Detect hacker attacks

Apr 10, 2022

Any hacking attack on a company can have serious consequences. Certain indications point to an ongoing cyber attack, and taking them seriously is crucial to minimising the damage.

A hacker attack is one of the most frightening scenarios for every company - and for most private PC users. If the worst comes to the worst, the right reactions are essential to limit the damage, and their effectiveness depends on how promptly they happen. Users should therefore pay attention to certain warning signs that indicate an attack in progress. We summarise the most important ones for you.

Hacker attacks - a very topical problem

The probability of being affected by a hacker attack is unfortunately still increasing, especially for companies. The consequences range from minor disruptions to operational processes to the complete and permanent unusability of the IT infrastructure. On top of the costs this causes, the attackers sometimes make financial demands: they demand payment for the decryption of important company data, for example, or extort money by threatening further attacks. These are good reasons to keep up with current attack methods on a regular basis.

When is one "hacked"?

The term "hacking" is a colloquial description for cyberattacks. Technically, the event is more commonly referred to as an IT security incident. The German Federal Office for Information Security (BSI) considers this to be the case when an event impairs the confidentiality, integrity or availability of parts of the IT infrastructure. A targeted attack on an IT system is, however, only one form of possible security incident.

Common attack scenarios are:

- Ransomware: Here, attackers gain access to a network, exfiltrate part of the data for possible extortion and then encrypt files on as many reachable computers and servers as possible. The perpetrators offer decryption for a ransom and often threaten to publish the stolen data at the same time.

- Botnets: Cyber criminals gain permanent access to as many Internet-connected end devices as possible and install a remote-control capability on each. They later use the botnet created in this way to attack servers or send spam mails en masse, for example.

- Spying on data/phishing: This type of attack aims at stealing important data, such as credentials for services reachable from the Internet or for online banking accounts. It does not require direct access to the network: imitation websites on which credentials must be entered are one route, and fake e-mails asking the recipient to supposedly change their credentials are another. In rarer cases, keyloggers are used to record keystrokes.

- Computer sabotage: These attacks can take different forms. If a company's server is overwhelmed by mass requests (a distributed denial of service attack, DDoS for short), the network itself is not penetrated. More targeted attacks to disrupt company processes are, however, also possible.

- Virus attack: The intrusion of malware into the company network does not have to be the result of a targeted attack. Some malware spreads indiscriminately across the Internet in search of random victims, and companies can of course be among them.

What happens during a hacker attack?

A hacker attack takes place in different phases. These can be roughly divided into five categories:

1. Preparation: Hackers often scout out their targets in advance. This is frequently automated, but can also be targeted and carried out manually. Publicly reachable login pages are probed, ports and services of servers are scanned, and information is collected through so-called social engineering, in which employees are deceived in telephone conversations or by e-mail and pressured into giving out useful information.

2. System intrusion: The actual access can be gained by exploiting known vulnerabilities in software installed on servers or computers reachable from the Internet (the code that does this is called an exploit). Other possibilities are the infiltration of malware via e-mail or the use of previously stolen credentials.

3. Escalating privileges and securing access: Once the attackers have penetrated the system, they usually first try to obtain the broadest possible rights and create hidden backdoors without being noticed. For example, virus scanners can be deactivated or the processes of their own malware hidden.

4. Performing malicious actions: Once the necessary access is established, the hackers begin their planned actions, such as leaking secret information, manipulating services or encrypting important data.

5. After-action behaviour: If the attack is not detected and stopped, the attackers often even clean up after their deed. This, of course, in order to cover traces and make later prosecution more difficult.

How can I recognise a hacker attack?

How hard a hacker attack is to recognise depends on the phase it is in.

- Phase 1: The preparation of a hacker attack can only be recognised through special attention and preparation of one's own systems. This includes log files that record failed logins and port scans. In addition to regular manual checks, intrusion detection or intrusion prevention software can help by automatically monitoring logs and notifying responsible persons or blocking accesses preventively. Raising awareness among one's own employees is essential to detect social engineering attacks in time.

- Phases 2 and 3: Actual access to systems in the network can be detected by a capable virus scanner. Another alarm signal is installed software or entire systems suddenly no longer working as usual for no apparent reason (such as a recent update). In particular, keep an eye on programs for which security vulnerabilities have recently become known. Suspicious log entries are also possible in this phase, and network traffic from unusual IP address ranges or at unusual times can be picked up by the intrusion detection system. Credentials that have been changed without authorisation should always set all alarm bells ringing.

- Phase 4: Although damage has usually already occurred at this point, it may still be possible to contain it. Important indicators are warning messages from virus scanners, the discovery of suddenly unusable (corrupt) files that may have been encrypted, inexplicably high network or system load, and activity on individual computers that appears to be remote-controlled. Spam sent to business partners from your own systems is another possible symptom. In ransomware attacks, it is common for extortion notes to be left directly on the attacked systems.

- Phase 5: It should be noted that even after an attack detected in phases 1-4, IT forensic experts may still have to search for traces. It is therefore also relevant whether the attackers succeeded in removing their malware and deleting logs.
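The log-based indicators for phases 1 to 3 above (failed logins, port scans, logins from unusual address ranges or at unusual times) are easy to script. The following is an added example, not code from the original article: it runs simple detections over constructed, simplified sshd-style and firewall-style log lines. The log formats, the internal address ranges, the business-hours window and all thresholds are assumptions for the example and would have to be adapted to your own environment.

```python
"""Toy log-based indicators for the attack phases described above.

Added example, not from the original article. Log formats are simplified,
all sample lines are constructed, and thresholds are illustrative.
"""
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress
import re

# Constructed sshd-style authentication log (simplified format, assumed).
AUTH_LOG = """\
2022-04-10 02:14:01 sshd: Failed password for admin from 203.0.113.7 port 51022
2022-04-10 02:14:03 sshd: Failed password for admin from 203.0.113.7 port 51023
2022-04-10 02:14:05 sshd: Failed password for root from 203.0.113.7 port 51024
2022-04-10 02:14:07 sshd: Failed password for backup from 203.0.113.7 port 51025
2022-04-10 02:14:09 sshd: Failed password for admin from 203.0.113.7 port 51026
2022-04-10 02:14:11 sshd: Accepted password for admin from 203.0.113.7 port 51027
2022-04-10 09:02:44 sshd: Accepted publickey for alice from 10.0.0.21 port 40110
2022-04-10 09:05:10 sshd: Failed password for bob from 10.0.0.34 port 40222
2022-04-10 09:05:20 sshd: Accepted password for bob from 10.0.0.34 port 40223
"""

# Constructed firewall drop log (simplified format, assumed): one external
# host touching twelve different ports in a few seconds, plus one benign drop.
FW_LOG = "\n".join(
    [f"2022-04-10 01:58:{i:02d} DROP SRC=198.51.100.9 DST=192.0.2.10 DPT={port}"
     for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080, 8443])]
    + ["2022-04-10 01:59:30 DROP SRC=10.0.0.34 DST=192.0.2.10 DPT=445"]
)

AUTH_RE = re.compile(r"^(\S+ \S+) sshd: (Failed|Accepted) \w+ for (\S+) from (\S+) port \d+$")
FW_RE = re.compile(r"^(\S+ \S+) DROP SRC=(\S+) DST=\S+ DPT=(\d+)$")

# Assumed: the company's internal ranges and its normal working hours.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59


def parse_auth(text):
    """Return (timestamp, outcome, user, source_ip) tuples for recognised lines."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events


def brute_force_sources(events, threshold=5):
    """Phase 1: sources with at least `threshold` failed logins (credential guessing)."""
    fails = Counter(src for _, outcome, _, src in events if outcome == "Failed")
    return {src: n for src, n in fails.items() if n >= threshold}


def success_after_failures(events, min_failures=3):
    """Phase 2: an accepted login from a source that failed >= min_failures times before."""
    fails = Counter()
    hits = []
    for ts, outcome, user, src in events:
        if outcome == "Failed":
            fails[src] += 1
        elif fails[src] >= min_failures:
            hits.append((ts, user, src))
    return hits


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def unusual_logins(events):
    """Phases 2/3: accepted logins from outside the internal ranges or outside business hours."""
    return [(ts, user, src) for ts, outcome, user, src in events
            if outcome == "Accepted" and (not is_internal(src) or ts.hour not in BUSINESS_HOURS)]


def port_scan_sources(text, min_ports=10):
    """Phase 1: sources whose dropped packets hit at least `min_ports` distinct ports."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            _, src, dpt = m.groups()
            ports[src].add(int(dpt))
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    events = parse_auth(AUTH_LOG)
    print("brute force:", brute_force_sources(events))
    print("success after failures:", success_after_failures(events))
    print("unusual logins:", unusual_logins(events))
    print("port scans:", port_scan_sources(FW_LOG))
```

In this constructed data, 203.0.113.7 is flagged three times (five failed guesses, then a successful login, from an external address at 02:14), while bob's single typo from an internal address during the day is ignored. Real sshd log lines carry more fields ("invalid user", process IDs) and the regular expressions would need adjusting; the point is the shape of the checks, which is the same thing an intrusion detection system does with far more rules.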

The right reactions to a hacker attack

First of all, it is important to accept that a hacker attack is possible in the first place and to be prepared for possibly drastic follow-up measures. Ignoring warning signs can have the serious consequences already described. Accordingly, employees must immediately report suspicious findings to the responsible persons. If there are reasonable grounds for suspicion, the affected computers should be disconnected from the network immediately so that malware does not spread further. In most cases, it also makes sense to at least shut down the systems that may be affected, as malware can only cause further damage while they are running. Bear in mind, however, that powering a machine off destroys volatile evidence such as running processes and memory contents; where a forensic examination is planned, isolating the system from the network while leaving it running preserves more traces. Afterwards, the attacked computers must be examined promptly in order to assess the extent of the intrusion and the damage already done. Only once the malware's point of entry is known can the network be rebuilt safely; otherwise it would be in danger of being re-infected immediately.

Practice for the worst case scenario

The consequences of an IT infrastructure becoming unavailable, undoubtedly serious for companies, can be mitigated in advance. If daily backups exist and have been stored securely and separately from the network, a system can often be restored quickly. A contingency plan for hacker attacks ensures a planned and effective response. Raising awareness and training one's own employees is also one of the most important preventive measures: an attack detected at an early stage is far easier to avert. Finally, a penetration test shows how well prepared you really are. Here, experts from a commissioned company simulate a hacker attack on the company and subsequently report the vulnerabilities they have identified.
