RECOVERY


Accounts

Internal Accounts

Change passwords for any company-owned accounts – email and any directory services like AD or O365 AD.

If possible, make these changes from a known-safe computer – a home PC – or ask your provider to do it for you.

Make sure new passwords are recorded, and never use the same password for multiple services.

Other Accounts

Review and change account passwords for any other service, eg Dropbox, Trello, Facebook, etc.

Consider low-priority services too – eg a Domino's pizza account. Low-priority providers sometimes have weak security, and your credentials may be stolen from them.

Enable Two Factor Authentication on all accounts.


Notifications

All Services

Make sure your provider enables notifications when a new device is used to log in to your accounts.

eg A new PC has logged into your email account from Brisbane with an IP address of 123.123.123.12 on Windows XP


Online Services


Domain and DNS

Ask your provider to confirm:

Your DNS records are correct and have not been manipulated.

Your website is OK and not showing signs of malicious activity.
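An added example (not part of the original checklist) of how a technician can check the "DNS records have not been manipulated" point: compare a known-good export of the zone with a fresh snapshot and flag every record that changed. The domain, record values and the dns_drift function are all constructed for illustration; in practice the baseline would be an export saved while the zone was known to be correct.

```python
"""Added example: detect drift between a known-good DNS baseline and a
fresh snapshot. All names and values below are constructed sample data."""
from typing import Dict, List, Set, Tuple

# Manipulating NS or MX silently redirects delegation or inbound mail,
# so changes to those types are reported as high severity.
HIGH_RISK_TYPES = {"NS", "MX"}

Snapshot = Dict[Tuple[str, str], Set[str]]  # (name, rtype) -> values

# Constructed baseline, as exported when the zone was known good.
BASELINE: Snapshot = {
    ("example.test", "NS"): {"ns1.provider.test.", "ns2.provider.test."},
    ("example.test", "MX"): {"10 mail.example.test."},
    ("example.test", "A"): {"203.0.113.10"},
    ("www.example.test", "CNAME"): {"example.test."},
    ("example.test", "TXT"): {'"v=spf1 mx -all"'},
}

# Constructed current snapshot containing two suspicious changes:
# an extra, higher-priority MX host and an SPF record weakened to +all.
CURRENT: Snapshot = {
    ("example.test", "NS"): {"ns1.provider.test.", "ns2.provider.test."},
    ("example.test", "MX"): {"10 mail.example.test.", "5 mx.unknown.test."},
    ("example.test", "A"): {"203.0.113.10"},
    ("www.example.test", "CNAME"): {"example.test."},
    ("example.test", "TXT"): {'"v=spf1 +all"'},
}


def dns_drift(baseline: Snapshot, current: Snapshot) -> List[dict]:
    """Return one finding per (name, type) whose set of values differs."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        name, rtype = key
        before = baseline.get(key, set())
        after = current.get(key, set())
        if before == after:
            continue  # record unchanged
        findings.append({
            "name": name,
            "type": rtype,
            "added": sorted(after - before),
            "removed": sorted(before - after),
            "severity": "high" if rtype in HIGH_RISK_TYPES else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in dns_drift(BASELINE, CURRENT):
        print(f"[{f['severity'].upper()}] {f['name']} {f['type']}: "
              f"added={f['added']} removed={f['removed']}")
```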


Once Your Services are Secured…


Scan and Scan Again


Get Many Opinions

Assume the attacker has compromised your email, and also the devices running inside your network.

Run a complete scan of every device with the antivirus tools you currently have first.

Once that scan is complete, run additional scans with:

Scan all devices, then also scan any network file shares – project drives, shared drives and even USB drives, including digital cameras and mobile phones that expose USB storage to a PC – to ensure unwanted programs have not propagated to them.

If you find potentially unwanted programs (PUPs), isolate the device and seek further advice about the nature of the program. Consider a more aggressive antivirus program like Carbon Black. Contact us for details on where to buy.

Make sure any devices used for work are scanned – this includes devices at home.



Isolate


Shutdown and Forensic Analysis

If you find PUPs or other suspicious activity, shut down the devices and consider forensic analysis.