
I have an incident – technical checklist

The checklist is split into organisational and technical aspects, some of which can be processed in parallel. It is structured in the form of guidelines and guiding questions. Individual steps should be repeated in cycles, if necessary.

Framework conditions

  1. This 'technical' checklist for dealing with IT emergencies cannot replace safeguards or appropriate emergency management.
  2. As the checklist is designed for widespread use in different IT emergencies covering very heterogeneous environments, a large number of the points can only be covered in generic terms.
  3. The checklist is aimed primarily at small and medium-sized enterprises that have not yet had the opportunity to prepare for an IT emergency thoroughly and serves as a tool for dealing with an emergency in a structured manner. However, individual aspects can be applied across the board.

The document 'Ransomware: Erste Hilfe bei einem schweren IT-Sicherheitsvorfall Version 1.2' [First aid in the event of a serious IT security incident] describes the following aspects in more detail. In some cases, specific command line commands and/or command line parameters are recommended.

Technical checklist

Do not log in with privileged user accounts on a potentially infected system.

  1. Do user accounts with unnecessary privileged rights exist?
  2. Are there indications that these privileged rights have been set up by unauthorised persons/attackers -- possibly in the recent past?

Make sure you are using complete and up-to-date information about your network.

  1. Identify the affected system(s). Think beyond the obvious. Consider that other systems may also be affected and waiting for commands from the attacker.
  2. Disconnect affected systems from the internal productive network and the Internet.

    • To do this, pull the network cable.
    • Do not shut down or switch off the device if a technical analysis is intended.
    • If necessary, create a forensic backup including a storage image (yourself, through service providers or law enforcement agencies) if a criminal prosecution is to be initiated. Additional information is available in the 'Leitfaden IT-Forensik' [IT Forensics Guide].
    • Only run AV programs after that, as they could make changes to both the volatile and persistent memory.
  3. Always regard infected local systems as completely compromised. A selective clean-up is only likely to succeed if it is conducted with comprehensive expertise. As a rule, plan a complete reinstallation.
  4. Regard all access data stored on affected systems or entered after the infection as compromised as well.
  5. If the Active Directory (AD) has been compromised, regard the entire network as compromised.

If sufficient network monitoring and logging has not yet been activated, consult your Data Protection Officer (and the personnel/supervisory board, if necessary) and set one up in order to be able to detect ongoing attacks or data outflows.

  1. Full packet capturing in the network, which is also recommended by the BSI, is considered best practice.

    • The communication of the infected, internal systems with each other or the local command and control server can be detected at the mirror port on internal, central network interface elements.
    • The external C&C servers can be detected if necessary at the transition between LAN and WAN.
    • In many cases, attacks are first detected by external parties as irregularities and reported to those affected. To be able to trace such a report, there must be logging at the firewall.
  2. Set up dedicated log servers. Ideally, these are operated outside the productive/office network via an interface in 'promiscuous' mode. Note that attackers can usually take their own defensive measures to prevent logging or make it more difficult. In individual cases, unprotected log data can be manipulated by the attacker.
  3. Block any identified attacker access now.
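The points above note that C&C traffic can be detected at the LAN/WAN transition and that firewall logging is needed to trace it. As an added example (not part of the BSI checklist), the following script parses constructed firewall log lines in an assumed format and flags internal hosts that contact the same external address at near-constant intervals, the check-in pattern typical of C&C beacons:

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample firewall log lines in an assumed format (not real data):
# 10.0.0.5 contacts 203.0.113.7 every 60 s, 10.0.0.8 browses irregularly.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ALLOW 10.0.0.5:51234 -> 203.0.113.7:443
2024-05-01T10:00:20 ALLOW 10.0.0.8:50001 -> 198.51.100.20:443
2024-05-01T10:01:00 ALLOW 10.0.0.5:51235 -> 203.0.113.7:443
2024-05-01T10:01:45 ALLOW 10.0.0.8:50002 -> 198.51.100.21:80
2024-05-01T10:02:00 ALLOW 10.0.0.5:51236 -> 203.0.113.7:443
2024-05-01T10:02:05 ALLOW 10.0.0.8:50003 -> 198.51.100.20:443
2024-05-01T10:03:00 ALLOW 10.0.0.5:51237 -> 203.0.113.7:443
2024-05-01T10:03:50 ALLOW 10.0.0.8:50004 -> 198.51.100.22:443
2024-05-01T10:04:00 ALLOW 10.0.0.5:51238 -> 203.0.113.7:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_log(text):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))

def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Return {(src, dst, dport): mean_interval_s} for pairs whose connections
    recur at near-constant intervals (coefficient of variation <= max_jitter)."""
    times = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        times[(src, dst, dport)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons
```

Calling `find_beacons(SAMPLE_LOG)` on the constructed lines reports only 10.0.0.5 -> 203.0.113.7:443 with a 60 s interval; tune `min_hits` and `max_jitter` to the noise level of your own logs.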

Check whether you have up-to-date, clean backups with integrity. Ideally, you should keep them offline. Online backups may have been accidentally or deliberately compromised.

Important data may also be stored at remote offices or on the systems of employees on leave.


The document mentioned above, 'Ransomware: Erste Hilfe bei einem schweren IT-Sicherheitsvorfall Version 1.2' [First aid in the event of a serious IT security incident], focuses on APT attacks and ransomware incidents.

Additional information

Additional information about DDoS is available at: