Reality shows that it is no longer sufficient to implement only preventive IT security measures. An attack is only a matter of time.
Ad-hoc measures are necessary once a successful attack has taken place. The measures must be individually adapted to the company and the type of attack. We give you an overview of the most important procedural rules:
Be aware of the reporting obligations towards cyber insurers and authorities
If you have a cyber policy, report the attack to your insurer immediately; they will tell you how to proceed. In addition, check whether the attack is subject to mandatory reporting to the authorities.
Change your systems with caution
A system restart can destroy volatile evidence (memory contents, active connections) and complicate the investigation of the causes. Systems should only be shut down after consultation with an expert.
Evaluate and analyze the incident
First evaluate the incident to rule out a technical defect. Once a hacker attack has been confirmed, the following must be clarified: Where did the attacker come from? How did they get into the systems? Which systems are affected by the attack? Has any data been stolen and, if so, to what extent?
Document the incident and your procedures
Record exactly what happened when, what actions you took and who had access to the evidence. Make sure to keep a record of who made changes to the compromised systems from the point in time when the attack occurred. This information is important for the investigation of the incident.
Capture the evidence
Secure all evidence of the attack. This includes system logs, log files, storage media, notes and any photos of on-screen content. If you have cyber insurance, check its requirements for securing evidence.
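The two rules above (document who handled what, and secure the evidence) come down to a chain-of-custody record backed by cryptographic hashes. The following script is an added example, not part of the original guide: it hashes each piece of evidence when it is secured, appends a timestamped custody entry (handler, action, hash) to a JSON-lines log, and later verifies that the file still matches the hash taken at the time it was secured. The file names, handler names and the sample log line are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large disk images do not have to fit in memory


def sha256_file(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody(custody_log, evidence_path, handler, action, note=""):
    """Append one chain-of-custody entry (who, when, what, hash) as a JSON line."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(evidence_path),
        "sha256": sha256_file(evidence_path),
        "handler": handler,
        "action": action,
        "note": note,
    }
    with open(custody_log, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def read_custody(custody_log):
    """All custody entries in the order they were written."""
    with open(custody_log, encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def verify_evidence(custody_log, evidence_path):
    """True if the file still matches the hash recorded when it was first secured."""
    name = os.path.basename(evidence_path)
    entries = [e for e in read_custody(custody_log) if e["evidence"] == name]
    if not entries:
        return False  # never secured: no baseline to compare against
    return sha256_file(evidence_path) == entries[0]["sha256"]


def demo():
    """Constructed walk-through: secure a log file, hand it over, then detect tampering."""
    workdir = tempfile.mkdtemp(prefix="ir-evidence-")
    evidence = os.path.join(workdir, "proxy-access.log")  # constructed evidence file
    custody = os.path.join(workdir, "custody.jsonl")
    with open(evidence, "w", encoding="utf-8") as f:
        f.write("2024-05-01T10:14:02Z 10.0.0.17 CONNECT 203.0.113.5:443\n")  # constructed line
    record_custody(custody, evidence, "ir-analyst-1", "secured", "copied from proxy host")
    record_custody(custody, evidence, "ir-analyst-2", "received", "handover for analysis")
    intact_before = verify_evidence(custody, evidence)
    with open(evidence, "a", encoding="utf-8") as f:
        f.write("tampered\n")  # simulate a later, undocumented modification
    intact_after = verify_evidence(custody, evidence)
    return intact_before, intact_after, len(read_custody(custody))


if __name__ == "__main__":
    print("intact before / after tampering, custody entries:", demo())
```

The custody log itself should live on write-once or separately protected storage; entries are keyed by file name here, so evidence files with identical names need distinct directories or a stronger identifier.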
Contain the damage
Try to contain the damage as quickly as possible. Check whether it is necessary to terminate all unauthorized access and connections to the affected systems. In individual cases it may make sense to leave everything unchanged in order to learn more about the attack method and possible entry points.
Monitor the attacker
Make sure that your company network is equipped with network monitoring. This way you can detect the attacker and trace their trail. If this is not possible, you should at least log the data flows. Ensure that your proxy logs all internet traffic.
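As an added example of how proxy logs support tracing the attacker (not part of the original guide), the script below parses a handful of constructed Squid-style proxy log lines and answers three questions an incident responder asks: which internal clients contacted a known attacker host and when, which client/host pairs show regular-interval check-ins typical of command-and-control beaconing, and which single requests pushed an unusually large amount of data out. The log layout, IP addresses, hostnames and thresholds are all constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed proxy log lines, simplified Squid-style layout:
# <unix time> <client ip> <method> <url> <bytes sent by client> <http status>
SAMPLE_LOG = """\
1714558442.000 10.0.0.17 GET http://203.0.113.5/update.php 412 200
1714558502.000 10.0.0.17 GET http://203.0.113.5/update.php 410 200
1714558562.000 10.0.0.17 GET http://203.0.113.5/update.php 415 200
1714558622.000 10.0.0.17 GET http://203.0.113.5/update.php 409 200
1714558500.000 10.0.0.23 GET http://www.example.com/index.html 300 200
1714558700.000 10.0.0.23 POST https://files.example.org/upload 52428800 200
1714558900.000 10.0.0.41 GET http://203.0.113.5/update.php 400 200
1714559100.000 10.0.0.23 GET http://www.example.com/news 280 200
"""


def parse_proxy_log(text):
    """Turn raw proxy log lines into records; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, method, url, sent, status = parts
        records.append({
            "time": datetime.fromtimestamp(float(ts), tz=timezone.utc),
            "client": client,
            "method": method,
            "host": urlsplit(url).hostname or url,
            "bytes_out": int(sent),
            "status": int(status),
        })
    return records


def trace_contacts(records, indicator_host):
    """Trail of the attacker: which internal clients talked to the known bad host, and when."""
    trail = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        if r["host"] == indicator_host:
            trail[r["client"]].append(r["time"].isoformat())
    return dict(trail)


def find_beacons(records, min_hits=4, max_jitter=0.1):
    """Flag client/host pairs contacted at a near-constant interval (typical C2 check-in)."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["host"])].append(r["time"].timestamp())
    beacons = []
    for (client, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # coefficient of variation of the gaps: small means the timing is machine-regular
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons.append((client, host, round(mean, 1)))
    return beacons


def find_large_uploads(records, threshold=10 * 1024 * 1024):
    """Flag single requests that pushed at least `threshold` bytes out of the network."""
    return [(r["client"], r["host"], r["bytes_out"])
            for r in records if r["bytes_out"] >= threshold]


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_LOG)
    print("trail of 203.0.113.5:", trace_contacts(recs, "203.0.113.5"))
    print("beaconing pairs:", find_beacons(recs))
    print("large uploads:", find_large_uploads(recs))
```

On the constructed input, 10.0.0.17 checks in with the indicator host every 60 seconds and 10.0.0.41 contacted it once, which is exactly the "which systems are affected" question from the evaluation step; the 50 MiB POST from 10.0.0.23 is the kind of flow that has to be checked for possible data theft. Real proxy logs need the field layout adjusted and the thresholds tuned to the environment's normal traffic.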
Coordinate internal and external communication
Inform all relevant departments about the incident and the further procedure on a need-to-know basis, ideally via short reporting channels. In major incidents, management should be involved so that the resources needed to return to normal operations can be released. Check whether you also need to inform external stakeholders and the public.
Maintain an inventory of your IT assets
Having a comprehensive list of your IT assets (system landscapes or applications) is essential for evaluating and checking the potential damage and the countermeasures deployed. If you have not created the asset list beforehand, you should do so during the attack.
Increase security measures
Be well prepared against further attacks: implement two-factor authentication for all IT systems that are accessible from the internet. Restrict internet access through proxy servers and keep your network monitoring in place. Review the access rights and authentication methods of the affected user accounts. In addition, a penetration test (pentest for short) can be conducted.