The Australian Government has recently issued a set of Guidelines for Cyber Security Incidents (“the Guidelines”), outlining the ways in which these incidents can be detected, managed and reported.
By adopting these best practices, businesses can decrease the chances that they will be adversely affected by malicious cyber acts.
What is a ‘cyber security incident’?
The first step leading towards a cyber security incident is the occurrence of a cyber security event. A cyber security event occurs when a system has experienced a potential breach of security.
When it becomes apparent that an unwanted event is likely to compromise business functions, the event then escalates to a cyber security incident.
Detection and preparation
Organisations can utilise a range of readily available data to detect and investigate cyber security incidents. For example, email server logs can assist in identifying users targeted with phishing emails.
Other data sources which can help to identify malicious activity and its source include Domain Name System (DNS) logs, operating system event logs, web proxy logs, and Virtual Private Network (VPN) and remote access logs.
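The correlation described above, as an added example that is not part of the Guidelines or of this article: email server log lines identify the internal users who received mail from a flagged sender domain, and DNS resolver log lines show which of those users' workstations then looked the domain up. The two log formats, the addresses and host names, the mailbox-to-workstation mapping and the flagged domain are all constructed for the example and simplified; real mail servers and resolvers use their own formats.

```python
"""Find users targeted by a phishing campaign from email server logs, then use DNS
resolver logs to see which of them went on to resolve the sender's domain.
Added example with constructed, simplified log formats."""
import re
from datetime import datetime

MAIL_LINE = re.compile(r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) subject="(?P<subject>.*)"$')
DNS_LINE = re.compile(r'^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+)$')

# Constructed email server log: one line per delivered message.
MAIL_LOG = """\
2024-05-01T09:02:11 from=billing@paypa1-secure.example to=alice@corp.example subject="Urgent: verify your account"
2024-05-01T09:02:13 from=billing@paypa1-secure.example to=bob@corp.example subject="Urgent: verify your account"
2024-05-01T09:05:40 from=hr@corp.example to=carol@corp.example subject="Payslip May"
2024-05-01T09:07:02 from=billing@paypa1-secure.example to=dave@corp.example subject="Urgent: verify your account"
"""

# Constructed DNS resolver log: which workstation looked up which name.
DNS_LOG = """\
2024-05-01T09:03:05 client=alice-laptop query=paypa1-secure.example.
2024-05-01T09:04:19 client=carol-laptop query=intranet.corp.example.
2024-05-01T09:08:30 client=dave-laptop query=paypa1-secure.example.
"""

# Assumed mailbox-to-workstation mapping; in practice this comes from an asset inventory.
USER_HOST = {"alice@corp.example": "alice-laptop", "bob@corp.example": "bob-laptop",
             "carol@corp.example": "carol-laptop", "dave@corp.example": "dave-laptop"}

# Sender domain already confirmed as phishing infrastructure, e.g. from a user report (constructed).
PHISHING_DOMAINS = {"paypa1-secure.example"}


def _parse(text, pattern):
    """Parse matching lines into dicts with a datetime 'ts'; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def sender_domain(address):
    """Domain part of an email address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def targeted_users(mail_events, phishing_domains):
    """Map (flagged domain, recipient) to the earliest delivery time seen for that pair."""
    first_seen = {}
    for ev in mail_events:
        dom = sender_domain(ev["sender"])
        if dom in phishing_domains:
            key = (dom, ev["rcpt"])
            first_seen[key] = min(ev["ts"], first_seen.get(key, ev["ts"]))
    return first_seen


def users_who_resolved(mail_events, dns_events, user_host, phishing_domains):
    """Targeted users whose workstation resolved the phishing domain after delivery:
    the first people to contact for credential resets and follow-up."""
    first_seen = targeted_users(mail_events, phishing_domains)
    host_to_user = {host: user for user, host in user_host.items()}
    followed = set()
    for ev in dns_events:
        user = host_to_user.get(ev["client"])
        qname = ev["qname"].lower().rstrip(".")  # resolver logs often print the trailing dot
        if (qname, user) in first_seen and ev["ts"] >= first_seen[(qname, user)]:
            followed.add(user)
    return followed


def triage(mail_log=MAIL_LOG, dns_log=DNS_LOG):
    """Summary an incident responder can act on: who was targeted, who resolved the domain."""
    mail, dns = _parse(mail_log, MAIL_LINE), _parse(dns_log, DNS_LINE)
    targeted = sorted({rcpt for _, rcpt in targeted_users(mail, PHISHING_DOMAINS)})
    followed = sorted(users_who_resolved(mail, dns, USER_HOST, PHISHING_DOMAINS))
    return {"targeted": targeted, "resolved_domain": followed}


if __name__ == "__main__":
    print(triage())
```

The delivery timestamp check matters: a lookup of the domain before the mail arrived would point at a different source (a scanner, an earlier campaign) rather than a user following the link, so only lookups at or after first delivery count.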
The Guidelines recommend the creation of a corporate policy outlining how intrusions will be detected and prevented, reported, managed, and what resources will be allocated to these activities. It is best practice to have trained cyber security personnel with access to sufficient data sources and tools.
How to effectively manage a cyber security incident
Once a cyber security incident has been detected, effective management will include the following key components:
- Cyber security incident register: reporting on the type and frequency of incidents can inform required corrective actions and aid future security risk assessments.
- Handling and containing data spills: information owners are advised of the incident and appropriate actions to take, and access to the information is restricted.
- Handling and containing malicious code infections: all affected systems and media should be isolated, scanned by antivirus software to potentially remove the infection, and if possible, restored from a known good backup or rebuilt.
- Post-incident analysis: assists in determining whether an adversary has been removed from a system, and involves storing full network traffic for at least seven days after the incident.
- Maintaining integrity of evidence: investigators should record all their actions and ensure raw audit trails are copied onto media for archiving.
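One way to carry out the last of these components in practice, as an added example that is not part of the Guidelines or of this article: each raw audit trail is copied to an archive location, hashed on both sides to prove the copy is byte-identical, and every investigator action is appended to a record that can later be used to re-verify the archive. The file names, the action-record fields and the sample log line are constructed for the example; the demo runs entirely inside a temporary directory.

```python
"""Evidence handling for a cyber security incident: archive raw audit trails,
record every investigator action, and re-verify the archive later.
Added example; paths, field names and the sample log content are constructed."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large captures do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_action(action_log: Path, investigator: str, action: str, **details) -> dict:
    """Append one JSON line to the investigator's action record (append-only by convention)."""
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "investigator": investigator, "action": action, **details}
    with open(action_log, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def preserve_audit_trail(src: Path, archive_dir: Path, investigator: str, action_log: Path) -> dict:
    """Copy a raw log to the archive and prove the copy matches the source before recording it."""
    archive_dir.mkdir(parents=True, exist_ok=True)
    dst = archive_dir / src.name
    before = sha256_of(src)
    shutil.copy2(src, dst)  # copy2 preserves the source file's timestamps on the copy
    after = sha256_of(dst)
    if before != after:
        raise RuntimeError(f"archive copy of {src} does not match source")
    return record_action(action_log, investigator, "archive_audit_trail",
                         source=str(src), archive=str(dst), sha256=after)


def verify_archive(action_log: Path) -> list:
    """Re-hash every archived file named in the action record; return the ones that changed or vanished."""
    mismatches = []
    with open(action_log, encoding="utf-8") as f:
        for line in f:
            entry = json.loads(line)
            if entry.get("action") != "archive_audit_trail":
                continue
            path = Path(entry["archive"])
            if not path.exists() or sha256_of(path) != entry["sha256"]:
                mismatches.append(entry["archive"])
    return mismatches


def run_demo() -> dict:
    """Self-contained run in a temporary directory: archive, verify, tamper, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        raw = tmp / "auth.log"
        # Constructed sample line; 203.0.113.7 is from the documentation address range.
        raw.write_text("May  1 09:02:11 host sshd[411]: Failed password for admin from 203.0.113.7\n")
        action_log = tmp / "actions.jsonl"
        entry = preserve_audit_trail(raw, tmp / "archive", "investigator-1", action_log)
        clean = verify_archive(action_log)
        (tmp / "archive" / "auth.log").write_text("tampered\n")  # simulate a modified archive
        tampered = verify_archive(action_log)
        return {"sha256": entry["sha256"], "clean": clean,
                "tampered": [Path(p).name for p in tampered]}


if __name__ == "__main__":
    print(run_demo())
```

In a real engagement the action record and the archive would live on write-once or otherwise protected media, and the recorded hashes are what let a later reviewer confirm the evidence is the same as what was collected.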
In some instances, organisations may wish to allow the intrusion to continue for a short period of time to collect information or evidence. However, specialist legal advice should be sought to ensure that this can be done legally.
Further information is available on incident response plans and system monitoring, as outlined in the Guidelines.
Cyber security incidents should be reported to an organisation’s Chief Information Security Officer (CISO) as soon as possible after they occur or are discovered. Where organisations use outsourced information technology or cloud services, their service providers must follow the same reporting protocol.
In some situations, organisations may wish to seek advice from the Australian Cyber Security Centre (ACSC). The ACSC uses the cyber security incident reports it receives as the basis for providing assistance to organisations.