Response. Use forensics when you want to prosecute an individual or organisation and prove who hacked you. Alternatively, use incident response if you just want to get back up and running again.

Forensic assessments are generally larger projects requiring significantly more time and investment.  If you choose forensics, please leave things exactly “as is” and seek external independent assistance. This is where Ctrl-Alt-Del IT Forensics is able to assist. You should contact us immediately to ensure the process and evidence trail is precise and accurate.

Step 2: Contain the attack
When investigating security breaches, valuable “volatile data” is lost when servers are shut down, including server memory contents and existing network connections. This may not be avoidable depending upon the type of attack, but it is important to understand this when determining your initial response. Ctrl-Alt-Del IT Forensics recommend that computers, servers and other devices and not shut down, but instead disconnected from the network or IT infrastructure to reduce the spread of infection or illegal access. This allows out response team to gather accurate forensic data and present a more precise analysis of the incident.

If you decide to handle the security incident in-house, and you have no interest in how the attack occurred, then you need to take action to contain and stop the attack. This may involve shutting down servers or blocking access to the services being compromised.

To limit the damage, you may need to take disruptive and costly steps, such as removing infected computers and shutting down your website. Consider reformatting hacked computers and restoring data from clean backups.

Your backups will be critical in this step.

If hackers exploited a software flaw, apply a “patch” from the software maker that fixes the problem, implements a recommended workaround or compensating controls. Secure your accounts by setting new, complex passwords that will be hard to crack.

Allocate quite a few days to this activity. Two to four weeks is not uncommon.

Step 3: Understand and investigate the attack
Find out how far the hacker gained access into your systems and networks and what was breached, stolen or damaged. Using off-site logs will give you certainty. By using a LiveCD to investigate the hard drives of the affected systems, you can also gain an “untampered” insight into what has changed on the server.

Step 4: Report the attack
Depending upon the type of attack and what is at risk, you may need to report the attack to authorities. For example, money laundering, extortion or other forms of financial fraud must be reported immediately to your local police. You should also report the incident to:

AusCERT: https://www.auscert.org.au

Depending on the nature of the attack you might also want to report it to your ISP (e.g. for a DOS/DDOS attack).

Step 5: Determine the cause
Importantly, you need to pinpoint how the hacker initially accessed your system. Identifying the entry point is essential. Often hackers will break in and leave doors open in order to regain access. It is critical to find out if the hackers can still access your systems.

Step 6:  Do you need to communicate the attack?
Consider how you want to communicate with affected employees, customers and partners about what happened, what you’re doing about the problem and what they need to do. In some cases there is a legal requirement to do this. This may also be necessary to salvage your business.

Step 7: Remediation
Develop an action plan for increasing your IT security so you can identify and repel future attacks. Make sure your applications and operating systems are current, patched and receiving automatic updates to fix bugs. Consider using Ctrl-Alt-Del IT Consultancy’s Penetration Testing Services or Preventative Maintenance Plans to assist.

Step 8:  Proactive Security Protection
There is a real benefit and better ROI on IT security budgets if you develop a roadmap for monitoring, analysing and remediation. Once the attack has been addressed and managed, we recommend you move your focus from reactive issues and crisis management to proactive security protection. Early detection of data attacks greatly reduces the impact and cost of cybercrime on an organisation. Future prevention will come down to people, processes and technology all working together to keep you safe.


Ctrl-Alt-Del IT Consultancy, Security and Forensics can assist you at every step. Contact us now.


Reporting cybercrime:
Australian Federal Police https://www.police.act.gov.au/
AusCERT https://www.auscert.org.au/
Department of Defence (Intelligence and Security) https://www.asd.gov.au/infosec/acsc.htm