RECOVERY
Change passwords for all company-owned accounts: email and any directory services such as AD or O365 AD.
If possible, make these changes from a known-safe computer, such as a home PC, or ask your provider to do it for you.
Make sure new passwords are recorded, and never use the same password for multiple services.
Review and change account passwords for any other service, e.g. Dropbox, Trello, Facebook.
Consider low-priority services too, e.g. a Dominos pizza account. Low-priority providers sometimes have weak security, and your credentials may be stolen from them.
Enable two-factor authentication on all accounts.
Make sure your provider enables notifications when a new device is used to log in to your accounts,
e.g. "A new PC has logged into your email account from Brisbane with an IP address of 123.123.123.12 on Windows XP".
Ask your provider to confirm:
Your DNS records are correct and have not been manipulated.
Your website is OK and not showing signs of malicious activity.
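The DNS check above can also be done yourself. The following script is an added example, not part of the original checklist: it compares the DNS records you recorded before the incident with what resolvers return now and reports anything added or removed. The domain and record values are constructed, and `fetch_live()` assumes the dnspython library is installed.

```python
from collections import defaultdict

try:
    import dns.resolver  # dnspython; optional, used only by fetch_live()
except ImportError:
    dns = None

def _norm(value: str) -> str:
    """Lower-case and drop trailing root dots so equivalent values compare equal."""
    return " ".join(p.lower().rstrip(".") for p in value.split())

def diff_records(baseline: dict, observed: dict) -> list:
    """List values added to or removed from each recorded (name, TYPE) set."""
    findings = []
    for name, rtype in sorted(set(baseline) | set(observed)):
        before = {_norm(v) for v in baseline.get((name, rtype), ())}
        after = {_norm(v) for v in observed.get((name, rtype), ())}
        findings += [f"ADDED   {name} {rtype} {v}" for v in sorted(after - before)]
        findings += [f"REMOVED {name} {rtype} {v}" for v in sorted(before - after)]
    return findings

def fetch_live(baseline: dict) -> dict:
    """Query the system resolver for every (name, TYPE) in the baseline."""
    if dns is None:
        raise RuntimeError("pip install dnspython to use fetch_live()")
    observed = defaultdict(set)
    for name, rtype in baseline:
        try:
            for rr in dns.resolver.resolve(name, rtype):
                observed[(name, rtype)].add(rr.to_text())
        except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
            pass  # an empty set is reported as REMOVED by diff_records()
    return dict(observed)

# Constructed sample: the baseline recorded before the incident versus a
# snapshot in which mail was redirected and a second SPF record appeared.
BASELINE = {
    ("example.com", "A"): {"203.0.113.10"},
    ("example.com", "MX"): {"10 mail.example.com."},
    ("example.com", "TXT"): {'"v=spf1 mx -all"'},
}
OBSERVED = {
    ("example.com", "A"): {"203.0.113.10"},
    ("example.com", "MX"): {"10 mx.unknown-host.example."},
    ("example.com", "TXT"): {'"v=spf1 mx -all"', '"v=spf1 include:other.example -all"'},
}

if __name__ == "__main__":  # compare the constructed snapshots
    print("\n".join(diff_records(BASELINE, OBSERVED)) or "no differences")
```

For a real check, keep your own baseline dictionary and call `diff_records(BASELINE, fetch_live(BASELINE))`; any line it prints needs explaining by your provider.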
Once Your Services are Secured…
Scan and Scan Again
Assume the attacker has compromised your email and also the devices running inside your network.
First, run a complete scan of every device with the anti-virus tools you already have.
Once completed, run additional scans with:
Scan all devices, then also scan any network file shares to ensure unwanted programs have not propagated to drives: project drives, shared drives and even USB drives, including digital cameras and mobile phones that expose USB interfaces to a PC.
If you find potentially unwanted programs (PUPs), isolate the device and seek further advice about the nature of the program. Consider a more aggressive anti-virus program like Carbon Black. Contact us for details on where to buy.
Make sure any devices used for work are scanned – this includes devices at home.
If you find PUPs or other suspicious activity, shut down the devices and consider forensic analysis.