You’ve Been Hacked, Now What? A Step-By-Step Guide

Finding out your business has been compromised is a scary moment. As a fellow business owner, I know that your first instinct is usually to panic-fix everything to protect your reputation. But in the world of cybersecurity, your gut reaction can often be a terrible move.

If you aren't careful, you might destroy the very evidence needed to stop the attacker for good.

Discovering You’ve Been Breached

You will typically learn you’ve been breached in one of three ways:

  • Internal Discovery: You find out via IDS logs, event logs, alerting systems, system anomalies, or antivirus scan malware alerts.
  • The Bank Notification: Your merchant processing bank tells you about it.
  • Customer Complaints: A customer complains to you because your business was the last place they used their card before it began racking up fraudulent charges.

Don’t Destroy Evidence

When a merchant becomes aware of a possible breach, it is understandable that they want to fix it immediately. However, without involving the right people, you could inadvertently destroy valuable forensic data, which will cost you more in the long run. That data helps a forensic analyst determine how and when the breach occurred.

Pro Tip: Think of your network like a crime scene. If you delete files or pull the power plug, you are effectively "mopping the floors" before the detectives arrive. Heavily restrict access to your network following a breach, and if anyone other than your PFI (PCI Forensic Investigator) needs access, make sure they log exactly what they do and the time at which they make any changes.

A Step-by-Step Post-Breach Process

Your primary concern right now should be stopping data loss. Here is what to do:

  1. Disconnect from the Internet: Pull the network cable from the router to stop the outward flow of data.
  2. Document Everything: Record all network changes, notification dates, and every agency involved, like your payment processor or law enforcement.
  3. Segregate Hardware: Move hardware involved in the payment process to a separate network subnet if possible.
  4. Keep Devices Powered On: Do not turn off your devices. You need to preserve "volatile data" stored in the RAM, and turning them off wipes that evidence.
  5. Quarantine, Don't Delete: If an anti-virus scan identifies malware, do not “remove” the files—quarantine them so a forensic analyst can study the code.
  6. Preserve Logs: Take screenshots of firewall settings and preserve all system and security logs.
  7. Disable Remote Access: Disable (do not delete) remote access capability and wireless access points. Change all account passwords on routers and systems immediately.

Find A PCI Forensic Investigator (PFI)

Once the breach is contained, you need to consult a PCI Forensic Investigator (PFI). Because of the delicate nature of stolen payment card data and identity theft, a PFI is required whenever the card brands mandate an investigation.

When our team at SecurityMetrics arrives onsite, we obtain forensic copies of the environment and analyze them in our lab to find exactly where the leaks are. A good PFI won’t waste any time in discovering just how threat actors breached your network and what vulnerabilities exist.

Speak with a SecurityMetrics PCI Forensic Investigator today.

If You Must Keep Systems Running

Sometimes, business needs dictate that you stay online. While not optimal, you can reduce potential loss by:

  • Updating antivirus tools and running malware scans on all devices in the CDE (Quarantine only!).
  • Saving copies of malware and log files on a quarantined external drive.
  • On Linux systems, copying the .bash_history file of every account (as far as permissions allow) to track the commands the attacker ran.
  • Installing software only from known “clean” images if you must re-image systems.
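As an added example (not code from the SecurityMetrics post), a POSIX shell collector that carries out the preservation steps from the post-breach process and the list above on a Linux host: it snapshots volatile data while the machine stays powered on, copies every account's shell history and the main system/security logs onto an evidence directory (assumed to be a quarantined external drive mounted at /mnt/evidence, overridable with EVIDENCE_DIR), hashes each copy, and appends a timestamped custody log so the PFI can see exactly what was done and when.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: a quarantined external
# drive is mounted at $EVIDENCE_DIR; nothing on the source host is modified.
EVIDENCE_DIR="${EVIDENCE_DIR:-/mnt/evidence}"
HOST="$(uname -n)"
CASE_DIR="$EVIDENCE_DIR/$HOST-$(date -u +%Y%m%dT%H%M%SZ)"

# Step 2 (document everything): UTC timestamp, operator, action.
log_action() {
    mkdir -p "$CASE_DIR"
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$1" \
        >> "$CASE_DIR/custody.log"
}

# Copy one file with timestamps intact (cp -p) and record its SHA-256 so the
# PFI can prove the copy was not altered after collection.
preserve_file() {
    src="$1"
    dest="$CASE_DIR/files$src"
    [ -f "$src" ] || return 1
    mkdir -p "$(dirname "$dest")"
    cp -p "$src" "$dest" || return 1
    sha256sum "$dest" >> "$CASE_DIR/SHA256SUMS"
    log_action "preserved $src -> $dest"
}

# Re-hash every preserved copy; a non-zero status means a copy changed.
verify_evidence() {
    sha256sum -c "$CASE_DIR/SHA256SUMS" > /dev/null
}

# Volatile data first (step 4: the box stays powered on), then every
# account's shell history (read from /etc/passwd so root and service
# accounts are included) and the main system/security logs.
collect_evidence() {
    log_action "collection started on $HOST"
    { who; ss -tupan || netstat -tupan; ps auxww; } \
        > "$CASE_DIR/volatile.txt" 2>&1 || true
    while IFS=: read -r _ _ _ _ _ home _; do
        for h in .bash_history .zsh_history .sh_history; do
            preserve_file "$home/$h" || true
        done
    done < /etc/passwd
    for f in /var/log/auth.log /var/log/secure /var/log/syslog /var/log/messages; do
        preserve_file "$f" || true
    done
    log_action "collection finished"
}
```

Run it as root with the drive mounted, then hand the whole case directory (files, SHA256SUMS, custody.log, volatile.txt) to the PFI; running verify_evidence later shows whether any copy was touched in the meantime.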

Relying on uncertified or "cheap" scans during a breach can leave you exposed: the fine print of your processor's contract may shift liability for the incident back to you.

Your Next Steps

A breach is a high-stakes test of your business's resilience. Today, we’ve learned that containing the damage is about discipline, not just speed. You have to stop the data loss without destroying the digital fingerprints that tell the story of the attack.

Next Steps:

  1. Audit your current logging: Ensure you have 100% logging coverage so that if a breach happens, you actually have the evidence to analyze.
  2. Review your passwords: Eliminate any default or simple passwords that make a threat actor’s job easy.
  3. Get expert eyes on your network: Don't wait for a breach to find your weak spots.

Need a forensic consultation? Speak with an expert today.
