If you've been hacked, you should start mitigation and documentation immediately. In this article we guide you step by step through handling a hacking incident.
(Last update: 24.04.2024)
Malware and attacker activity are not always recognized immediately by endpoint protection or antivirus software, because the techniques are new or obfuscated. You therefore need a combination of different measures in order to notice attackers in time:
It is also important that your users report any abnormalities promptly.
Through IT security consulting you can get expert advice before an incident occurs, or have a vulnerability analysis of your systems carried out.
If you've been hacked, you can prevent further damage by doing the following:
There are a number of official emergency numbers for victims of cybercrime in Germany. You can view the list here - and it's best to write down the numbers relevant to you BEFORE an incident: Emergency numbers cyber attack
As soon as you discover a hacking attack on your company, start the documentation immediately: write down, with timestamps, exactly which steps you take to handle the attack and which information you collect. This documentation is not only helpful for later reviews of this incident; it also serves as evidence in possible subsequent legal proceedings.
The first containment step is to stop any data exfiltration and cut off the attacker's access to your systems. The obvious measure is to disconnect infected devices from the internal network and the internet. The following sections explain which alternatives exist and what advantages and disadvantages each variant has.
The first-response tasks differ depending on the variant you select. Ideally you have a checklist that makes the decision easy and lays out all further steps. Without one, staff may end up working at cross purposes or without clear direction instead of protecting the company.
With the first variant, all infected devices remain switched on and connected to the Internet, but they are cleanly separated from the rest of your company's network. The decisive advantage of this variant relates to the forensic analysis of the attack: Extensive information about the attacker can be obtained from the information about which IP addresses and domains were accessed and which processes were executed.
A suspected compromise usually does not come with detailed information about the attack. If the connection is maintained, valuable data can be gathered to answer the following questions: who are the attackers and how did they proceed? How long have they been in the network? Which other systems have already been compromised?
The more information you collect, the more effectively you can make sure that the attacker has really been removed from the network.
From a forensic point of view, this variant enables the greatest possible preservation of evidence. However, the prerequisite is that you or your IT partner have the necessary expertise to cleanly separate the affected machines from the rest of the network when there is an existing Internet connection.
With Azure (Microsoft Entra ID), acting quickly can stop the flow of data. By tightening the Conditional Access policies, enforcing MFA for all employees and revoking sign-in sessions (which invalidates the refresh tokens, so the attacker has to authenticate again), you can most likely cut off the attacker's access. After this reaction, a thorough evaluation of the sign-in and audit logs is required to ensure that the attacker has not changed settings elsewhere to regain access in other ways, for example by registering additional MFA methods, creating app registrations or consent grants, or adding mailbox forwarding rules.
If you do not have the necessary expertise to safely carry out the first variant, the second variant is the right one for you.
In this case, you must immediately take infected devices off the network. Otherwise the attacker keeps access to the systems for longer, and greater data leakage or further spread becomes possible.
Once the affected devices are disconnected, malware and attackers can neither spread to other IT devices in the network nor contact command-and-control servers on the internet. Common malware such as ransomware (encryption Trojans) can no longer transmit its encryption key to the extortionist once the connection is cut; as long as the key has not left the machine, it may still be recoverable from memory, which is one more reason to capture a memory image before powering the device off.
For later forensic analysis, create an image of the infected system's storage and of its main memory (RAM). Capture the memory first, while the machine is still running: isolate it from the network (pull the cable, disable Wi-Fi) rather than shutting it down, because a shutdown destroys volatile evidence such as running processes, network connections and keys. Record a cryptographic hash of each image as soon as it is taken. This way you can later access critical information about the malware or the attackers' activities that is located in log files or in memory.
As the IT manager or responsible person in your company, you have to decide which variant is the right one for you and classify your specialist knowledge correctly. It is important that you act decisively and quickly.
If the hacked systems serve as an exit or entry point to or for other companies and their networks, you must notify them. On the one hand, you can counteract any possible spread in their network and, on the other hand, you can start an incident response if the origin of the compromise lies in another network.
You should carefully check and monitor devices that are essential to the company. Limit their communication with the rest of the network to the absolute minimum or, if necessary, turn them off completely until a clean network can be established without compromise. In this way, you reduce potential consequential damage caused by an undetected infected or hacked device.
Especially if you suspect a long-term compromise, you have to consider restoring from a backup old enough to predate the compromise, or even a complete rebuild. Inform potentially affected customers quickly to prevent damage to them and reputational damage to you.
The next step is to check and change computer, service and user accounts. This will prevent accounts that have already been hacked from being used for further attacks.
Analyze newly created accounts without fail. Deactivate accounts suspected of being compromised, as well as legacy accounts that are no longer needed, and revoke their permissions. Change the credentials of all remaining accounts (including service accounts and any API keys, tokens or certificates tied to them) and thoroughly review their permissions. This minimizes the risk posed by over-privileged accounts.
Where appropriate, include not only corporate services in these changes and reviews, but also private services (e.g. social media or trading platforms) that are used with the same credentials.
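The Azure section above calls for an evaluation of the logs after access has been revoked, and this section calls for analyzing newly created and legacy accounts. The following added example (not code from the original article) does both over a few constructed audit events: it flags activities inside the incident window that create accounts, assign roles, change Conditional Access policies, register new MFA methods or grant app consent, and it lists accounts that have never signed in or have been idle for more than 90 days. The event field names and activity strings are assumptions loosely modelled on the Microsoft Entra ID audit log; map them to whatever your own export uses.

```python
"""Triage of directory audit events after a suspected compromise.

Added example, not from the original article. The events and sign-in data
below are constructed; field names and activity strings are assumptions
modelled loosely on the Entra ID audit log.
"""
from datetime import datetime, timezone

# Activities an attacker uses to persist or widen access (assumed names).
PERSISTENCE_ACTIVITIES = {
    "Add user": "new account",
    "Add member to role": "privilege change",
    "Update conditional access policy": "Conditional Access change",
    "Delete conditional access policy": "Conditional Access change",
    "Consent to application": "app consent grant",
    "User registered security info": "new MFA method",
    "Add service principal": "new service principal",
}

# Constructed sample audit events (UTC timestamps).
SAMPLE_EVENTS = [
    {"time": "2024-04-10T08:02:00Z", "activity": "Add user",
     "actor": "it-admin@example.com", "target": "j.mueller@example.com"},
    {"time": "2024-04-21T23:41:00Z", "activity": "Add user",
     "actor": "m.schmidt@example.com", "target": "svc-backup2@example.com"},
    {"time": "2024-04-21T23:44:00Z", "activity": "Add member to role",
     "actor": "m.schmidt@example.com", "target": "svc-backup2@example.com"},
    {"time": "2024-04-22T00:05:00Z", "activity": "Update conditional access policy",
     "actor": "m.schmidt@example.com", "target": "Require MFA for all users"},
    {"time": "2024-04-22T00:07:00Z", "activity": "User registered security info",
     "actor": "m.schmidt@example.com", "target": "m.schmidt@example.com"},
    {"time": "2024-04-23T09:15:00Z", "activity": "Update user",
     "actor": "it-admin@example.com", "target": "a.weber@example.com"},
]

# Constructed last-sign-in data for the legacy-account check (None = never).
SAMPLE_LAST_SIGN_IN = {
    "j.mueller@example.com": "2024-04-23T07:55:00Z",
    "a.weber@example.com": "2024-04-22T16:20:00Z",
    "old-contractor@example.com": "2023-11-02T10:00:00Z",
    "svc-backup2@example.com": None,
}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def suspicious_events(events, window_start, window_end):
    """Return the events inside the incident window that touch persistence mechanisms."""
    hits = []
    for ev in events:
        kind = PERSISTENCE_ACTIVITIES.get(ev["activity"])
        if kind and window_start <= parse_ts(ev["time"]) <= window_end:
            hits.append({**ev, "kind": kind})
    return hits


def accounts_to_review(events, last_sign_in, window_start, window_end, now, max_idle_days=90):
    """Accounts to disable or re-credential: created in the window, used to make
    suspicious changes, or stale (never signed in / idle longer than max_idle_days)."""
    hits = suspicious_events(events, window_start, window_end)
    created = {e["target"] for e in hits if e["kind"] == "new account"}
    actors = {e["actor"] for e in hits}
    stale = {
        account for account, last in last_sign_in.items()
        if last is None or (now - parse_ts(last)).days > max_idle_days
    }
    return {"created_in_window": created, "actors_of_changes": actors, "stale": stale}


if __name__ == "__main__":
    start, end = parse_ts("2024-04-20T00:00:00Z"), parse_ts("2024-04-25T00:00:00Z")
    for hit in suspicious_events(SAMPLE_EVENTS, start, end):
        print(f'{hit["time"]}  {hit["kind"]:24}  {hit["actor"]} -> {hit["target"]}')
    for key, accounts in accounts_to_review(
            SAMPLE_EVENTS, SAMPLE_LAST_SIGN_IN, start, end, parse_ts("2024-04-24T12:00:00Z")).items():
        print(f"{key}: {sorted(accounts)}")
```

The actors of suspicious changes are at least as important as the accounts they created: in the sample data, m.schmidt@example.com creates a service account, gives it a role, edits the MFA policy and registers a new MFA method within half an hour at night, which is exactly the pattern of a compromised account being used for persistence.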
After a hacking incident, it is essential to have your system forensically analyzed by a competent IT professional, especially if legal action is taken.
For a forensic analysis it is important that the original data is not changed, in order to rule out any manipulation, whether by the analyst or by third parties. As a rule, the examination is performed on verified images (write-blocked copies whose hashes match those recorded at acquisition) in a sandbox environment.
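Two points above, that the documentation must hold up as evidence and that the original data must remain unchanged, both come down to hashing. The following added example (not part of the original article) hashes an evidence image in chunks, records each handling step in a hash-chained chain-of-custody log, and verifies both: a single altered byte in the image, or an edited earlier log entry, is detected. The image content, analyst names and timestamps are constructed.

```python
"""Evidence hashing and a tamper-evident chain-of-custody log.

Added example, not from the original article. The image bytes, analyst
names and timestamps are constructed stand-ins.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read images in 1 MiB chunks so multi-GB files need not fit in memory


def sha256_of_file(path):
    """SHA-256 of a file, computed streaming."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only log; every entry commits to the hash of the previous entry,
    so editing, deleting or reordering an earlier entry breaks the chain."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor, action, evidence_id, evidence_hash, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        body = {"seq": len(self.entries), "time": when, "actor": actor, "action": action,
                "evidence_id": evidence_id, "evidence_hash": evidence_hash, "prev_hash": prev}
        entry_hash = self._digest(body)
        self.entries.append({**body, "entry_hash": entry_hash})
        return entry_hash

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, seq of first bad entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(body) != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, None


def demo():
    """Acquire, verify, then simulate tampering with the image and with the log."""
    image = b"\x00" * 4096 + b"EVIDENCE" + b"\xff" * 4096  # constructed stand-in for a disk image
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "host01-sda.img")
        with open(path, "wb") as f:
            f.write(image)
        log = CustodyLog()
        acquired = sha256_of_file(path)
        log.append("analyst-a", "acquired disk image (write-blocked)", "host01-sda.img",
                   acquired, "2024-04-22T10:15:00+00:00")
        log.append("analyst-a", "opened working copy in sandbox", "host01-sda.img",
                   sha256_of_file(path), "2024-04-22T11:00:00+00:00")
        intact_before = sha256_of_file(path) == acquired
        with open(path, "r+b") as f:          # someone alters one word in the image
            f.seek(4096)
            f.write(b"evidence")
        intact_after = sha256_of_file(path) == acquired
        log_ok, _ = log.verify()
        log.entries[0]["action"] = "acquired disk image"   # someone edits an earlier entry
        log_ok_after, first_bad = log.verify()
    return {"image_intact_before": intact_before, "image_intact_after_edit": intact_after,
            "log_ok": log_ok, "log_ok_after_edit": log_ok_after, "first_bad_entry": first_bad}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Keep the log itself on a medium the affected systems cannot write to, and publish the latest entry hash (e.g. in the incident ticket or by e-mail to a second person) at regular intervals; the chain only proves that nothing between two published points was altered.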
Detailed checks are carried out in the forensic part to log the nature and impact of the compromise caused by the hack. The vulnerabilities through which the systems were hacked are identified. This results in further steps such as installing security updates for the hacked services to prevent other systems in the company network from being infected.
After the analysis, the forensic analyst can recommend whether data can still be recovered, or whether doing so carries the risk of another attack (e.g. through a worm that has spread into a backup) and is therefore not advisable.
Following the forensic review, you or an external expert search the infected systems for remnants of the attackers' tools and malware and remove them. Make sure the hacked systems are really clean; persistence mechanisms such as scheduled tasks, services or modified startup entries are easy to overlook.
Depending on the severity and type of compromise, you can reinstall the systems after wiping and reformatting the storage, preferably from a backup that was definitely created before the compromise. You may, however, need to go back to the image of the system that was created before it went live.
You then apply all the necessary patches, switch off unused services and eliminate vulnerabilities that were exploited. In particularly severe cases, it may be necessary to purchase new systems due to economic considerations and operational requirements.
Another important step is necessary before the affected and restored systems can be reintegrated into the productive environment: define measures and phases to ensure that the systems are not compromised again. These should include the following points:
After successfully completing the previous steps, you must finally make the decision to switch from emergency mode to normal mode. Depending on the previous results and after completing the checklists, carry out this step together in your company.
It is important here to involve the users as well. Communicate the upcoming change clearly and ask for heightened vigilance during the transition, in case it was a targeted attack or an attack from the inside. This is the only way to avoid another incident occurring immediately afterwards.
The most important step in an incident response is the lessons and consequences that are drawn from it. This includes completing all documentation on the incident now at the latest.
Design the documentation of the incident in such a way that you can answer the following questions at any point during the incident:
Who? What? Where? Why? How?
On the one hand, the documentation serves as a basis for drawing conclusions for your company's IT environment. On the other hand, you can use it to train your IT staff and as reference material in case you are hacked again.
The documentation serves to have a proven track record should a similar incident occur and to improve the incident response process.
Finally, you should hold a Lessons Learned Meeting, which includes the following points based on the documentation:
In addition, a round table should be included where IT staff can discuss suggestions and topics for improving IT and organization to increase overall effectiveness for future incidents.
Here you will find an overview of all 7 steps for processing a hacking incident:
From now on, note down all steps taken and all information collected. Stop the data flow and deny the attacker access to your system.
Variant 1: Leave infected devices online, but cleanly separate them from the rest of the company network.
Variant 2: Take infected devices offline.
SANS Institute Incident Handbook:
https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901