Reporting an Incident

Timeliness and accuracy of information are of paramount importance when reporting an incident. No matter how trivial it may seem, a system “glitch” can sometimes be an indication of a major incident. Even when you think that something could be a minor failure, it always helps to be suspicious and dig a bit deeper. After all, prevention is better than cure.

What to report?

Each organisation has its own priorities, context and focus, and this can be reflected in its reporting form. We strongly believe that standardisation in reporting is important, as it promotes better cyber situational awareness: standardisation acts as an enabler of information sharing. As such, we subscribe to Carnegie Mellon University’s standard:

Contact information for reporter: name, organisation, sector type, e-mail address, telephone number.

Details of affected machine (may be repeated for multiple victims): hostname and IP address, timezone, purpose or function.

Source of attack (may be repeated for multiple sources): hostname or IP, timezone, has contact been established?

Estimated cost of incident.

Description of the incident: including dates, methods of intrusion, intruder tools involved, software versions and patch levels, intruder tool output, details of vulnerabilities exploited, source of attack, or any other relevant information.
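As an added illustration of that form (example code written for this page, not part of the original post or of the Carnegie Mellon form itself), the following Python checks a report held as a plain dictionary for the required fields before it is submitted. The field names, the section names and the sample report are constructed assumptions, chosen to mirror the sections listed above.

```python
import ipaddress

# Required fields for each part of the form described above (names assumed).
# "affected" and "sources" are lists because both sections may be repeated.
REQUIRED = {
    "reporter": ["name", "organisation", "sector", "email", "telephone"],
    "affected": ["hostname", "ip", "timezone", "purpose"],
    "sources": ["host_or_ip", "timezone", "contact_established"],
}

def _missing(section: str, item: dict, path: str) -> list:
    """Names of required fields that are absent or blank in one form section."""
    return [f"{path}.{f} missing" for f in REQUIRED[section]
            if f not in item or item[f] in ("", None)]

def validate(report: dict) -> list:
    """Check a report dict against the form; an empty list means it is complete."""
    problems = _missing("reporter", report.get("reporter", {}), "reporter")
    email = report.get("reporter", {}).get("email", "")
    if email and "@" not in email:
        problems.append("reporter.email is not an e-mail address")
    affected = report.get("affected", [])
    if not affected:
        problems.append("affected: at least one machine is required")
    for i, m in enumerate(affected):
        problems += _missing("affected", m, f"affected[{i}]")
        try:
            ipaddress.ip_address(m.get("ip", ""))  # accepts IPv4 and IPv6
        except ValueError:
            problems.append(f"affected[{i}].ip is not a valid IP address")
    for i, s in enumerate(report.get("sources", [])):
        problems += _missing("sources", s, f"sources[{i}]")
    if not str(report.get("description", "")).strip():
        problems.append("description missing")
    return problems

# Constructed sample (placeholder values; not a real incident or real contacts).
SAMPLE = {
    "reporter": {"name": "A. Analyst", "organisation": "Example Org", "sector": "finance",
                 "email": "soc@example.org", "telephone": "+00 000 000"},
    "affected": [{"hostname": "web01.example.org", "ip": "192.0.2.10",
                  "timezone": "UTC", "purpose": "public web server"}],
    "sources": [{"host_or_ip": "198.51.100.7", "timezone": "UTC", "contact_established": False}],
    "description": "Constructed sample: unexpected outbound connections seen on web01.",
}
```

Running `validate(SAMPLE)` returns an empty list; a report with a blank reporter name, a malformed e-mail or an IP such as `999.1.1.1` gets one message per defect, which is what a reporting form should show before it lets the report go out.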
