10 Tips for Properly Handling Hacker Attacks

24. September 2020

Reality shows that implementing only preventive IT security measures is no longer sufficient. A successful attack is only a matter of time.

Ad-hoc measures are necessary once a successful attack has taken place. The measures must be individually adapted to the company and the type of attack. We give you an overview of the most important procedural rules:

Be aware of the reporting obligations towards cyber insurers and authorities

Report an attack immediately to your cyber insurance company if you have a cyber policy; the insurer will inform you about the further procedure. In addition, verify whether the attack is subject to mandatory reporting.

Change your systems with caution

A system restart can complicate the investigation of the causes. Systems should only be shut down after consultation with an expert.

Evaluate and analyze the incident

First evaluate the incident to make sure it is not simply a technical defect. Once a hacker attack has been confirmed, the following must be clarified: Where did the attacker come from? How did the attacker penetrate the systems? Which systems are affected by the attack? Has any data been stolen and, if so, to what extent?

Document the incident and your procedures

Record exactly what happened when, what actions you took and who had access to the evidence. Make sure to keep a record of who made changes to the compromised systems from the point in time when the attack occurred. This information is important for the investigation of the incident.

Capture the evidence

Secure all evidence of the attack. This includes system records, log files, data media, notes as well as any photos of on-screen content. If you have a cyber insurance policy, check its specifications for securing evidence.
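The two tips above (documenting who handled what, and securing evidence) can be supported with a simple chain-of-custody log. The following is an added example, not code from the original article or from usd: it hashes each piece of evidence when it is collected, appends a timestamped custody entry (handler, action, note) to a JSON Lines file, and later verifies that the evidence still matches the hash recorded at collection time. File names, the handler name and the sample proxy log line are constructed for the demonstration.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large disk images or logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_evidence(log_path, evidence_path, handler, action, note=""):
    """Append one chain-of-custody entry (JSON Lines) including the evidence hash."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(evidence_path),
        "sha256": sha256_file(evidence_path),
        "handler": handler, "action": action, "note": note,
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify_evidence(log_path, evidence_path):
    """Return (ok, recorded_hash, current_hash); ok is True only if the file still
    matches the hash written when it was first recorded in the custody log."""
    name = os.path.basename(evidence_path)
    with open(log_path) as f:
        entries = [json.loads(line) for line in f if line.strip()]
    first = next((e for e in entries if e["evidence"] == name), None)
    current = sha256_file(evidence_path)
    if first is None:
        return (False, None, current)
    return (current == first["sha256"], first["sha256"], current)

def demo():
    """Constructed sample: a copied proxy log is recorded, then modified without a log entry."""
    d = tempfile.mkdtemp()
    log = os.path.join(d, "custody.jsonl")          # hypothetical custody log
    ev = os.path.join(d, "proxy-access.log")        # hypothetical evidence file
    with open(ev, "w") as f:
        f.write("2020-09-24T10:15:02Z 10.0.0.17 CONNECT example.invalid:443\n")
    record_evidence(log, ev, "j.doe (IT operations)", "collected", "copied from proxy host")
    ok_before = verify_evidence(log, ev)[0]
    with open(ev, "a") as f:                        # simulate an undocumented change
        f.write("edited line\n")
    ok_after = verify_evidence(log, ev)[0]
    return ok_before, ok_after
```

Running `demo()` returns `(True, False)`: the evidence verifies right after collection and fails once it has been altered without a custody entry, which is exactly the discrepancy an investigator or insurer would ask about.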

Respond quickly

Try to contain the damage as quickly as possible. Check whether it is necessary to terminate all unauthorized access and connections to the affected systems. In individual cases, it may make sense to leave everything unchanged in order to learn more about the attack method and possible entry points.

Monitor the attacker

Make sure that your company network is equipped with network monitoring. This way you can detect the attacker and trace their activity. If this is not possible, you should at least log the data flows. Ensure that your proxy logs the internet traffic.

Coordinate internal and external communication

Inform all relevant departments according to the need-to-know principle about the incident and the further procedure, ideally via short reporting channels. In case of major incidents, management should be involved in order to release necessary resources to return to normal operations. Check whether you need to inform external stakeholders and the public as well.

Maintain an inventory of your IT assets

Having a comprehensive list of your IT assets (system landscapes or applications) is essential for evaluating and checking the potential damage and the countermeasures deployed. If you have not created the asset list before, you should do so during the attack.

Increase security measures

Be well prepared against further attacks: Implement two-factor authentication for all IT systems that are accessible from the internet. Restrict internet access through proxy servers and keep your network monitoring in place. Review the access rights and authentication methods of the affected user accounts. In addition, a penetration test, pentest for short, can be conducted.

Would you like to prepare your company for the worst case scenario? Learn more here or contact us. We will be happy to help you.
