
This section of the ISM provides guidance on managing cyber security incidents.

Cyber security incident register

The purpose of recording cyber security incidents in a register is to highlight their type and frequency so that corrective action can be taken. This information, along with information on the costs of any remediation activities, can also be used as an input to risk assessments and vulnerability management activities.

Security Control: 0125; Revision: 4; Updated: Aug-19; Applicability: O, P, S, TS
A cyber security incident register is maintained with the following information:

  • the date the cyber security incident occurred
  • the date the cyber security incident was discovered
  • a description of the cyber security incident
  • any actions taken in response to the cyber security incident
  • to whom the cyber security incident was reported.

Handling and containing data spills

When a data spill occurs, organisations should inform information owners and restrict access to the information. In doing so, affected systems can be powered off, have their network connectivity removed or have additional access controls applied to the information. Note, however, that powering off systems could destroy information that would be useful for forensic investigations. Furthermore, users should be made aware of appropriate actions to take in the event of a data spill, such as not deleting, copying, printing or emailing the information.

Security Control: 0133; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
When a data spill occurs, information owners are advised and access to the information is restricted.

Handling and containing malicious code infections

Taking immediate remediation steps after the discovery of malicious code can minimise the time and cost spent eradicating and recovering from the infection. As a priority, all infected systems and media should be isolated to prevent the infection from spreading further. Once isolated, infected systems and media can be scanned by antivirus software to potentially remove the infection. It is important to note, though, that a complete system restoration from a known good backup, or a rebuild, may be the only reliable way to ensure that malicious code is truly eradicated.

Security Control: 0917; Revision: 7; Updated: Oct-19; Applicability: O, P, S, TS
When malicious code is detected, the following steps are taken to handle the infection:

  • the infected systems are isolated
  • all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary
  • antivirus software is used to remove the infection from infected systems and media
  • if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt.

Allowing targeted cyber intrusions to continue

When a targeted cyber intrusion is detected, organisations may wish to allow the intrusion to continue for a short period of time in order to understand its extent. Organisations allowing a targeted cyber intrusion to continue on a system should establish with their legal advisors whether the actions are breaching the Telecommunications (Interception and Access) Act 1979.

Security Control: 0137; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Legal advice is sought before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence.

Security Control: 1609; Revision: 0; Updated: Aug-20; Applicability: O, P, S, TS
System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence.

Post-incident analysis

Post-incident analysis after a targeted cyber intrusion can assist in determining whether an adversary has been removed from a system. This can be achieved, in part, by conducting a full network traffic capture for at least seven days. Organisations should then be able to identify anomalous behaviour that may indicate whether the adversary has persisted on the system or not.

Security Control: 1213; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
Post-incident analysis is performed for successful targeted cyber intrusions; this includes storing full network traffic for at least seven days after a targeted cyber intrusion.
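
One way to check that stored traffic captures actually cover the full seven days, shown as an added example that is not part of the ISM. It assumes each capture file is described by a (start, end) time pair; the tolerance value and the hourly sample data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=7)  # minimum storage period stated in the control

def coverage_gaps(segments, intrusion_time, tolerance=timedelta(seconds=5)):
    """Return (gap_start, gap_end) periods within the seven days after
    intrusion_time that no stored capture segment covers.

    segments:  iterable of (start, end) datetimes, one per capture file.
    tolerance: pause allowed between files at rotation (assumed value).
    """
    window_end = intrusion_time + RETENTION
    gaps, covered_to = [], intrusion_time
    for start, end in sorted(segments):
        if end <= covered_to or start >= window_end:
            continue  # adds no new coverage, or lies outside the window
        if start - covered_to > tolerance:
            gaps.append((covered_to, start))
        covered_to = max(covered_to, end)
    if window_end - covered_to > tolerance:
        gaps.append((covered_to, window_end))  # capture stopped too early
    return gaps

def constructed_hourly_segments(t0, hours, missing=()):
    """Constructed sample data: one capture file per hour, minus 'missing' hours."""
    return [(t0 + timedelta(hours=h), t0 + timedelta(hours=h + 1))
            for h in range(hours) if h not in missing]

if __name__ == "__main__":
    t0 = datetime(2020, 8, 3, 9, 0, tzinfo=timezone.utc)  # constructed intrusion time
    for gap in coverage_gaps(constructed_hourly_segments(t0, 168, missing={50}), t0):
        print("no capture between", gap[0].isoformat(), "and", gap[1].isoformat())
```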

Integrity of evidence

When gathering evidence following any form of cyber security incident, it is important that its integrity is maintained. Even though an investigation may not directly lead to a law enforcement agency prosecution, it is important that the integrity of evidence such as manual logs, automatic audit trails and intrusion detection tool outputs be protected.

If the Australian Cyber Security Centre (ACSC) is requested to assist in investigations, the ACSC requests that no actions which could affect the integrity of evidence be carried out before the ACSC becomes involved.

Security Control: 0138; Revision: 4; Updated: Aug-20; Applicability: O, P, S, TS
The integrity of evidence gathered during an investigation is maintained by investigators:

  • recording all of their actions
  • creating checksums for all evidence
  • copying evidence onto media for archiving
  • maintaining a proper chain of custody.
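
A sketch of how the checksum and action-recording steps above can be made verifiable, added here as an example and not taken from the ISM. The manifest layout, the hash-chained action log and all function names are assumptions of this example; SHA-256 is chosen as the checksum.

```python
import hashlib
import json
import os
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(evidence_dir):
    """Checksum every file under evidence_dir, keyed by relative path."""
    manifest = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, evidence_dir)] = sha256_file(full)
    return manifest

def verify_copy(manifest, copy_dir):
    """List paths in the archived copy that are missing, altered or unexpected."""
    current = build_manifest(copy_dir)
    changed = [p for p, digest in manifest.items() if current.get(p) != digest]
    extra = [p for p in current if p not in manifest]
    return sorted(changed + extra)

def log_action(log, investigator, action):
    """Append an action record whose hash also covers the previous record."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "investigator": investigator, "action": action, "prev_hash": prev}
    entry["entry_hash"] = hashlib.sha256(
        json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return entry

def log_is_intact(log):
    """Recompute each entry hash and check every link back to the first entry."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev_hash"] != prev or entry["entry_hash"] != digest:
            return False
        prev = entry["entry_hash"]
    return True
```

Build the manifest before evidence is copied, then run `verify_copy` against the archive media; an empty list means every file matches its recorded checksum.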

Further information

Further information on incident response plans can be found in the system-specific security documentation section of the Guidelines for Security Documentation.

Further information on event logging, including retention periods, can be found in the event logging and auditing section of the Guidelines for System Monitoring.

Further information on handling and managing data spills can be found in the ACSC’s Data Spill Management Guide publication at https://www.cyber.gov.au/acsc/view-all-content/publications/data-spill-management-guide.

Further information on responding to cyber security incidents can be found in the ACSC’s Preparing for and Responding to Cyber Security Incidents publication at https://www.cyber.gov.au/acsc/view-all-content/publications/preparing-and-responding-cyber-security-incidents.