Don't panic

When responding to a successful cyberattack, it’s critical to remain calm. Affected businesses are often in a state of turmoil—rushed, unsettled, perhaps even panicked. The situation can pose a serious threat to their very existence. For Sonja Saß and her colleagues, that means being sensitive to the situation, reading the room carefully, and perhaps even picking up on a bit of dark humour. She says: “Imagine hackers take out a warehousing system overnight. Suddenly you can’t manage inventory, you can’t ship products, nothing moves. How long can a business survive something like that? When do customers with just-in-time contracts start walking away? Everything’s on the line.” That’s why the top priority is to develop a clear, actionable plan, communicate it to the company’s decision-makers, and initiate the right steps without delay.

It’s not uncommon for Sonja Saß to have to slow customers down—because their IT infrastructure is a crime scene, littered with valuable clues. It might seem like the best course of action to shut down systems, change passwords, or modify firewalls in an attempt to contain the damage, but uncoordinated steps can actually have the opposite effect and risk destroying critical evidence, too. For Bechtle’s IT forensic experts, the traces found during a coordinated response to a cyberattack are essential. They help uncover how the attackers got in, how far they penetrated the systems, and what they did once inside.

Shut down the system. Contain the attack.

To prevent knee-jerk reactions, the experts at Bechtle’s Cyber Defence Centre assign specific tasks to those involved—actively engaging them in gathering key information:

  • When did the first anomalies appear?
  • Which systems are affected?
  • Are there any offline backups?
  • Does the company use any tools that may have logged suspicious activity?
Sonja Saß, IT forensic expert at the Bechtle Cyber Defence Centre.

Only once these questions have been answered does it make sense to isolate or shut down systems to prevent the attack from spreading further. For digital first responders, there’s one thing that’s more important than anything else, and that’s trust. And that comes through open, honest, and regular communication.

“We aim to centralise all information, keep everyone on the same page, and make decisions together,” says Sonja Saß. That’s why she and her team bring all key stakeholders to the table—from IT administrators and senior management to the legal department and data protection officers, if the situation calls for it. These meetings are crucial, as the situation can change rapidly. When it does, the team needs to adapt its strategy, rethink decisions, initiate new measures, and bring other people on board. And sometimes, that also means engaging with the relevant authorities, such as the police or Germany’s Federal Office for Information Security (BSI). “We support customers in reporting incidents and provide our findings to assist with official investigations, which is often the case when the customer is operating critical infrastructure,” explains Sonja Saß.

Cyberattack checklist.

#1 Remain calm: No knee-jerk reactions. Understand the situation before taking action.

#2 Assess the situation: Which systems are affected? What’s still operational?

#3 Structure communication: Define points of contact and provide regular updates.

#4 Create a step-by-step plan: Set priorities and implement them consistently.

IT forensics – The hunt for artefacts.

When a crisis hits, every single detail and piece of information passes over her desk. Naturally, this includes the findings of the Bechtle team. A range of specialists, from network forensics to threat intelligence experts, are brought in from across Bechtle units to dig deep into the customer’s infrastructure and gather evidence. This mobile task force is flexible yet well-rehearsed, highly efficient, experienced, and ready to act in high-pressure situations.

Sonja Saß herself examines the crime scene. Every system, every file, every log may contain a clue—what experts call an artefact. The team’s focus is on reconstructing the path of the attack by answering some key questions:

  • Did the attackers exploit a known vulnerability?
  • Did they use compromised credentials?
  • How did they escalate their privileges?
  • Were there any suspicious connections to external servers?
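As an added example (not Bechtle's own tooling), the following Python script walks a small, constructed log excerpt once and answers both the triage questions above (when the first anomaly appeared, which systems are affected) and the four artefact questions (credential use, privilege escalation, lateral reuse, external connections). The "<time> <host> <message>" log layout, the host names, and the 10.0.0.0/8 internal range are assumptions made for the sample.

```python
import re
from ipaddress import ip_address, ip_network
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal range for this sample
# Constructed sample lines in a "<time> <host> <message>" layout.
SAMPLE_LOGS = """\
2024-03-01T01:12:03 web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T01:12:05 web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T01:12:09 web01 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T01:15:40 web01 sudo: admin : COMMAND=/bin/bash
2024-03-01T01:20:11 web01 firewall: OUT TCP 10.0.0.5 -> 198.51.100.9:443
2024-03-01T02:02:00 db01 sshd: Accepted password for admin from 10.0.0.5
2024-03-01T09:00:00 web01 cron: backup completed
"""
PATTERNS = {  # one regex per artefact type; lines matching none are noise
    "failed_login": re.compile(r"Failed password for (\S+) from (\S+)"),
    "login": re.compile(r"Accepted password for (\S+) from (\S+)"),
    "priv_esc": re.compile(r"sudo: (\S+) : COMMAND=(\S+)"),
    "outbound": re.compile(r"OUT TCP \S+ -> (\S+):\d+"),
}

def parse_events(text):
    # Yield (time, host, kind, groups) for each tagged line, preserving log order.
    for line in text.splitlines():
        time, host, msg = line.split(" ", 2)
        for kind, rx in PATTERNS.items():
            if m := rx.search(msg):
                yield (time, host, kind, m.groups())
                break

def reconstruct(events):
    # Walk the timeline once; every finding tuple starts with (time, host).
    failures, compromised = {}, set()
    found = {"credential_use": [], "lateral": [], "priv_esc": [], "external": []}
    for time, host, kind, f in events:
        key = (host,) + f
        if kind == "failed_login":
            failures.setdefault(key, [0, time])[0] += 1  # count, first failure
        elif kind == "login" and failures.get(key, [0])[0] >= 2:
            compromised.add(f[0])  # success after repeated failures: guessed creds
            found["credential_use"].append((failures[key][1], host, f[0], f[1], time))
        elif kind == "login" and f[0] in compromised and ip_address(f[1]) in INTERNAL:
            found["lateral"].append((time, host, f[0], f[1]))  # reuse from inside
        elif kind == "priv_esc":
            found["priv_esc"].append((time, host, f[0], f[1]))
        elif kind == "outbound" and ip_address(f[0]) not in INTERNAL:
            found["external"].append((time, host, f[0]))  # possible C2 or exfil
    flagged = [e for cat in found.values() for e in cat]
    found["first_anomaly"] = min((e[0] for e in flagged), default=None)
    found["affected_hosts"] = sorted({e[1] for e in flagged})
    return found
```

Run it with `reconstruct(parse_events(SAMPLE_LOGS))`; on the sample it dates the first anomaly to the first failed login, lists both hosts as affected, and records the guessed credentials, the sudo shell, the outbound connection, and the later login to db01 with the same account from inside the network.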

It’s all about details, patterns, and anomalies—but also about parameters that only a highly specialised team can detect. Sonja Saß and her team are highly focused and structured in their work to guide affected companies through the crisis as effectively as possible.

Once the immediate threat has been contained, the process of rebuilding the company’s IT begins. Bechtle also supports this phase, starting with systems that restore essential processes and functions. Sonja Saß’s team ensures the customer is in the hands of highly qualified colleagues before moving on to the next crime scene. “We’ve witnessed first-hand how cyberattacks have evolved over the last few years. Attackers are adopting new methods and offering ransomware-as-a-service on the dark web, enabling even inexperienced criminals to target businesses. They extort companies by encrypting their data, threatening to publish sensitive information, or launching DDoS attacks to take websites offline. Every case brings new challenges.” Thankfully, the team’s extensive experience allows it to support affected organisations with a calm approach, proven methods, the latest technology, and a great deal of empathy. Because incident response works best when technical expertise and emotional intelligence go hand in hand.