The step-by-step process if you suspect a breach.

David Ellis, Director of Forensic Investigations, PFI
You will typically learn you’ve been breached in one of three ways. You find out about it internally (via IDS logs, event logs, alerting systems, system anomalies, or antivirus scan malware alerts), your bank tells you about it, or a customer complains to you because your business was the last place they used their card before it began racking up a load of fraudulent charges.

So you’ve been breached. What do you do? Before we get any further, please remember one thing…
Don't panic if you suspect a data compromise

Don’t destroy the evidence!

When a merchant becomes aware of a possible breach, it is understandably in their nature to want to fix it, immediately. However, without taking the proper steps and involving the right people, you could inadvertently destroy valuable forensic data, which could cost you in the long run. That data helps a forensic analyst determine how and when the breach occurred, and what to recommend when properly securing the network against similar future attacks.

Your primary concern right now should be stopping data loss.
Here’s what to do when you get hacked.

What to do when you get hacked

  1. Disconnect from the Internet by pulling the network cable from the router to stop the bleeding of data.
  2. Document all network changes, notification/detection dates, and people/agencies involved in the breach (e.g., payment processor, payment software vendor, gateway provider, law enforcement, legal staff). If you haven’t already, contact your merchant processing bank and let them know what’s happened.
  3. Segregate all hardware devices involved in the payment process, and any devices suspected of being compromised, from other business-critical devices (if possible). Reallocate these devices to a separate network subnet (your IT folks will know what I’m talking about). Don’t turn off your devices! Keep them powered on to preserve volatile data, and make sure employees don’t access, use, or change them.
  4. Quarantine instead of deleting. If an anti-virus scan has identified malware on your system, do not “remove” (delete) the detected files—quarantine them in order to maintain the findings for analysis and evidence.
  5. Preserve firewall settings and firewall logs (take screenshots if necessary). Preserve all system and security logs.
  6. Restrict Internet traffic to only business-critical servers and ports outside of the credit card processing environment. If business needs dictate that you must reconnect to the Internet before a PCI forensic investigator (PFI) comes onsite, segregate (remove) your credit card processing environment from any devices that must have Internet connectivity. Obtain dial-up point-of-sale (POS) terminals from your card processor or merchant bank, and process all credit card transactions via the dial terminals until the suspected compromise has been thoroughly remediated. This is critical to prevent further loss of credit card data.
  7. Disable (do not delete) remote access capability and wireless access points. Change all account passwords and disable (not delete) non-critical accounts. Remember to change passwords on routers and document your old passwords for later analysis.
  8. Call a PFI. Once the breach is contained by steps 1-7, consult with a PFI to plan a compromise analysis. Because of the delicate nature of stolen payment card data, fraud, and identity theft, a PFI is required when an investigation is mandated by one of the card brands. When a breached merchant calls SecurityMetrics, we arrive onsite, obtain forensic copies of the card data environment, and analyze that data in our lab back in Utah. Then, we create a report that includes what happened and our recommendations to avoid future compromise.


If you MUST keep systems running…

Often merchants will keep running payments systems during and after an active compromise in order to keep business running as normal. While this isn’t optimal, if this is what you choose to do, there are a few things you can do to reduce potential loss and preserve the evidence for later analysis.

What to do when you get hacked (the bare minimum)

  1. Change passwords immediately on all systems and routers.
  2. Disable remote access.
  3. Preserve firewall logs and current settings. Then restrict traffic to business-critical servers and ports. Systems that process credit card data for authorization and settlement (either back office servers or point of sale systems) should be restricted to communicating outside only with the payment gateway.
  4. If an ecommerce site is breached, preserve any altered pages.
  5. Update your antivirus tools and run malware scans on all devices in the card data environment (quarantine any findings; do not delete them).
  6. Save log files.
  7. If malware is discovered, save a copy of it and its log files on a quarantined external drive.
  8. On Linux systems, copy the bash_history file for every account, as completely as possible.
  9. Under the direction of a PFI, and only if you have the IT skill, make a forensic image of the system before wiping and installing a new system.
  10. Document all changes with the date and a description of the actions taken.
  11. If you re-image your systems or switch to new devices, only install software from known “clean” images.
  12. Engage a security consultant (preferably a PFI or QSA) to preserve the compromised environment for future data breach review.
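Steps 3, 6, 7, 8 and 10 of this bare-minimum list (and step 5 of the full list) can be scripted so that the collection itself is logged and tamper-evident. The script below is an added example, not code from the original post or from SecurityMetrics: it copies every account's shell history from a passwd file, saves the live firewall rules and the named log directories, records each action with a UTC timestamp, and writes a SHA-256 manifest the PFI can verify later. It assumes a Linux host with GNU coreutils (`sha256sum`, `cp -p`); the passwd file and output directory are parameters so it can be rehearsed against a constructed tree before being run as root on a real system.

```shell
#!/bin/sh
# Added example (not from the original post): preserve evidence on a Linux
# host that must stay running. Real use: run as root with /etc/passwd, an
# output directory on a quarantined external drive, and /var/log.

preserve_evidence() {
    passwd_file="$1"; out="$2"; shift 2
    mkdir -p "$out/history" "$out/logs"
    actions="$out/actions.log"
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    echo "$ts collection started by $(id -un) on $(uname -n)" >> "$actions"

    # Shell history for every account listed in passwd (step 8).
    # cp -p keeps the original timestamps, which matter for the timeline.
    while IFS=: read -r user _pw _uid _gid _gecos home _shell; do
        for hist in .bash_history .zsh_history .sh_history; do
            if [ -f "$home/$hist" ]; then
                cp -p "$home/$hist" "$out/history/$user$hist"
                echo "$ts copied $home/$hist" >> "$actions"
            fi
        done
    done < "$passwd_file"

    # Current firewall rules (step 3); noted, not faked, if unavailable.
    if command -v iptables-save >/dev/null 2>&1; then
        iptables-save > "$out/firewall-rules.txt" 2>/dev/null \
            || { rm -f "$out/firewall-rules.txt"
                 echo "$ts iptables-save failed (need root?)" >> "$actions"; }
    else
        echo "$ts iptables-save not found; capture firewall settings by hand" >> "$actions"
    fi

    # Log directories named on the command line (steps 6 and 7).
    for dir in "$@"; do
        [ -d "$dir" ] && cp -Rp "$dir" "$out/logs/" \
            && echo "$ts copied $dir" >> "$actions"
    done

    # Manifest is written last so it covers everything above, actions.log included.
    (cd "$out" && find . -type f ! -name manifest.sha256 -exec sha256sum {} + \
        > manifest.sha256)
}

# Returns 0 only if every collected file still matches the manifest.
verify_evidence() {
    (cd "$1" && sha256sum -c manifest.sha256 >/dev/null 2>&1)
}
```

Keep the manifest and actions.log with the chain-of-custody paperwork from step 10; any later change to a collected file makes `verify_evidence` fail.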



David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience.
