Hey everyone! I need some advice about the best responses to a hacking incident, especially in a cloud environment. Recently, several UK retailers like Marks and Spencer and Co-Op faced severe hacking issues. I heard that the Co-Op's IT team took effective action by shutting down their entire system, which angered the hackers so much that they reached out to the BBC to complain about it. That got me thinking: in an on-prem environment, if I noticed unusual activity, I would completely shut down Active Directory to prevent file access and then power down any necessary systems. But how do you execute a similar emergency shutdown in cloud setups using services like Entra, Okta, or AWS? What are the best practices?
5 Answers
In most cases, you wouldn’t just shut everything off. If your hypervisors are safe and your network is intact, you should check each VM individually. It’s a tricky gamble since you may not know which VMs are compromised until it’s already too late if you reboot. If the management plane is breached, you could run into serious trouble!
Simply shutting down AD might not be enough if the hackers use common local admin passwords or if they've gained domain admin access with cached logins everywhere. If your plan is to pull the plug just like that, I'd really rethink your strategy. Ransomware could strike at peak times, and missing your cues might lead to a rough start to your week!
In my environment, I’ve tagged all power cords with red tags and laid out clear instructions for anyone to unplug them if they suspect a cybersecurity incident. It keeps the machines ready for experts to possibly retrieve decryption keys while minimizing spread. It’s simple and can be done by anyone—even if I can't be at the school every day to handle it.
Focus on containment instead of total shutdown. Shutting down systems could erase valuable memory artifacts. Pulling network cables can be a better option, preserving crucial data.
If there's a hacking incident, I’d first disconnect our internet feeds and backup systems, then probably cut power to the switches. Isolating systems quickly is key! Just make sure not to shut down servers during an attack; it could ruin chances of recovery or trigger additional issues during a restart. You've gotta trust your gut on these moves—time is critical!
Yeah, it’s definitely a ‘do it and ask for forgiveness’ situation. If you wait for permission, it might be too late!
If you’re using AWS, there are options to set service control policies that can deny access to all accounts instantly. This is crucial, especially if your management account is secured with physical key MFA. Ultimately, your goal should be to prevent further data loss while ensuring recovery is possible. Keep your backups securely stored and protected from accidental deletion, not even by root accounts.
Absolutely—once they have access to the management, it’s game over!
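The AWS service control policy approach mentioned above, as an added example that is not from any of the posters: it builds a "quarantine" SCP that denies every action in the member accounts it is attached to, carving out only a break-glass role so responders keep access, and includes a small evaluator so you can check who the policy would lock out before attaching it. The role name `IncidentResponseBreakGlass` is a hypothetical placeholder; SCPs never apply to the organization's management account itself, which is why that account needs its own protection such as hardware-key MFA.

```python
import fnmatch
import json

# Hypothetical break-glass role name used for illustration; substitute your own.
BREAK_GLASS_ROLES = ["IncidentResponseBreakGlass"]


def build_quarantine_scp(break_glass_roles=BREAK_GLASS_ROLES):
    """Return an SCP document that denies all actions in the accounts it is
    attached to, except when the caller is one of the break-glass roles.
    aws:PrincipalArn resolves to the role ARN for assumed-role sessions, so
    the pattern below covers responders who assume the role in any account."""
    allowed = [f"arn:aws:iam::*:role/{name}" for name in break_glass_roles]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "QuarantineDenyAll",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": allowed}},
        }],
    }


def scp_denies(policy, principal_arn):
    """Minimal evaluator for the quarantine SCP: True if a Deny statement
    applies to this principal. ArnNotLike is satisfied (so the Deny fires)
    when the ARN matches none of the listed wildcard patterns."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Condition"]["ArnNotLike"]["aws:PrincipalArn"]
        if not any(fnmatch.fnmatchcase(principal_arn, p) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    scp = build_quarantine_scp()
    # Save this JSON and attach it to the organization root with the AWS CLI:
    #   aws organizations create-policy --name Quarantine \
    #       --type SERVICE_CONTROL_POLICY --content file://quarantine.json
    #   aws organizations attach-policy --policy-id <p-id> --target-id <root-id>
    print(json.dumps(scp, indent=2))
    # Constructed sample principals: an ordinary admin role is locked out,
    # the break-glass role is not.
    print(scp_denies(scp, "arn:aws:iam::123456789012:role/AdminRole"))
    print(scp_denies(scp, "arn:aws:iam::123456789012:role/IncidentResponseBreakGlass"))
```

Test the evaluator against every role your responders actually use before attaching the policy, since a typo in the carve-out locks out the responders as well as the attacker.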