Immediate measures:
What you should do now
Before our experts arrive, these three steps can decide how quickly your company is fully operational again.
Stay calm
Keep calm. Do not shut down servers! Pause virtual machines (their memory is preserved). For physical servers: create a memory dump first, then shut down.
Isolation
Disconnect affected systems from the network immediately (pull the cable, disable Wi-Fi) to prevent the threat from spreading further.
Documentation
Record the time, symptoms and first observations in chronological order. Do not manipulate any files on affected systems.
Expertise you notice immediately
We do not work by gut feeling but by precise playbooks. Explore our library of measures for typical cyber threats.
Renew Expired SSL/TLS Certificate
An expired SSL/TLS certificate was detected. This breaks HTTPS trust and may expose users to man-in-the-middle attacks.
Replace Weak SSL/TLS Cipher Suites
Weak cipher suites (DES, 3DES, RC4, export ciphers) are enabled, potentially allowing decryption of traffic.
Replace Self-Signed Certificate
A self-signed certificate provides no chain of trust. Users will see browser warnings, and the certificate cannot be verified by clients.
Disable Deprecated TLS/SSL Protocols
Deprecated protocols (SSLv2, SSLv3, TLS 1.0, TLS 1.1) are still enabled and are vulnerable to known attacks such as POODLE and BEAST.
Disable Telnet and Switch to SSH
Telnet transmits all data including credentials in cleartext. It should be replaced with SSH for all remote access.
Replace FTP with SFTP/SCP
FTP transmits files and credentials in cleartext. Replace it with SFTP or SCP, which use SSH encryption.
Enable SMB Signing
SMB signing is disabled, allowing man-in-the-middle attacks and NTLM relay attacks on file sharing connections.
Harden SSH Configuration
SSH configuration allows potentially insecure settings like root login, password authentication, or old protocols.
Secure SNMP Configuration
SNMP is using default community strings (public/private), allowing anyone to read/modify device configurations.
Disable Open DNS Resolver
An open DNS resolver can be abused for DNS amplification DDoS attacks and DNS cache poisoning.
Fix SQL Injection Vulnerability
SQL injection allows attackers to read, modify, or delete database contents and potentially execute system commands.
Fix Cross-Site Scripting (XSS) Vulnerability
XSS allows attackers to inject malicious scripts that execute in users' browsers, stealing sessions, credentials, or defacing content.
Implement CSRF Protection
Missing CSRF tokens allow attackers to trick authenticated users into performing unintended actions.
Disable Directory Listing
Web server directory listing exposes file structure, potentially revealing sensitive files, backups, or configuration files.
Add Missing Security Headers
Important HTTP security headers are missing, leaving the application vulnerable to clickjacking, MIME-sniffing, and other attacks.
Change Default Credentials
Default manufacturer/vendor credentials are in use. These are publicly known and can be exploited trivially.
Strengthen Password Policy
Weak password policy allows easily guessable passwords, increasing risk of brute-force and credential stuffing attacks.
Implement Multi-Factor Authentication
Critical services lack multi-factor authentication, making them vulnerable to credential compromise.
Update Outdated Software
Software with known vulnerabilities is running. Apply available patches to prevent exploitation.
Apply CVE Security Patch
A known CVE with an available patch has been identified. Apply the vendor patch immediately to prevent exploitation.
Remediate Kerberoasting Risk
Service accounts with SPNs are vulnerable to Kerberoasting — offline password cracking of Kerberos TGS tickets.
Fix AS-REP Roasting Vulnerability
Accounts without Kerberos pre-authentication can have their password hashes retrieved and cracked offline.
Remove Unconstrained Kerberos Delegation
Systems with unconstrained delegation can impersonate any user to any service, enabling domain compromise if the system is compromised.
Fix Accounts with Non-Expiring Passwords
User accounts with the 'Password never expires' flag increase the risk of credential compromise from stale passwords.
Disable Inactive Privileged Accounts
Privileged accounts that have not been used for extended periods pose a significant security risk.
Remediate Active Directory Attack Path
An attack path to Domain Admin has been identified, allowing privilege escalation from compromised accounts.
Enable SMB Signing on Domain Systems
SMB signing is not enforced, allowing NTLM relay and man-in-the-middle attacks against domain systems.
Deploy LAPS for Local Admin Passwords
Local administrator passwords are identical across workstations, enabling lateral movement after any single compromise.
Fix Insecure File Permissions
Sensitive system files have overly permissive access controls, potentially exposing credentials or configurations.
Apply Kernel Security Hardening
Linux kernel parameters are not hardened, leaving the system vulnerable to various network and local attacks.
Disable Unnecessary System Services
Non-essential services are running, increasing the attack surface of the system.
Configure System Audit Logging
System audit logging is not configured or insufficient, hindering incident detection and forensics.
Remove Exposed Secrets from Code/Files
Sensitive credentials, API keys, or tokens were found in source code or configuration files.
Secure Exposed Database Ports
Database services (MySQL, PostgreSQL, MSSQL, MongoDB) are directly accessible, risking unauthorized data access.
Secure or Restrict RDP Access
Remote Desktop Protocol (RDP) is exposed, making the system vulnerable to brute-force and credential stuffing attacks.
Re-enable Windows Defender Real-Time Protection
Windows Defender real-time protection is disabled, leaving the system without active malware protection.
Update Windows Defender Antivirus Signatures
Antivirus definitions are outdated, reducing detection capability for recent malware threats.
Resolve Detected Malware Threats
Windows Defender has detected threats that have not been fully remediated or quarantined.
Mitigate NTLM Relay Attack Risk
NTLM authentication is enabled and systems are vulnerable to relay attacks that allow captured credentials to be forwarded.
Our structured IR process
Following NIST and SANS standards, we guide your company systematically through the crisis and back to normal operations.
Triage & analysis
Immediate situation assessment and prioritization of measures.
Containment
Isolation of affected systems to limit the damage.
Eradication
Complete removal of threats and vulnerabilities.
Recovery
Secure return to normal operations.
Post-incident review
Root-cause analysis and permanent system hardening.