Think Like a Hacker: Knowing What to Look for So You Can Prevent It

TL;DR
  • Most breaches follow a repeatable pattern, so having monitoring, insurance, and a response playbook ready before an incident dramatically reduces damage.

  • In a breach, the first 72 hours are critical: engage cyber insurance, legal, and incident response, then contain, eradicate, and carefully recover.

  • You make yourself a “harder target” by enforcing MFA, training users, deploying next‑gen endpoint protection, and continuously monitoring what you look like from the internet.

A recording of the Tuesday Tech Talk this post accompanies is also available.

Cybersecurity incidents continue to make the news. Here is the Five Nines’ take on typical breaches and how to avoid them.


The Ins and Outs of a Breach

A typical breach response has four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. Oftentimes a human in the organization is the first to notice that something is off, and by then it is far too late. Sophisticated technical monitoring is a simple but effective measure to put in place, yet it is hard to run in-house unless you are a very large organization with staff dedicated to it full time. Many providers offer this as a service, such as Arctic Wolf, Huntress, CrowdStrike, and Perch. Typically we see attackers evade human notice until they want to be noticed, by dropping ransomware, but even a low-sophistication intrusion will trip monitoring software left and right.


When an incident occurs, this is what will need to take place in the first 72 hours:

  1. The organization affected should contact their cyber insurance provider’s 24/7 incident line. Pro tip: Store this number outside of the system so you can quickly access it even if you’re locked out.

  2. Cyber insurance will then coordinate a legal team for confidentiality.

  3. Cyber insurance and legal will then contact an Incident Response technical firm.

  4. Contracts from legal and Incident Response will be sent for signatures. Pro tip: Make sure your “signature-power” people are aware of the process beforehand.

Containment:

  1. Shut down internet access, inbound and outbound.

  2. Sweep for “indicators of compromise” across all systems.

  3. Disconnect network connections or hibernate questionable systems. Do not power them off: shutting down discards memory contents and other volatile forensic data.

Eradication:

With the help of an Incident Response firm, continue seeking out, cleaning, and reloading potentially compromised systems. This process can take at least 30 days when engaging an IR firm, and they will continue to monitor for months afterward to make sure the attacker is fully eradicated.


Business Continuity and Recovery:

  1. Know your workarounds. Paper processes, cell phones, Gmail accounts, etc. Limp along to keep your organization operational.

  2. Recover data and systems while trying to preserve as much as possible for forensics.

  3. Do not pay the ransom for stolen data. Likely, the hacker will take your money and still sell the data to another hacker down the line.

  4. Be careful when loosening internet restrictions. Do not let the floodgates open without certainty that your system is secure.

Vulnerabilities Hackers Look For

Cybercrime is a criminal business, and for many of the people behind it this is their full-time job. The aim is to make money as quickly as possible, so your goal is to not be the “soft” target. These low-effort, low-sophistication attacks can be avoided with a few simple steps:

  1. If your system can be seen from the internet, it will be probed constantly. Hackers are not only looking for security flaws in the product or its configuration, but also for valid usernames and passwords. Be diligent about password hygiene and management.

  2. High-profile services like Office365, VPNs, Citrix, Remote Desktops are especially popular to target.

  3. All systems that your users use to “get in” to the system to do their work should be protected by multi-factor authentication.

  4. Human weaknesses can be minimized by implementing security awareness training such as KnowBe4. Employees will become more aware of the benefits of good password hygiene, management, and how to spot hazardous links and attachments.

  5. Implementing next-generation endpoint protection software like Cylance, Sophos, SentinelOne, CrowdStrike, Cisco AMP, Carbon Black, etc. will also set your organization up for success.
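To make the monitoring point concrete, here is an added example (not code from the original post or from Five Nines) of the kind of check a monitoring service runs over authentication logs from an internet-facing service such as a VPN or Remote Desktop gateway: it flags a source that hammers one account (brute force), a source that spreads guesses across many accounts (password spraying), and an account that then logs in successfully from a probing source. The log format and every address and account name below are constructed for illustration.

```python
"""Flag credential probing against an internet-facing login service. Added example;
the log format ('timestamp user source_ip result'), addresses and names are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a brute-force burst that ends in a successful login,
# a spray across many accounts from one source, and one benign user typo.
SAMPLE_LOG = """\
2024-05-01T02:00:01Z alice 203.0.113.5 FAIL
2024-05-01T02:00:05Z alice 203.0.113.5 FAIL
2024-05-01T02:00:09Z alice 203.0.113.5 FAIL
2024-05-01T02:00:13Z alice 203.0.113.5 FAIL
2024-05-01T02:00:17Z alice 203.0.113.5 FAIL
2024-05-01T02:00:21Z alice 203.0.113.5 SUCCESS
2024-05-01T03:10:00Z bob 198.51.100.7 FAIL
2024-05-01T03:11:00Z carol 198.51.100.7 FAIL
2024-05-01T03:12:00Z dave 198.51.100.7 FAIL
2024-05-01T03:13:00Z erin 198.51.100.7 FAIL
2024-05-01T03:14:00Z frank 198.51.100.7 FAIL
2024-05-01T08:00:00Z alice 192.0.2.9 FAIL
2024-05-01T08:00:30Z alice 192.0.2.9 SUCCESS
"""

def parse(line):
    ts, user, src, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, result

def detect_probing(lines, window=timedelta(minutes=10), max_fails=5, spray_accounts=3):
    """Return {source_ip: {"kind": ..., "compromised": {accounts}}} for sources whose
    failures within `window` reach max_fails; many distinct accounts means spraying."""
    events = sorted(parse(l) for l in lines if l.strip())
    recent = defaultdict(list)   # source_ip -> [(ts, user)] failures still inside the window
    alerts = {}
    for ts, user, src, result in events:
        recent[src] = [(t, u) for t, u in recent[src] if ts - t <= window]
        if result == "FAIL":
            recent[src].append((ts, user))
            if len(recent[src]) >= max_fails:
                accounts = {u for _, u in recent[src]}
                kind = "password_spray" if len(accounts) >= spray_accounts else "brute_force"
                alerts.setdefault(src, {"kind": kind, "compromised": set()})["kind"] = kind
        elif result == "SUCCESS" and src in alerts and user in {u for _, u in recent[src]}:
            # A success on an account this source was just guessing at: treat the
            # credential as likely compromised; reset it and verify MFA is enforced.
            alerts[src]["compromised"].add(user)
    return alerts

if __name__ == "__main__":
    for src, info in detect_probing(SAMPLE_LOG.splitlines()).items():
        print(src, info["kind"], "compromised:", sorted(info["compromised"]) or "-")
```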

Questions to Ask

  1. What do we look like “from the internet”?

  2. Do we require multi-factor authentication on everything a hacker can directly touch from the internet?

  3. Are we monitoring our environment?

  4. Is our cyber insurance policy sufficient?

  5. What is our deductible/retention, and what are our coverage limits?

  6. Do we have an extortion line item of at least 10% of our annual revenue?

  7. Do we have our 24/7 insurance number handy?

  8. Do signature-power people know the drill?

Frequently asked questions

What are the main phases of a cyber breach response?

The typical lifecycle includes preparation, detection and analysis, containment, eradication and recovery, and post‑incident activity. In practice that means noticing something is wrong, quickly coordinating with insurance, legal, and incident‑response experts, containing the damage, cleaning and restoring systems, and then learning from the incident to improve defenses.

What should we do in the first 72 hours of a suspected breach?

You should contact your cyber insurance provider’s 24/7 incident line, coordinate with the legal team they assign, engage an incident‑response firm, and ensure that executives with signing authority are ready to approve necessary contracts. From there, you move into technical containment and eradication guided by those experts.

What does effective containment and eradication look like?

Containment often involves shutting down internet access, searching systems for indicators of compromise, and disconnecting or hibernating suspect machines without powering them off so forensic data is preserved. Eradication then focuses on finding, cleaning, and reloading compromised systems and monitoring for weeks or months to ensure attackers are truly gone.

How should we keep the business running during and after an incident?

Business continuity hinges on having workarounds ready — paper processes, alternate communication channels, and manual procedures — so you can “limp along” while systems are being recovered. As you restore data and services, you must preserve evidence for forensics and avoid quickly reopening internet access until you are confident the environment is secure.

What basic steps make us a harder target for attackers?

Require strong password hygiene and multi‑factor authentication on anything exposed to the internet, from email to remote access tools. Provide ongoing security awareness training so users can spot suspicious messages, and deploy next‑generation endpoint protection and centralized monitoring so low‑sophistication attacks are detected and blocked before they turn into full incidents.
