Detecting cyber security incidents Cyber security events A cyber security event is an occurrence of a system, service or network state indicating a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security. Cyber security incidents A cyber security incident is an unwanted or unexpected cyber security event, or a series of such events, that have a significant probability of compromising business operations. Cyber resilience Cyber resilience is the ability to adapt to disruptions caused by cyber security incidents while maintaining continuous business operations. This includes the ability to detect, manage and recover from cyber security incidents. Detecting cyber security incidents One of the core elements of detecting and investigating cyber security incidents is the availability of appropriate data sources. Fortunately, many data sources can be extracted from existing systems without requiring specialised capabilities. The following are some of the data sources that an organisation can use for detecting and investigating cyber security incidents: Domain Name System event logs: Can assist in identifying attempts to resolve malicious domains or Internet Protocol addresses which can indicate an exploitation attempt or successful compromise. Email server event logs: Can assist in identifying users targeted with spear-phishing emails. Can also assist in identifying the initial vector of a compromise. Gateway event logs: Can assist in identifying anomalous or malicious network traffic which can indicate an exploitation attempt or successful compromise. Operating system and application event logs: Can assist in identifying anomalous or malicious activity which can indicate an exploitation attempt or successful compromise. Remote access event logs: Can assist in identifying unusual source addresses, times of access and logon/logoff times associated with malicious activity. Web proxy event logs: Can assist in identifying Hypertext Transfer Protocol-based vectors and malicious network traffic. Intrusion detection and prevention policy Establishing an intrusion detection and prevention policy can increase the likelihood of detecting, and subsequently preventing, malicious activity on networks and hosts. In doing so, an intrusion detection and prevention policy will likely cover the following: methods of network-based intrusion detection and prevention used methods of host-based intrusion detection and prevention used guidelines for reporting and responding to detected intrusions resources assigned to intrusion detection and prevention activities. Security Control: ISM-0576; Revision: 7; Updated: Aug-19; Applicability: All; Essential Eight: N/A An intrusion detection and prevention policy is developed and implemented. Trusted insider program As a trusted insider's system access and knowledge of business processes often makes them harder to detect, establishing a trusted insider program can assist an organisation to detect and respond to trusted insider threats before they occur, or limit damage if they do occur. In doing so, an organisation will likely obtain the most benefit by logging and analysing the following user activities: excessive copying or modification of files unauthorised or excessive use of removable media connecting devices capable of data storage to systems unusual system usage outside of normal business hours excessive data access or printing compared to their peers data transfers to unauthorised cloud services or webmail use of unauthorised Virtual Private Networks, file transfer applications or anonymity networks. Security Control: ISM-1625; Revision: 0; Updated: Nov-20; Applicability: All; Essential Eight: N/A A trusted insider program is developed and implemented. Security Control: ISM-1626; Revision: 0; Updated: Nov-20; Applicability: All; Essential Eight: N/A Legal advice is sought regarding the development and implementation of a trusted insider program. Access to sufficient data sources and tools Successful detection of cyber security incidents requires trained cyber security personnel with access to sufficient data sources complemented by tools that support both manual and automated analysis. As such, it is important that during system design and development activities, functionality is added to systems to ensure that sufficient data sources can be captured and provided to cyber security personnel. Security Control: ISM-0120; Revision: 5; Updated: May-20; Applicability: All; Essential Eight: N/A Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise. Further information Further information on event logging can be found in the event logging and monitoring section of the Guidelines for System Monitoring. Further information on establishing and operating a trusted insider program can be found in the Carnegie Mellon University’s Software Engineering Institute’s Common Sense Guide to Mitigating Insider Threats publication. Managing cyber security incidents Cyber security incident register Recording cyber security incidents in a register can assist with ensuring that appropriate remediation activities are undertaken. In addition, the types and frequency of cyber security incidents, along with the costs of any remediation activities, can be used as an input to future risk assessment activities. Security Control: ISM-0125; Revision: 5; Updated: Jun-21; Applicability: All; Essential Eight: N/A A cyber security incident register is maintained that covers the following: the date the cyber security incident occurred the date the cyber security incident was discovered a description of the cyber security incident any actions taken in response to the cyber security incident to whom the cyber security incident was reported. Handling and containing data spills When a data spill occurs, an organisation should inform data owners and restrict access to the data. In doing so, affected systems can be powered off, have their network connectivity removed or have additional access controls applied to the data. It should be noted though that powering off systems could destroy data that would be useful for forensic investigations. Furthermore, users should be made aware of appropriate actions to take in the event of a data spill, such as not deleting, copying, printing or emailing the data. Security Control: ISM-0133; Revision: 2; Updated: Jun-21; Applicability: All; Essential Eight: N/A When a data spill occurs, data owners are advised and access to the data is restricted. Handling and containing malicious code infections Taking immediate remediation steps after the discovery of malicious code can minimise the time and cost spent eradicating and recovering from the infection. As a priority, all infected systems and media should be isolated to prevent the infection from spreading. Once isolated, infected systems and media can be scanned by antivirus software to potentially remove the infection or recover data. It is important to note though, a complete system restoration from a known good backup or rebuild may be the only reliable way to ensure that malicious code can be truly eradicated or data recovered. Security Control: ISM-0917; Revision: 7; Updated: Oct-19; Applicability: All; Essential Eight: N/A When malicious code is detected, the following steps are taken to handle the infection: the infected systems are isolated all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary antivirus software is used to remove the infection from infected systems and media if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt. Handling and containing intrusions When an intrusion is detected on a system, an organisation may wish to allow the intrusion to continue for a short period of time in order to fully understand the extent of the compromise and to assist with planning intrusion remediation activities. However, an organisation allowing an intrusion to continue in order to collect data or evidence should first establish with their legal advisors whether such activities would be breaching the Telecommunications (Interception and Access) Act 1979. To increase the likelihood of intrusion remediation activities successfully removing an adversary from their system, an organisation can take preventative measures to ensure the adversary has limited forewarning and awareness of planned intrusion remediation activities. Specifically, using an alternative system to plan and coordinate intrusion remediation activities will prevent alerting the adversary if they have already compromised email, messaging or collaboration services. In addition, conducting intrusion remediation activities in a coordinated manner during the same planned outage will prevent forewarning the adversary, thereby depriving them of sufficient time to establish alternative access points or persistence methods on the system. Following intrusion remediation activities, an organisation should determine whether the adversary has been successfully removed from the system, including whether or not they have since reacquired access. This can be achieved, in part, by capturing and analysing network traffic for at least seven days following remediation activities. Security Control: ISM-0137; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A Legal advice is sought before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence. Security Control: ISM-1609; Revision: 2; Updated: Dec-21; Applicability: All; Essential Eight: N/A System owners are consulted before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence. Security Control: ISM-1731; Revision: 0; Updated: Dec-21; Applicability: All; Essential Eight: N/A Planning and coordination of intrusion remediation activities are conducted on a separate system to that which has been compromised. Security Control: ISM-1732; Revision: 0; Updated: Dec-21; Applicability: All; Essential Eight: N/A To the extent possible, all intrusion remediation activities are conducted in a coordinated manner during the same planned outage. Security Control: ISM-1213; Revision: 2; Updated: Dec-21; Applicability: All; Essential Eight: N/A Following intrusion remediation activities, full network traffic is captured for at least seven days and analysed to determine whether the adversary has been successfully removed from the system. Integrity of evidence When gathering evidence following a cyber security incident, it is important that its integrity is maintained. In addition, if the Australian Cyber Security Centre (ACSC) is requested to assist with investigations, no actions which could affect the integrity of evidence should be carried out before the ACSC becomes involved. Security Control: ISM-0138; Revision: 4; Updated: Aug-20; Applicability: All; Essential Eight: N/A The integrity of evidence gathered during an investigation is maintained by investigators: recording all of their actions creating checksums for all evidence copying evidence onto media for archiving maintaining a proper chain of custody. Further information Further information on incident response plans can be found in the system-specific security documentation section of the Guidelines for Security Documentation. Further information on handling and managing data spills can be found in the ACSC’s Data Spill Management Guide publication. Reporting cyber security incidents Reporting cyber security incidents Reporting cyber security incidents, including unplanned outages, to an organisation’s Chief Information Security Officer (CISO), or one of their delegates, as soon as possible after they occur or are discovered provides senior management with the opportunity to assess the impact to their organisation and to take remediation actions if necessary. Note, an organisation should also be cognisant of any legislative obligations in regards to reporting cyber security incidents to authorities, customers or the public. Security Control: ISM-0123; Revision: 3; Updated: Sep-18; Applicability: All; Essential Eight: N/A Cyber security incidents are reported to an organisation’s CISO, or one of their delegates, as soon as possible after they occur or are discovered. Security Control: ISM-0141; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A Service providers report cyber security incidents to their customer’s CISO, or one of their delegates, as soon as possible after they occur or are discovered. Security Control: ISM-1433; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A Service providers and their customers maintain 24/7 contact details for each other, including additional out-of-band contact details for when normal communication channels fail, in order to report cyber security incidents. Reporting cyber security incidents to the ACSC The ACSC uses the cyber security incident reports it receives as the basis for providing assistance to organisations. Cyber security incident reports are also used by the ACSC to identify trends and maintain an accurate threat environment picture. The ACSC utilises this understanding to assist in the development of new and updated cyber security advice, capabilities, and techniques to better prevent and respond to evolving cyber threats. An organisation is recommended to internally coordinate their reporting of cyber security incidents to the ACSC. The types of cyber security incidents that should be reported to the ACSC include: suspicious activities, such as privileged account lockouts and unusual remote access activities compromise of sensitive or classified data unauthorised access or attempts to access a system emails with suspicious attachments or links denial-of-service attacks ransomware attacks suspected tampering of ICT equipment. Security Control: ISM-0140; Revision: 6; Updated: May-19; Applicability: All; Essential Eight: N/A Cyber security incidents are reported to the ACSC. Further information Further information on reporting cyber security incidents is available from the ACSC.