What to Do if You Suspect a Hacker Is In Your Systems:

1. Isolate, don’t shut down

Your instinct might be to power everything off — don’t. You’ll destroy evidence and make diagnosis harder.

  • Disconnect affected machines from the network (Wi-Fi, LAN, VPN)
  • Block external access at the firewall if needed
  • Keep systems powered on for investigation

Objective: Contain lateral movement without losing forensic data.

2. Secure your access points immediately

Assume credentials are compromised.

  • Reset all admin passwords (email, servers, firewall, cloud platforms)
  • Enable MFA everywhere (especially Microsoft 365 / Google Workspace)
  • Revoke active sessions and tokens

Priority order:

  1. Email (this is the master key)
  2. Domain/admin accounts
  3. Remote access tools (RDP, VPN)

3. Check for persistence mechanisms

Attackers rarely just “log in and leave.”

Look for:

  • New user accounts (especially admin-level)
  • Scheduled tasks or cron jobs
  • Unknown remote access tools
  • Startup programs/services

If you miss this step, they’ll come straight back in.

4. Review logs and identify the entry point

You need to understand how they got in.

Focus on:

  • Firewall logs (unusual inbound connections)
  • Email audit logs (phishing, mailbox rules)
  • Login anomalies (locations, times, failed attempts)

Common entry points:

  • Phishing emails
  • Weak or reused passwords
  • Open RDP/VPN with no MFA
  • Outdated software vulnerabilities
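The "login anomalies" bullet above (locations, times, failed attempts) can be turned into a repeatable check. The script below is an added example, not part of the original article: it runs over constructed sign-in records shaped like an identity-provider export, with an assumed baseline country and business-hours window, and flags the three anomaly classes named in this step.

```python
# Added example: triage of sign-in records for the "login anomalies" check.
# Record format, sample data, baseline country and business hours are all
# constructed assumptions; adapt them to your own sign-in export.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (local timestamp, user, source country, source IP, result)
SAMPLE_LOGINS = [
    ("2024-05-01T09:02:11", "alice", "NZ", "203.0.113.10", "Success"),
    ("2024-05-01T09:40:55", "bob",   "NZ", "203.0.113.11", "Success"),
    ("2024-05-01T23:14:02", "alice", "RU", "198.51.100.7", "Failure"),
    ("2024-05-01T23:14:09", "alice", "RU", "198.51.100.7", "Failure"),
    ("2024-05-01T23:14:15", "alice", "RU", "198.51.100.7", "Failure"),
    ("2024-05-01T23:14:31", "alice", "RU", "198.51.100.7", "Success"),
    ("2024-05-02T10:15:00", "bob",   "NZ", "203.0.113.11", "Success"),
]

BASELINE_COUNTRIES = {"NZ"}    # assumption: where staff normally sign in from
BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 local time


def find_login_anomalies(records, baseline_countries=BASELINE_COUNTRIES,
                         hours=BUSINESS_HOURS, fail_threshold=3,
                         window=timedelta(minutes=10)):
    """Return (user, reason) findings: unusual location, off-hours sign-in,
    and a burst of failures followed by a success from the same source."""
    findings = []
    recent_failures = defaultdict(list)  # (user, ip) -> failure timestamps
    for ts, user, country, ip, result in sorted(records):  # ISO strings sort by time
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        key = (user, ip)
        if result == "Failure":
            recent_failures[key].append(when)
            continue
        if country not in baseline_countries:
            findings.append((user, f"success from unusual country {country} ({ip})"))
        if when.hour not in hours:
            findings.append((user, f"success outside business hours at {when:%H:%M}"))
        # Failures inside the window before this success suggest guessing that worked
        recent = [t for t in recent_failures[key] if when - t <= window]
        if len(recent) >= fail_threshold:
            findings.append((user, f"{len(recent)} failures then success from {ip}"))
        recent_failures[key].clear()
    return findings


if __name__ == "__main__":
    for user, reason in find_login_anomalies(SAMPLE_LOGINS):
        print(f"{user}: {reason}")
```

Accounts it flags belong at the top of the password-reset and session-revocation list from step 2.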

5. Scan and clean systems properly

This is where many businesses get it wrong — a basic antivirus scan is not enough.

  • Run endpoint detection tools (EDR/XDR if available)
  • Scan all endpoints, not just the “obvious” ones
  • Remove malware, backdoors, and unauthorized tools

If in doubt: rebuild compromised machines from clean images.

6. Communicate and document

Now you shift from firefighting to control.

  • Inform key stakeholders (management, IT, possibly clients)
  • Document what happened, what was affected, and what was done
  • Assess whether reporting is required (privacy/data breach laws in New Zealand)

In NZ, you may need to notify the Office of the Privacy Commissioner if personal data is involved.

Final reality check

If someone has been inside your system:

  • Assume data access, not just an access attempt
  • Assume persistence unless proven otherwise
  • Assume it will happen again unless you fix the root cause
