My system was breached: what to do in the first minutes of unauthorized access
O que fazer agora
If there are signs of a breach, act on three fronts at once: revoke all active sessions and tokens, immediately change the passwords and API keys of privileged access, and isolate the affected machines from the network without shutting them down or reinstalling, because shutdown destroys the evidence that reveals how the intruder got in. Preserve the logs and engage Decripte's 24/7 Incident Response through /contato for containment and threat hunting with an SLA of up to 1 hour. An attacker with access almost always leaves ways to return, so containing without hunting for persistence only delays the second attack. If personal data is involved, record the time of awareness: the deadline to notify the ANPD is 3 business days from that point.
SOC 24x7 e SLA de contenção de até 1 hora. A Decripte é especialista em resposta a incidentes para fintechs, crypto, apps, e-commerces e empresas de todos os tamanhos.
Sinais de alerta
- ›A successful login from an unusual IP, country or time, or from a device no one recognizes.
- ›A new administrator user or service account that appeared without a request.
- ›Unknown processes consuming CPU/network, strange outbound connections or traffic to unusual destinations.
- ›Firewall, security group or email rules (automatic forwarding) altered without authorization.
- ›New files in web directories (possible webshells), scripts or binaries that you did not place there.
- ›Scheduled tasks (cron/Task Scheduler) or SSH keys added that no one on the team created.
- ›MFA alerts, password resets or login attempts you did not initiate, or users reporting being logged out.
Primeiros passos — o que fazer agora
- 1
Isolate without destroying (containment)
Disconnect the compromised machine from the network (remove the cable, disable the interface or block it at the firewall/security group), but do NOT shut down or reboot. Isolating interrupts the intruder's access; shutting down erases memory, processes and evidence that point to the root cause.
- 2
Revoke all sessions and active access
Force a global logout for all users (invalidate tokens and refresh tokens), terminate VPN, RDP, SSH and admin panel sessions. Revoke cloud access keys (AWS/GCP/Azure) and disable suspicious accounts instead of just changing the password, because changing a password does not drop an already open session.
- 3
Rotate secrets, keys and tokens
Change the passwords of privileged access, generate new API keys, rotate SSH keys, application secrets, webhook tokens and database credentials. Consider compromised everything that was accessible to the breached machine, including secrets in environment variables and config files.
- 4
Preserve the evidence
Before any cleanup, save copies of the logs (system, application, authentication, firewall, CloudTrail), a disk image and, if possible, a memory dump of the affected machine. Note the date, time and who detected what. This chain of custody supports the forensics and the notification to the ANPD.
- 5
Hunt for persistence and ghost accounts
Look for new users (especially admin), added SSH keys, unknown scheduled tasks (cron/Task Scheduler), recently created services, webshells in web directories and altered firewall/security rules. These are the mechanisms through which the intruder returns even after you change the passwords.
- 6
Enable MFA and close the entry vector
Enable multi-factor authentication on all privileged and remote access. Identify and close the entry door (exposed VPN, leaked credential, unpatched service, public admin panel) before putting systems back into production, or the breach repeats.
- 7
Engage Decripte's 24/7 Incident Response
Through /contato you reach Decripte's incident response team (24x7 SOC, containment within 1 hour). We lead containment, threat hunting for lateral movement, eradication of persistence and root-cause forensics, and we guide the legal obligations toward the ANPD and the data subjects.
- 8
Assess the legal duty to notify
If the incident involves personal data and may generate relevant risk or harm to data subjects, notification to the ANPD must occur within 3 business days from awareness (Resolution CD/ANPD No. 15/2024), with notice also to the affected data subjects. Record internally the time you became aware, as the deadline counts from there. If there is Pix fraud, contact the bank right away to trigger the MED.
O que NÃO fazer
- ✕Do not shut down or reinstall the server right away: shutdown erases volatile memory, active processes and artifacts that show how the intruder got in, making root-cause forensics unfeasible.
- ✕Do not just change the obvious user's password and think it is over: the attacker has usually already created accounts, SSH keys or scheduled tasks to return; without hunting for persistence, the breach repeats within days.
- ✕Do not pay a ransom nor negotiate on impulse if there is extortion attached: payment does not guarantee data recovery or that exfiltrated copies will be deleted, besides funding the crime; handle containment and evidence first, and assess the decision with legal and forensic support.
- ✕Do not restore backups before confirming they are clean and that the vector was closed: you may reintroduce the backdoor or put back online the same vulnerable service that was exploited.
- ✕Do not publicly communicate wrong versions before the analysis: inaccurate statements hinder the correct notification to the ANPD and the data subjects and can create additional liability.
- ✕Do not rely only on antivirus to declare the environment clean: webshells, hijacked legitimate accounts and scheduled tasks often go unnoticed without targeted threat hunting.
The first 60 minutes: containment without destroying the evidence
The instinct of whoever discovers an intruder is to shut everything down. Resist it. Shutting down a compromised machine erases RAM (where the attacker's processes, keys in use and active connections live) and often triggers cleanup mechanisms. The goal of the first hour is to cut off the intruder's access while preserving what they touched. In practice this means isolating the machine from the network at the firewall or security-group level, instead of shutting it down.
In parallel, terminate what grants live access: force a global logout, invalidate tokens and refresh tokens, drop VPN, RDP and SSH sessions and disable suspicious accounts. Changing a password alone does not kill an already open session, which is why session revocation comes first. In cloud environments, revoke access keys and rotate the API credentials the compromised machine could have read.
Document each action with a timestamp. This record becomes both the basis of the forensics and the proof of diligence for the ANPD. If the operation is critical and you do not have an on-call response team, this is exactly when it makes sense to engage Decripte's 24/7 Incident Response through /contato: coordinated containment within 1 hour, without burning the evidence that will still tell you how it all started.
Hunting for persistence: why changing the password is not enough
An experienced attacker, the moment they gain access, plants ways to return. The most common ones: creating a new user (preferably with administrative privilege), adding their own public key to the authorized_keys of a legitimate account, installing a scheduled task that reopens a reverse connection, uploading a webshell to a directory served by the web application, or altering a firewall rule to open a return port. Each of these survives a password change.
Eradicating requires systematically scanning these points: enumerate privileged users and groups and compare with what should exist, audit SSH keys, list cron/systemd timers/Task Scheduler, review recently created services, comb web directories for files with suspicious modification dates and review network and email rules (automatic forwarding is a classic sign of mailbox compromise).
It is threat-hunting work, not a superficial checklist. Eradication only ends when you are confident you have removed all the return mechanisms and closed the original entry vector. Putting systems back into production before that is the mistake that turns an incident into a recurrence.
Cada minuto conta. Comece o diagnóstico gratuito agora e veja o que já vazou.
Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.
Lateral movement and root cause: from the entry point to the real reach
The question that defines the size of the incident is not where the intruder is, but how far they reached. From the first host, attackers move laterally using captured credentials, reused sessions and trust relationships between machines. Mapping that movement means correlating authentication logs, internal connections, database access and identity systems to reconstruct the timeline: when they got in, what they accessed, what they copied.
In parallel runs the root-cause forensics, which answers how the intruder got in. The typical entry doors are leaked or reused credentials, an internet-exposed service without patches, a public administrative panel, phishing that captured a session, or an API key exposed in a repository. Closing the vector is what prevents the next breach, and discovering the vector is what tells whether there was exposure of personal data and, therefore, a duty to notify.
This is the point where forensics becomes a business and legal decision. If the analysis indicates access to personal data with relevant risk to data subjects, it triggers the deadline to notify the ANPD of up to 3 business days from awareness, with notice to the affected data subjects. Decripte's team leads that investigation and translates the technical finding into a clear recommendation about what to communicate, to whom and when.
How Decripte leads eradication and threat hunting
Decripte's incident response follows the consolidated cycle of detection and analysis, containment, eradication, recovery and lessons learned. In practice, the team steps in doing coordinated containment with your team (isolation, session revocation and secret rotation), while preserving disk images and logs for the forensics. The SOC operates 24x7 and the containment commitment is up to 1 hour, because in an active breach every hour widens the attacker's reach.
The threat-hunting phase looks for what automated tools do not see: hijacked legitimate accounts, subtle persistence, outbound beacons and lateral movement. Eradication removes all the return points and closes the entry vector, and recovery only releases the systems after validating that the environment is clean. In the end, you receive the root cause, the timeline and the recommendations to close the gaps that allowed the breach.
Engagement is direct through /contato, at any hour. The sooner preserved evidence and correct containment step in, the smaller the damage and the more defensible your position before customers, partners and the regulator.
Precisa conter o incidente agora? Comece de graça e ative a resposta 24x7.
Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.
After containing: discover your exposure before the next attack
A large share of breaches starts outside your perimeter: a corporate credential leaked in a dump, an access for sale on a forum, a domain being used for phishing against your customers. You do not see this through internal logs, and it is precisely that blind spot that becomes the entry vector next time. Continuously monitoring that external surface is what turns response into prevention.
That is why Decripte offers a free Threat Management plan, the Decripte Intelligence Center (DIC), at decripte.com.br/intelligence-center. It monitors credential leaks, dark web exposure and your domain's reputation, with no credit card and requiring no technical team. After going through an incident, enabling it is the logical step to know what is already exposed and be warned before it becomes the next strange login at three in the morning.
For those who need continuous operational protection, the paid plans cover 24x7 SOC, contracted Incident Response, pentest, vulnerability management and compliance (LGPD and ISO 27001). The logic is simple: the free plan shows your exposure, incident response puts out the fire, and the continuous program prevents it from starting again.
Obrigações legais (Brasil)
Brazil: if the incident involves personal data and may generate relevant risk or harm to data subjects, notification to the ANPD must occur within 3 business days from awareness of the incident (Resolution CD/ANPD No. 15/2024), with notice also to the affected data subjects; record internally the time of awareness, as the deadline counts from it. In the case of Pix fraud associated with the breach, contact the bank immediately to trigger the MED (Special Return Mechanism), which has a short window, and file a police report. This content is informational and does not replace specific legal advice. These rules and deadlines (ANPD/LGPD) are Brazilian.
Termos importantes
- Persistence
- The set of mechanisms an intruder plants to regain access even after you change passwords: new users, added SSH keys, scheduled tasks, webshells and services or firewall rules created by them.
- Lateral movement
- The technique by which the attacker, from the first compromised host, advances to other machines and systems using captured credentials and internal trust relationships, widening the reach of the incident.
- Webshell
- A malicious script placed in a directory served by the web application that lets the intruder execute commands on the server remotely through the browser, acting as a discreet back door.
- Secret rotation
- The replacement of all credentials the intruder may have accessed: privileged passwords, API keys, SSH keys, application secrets and tokens. Everything within reach of the compromised machine must be considered leaked.
- Threat hunting
- The active, targeted search for signs of compromise that automated tools do not detect, such as hijacked legitimate accounts, subtle persistence and the attacker's hidden communication channels.
- MED (Special Return Mechanism)
- A Pix feature that allows the bank to block and return funds in cases of fraud or operational failure. It has a short trigger window, which is why contact with the bank must be immediate after detecting the fraudulent transaction.
Perguntas frequentes
I found a strange login on my admin account, what do I do first?
Force a logout of all sessions and change the password together with enabling MFA, because just changing the password does not drop an already open session. Then revoke associated tokens and API keys, check whether new users or email forwarding rules were created, and preserve the authentication logs. If the access was to a critical system, engage Decripte's 24/7 Incident Response through /contato.
Should I shut down or reinstall the breached server?
Not right away. Shutting down erases the memory and the artifacts that reveal how the intruder got in and what they did, and reinstalling destroys the evidence completely. The right move is to isolate the machine from the network without shutting it down, preserve a disk image and the logs, and only then move to eradication and rebuilding. Reinstalling without closing the entry vector makes the breach repeat.
I already changed all the passwords, do I still need to worry?
Yes. Changing passwords does not remove persistence. An intruder usually leaves extra accounts, added SSH keys, scheduled tasks, webshells or altered firewall rules that allow them to return even with the new passwords. You need to hunt for and remove those mechanisms and confirm that the original entry vector was closed before considering the incident resolved.
How do I know if the intruder copied or leaked data?
That comes from forensics: by correlating access logs, outbound connections and database activity it is possible to reconstruct what was accessed and exfiltrated. If there is evidence of access to personal data with relevant risk to data subjects, it triggers the obligation to notify the ANPD within 3 business days from awareness and to notify the data subjects. Decripte leads that analysis and advises on what and to whom to communicate.
Do I need to notify the ANPD if my system was breached?
If the incident involves personal data and may generate relevant risk or harm to data subjects, yes. Resolution CD/ANPD No. 15/2024 establishes notification to the ANPD within 3 business days from awareness of the incident, with notice also to the affected data subjects. Record internally the exact moment you became aware, as that is when the deadline starts to count.
There was a fraudulent Pix transfer along with the breach, is it possible to reverse it?
Act immediately. Contact the bank to trigger the Pix MED (Special Return Mechanism), which has a short window, and file a police report. In parallel, handle the security incident: the breach that enabled the fraud must be contained and investigated to prevent new transactions. The sooner the bank is engaged, the greater the chance of blocking the funds.
My company is small and has no security team, does Decripte serve it?
Yes. Decripte serves companies of all sizes, from startups and e-commerces to fintechs and exchanges. For an active incident, the path is 24/7 Incident Response through /contato. For continuous monitoring at no cost and with no need for a technical team, there is the free Threat Management plan at decripte.com.br/intelligence-center, which warns about leaked credentials and exposure of your domain.
How long does Decripte take to contain a breach?
The SOC operates 24x7 and the containment commitment is up to 1 hour from engagement. Initial containment (isolation, session revocation and secret rotation) occurs within that interval, while the team preserves evidence for the forensics. Full eradication and root-cause forensics follow afterward, depending on the complexity of the environment and the extent of the lateral movement.
Incidente em andamento?
Comece agora pelo diagnóstico gratuito — e ative SOC 24/7 e resposta a incidentes nos planos pagos.
Veja em minutos o que já vazou da sua empresa. Quando precisar, a Decripte assume a contenção, a investigação forense e a recuperação do ambiente com SLA de contenção de 1 hora.
