How to respond to a cyberattack: 5 steps to take

Author: Stefan Feist, Technical Writer (https://www.linkedin.com/in/stefan-feist-23b257b0/)

It can happen at any time: one click is enough, and the computer is infected, then the network, and then... If a computer freezes, the screen goes black, or a warning appears, something is very wrong. Most likely it is a cyberattack. But what exactly do you have to do once an attack has succeeded and your IT environment is affected, and which legal obligations apply?

Published: 07.07.2023 | Last edited: 16.08.2024

The cases of Heise and Landkreis Anhalt-Bitterfeld show what consequences a single click on a malicious email can have. There is no time to process the initial shock. But not everyone is an expert in IT forensics, and the "regular" employee in particular is quickly overwhelmed in such a situation. This article gives you an overview of the most important measures to take in an IT emergency.

1. Stay calm

As threatening as the situation is, every step from now on must be well thought out (or, better, already thought through in advance; see the section on preparation below). Rash action can make a bad situation worse and can destroy evidence that is needed later. In any case, it makes sense to bring in external IT forensics and incident response specialists (see step 5).

2. Mitigate damage

Perhaps the most important measure first: make sure that nobody logs on to a potentially infected system with a privileged account (administrator rights) while it is still connected to the internal production network or to the Internet. Any credentials used on a compromised machine must be assumed stolen, and a domain administrator logging on to it hands the attacker the keys to the entire domain.

Next, isolate infected machines to stop the malware from spreading: unplug the network cable and disable WLAN connections (for servers you cannot reach physically, block the port on the switch or quarantine the host through your endpoint security tooling). Do not shut down or power off the devices: that destroys volatile evidence such as running processes, open network connections, and keys or malware that exist only in memory, all of which forensic analysts need in order to trace the attack later.

The BSI generally recommends treating infected local systems as fully compromised and rebuilding them from scratch later (reinstalling rather than cleaning). All credentials stored on infected computers, or entered on them after the infection, must also be considered compromised and must be changed. This includes, but is not limited to, passwords saved in web browsers, email clients, RDP/VNC connections, and applications such as PuTTY, FileZilla and WinSCP.

Especially if Active Directory (AD) has been compromised, the BSI recommends treating the entire network as contaminated. It then has to be rebuilt afterwards.

3. Stop running backups

A backup is of little use later if it is contaminated too: a job that runs after the infection copies encrypted or infected files over a clean backup set, and backup servers reachable from the network are themselves a favourite target. Stop scheduled backup jobs now, then check whether you have recent, clean backups. Ideally, keep backups offline or otherwise unreachable from the production network, so that an attacker with domain rights cannot delete or encrypt them.

4. Document the situation

Gather information on the current situation, what exactly has happened so far, and how far the attack can already be reconstructed:

  • Which devices are affected?

  • When did the problems occur?

  • How did the attack manifest itself on the affected devices?

  • Which programs and documents were open?

  • What exactly happened on the devices?

5. Hire external help for forensic processing

IT forensics and incident response specialists help you find all relevant data, perform digital forensics and analyse the situation.

This involves reviewing and evaluating network and system logs, photos of screen contents, storage media and other digital information. Employees and other witnesses may also be interviewed. This provides an accurate picture of the extent and nature of the attack.

This information is important not only for processing the incident and the subsequent recovery, but also for filing criminal charges later.
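To make the notes from step 4 and the evidence handed to the forensic team usable later, including for criminal charges, record who collected what and when, and hash every evidence file so that any later modification is detectable. The following script is an added example, not code from the article or from NoSpamProxy: the evidence files, host name, observations and collector name it uses are constructed in a temporary directory, and the manifest layout is this example's own.

```python
"""Record evidence and observations so they hold up in later forensic analysis.

Added example (not from the NoSpamProxy article). It assumes evidence is collected as
files (screenshots, exported logs, disk images) plus written observations answering the
five questions from step 4. All file contents and names below are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_paths, observations, collector):
    """Return a manifest: who collected what, when, with a SHA-256 per evidence file.

    observations: list of dicts answering the step-4 questions
    (host, first_seen, symptom, open_programs, actions). The collection timestamp is
    recorded in UTC so entries from machines in different time zones can be ordered later.
    """
    collected_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return {
        "collected_at": collected_at,
        "collector": collector,
        "observations": observations,
        "evidence": [
            {"path": os.path.basename(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in evidence_paths
        ],
    }


def verify_manifest(manifest, directory):
    """Re-hash every listed file; return the names that are missing or whose hash changed."""
    flagged = []
    for item in manifest["evidence"]:
        path = os.path.join(directory, item["path"])
        if not os.path.exists(path) or sha256_file(path) != item["sha256"]:
            flagged.append(item["path"])
    return flagged


def demo():
    """Constructed scenario: two evidence files, one of which is altered after collection."""
    with tempfile.TemporaryDirectory() as d:
        screenshot = os.path.join(d, "ws-fin-07-screen.png")
        log_export = os.path.join(d, "ws-fin-07-security.evtx.json")
        with open(screenshot, "wb") as f:
            f.write(b"\x89PNG constructed placeholder bytes")
        with open(log_export, "w") as f:
            f.write('{"event_id": 4624, "user": "da-admin"}\n')

        observations = [{
            "host": "WS-FIN-07",
            "first_seen": "2023-07-07T09:12Z",
            "symptom": "ransom note on desktop, files renamed to .locked",
            "open_programs": ["Outlook", "Excel"],
            "actions": "network cable unplugged at 09:20, device left powered on",
        }]
        manifest = build_manifest([screenshot, log_export], observations, collector="s.feist")
        with open(os.path.join(d, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2)

        flagged_before = verify_manifest(manifest, d)   # nothing changed yet
        with open(log_export, "a") as f:                 # someone "tidies up" the export
            f.write('{"event_id": 4634, "user": "da-admin"}\n')
        flagged_after = verify_manifest(manifest, d)     # the edited export is now flagged
        return flagged_before, flagged_after


if __name__ == "__main__":
    before, after = demo()
    print("flagged right after collection:", before)
    print("flagged after the log export was edited:", after)
```

Store the manifest together with the evidence on write-once media or in a location the affected network cannot reach, and give a copy to the forensic team with the files; the hashes in it let anyone confirm later that what was analysed is what was collected.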

What if I am being blackmailed?

As a rule, do not respond to the extortion and do not pay the ransom. It is far from certain that paying would solve your problem (the decryptor may not work, and data that was stolen may be leaked anyway), and every payment finances and motivates further attacks.

Which cyberattacks are required to be reported?

Attacks must be reported if personal data is affected (a personal data breach in the sense of the GDPR). In that case you must notify the competent data protection authority within 72 hours of becoming aware of the breach. Also report the incident to the BSI's Allianz für Cybersicherheit; these reports are voluntary, are recorded anonymously, and the information is used to warn other companies.

In addition, if the breach is likely to result in a high risk for the persons concerned, you must also inform the affected natural persons, for example employees, customers or newsletter recipients, in plain language about which of their data is affected, what misuse is possible and which protective measures you have taken.

Operators of critical infrastructure (KRITIS) and other companies subject to statutory reporting obligations fall under separate rules and must report IT security incidents to the BSI in any case.

After the attack is before the attack

It is not uncommon for companies to be hit by a cyberattack more than once. Therefore treat every IT incident as an opportunity to find gaps in your environment and learn from mistakes.

Start by monitoring your IT systems particularly closely after an attack and watching for unusual activity, such as logons by privileged accounts, newly created accounts or scheduled tasks, and connections to unknown hosts. This helps you catch a returning attacker early.
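One concrete form of this close monitoring, which also enforces the rule from step 2 that no privileged account may log on to an isolated machine, is to run every successful logon event against the list of isolated hosts. The following Python script is an added example, not code from the article or from NoSpamProxy: the host list, the privileged-account list and the JSON-formatted logon events (modelled on Windows Security event 4624 as a SIEM might export it) are constructed for illustration.

```python
"""Flag privileged logons to hosts that have been isolated during an incident.

Added example (not from the NoSpamProxy article): the host list, account list and
log lines below are constructed for illustration. The log format mimics Windows
Security event 4624 (successful logon) exported as JSON, one event per line.
"""
import json
from dataclasses import dataclass
from datetime import datetime

# Hosts pulled from the network in step 2; nobody with admin rights may log on here.
ISOLATED_HOSTS = {"WS-FIN-07", "SRV-FILE-01"}

# Accounts that carry administrative privileges (assumption for this example).
PRIVILEGED_ACCOUNTS = {"da-admin", "helpdesk-admin", "svc-backup"}

# Logon types as documented for event 4624: 2 interactive, 3 network, 10 remote interactive.
LOGON_TYPE_NAMES = {2: "interactive", 3: "network", 10: "remote interactive (RDP)"}

# Constructed sample export; event 4672 (special privileges assigned) is deliberately
# included because it is not a logon and must be ignored.
SAMPLE_EVENTS = """\
{"ts": "2023-07-07T09:12:03Z", "event_id": 4624, "host": "WS-FIN-07", "user": "jdoe", "logon_type": 2, "src_ip": "127.0.0.1"}
{"ts": "2023-07-07T09:14:51Z", "event_id": 4624, "host": "WS-FIN-07", "user": "da-admin", "logon_type": 10, "src_ip": "10.0.5.23"}
{"ts": "2023-07-07T09:15:10Z", "event_id": 4672, "host": "SRV-FILE-01", "user": "da-admin", "logon_type": 3, "src_ip": "10.0.5.23"}
{"ts": "2023-07-07T09:20:00Z", "event_id": 4624, "host": "SRV-APP-02", "user": "svc-backup", "logon_type": 3, "src_ip": "10.0.9.4"}
{"ts": "2023-07-07T09:21:44Z", "event_id": 4624, "host": "SRV-FILE-01", "user": "helpdesk-admin", "logon_type": 3, "src_ip": "10.0.5.23"}
{"ts": "2023-07-07T09:25:30Z", "event_id": 4624, "host": "WS-FIN-07", "user": "jdoe", "logon_type": 3, "src_ip": "10.0.7.77"}
"""


@dataclass(frozen=True)
class Finding:
    ts: datetime
    host: str
    user: str
    logon_type: str
    src_ip: str
    reason: str


def parse_events(text):
    """Yield one dict per non-empty line; lines that are not valid JSON are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_privileged_logons(text, isolated_hosts=ISOLATED_HOSTS, privileged=PRIVILEGED_ACCOUNTS):
    """Return Findings for successful (4624) logons on isolated hosts.

    A finding is raised when a privileged account logged on, and also when the host
    accepted any network or RDP logon at all, since a quarantined machine should have
    no inbound sessions whatsoever.
    """
    findings = []
    for ev in parse_events(text):
        if ev.get("event_id") != 4624 or ev.get("host") not in isolated_hosts:
            continue
        logon_type = ev.get("logon_type")
        type_name = LOGON_TYPE_NAMES.get(logon_type, f"type {logon_type}")
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        if ev.get("user") in privileged:
            reason = "privileged account logged on to an isolated host"
        elif logon_type in (3, 10):
            reason = "isolated host still accepts remote logons"
        else:
            continue
        findings.append(Finding(ts, ev["host"], ev["user"], type_name, ev.get("src_ip", "?"), reason))
    return findings


def pivot_sources(findings):
    """Group findings by source IP; one source reaching several isolated hosts suggests lateral movement."""
    by_src = {}
    for f in findings:
        by_src.setdefault(f.src_ip, set()).add(f.host)
    return {ip: sorted(hosts) for ip, hosts in by_src.items() if len(hosts) > 1}


if __name__ == "__main__":
    hits = find_privileged_logons(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.ts:%H:%M:%S} {f.host:<12} {f.user:<15} {f.logon_type:<24} from {f.src_ip}: {f.reason}")
    print("sources touching more than one isolated host:", pivot_sources(hits))
```

In practice the event stream comes from the SIEM mentioned in the checklist below, and the isolated-host list is maintained by the incident team; the second rule (any remote logon on a quarantined host) is the more telling one, because it shows that the isolation itself has failed.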

Prepare for the next attack using the checklist in the next section. As a general rule, standing still is dangerous: keep developing your environment and your processes.

Cyberattack: Preparing for the worst case scenario

A cyberattack can hit you (again) at any time. It is therefore important that you are always in a position to react quickly and confidently. Good emergency management is the foundation here. Ask yourself the following questions:

Organisational measures

Responsibilities & Processes

Have the responsibilities and processes been clarified?

Escalation Lists

Are escalation lists available in which internal and external contact persons are defined?

Communications Strategy

Does a communications strategy exist that is coordinated with corporate communications? Transparency and an open error culture are necessary to respond to incidents promptly and effectively, and to protect the corporate image.

Practice the Emergency Case

Practise the emergency case regularly: routine is the best way to stay calm when it happens for real.

Technical measures

NoSpamProxy

Use NoSpamProxy to block emails with malicious content before they reach users' mailboxes.

Antivirus Programs

Use antivirus programs with the latest signature updates.

Firewall Configuration

Configure your firewall restrictively: deny by default and allow only the connections that are actually needed.

Intrusion Detection and Prevention Systems

Use intrusion detection and prevention systems.

SIEM Data Collection

Collect logs centrally in a SIEM (Security Information and Event Management) system, so that they survive the compromise of individual hosts and can be correlated.

Security Assessments

Have external service providers perform security assessments on a regular basis.

Patches and Updates

Install patches and security updates in a timely manner.

MFA

Set up multi-factor authentication (MFA), especially for administrative and remote access.

Microsoft 365 Security

Leverage products like Microsoft Defender, Microsoft Sentinel, Microsoft Intune or Windows Hello for Business for optimal Microsoft 365 Security.

Not yet using NoSpamProxy?

With NoSpamProxy you reliably protect your company against email-borne cyberattacks. Request your free trial version now!

© 2025 Net at Work GmbH