The examples of Heise or Landkreis Anhalt-Bitterfeld show what consequences a single click on a contaminated email can have. There is no time to process the initial shock. But not everyone is an expert in IT forensics, and the "regular" employee in particular is quickly overwhelmed in such a situation. In this article, we give you an overview of the most important measures you need to take in the event of an IT emergency.
1. Stay calm
As threatening as the situation is, every step from now on must be well thought out (or already thought through in advance, see below). A wrong step can make a bad situation even worse. Acting carefully also matters for preserving evidence later. In any case, it makes sense to get external help from IT forensics and incident response specialists (see below).
2. Mitigate damage
Perhaps the most important measure first: make sure that no one with privileged user accounts (administrator rights) logs on to a potentially infected system while it is still on the internal productive network or connected to the Internet.
Next, you need to isolate infected machines to prevent malware from spreading. So, unplug the network cable and disable WLAN connections. Do not shut down or turn off devices – this could alert the cybercriminals, making it more difficult to track them down later.
The BSI generally recommends considering infected local systems to be completely compromised and rebooting them later. You should also consider all access data stored on infected computers, or entered on them later, as compromised. This includes, but is not limited to, credentials saved in web browsers, email clients, RDP/VNC connections, and other applications such as PuTTY, FileZilla and WinSCP.
Also, and especially in the case of Active Directory (AD) compromise, the BSI recommends that the entire network be considered contaminated. It must then be rebuilt afterwards.
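The isolation rules from this section can be checked against logon records so that a privileged logon to a host that is supposed to be off the network is noticed at once. The following script is an added example and not code from the original article or from NoSpamProxy; the log line format, the host names, account names and addresses in `QUARANTINED_HOSTS`, `PRIVILEGED_ACCOUNTS`, `ADMIN_JUMP_HOSTS` and `SAMPLE_LOG` are all constructed for illustration.

```python
"""Check logon records for privileged logons to hosts that should be isolated.

Added example, not code from the original article or from NoSpamProxy.
The log line format, host names, account names and addresses are all
constructed for illustration and do not correspond to any real product.
"""
import re
from dataclasses import dataclass

# Hosts taken off the network as potentially infected (constructed names).
QUARANTINED_HOSTS = {"ws-0042", "fs-01"}
# Accounts with administrator rights that must not touch those hosts (constructed).
PRIVILEGED_ACCOUNTS = {"domain-admin", "backup-svc"}
# The only sources from which administrative logons are expected (constructed).
ADMIN_JUMP_HOSTS = {"10.0.9.5"}

# Constructed logon line format: "<timestamp> <host> logon <result> user=<user> src=<ip>"
LOGON_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) logon (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    src: str
    reason: str


def parse_logon(line):
    """Return the fields of one logon line, or None if the line is not a logon record."""
    m = LOGON_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_logons(lines):
    """Return a Finding for every successful logon that violates the isolation rules."""
    findings = []
    for line in lines:
        rec = parse_logon(line)
        if rec is None or rec["result"] != "success":
            continue  # malformed lines and failed logons are not isolation violations
        privileged = rec["user"] in PRIVILEGED_ACCOUNTS
        quarantined = rec["host"] in QUARANTINED_HOSTS
        if privileged and quarantined:
            reason = "privileged logon to quarantined host"
        elif quarantined:
            reason = "logon to quarantined host"
        elif privileged and rec["src"] not in ADMIN_JUMP_HOSTS:
            reason = "privileged logon from unexpected source"
        else:
            continue
        findings.append(Finding(rec["ts"], rec["host"], rec["user"], rec["src"], reason))
    return findings


# Constructed sample records; none of these reflect a real environment.
SAMPLE_LOG = """\
2024-05-03T08:01:12Z ws-0042 logon success user=jdoe src=10.0.1.20
2024-05-03T08:02:40Z dc-01 logon success user=domain-admin src=10.0.9.5
2024-05-03T08:03:05Z ws-0042 logon success user=domain-admin src=10.0.1.77
2024-05-03T08:04:11Z fs-01 logon failure user=backup-svc src=10.0.1.77
2024-05-03T08:05:00Z app-03 logon success user=backup-svc src=10.0.1.77
this line is not a logon record
""".splitlines()

if __name__ == "__main__":
    for f in audit_logons(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.user} from {f.src}: {f.reason}")
```

Run against the constructed sample, the script reports three findings: an ordinary user logging on to a quarantined workstation, a domain administrator doing the same, and a service account with administrator rights logging on from an address that is not an expected jump host. The successful administrator logon from the jump host and the failed logon are not reported.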
3. Stop running backups
A backup won’t do you much good later on if it is also contaminated. Also, check if you have recent and clean backups. Ideally, store your backups offline.
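Checking whether you still have recent and clean backups can be done mechanically if a hash of every backup was recorded on offline media when it was written. The following script is an added example and not code from the original article or from NoSpamProxy; the backup names, contents, timestamps and the `MANIFEST` are constructed. It compares each backup's SHA-256 hash with the offline manifest and then asks whether the newest backup that still matches is too old to be useful.

```python
"""Verify backup freshness and integrity against an offline hash manifest.

Added example, not code from the original article or from NoSpamProxy.
Backup names, contents, timestamps and the manifest are constructed; a real
manifest would be written to offline media when each backup is taken.
"""
import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(data):
    """SHA-256 of a backup's bytes, as stored in the offline manifest."""
    return hashlib.sha256(data).hexdigest()


def check_backups(backups, manifest, now, max_age=timedelta(days=1)):
    """Classify backups as clean, tampered or unknown and flag a stale newest clean backup.

    backups:  list of (name, created_at, content_bytes)
    manifest: name -> SHA-256 hex digest recorded offline when the backup was written
    """
    report = {"clean": [], "tampered": [], "unknown": []}
    for name, created_at, content in backups:
        expected = manifest.get(name)
        if expected is None:
            report["unknown"].append(name)      # no offline record: cannot vouch for it
        elif sha256_hex(content) != expected:
            report["tampered"].append(name)     # content changed after it was written
        else:
            report["clean"].append((created_at, name))
    report["clean"].sort(reverse=True)          # newest first
    newest = report["clean"][0][0] if report["clean"] else None
    report["newest_clean"] = newest
    report["stale"] = newest is None or (now - newest) > max_age
    return report


UTC = timezone.utc

# Constructed backup contents; the manifest was "recorded" from these originals.
ORIGINALS = {
    "full-2024-04-30.tar": b"full backup 04-30",
    "full-2024-05-01.tar": b"full backup 05-01",
    "full-2024-05-02.tar": b"full backup 05-02",
}
MANIFEST = {name: sha256_hex(data) for name, data in ORIGINALS.items()}

# What is found on the backup share after the incident (constructed): the newest
# full backup no longer matches its recorded hash, and one file has no manifest entry.
BACKUPS = [
    ("full-2024-04-30.tar", datetime(2024, 4, 30, 2, tzinfo=UTC), ORIGINALS["full-2024-04-30.tar"]),
    ("full-2024-05-01.tar", datetime(2024, 5, 1, 2, tzinfo=UTC), ORIGINALS["full-2024-05-01.tar"]),
    ("full-2024-05-02.tar", datetime(2024, 5, 2, 2, tzinfo=UTC), b"\x00\x00 contents replaced"),
    ("incr-2024-05-03.tar", datetime(2024, 5, 3, 2, tzinfo=UTC), b"no manifest entry"),
]
NOW = datetime(2024, 5, 3, 9, tzinfo=UTC)

if __name__ == "__main__":
    r = check_backups(BACKUPS, MANIFEST, NOW)
    print("clean:   ", [n for _, n in r["clean"]])
    print("tampered:", r["tampered"])
    print("unknown: ", r["unknown"])
    print("newest clean:", r["newest_clean"], "stale:", r["stale"])
```

In the constructed data the most recent full backup has been overwritten, so the newest backup that still matches the manifest is more than a day old and the report marks it as stale. That is exactly the situation the section warns about: a backup set that looks complete on the share but no longer contains a recent copy you can trust.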
4. Document the situation
Gather information on the current situation, what specifically has happened, and how far the course of the attack can be reconstructed at this point:
5. Hire external help for forensic processing
IT forensics and incident response specialists will help you find all relevant data, perform digital forensics and analyze the situation.
This involves reviewing and evaluating network and system logs, log files, photos of screen content, storage media and other digital information. Employees and other witnesses may also be interviewed. This provides an accurate picture of the extent and nature of the attack.
This information is not only important for processing and subsequent recovery, but also for filing any subsequent criminal charges.
What if I am being blackmailed?
As a rule, do not respond to the extortion and do not pay a ransom. It is very uncertain whether this would solve your problem, and it motivates criminals to launch new attacks.
Which cyberattacks are required to be reported?
An attack must be reported if it involves a relevant data breach. In this case, you must report the incident to the competent data protection authority within 72 hours. Also report the incident to the Allianz für Cybersicherheit. Reported incidents are recorded there anonymously and the information is used to warn other companies.
In addition, in particularly high-risk cases, you must also inform the natural persons actually affected, for example employees, customers or newsletter recipients, in an understandable manner about the affected data content, the potential for misuse and the protective measures you have taken.
Operators of critical infrastructures and other companies subject to reporting requirements are subject to different regulations and must report IT security incidents in any case.
After the attack is before the attack
It is not uncommon for companies to fall victim to a cyberattack more than once. Therefore, always view an IT incident as an opportunity to find gaps in your environment and learn from mistakes.
Start by monitoring your IT systems particularly closely after a cyberattack and detecting unusual activity. This will help you prevent renewed attacks.
Prepare for the next attack by paying attention to the information in the next point. As a general rule, standstill is dangerous – continuously develop your environment and your processes.
Cyberattack: Preparing for the worst case scenario
A cyberattack can hit you (again) at any time. It is therefore important that you are always in a position to react quickly and unerringly to such an attack. Good emergency management is the foundation here. Ask yourself the following questions:
Organisational measures
Technical measures
Not yet using NoSpamProxy?
With NoSpamProxy you reliably protect your company against cyber attacks. Request your free trial version now!