Incident Response

A serious incident requires a cool head, as well as a rapid, yet well-considered response. The BSI provides a wide range of services for dealing with IT security incidents, from attack detection to incident handling.

The BSI helps public authorities and businesses respond to an IT security incident. What exactly has happened? Which measures need to be taken? Who needs to be informed? The BSI offers a wide range of services to organisations that find themselves in crisis mode. When a security incident is reported, the National IT Situation Centre and CERT-Bund perform an initial assessment. An initial course of action is also discussed with the affected organisation. Along with the immediate technical measures that need to be implemented, the BSI provides initial advice on IT crisis management and related communication. This dialogue with the BSI is complemented by numerous guides and recommendations that can help affected institutions handle an IT security incident. Response strategies for ransomware incidents and recommendations on advanced persistent threat (APT) attacks also provide a means of getting the technical and organisational aspects under control.


Competent in a crisis

During an IT security incident, the BSI can also help affected organisations complete a situational assessment and evaluation. This can involve consultations with technical experts, for example. For the federal administration and critical infrastructure, supplementary BSI expertise in the fields of malware analysis, digital forensics or log file analysis can also be brought in to support incident analysis. In especially sensitive cases, the BSI may opt to deploy a Mobile Incident Response Team (MIRT) to assist on-site. This service is primarily available to clients in the federal administration and operators of critical infrastructure.

Insights from the BSI about known IT security incidents can offer technical indicators that help detect and diagnose an attack. They may also provide specific information about the incident in hand once analysis is complete. With the consent of the affected organisation, the results can be shared in a suitable format with third parties so as to detect attack patterns. This helps to identify and/or prevent further infiltrations at other organisations. The BSI can also aid organisations in locating service providers capable of offering support with incident detection, analysis, and handling. If the affected organisation needs to contact law enforcement agencies and/or the Federal Office for the Protection of the Constitution, the BSI can provide the relevant information.
