Hackers in your network? Why kicking them out straight away is not always the best approach

Rushing to get that infection off your network without proper investigation could just make it worse, warn cyberlaw enforcement experts.
Written by Danny Palmer, Senior Writer

When hackers attack, don't unplug your systems -- wait and watch what they're doing.

Image: Getty Images/iStockphoto

It's time to face the facts: no matter how secure you might believe your corporate network to be, sooner or later, cybercriminals will find their way in.

They could enter using stolen credentials, they could find their way in using malware, or they could be in the system for some time before you realise something is wrong.

You understandably panic when hackers have infiltrated your network and look to shutdown the infected PCs, because that's the correct thing to do, right? Wrong. The FBI has warned that while this might be an understandable impulse, it's not always the right decision.

"When we come into an incident, most people want to immediately fix it, they want it to go away as fast as possible," said Kurt Pipal, assistant legal attaché at the Office of the Legal Attaché for the FBI in the UK, speaking during panel on law enforcement and cybercrime at Infosecurity Europe 16 in London.

"I get that, it's a driver from a business perspective. However, not understanding the true intrusion events could mean you don't clear it out -- they're called 'advanced persistent threats' for a reason."

If possible, businesses should allow investigators to look into the breach before the evidence is destroyed.

"Understand where they [hackers] are in your network, let law enforcement understand that threat, and be able to give you tips on how these actors move through your network, then get them off it," said Pipal.

"It's not a mistake, but a business decision. There's definitely a drive to mitigate it as fast as possible, but to understand what it is before you do that is important," he explained.

For Andre McGregor, a former FBI cyberspecial agent and now director of security at endpoint protection firm Tanium, suggesting to a breached company that they don't do anything is "one of the hardest conversations" to have in cyberlaw enforcement -- as the organisation just wants the hackers out of their system. But that can just make the situation worse.

"The minute you unplug a device -- because instinct is 'something bad is happening and I don't want it to happen anymore' -- the adversary is aware. So as long as you're not actively losing data, you have some time to actively look at where the adversary is going," McGregor told ZDNet.

"That's exactly what we do with terrorism: we observe, we obviously want to get to the point before anything bad happens, but up until that point we want to get as much information as we can so we understand the adversary. But the minute they unplug the machine, the adversary is aware," he said.

McGregor recalled an incident where a large company was the victim of a cyberattack: it acted quickly and only inflamed the situation.

"We identified ten computers in the environment with ATP malware on, so [the company's] immediate response was to turn off the machines. Meanwhile, on the other end, we in the intelligence community monitoring what the adversary was doing, saw 50 more machines pop up as infected. They were doing their work on ten machines, but the infection laid persistence in 60 machines," he said.

"It's not that you're not doing anything, but that we can set up walls around it, segment their activity so we can still see what they're doing, allow them to give us more evidence, but not navigate further," he said.

Read more on cybersecurity

Editorial standards