Incident Response & Forensics

If preventive measures have not been sufficient and you have fallen victim to a cyberattack, we can also help you with reactive measures such as forensic analyses, short-term remediation measures and long-term mitigation measures to reduce the risk of cyberattacks.

We offer the following services:

  • Investigation and Defense
  • Forensics that can be used in court
  • Application and improvement of the disaster recovery plan (DRP)
  • Application and improvement of Business Continuity Management (BCM)
  • System and application recovery
  • Internal & external crisis communication
  • Cloud forensics
  • Malware analysis

We also support you in the event of cyber attacks such as ransomware, crypto trojans and CEO fraud.

Incident Response & Disaster Recovery

In the event of a cyberattack, we help you to take the necessary measures to contain the damage, clean up your systems and protect you from further attacks. Our approach is based on the following model, which has proven itself in many projects:

Incident Response

  1. Immediate measures: inform all relevant people, isolate affected systems, deactivate compromised user accounts

  2. Preserve traces: secure logs and data carriers: images of hard disks and storage media, working memory (RAM), network logs, snapshots of VMs

  3. Forensic analyses: disk and file system forensics, memory forensics, network forensics, mobile device management forensics, SIEM analysis

  4. Clean-up and recovery: blocking C&C IP addresses, removing malicious code identified by the forensic analysis, restoring systems (a sound backup concept is required for this)

  5. Post-incident activities: remediation of vulnerabilities, reporting of the attack, lessons learned, risk and vulnerability management and emergency concept

Compromise Assessment & Forensics

During a Compromise Assessment, we investigate whether your network has been affected by a cyber attack, what the consequences were and how you can protect yourself against them. Compromise Assessment is an important part of Incident Response & Forensics as it helps us to answer the following questions:

  • How did the attacker infiltrate your network?
  • What systems, data or applications were compromised or stolen?
  • How long was the attacker active in your network?
  • What traces did the attacker leave behind?
  • How can you close the security gaps and clean up the affected systems?

Compromise assessment is important because it enables you to respond quickly and effectively to a cyber attack, minimize the damage, analyze the causes and improve security. We use specialized tools and expertise to detect, collect and interpret the signs of an attack. Compromise assessment can also be performed preventively to identify potential vulnerabilities or anomalies in your network before they are exploited.

As part of our forensic analysis, the following components are examined to evaluate how the attackers proceeded, what data they stole and which systems were affected:

  • IT systems
  • Data carriers (HDD, virtual HDDs, HDD images)
  • Check and, if necessary, adjust the log storage duration
  • Logs (system logs, firewalls, IDS/IPS, WAF, proxy, AV, mail server, etc.)
  • Cloud forensics
    • AWS
    • Azure and MS 365
    • GCP

The following measures guarantee a forensic analysis that can be used in court:

  • Our forensic analyses are always performed exclusively on images of the data carriers to be examined.
  • Hardware write blockers are used when creating the images to ensure that the evidence is not altered.
  • Cryptographic hash values are computed for every image so that the integrity of the data carriers can be verified at any time.
  • Secure storage of evidence and documentation of the chain of custody.
  • Use of recognized software to carry out forensic analyses.
  • Four-eyes principle: forensic analysis is carried out by two forensic experts to avoid potential errors and ensure that specifications and guidelines are adhered to.
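As an added illustration of the measures listed above (hashing the images, verifying them before analysis, and documenting the chain of custody), as well as of the "preserve traces" step of the incident response model, the following Python script shows one way such an evidence record can be kept. It is example code written for this page, not the tooling of the service provider described here; the examiner names, file names and "disk" contents are constructed, and the plain file copy stands in for imaging a data carrier behind a hardware write blocker.

```python
"""Evidence integrity check and chain-of-custody log (constructed example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read in 1 MiB blocks so large images are not loaded into RAM


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire_image(source: str, image: str, examiner: str) -> dict:
    """Copy the evidence source to an image file and open a custody record.

    The copy stands in for imaging a data carrier behind a hardware write
    blocker; the source is only opened read-only. Source and image are hashed
    independently and must match before the record is created.
    """
    shutil.copyfile(source, image)
    src_hash = sha256_file(source)
    img_hash = sha256_file(image)
    if src_hash != img_hash:
        raise RuntimeError("image hash does not match source; acquisition failed")
    return {
        "item": os.path.basename(source),
        "image": image,
        "sha256": img_hash,
        "events": [{"at": _now(), "by": examiner, "action": "acquired",
                    "sha256": img_hash, "verified": True}],
    }


def log_custody_event(record: dict, action: str, examiner: str) -> bool:
    """Re-hash the image, append an event to the custody log, report whether integrity held."""
    current = sha256_file(record["image"])
    verified = current == record["sha256"]
    record["events"].append({"at": _now(), "by": examiner, "action": action,
                             "sha256": current, "verified": verified})
    return verified


def save_record(record: dict, path: str) -> None:
    """Write the custody record as JSON next to the evidence."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2)


def demo() -> dict:
    """Run the workflow on a constructed 'disk' and return the checks a test can assert on."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    source = os.path.join(workdir, "sda.raw")  # constructed stand-in for a seized data carrier
    image = os.path.join(workdir, "sda.img")
    with open(source, "wb") as fh:
        fh.write(b"MBR" + b"\x00" * 4093 + b"constructed file system contents" * 64)

    record = acquire_image(source, image, examiner="analyst-1")
    # Four-eyes principle: the second examiner verifies the hash on handover.
    handover_ok = log_custody_event(record, "handover to second examiner", "analyst-2")

    # Simulate an unintended modification of the image file; the next
    # verification must fail and the failure must be visible in the log.
    with open(image, "r+b") as fh:
        fh.seek(4096)
        fh.write(b"X")
    tamper_detected = not log_custody_event(record, "pre-analysis verification", "analyst-2")

    save_record(record, os.path.join(workdir, "chain_of_custody.json"))
    shutil.rmtree(workdir)
    return {
        "hash_length": len(record["sha256"]),
        "handover_ok": handover_ok,
        "tamper_detected": tamper_detected,
        "event_count": len(record["events"]),
    }


if __name__ == "__main__":
    print(demo())
```

Every custody event stores the hash measured at that moment rather than only a pass/fail flag, so a later reviewer can see exactly when an image stopped matching its acquisition hash.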

Implementation of crisis exercises

We work with you to carry out cyber attack simulations based on the MITRE ATT&CK matrix, a framework that describes the most common tactics and techniques used by cyber criminals. We create customized scenarios for you that match your context and situation and reflect current attack techniques. The simulations are carried out without prior briefing of the exercise participants in order to increase realism. The exercise participants are employees from various departments, service providers and stakeholders involved in IT crisis management. The simulations include various possible scenarios, such as

  • Failure of the communication infrastructure (MS Teams / Azure AD accounts)
  • Ransomware attack or supply chain attack
  • DDoS attack
  • Advanced Persistent Threat (APT)

The simulations aim to train and improve the following aspects:

  • The concretization of the criteria for declaring a crisis: monetary, reputation, etc.
  • Communication with all affected Group brands, customers, departments and stakeholders
  • Collaboration with external interfaces and service providers to minimize the impact
  • Identifying and eliminating operational weaknesses in crisis management
  • Establishing immediate measures in the event of suspected cyber attacks
  • Defining how to deal with ransom demands
  • External communication with relevant authorities and institutions, such as
    • State data protection authority
    • LKA (state criminal police office)
    • BSI (Federal Office for Information Security)
  • External communication with the public, such as the
    • Media
    • Social media

The simulations are externally observed and evaluated by our certified experts. We provide you with comprehensive feedback on your strengths and weaknesses, as well as specific recommendations for improving your IT crisis management.
