Hawk's Path
Compromised Systems Response
When an attacker is already inside your systems, it's a different game. You should be more vigilant, deliberate, and cautious, as any hasty action can worsen the situation.
What to Do When an Attacker is Inside
- Contain first: isolate affected systems, accounts, and networks. Stop lateral movement.
- Invalidate access paths: rotate credentials only after isolation; otherwise the attacker simply reuses the new ones.
- Assume automation is compromised: CI/CD pipelines, package publishing, cron jobs, startup scripts. Inspect all of them.
- Look for persistence: new users, modified configs, hidden processes, poisoned dependencies.
- Rebuild, don't clean: treat the systems as hostile. Restore only from verified, pre-incident sources.
Compromised systems compromise trust. When an attack happens, your business is at risk. Mitigating quickly is then the first priority; uptime and functionality come second. If it helps, take the system down to halt the attack, then investigate the damage.
Exercise
- Does your company have a clear incident response plan for when an attacker is already inside? If not, create one.
- Review your current response plan and identify any gaps or areas for improvement, especially regarding containment and credential rotation.
- Do a workshop or tabletop exercise simulating an attack where the attacker is already inside. Practice your response and identify any weaknesses in your plan.

