
Suspicious Activity In Your Network. Now What?


We have already talked about the importance of proper network monitoring. In fact, this is a topic that we have covered quite often. However, a lot of people don’t know what to do when they actually find some suspicious activity. Although there is no one response plan that can work for every incident, we have tried to concentrate on the universal aspects of incident response.

First Things First: Don’t Unplug Or Power Off!

If a non-technician encounters evidence of a cyberattack, they might respond by instinctively cutting off the power to the affected device. Unfortunately, this is not a good idea. Whenever a computer shuts down or restarts, everything held in its volatile memory (RAM) is lost. If the device has not been powered off, investigators may be able to recover a lot of valuable information by capturing and examining the contents of that memory.

The great thing about memory is that it holds data in unencrypted form. This is unavoidable, because a computer cannot actually work with encrypted data; it can only store that data until someone decrypts it with a password. Thus, even if the hacker has tried to encrypt their digital footprints on disk, the copies in memory will still be readable.

Step One: Cut Off Unauthorized Access

Rather than panicking and turning everything off, the first step should be to cut off unauthorized access. To do this with maximum effectiveness, you will need to do several things at once. For one thing, all legitimate users need to reset their passwords immediately. This is especially true for network administrators, as their accounts are the most likely to be targeted.

At the same time, you need someone to identify the IP and/or MAC address that is associated with the suspicious activity. Once that is known, firewall tools can be used to block that specific address. This should immediately boot the unauthorized user from the network.

Finally, once everyone is finished resetting passwords, you need to do a total network reset. This should kick everyone off the network, forcing them to log back in with their new passwords. If the attacker used a stolen password to gain access, this will remove them from the network.
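As an added example (not part of the original article, and not PCH Technologies' own tooling), the following Python script shows the "identify the address" part of this step: it reads sshd-style authentication log lines, flags any source that produces repeated login failures within a short time window, and notes when such a source then logs in successfully, which is the pattern an administrator would want to act on. The log lines, host names and IP addresses are constructed for the example, and because syslog lines carry no year the parser assumes one. The block-rule helper renders an nftables or iptables command for an administrator to review; it assumes an existing `inet filter` table with an `input` chain and does not apply anything itself.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log (sshd format); hosts and addresses are invented.
SAMPLE_LOG = """\
Mar 12 02:14:01 fileserver sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 12 02:14:03 fileserver sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
Mar 12 02:14:04 fileserver sshd[2211]: Failed password for root from 198.51.100.23 port 51024 ssh2
Mar 12 02:14:06 fileserver sshd[2212]: Failed password for root from 198.51.100.23 port 51025 ssh2
Mar 12 02:14:09 fileserver sshd[2213]: Accepted password for root from 198.51.100.23 port 51026 ssh2
Mar 12 02:20:41 fileserver sshd[2290]: Failed password for jsmith from 192.0.2.45 port 40112 ssh2
Mar 12 02:31:12 fileserver sshd[2301]: Accepted publickey for jsmith from 192.0.2.45 port 40113 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd log line into a dict, or return None if it is not a login event.
    Syslog timestamps have no year, so the caller supplies one (2024 is an assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def find_suspicious_sources(log_text, max_failures=3, window_seconds=60):
    """Return {ip: reason} for every source with at least max_failures failed logins
    inside a sliding window of window_seconds. If a flagged source later logs in
    successfully, the reason records which account it used."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ev["ts"])
            # Drop failures that fell out of the window.
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= max_failures:
                flagged.setdefault(ip, "brute-force pattern")
        elif ip in flagged:
            flagged[ip] = f"brute-force pattern followed by successful login as {ev['user']}"
    return flagged


def block_rule(ip, tool="nft"):
    """Render a drop rule for the given source address for an administrator to review.
    Assumes an nftables table 'inet filter' with chain 'input' (or iptables INPUT)."""
    if tool == "nft":
        return f"nft add rule inet filter input ip saddr {ip} drop"
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, reason in find_suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
        print("  review and apply:", block_rule(ip))
```

Run against the sample, the script flags only 198.51.100.23 (four failures in a few seconds, then a successful root login); the single failure from 192.0.2.45 stays below the threshold. The address and account it reports are exactly what the firewall rule and the password-reset list in this step need.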

Step Two: Remove Any Malware That Might Be Present

You also need to check the system for any malware that might be present. Unauthorized access and malware installation will often go hand in hand, like dogs and fleas. In some cases, it might be the malware itself that keeps the attacker connected to the network. Regardless of type or purpose, all malware needs to be detected and removed immediately. If the situation is bad enough, you may even want to wipe the affected systems and restore them from backups.

Step Three: Intense Network Monitoring

A group of qualified individuals should next be set to the task of monitoring the network. If the attack is continuing in any form, it should be possible to detect the telltale signs and act accordingly. The whole point of these first three steps is to stop the attack itself before it gets any worse. Next, we will focus on later steps and long-term remediation.

Step Four: Collect All Relevant System Logs

Once you have cut off the immediate danger of the attack, you need to focus on documenting it. Not only do you want to try to prosecute the hackers, but you will also require proof that the incident occurred. This might become very important for protecting your reputation later on. Companies that failed to consider this sort of thing have sometimes suffered severe consequences. When doing this, place a special emphasis on security logs.
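Logs only serve as proof if you can later show they were not altered after collection. The following Python script is an added example, not code from the article or from PCH Technologies: it copies a set of log files into an evidence directory, records each file's SHA-256 hash, size and original modification time in a manifest together with who collected it and when, and provides a verification function that re-hashes the stored copies. The `demo()` function builds two constructed log files in a temporary directory, collects them, then tampers with one copy to show the verification catching it; the file names, log contents and collector name are all invented.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect_logs(sources, evidence_dir, collector):
    """Copy each source log into evidence_dir and write manifest.json describing
    every copy. Returns the manifest as a dict."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for i, src in enumerate(map(Path, sources)):
        # Prefix with an index so two logs with the same basename cannot collide.
        dst = evidence_dir / f"{i:02d}_{src.name}"
        shutil.copy2(src, dst)   # copy2 keeps the source's modification time
        entries.append({
            "original_path": str(src),
            "stored_as": dst.name,
            "size": dst.stat().st_size,
            "source_mtime_utc": datetime.fromtimestamp(
                src.stat().st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(dst),
        })
    manifest = {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "collected_by": collector,
        "files": entries,
    }
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(evidence_dir):
    """Re-hash every stored copy listed in manifest.json and return the names
    of those whose hash no longer matches (an empty list means all intact)."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [
        e["stored_as"] for e in manifest["files"]
        if sha256_file(evidence_dir / e["stored_as"]) != e["sha256"]
    ]


def demo():
    """Constructed end-to-end run in a temporary directory; no real host data.
    Returns (mismatches before tampering, mismatches after tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        auth = tmp / "auth.log"
        fw = tmp / "firewall.log"
        auth.write_text("Mar 12 02:14:09 fileserver sshd[2213]: "
                        "Accepted password for root from 198.51.100.23 port 51026 ssh2\n")
        fw.write_text("Mar 12 02:15:00 gw kernel: DROP IN=eth0 "
                      "SRC=198.51.100.23 DST=10.0.0.5\n")
        evidence = tmp / "evidence"
        manifest = collect_logs([auth, fw], evidence, collector="analyst on duty (constructed)")
        assert len(manifest["files"]) == 2
        clean = verify_evidence(evidence)
        # Simulate someone editing a stored copy after collection.
        (evidence / "00_auth.log").write_text("tampered\n")
        return clean, verify_evidence(evidence)


if __name__ == "__main__":
    print(demo())   # ([], ['00_auth.log'])
```

In practice the manifest (or just its hash) would be stored somewhere the evidence directory cannot be modified from, such as a signed record or write-once media, so that a matching verification actually means something; the script shows only the integrity bookkeeping itself.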

Step Five: Address The Root Of The Problem

Now we need to worry about fixing the root problem that caused the breach in the first place. In the course of the previous four steps, you may have already figured out how the attack took place. If not, this is the time for an in-depth investigation. This is the most important step when it comes to the prevention of future attacks.

Once you think that the root cause has been addressed, you need to go one step further and verify that fact. Some penetration testing from a qualified and trustworthy company is just the thing here. They can try to duplicate the actual attack (or the attempt at such) in order to see if you have really closed that loophole.


Regardless of how the breach happened, we cannot overemphasize the importance of quick action. The longer you wait, the more time a hacker will have to do their work. This probably involves compromising your system, stealing sensitive information, implanting malware, or all of the above. However, prompt action can make it possible to weather an attack like this with no significant damage. It also helps if you have the services of a competent IT company like PCH Technologies. If you would like to get some more good advice, you can call us at (856) 754-7500.