HACKED?
Help, we're stuck!
A cyber emergency has occurred. What should I do now?
Here are our recommended actions and contacts for emergencies.
Stay calm and follow our tips!
1. Don't panic
If you have reason to suspect that unauthorized third parties have taken over a PC or server in your organization, stay calm and act deliberately; that is the best way to bring the situation under control. Don't rush into anything, and share your suspicion only with the few people who need to know. At the same time, seek professional help as quickly as possible, because every minute counts when it comes to containing the damage. Even an unconfirmed suspicion of a breach requires IT forensics expertise to establish the facts of the case.
2. Leave the hardware switched on
Switching off individual systems, especially ones that are normally always on, only alerts the attackers unnecessarily and destroys evidence: the contents of RAM, the list of running processes and the active network connections are lost the moment the power goes. If possible, stop using the affected computer system and act as if nothing has happened. There are only a few cases, such as an ongoing encryption by ransomware, where switching off the hardware immediately is the best solution.
3. Keep the network active – or not
Unplugging the network cable does not help either, because this measure can also alert the attackers, who may then quickly start "cleaning up" their traces on other computer systems they control. However, if you are very sure that the attack on your IT system has only just taken place and that the attackers are manipulating data for the first time right now, it is advisable to disconnect the compromised device from the network immediately. In the case of cryptotrojans we recommend disconnecting the affected systems from the network to stop them from spreading further (see also WannaCry or Petya). Whether the network connection and/or the hardware should be switched off must be decided case by case. The most effective way to disable a network connection is to unplug the cable or switch off the Wi-Fi; disabling the adapter in software is less reliable, since an attacker with administrative rights on the machine can simply re-enable it.
4. Documenting and photographing
Note any conspicuous behavior of the operating system, any messages on the screen and other observations on paper, with the time recorded to the second. Use the clock on your smartphone as the reference time; the clock on the computer could have been manipulated. Do not take screenshots on the computer system you suspect is compromised: doing so overwrites the clipboard and writes to areas of the hard disk that may still hold evidence. Photograph the screen with an external camera instead; a photo taken with a cell phone camera is also very helpful here.
5. Secure the backups and all logs
Make sure that you have a working data backup and protect it at all costs! Check that at least one copy is offline or otherwise immutable, so that an attacker who reaches the backup server cannot encrypt or delete it as well. Prevent the scheduled overwriting of older backups and check whether you can switch from incremental or differential backups to full backups for the duration of the crisis and back up all data without exception. You should also immediately activate all logging options for operating systems, applications and network hardware and prevent existing logs (especially the Windows Security event log) from being overwritten. If you use a SIEM, protect the data collected in it from manipulation and sabotage. Logs and log files are very valuable tools for investigating cyberattacks and illegal access; attackers know this and will try to destroy this evidence. Be sure to inform your organization's data protection officer about the extended logging of personal data. We provide our customers with a practical checklist to ensure that no logging is forgotten.
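The following script is an added example for the logging part of this step; it is not from Medialine's checklist or from the original page. It exports the Windows event logs that exist right now and records SHA-256 hashes of the exports, sets the Security, System and Application logs to archive rather than overwrite when full, enlarges them, and enables the audit categories investigators ask for most often. It must be run in an elevated Windows PowerShell session; the evidence directory C:\Evidence is an assumption, as is the log list (the Sysmon channel only exists where Sysmon is installed).

```powershell
# Added example, not the page's or Medialine's own code. Run elevated on Windows.
# C:\Evidence is an assumed location; copy its contents to write-once media afterwards.
$EvidenceDir = 'C:\Evidence'
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Export the logs that exist right now, before any setting is changed,
#    and hash each export so that later tampering can be detected.
$Logs = 'Security', 'System', 'Application',
        'Microsoft-Windows-PowerShell/Operational',
        'Microsoft-Windows-Sysmon/Operational'   # assumption: only present if Sysmon is installed
foreach ($Log in $Logs) {
    $File = Join-Path $EvidenceDir ("{0}-{1}.evtx" -f ($Log -replace '[/\\]', '_'), $Stamp)
    wevtutil epl $Log $File 2>$null
    if (Test-Path $File) {
        Get-FileHash -Algorithm SHA256 $File |
            Select-Object Hash, Path |
            Out-File -Append (Join-Path $EvidenceDir 'hashes.txt')
    }
}

# 2. Stop the logs from overwriting themselves: /rt:true keeps old events instead of
#    overwriting them, /ab:true archives the log to a new file when it is full,
#    /ms raises the size cap (1 GiB for Security, 256 MiB for the others).
wevtutil sl Security    /ms:1073741824 /rt:true /ab:true
wevtutil sl System      /ms:268435456  /rt:true /ab:true
wevtutil sl Application /ms:268435456  /rt:true /ab:true

# 3. Turn on the audit subcategories that an investigation needs most.
auditpol /set /subcategory:"Process Creation"          /success:enable /failure:enable
auditpol /set /subcategory:"Logon"                     /success:enable /failure:enable
auditpol /set /subcategory:"Logoff"                    /success:enable
auditpol /set /subcategory:"Special Logon"             /success:enable
auditpol /set /subcategory:"Account Lockout"           /success:enable /failure:enable
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable

# Include the full command line in event 4688 (Process Creation).
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" `
    /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
# Record PowerShell script blocks (event 4104 in the PowerShell/Operational log).
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" `
    /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f

# 4. Confirm that the new settings took effect.
wevtutil gl Security | Select-String 'maxSize|retention|autoBackup'
auditpol /get /subcategory:"Process Creation"
```

Two caveats. Steps 2 and 4 above advise against working on the machine you suspect is compromised; apply this script to the rest of the fleet (or roll the same settings out centrally through Group Policy) and collect the suspect host's logs through your log forwarding or SIEM, or with wevtutil's remote export, rather than by typing on it. On a domain-joined machine, a Group Policy refresh can silently revert the wevtutil and auditpol settings, so set them in the policy as well, and treat the hashes.txt file as proof of integrity only once it has been copied somewhere the attacker cannot reach.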
6. Communication over secure channels
Assume that the attackers may also have taken control of your mail servers and are reading all of the company's e-mails. It is best to use (private) cell phones or to meet your contacts in person. Even encrypted e-mails (whether S/MIME or PGP) will not help you on a PC that is under someone else's control, because Trojans can record keystrokes ("keyloggers") or automatically take screenshots of the message in plain text.
7. Communication within the company
A successful cyber attack in which you lose control over your own client and server operating systems is a serious data protection and economic threat to the company. Keep the circle of people in the know as small as possible until the incident has been fully resolved. The attacker does not always come from outside: a substantial share of data thefts are committed by an organization's own employees (insiders)! Consider informing the following people and parties about the incident, either right at the start or later on:
- The responsible head of the IT department or the company's Chief Information Officer (“CIO”)
- The appointed data protection officer of the organization
- The company management in the form of the managing director or board of directors
- The chairman of the supervisory board
- The legal department or external law firm
- The works council, staff council or corresponding employee representation
- The press officer or external PR agency
This list is only a guide and depends on the structure of the company; it is certainly not complete. Depending on the applicable stock exchange regulations, the loss or theft of data may also require a mandatory announcement if the affected company is listed. Under Art. 33 GDPR, a personal data breach must in addition be reported to the competent supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the persons affected; your data protection officer knows the details. Don't forget to involve the works council and the data protection officer! Otherwise, the securing and evaluation of data on employees' computers could be delayed or prevented.
8. The police specialists
At this point, if not before, the company management should decide whether to involve law enforcement authorities.
- Federal Criminal Police Office - Bundeskriminalamt: +49 611 55-15037 E-Mail: zac@cyber.bka.de
- Cybercrime divisions of State Police: https://www.polizei.de/Polizei/DE/Einrichtungen/ZAC/zac_node.html
- Baden-Württemberg: +49 711 5401-2444 E-Mail: cybercrime(at)polizei.bwl.de
- Europol EC3: +31 70 302 5000
9. Cyber security from the outset with Medialine
In individual cases, commercial customers may want additional or even exclusive support from us, sometimes even without reporting the incident to the police.
And are you sure what the consequences of reporting it would be?
We are happy to help such commercial customers in the event of an “I've been hacked” incident and ask for your understanding that we are generally unable to do so for private users.
Our assistance is subject to a few formalities and a written engagement. The current hourly rate for an "I've been hacked" consulting engagement is €250 plus travel expenses and costs, plus statutory VAT, in accordance with our currently valid terms and conditions.
Do you have any requests, questions or suggestions?
Talk to us. We are here for you. ISO 27001 certified.
Contact form
Do you have questions about cybersecurity or do you want to be prepared for an emergency? Please feel free to contact us using the contact form – we will be happy to advise you!
Support
Medialine Security GmbH
Weissacher Straße 11
70499 Stuttgart
Tel.: +49 711 88770-556
E-Mail: support.sec@medialine.com
Our support is staffed around the clock and we will get back to you as soon as possible.
Please include your contact details and an initial description of the incident in your request to enable us to respond as quickly as possible.