A cyber security event is an occurrence of a system, service or network state indicating a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security.
Cyber security incidents
A cyber security incident is an unwanted or unexpected cyber security event, or a series of such events, that have a significant probability of compromising business operations.
Cyber resilience
Cyber resilience is the ability to adapt to disruptions caused by cyber security incidents while maintaining continuous business operations. This includes the ability to detect, manage and recover from cyber security incidents.
Detecting cyber security incidents
One of the core elements of detecting and investigating cyber security incidents is the availability of appropriate data sources. Fortunately, many data sources can be extracted from existing systems without requiring specialised capabilities. The following are some of the data sources that an organisation can use for detecting and investigating cyber security incidents:
Intrusion detection and prevention policy
Establishing an intrusion detection and prevention policy can increase the likelihood of detecting, and subsequently preventing, malicious activity on networks and hosts. In doing so, an intrusion detection and prevention policy will likely cover the following:
Control: ISM-0576; Revision: 7; Updated: Aug-19; Applicability: All; Essential Eight: N/A
Trusted insider program
As a trusted insider's system access and knowledge of business processes often make them harder to detect, establishing a trusted insider program can assist an organisation to detect and respond to trusted insider threats before they occur, or to limit damage if they do occur. In doing so, an organisation will likely obtain the most benefit by logging and analysing the following user activities:
Control: ISM-1625; Revision: 0; Updated: Nov-20; Applicability: All; Essential Eight: N/A
Control: ISM-1626; Revision: 0; Updated: Nov-20; Applicability: All; Essential Eight: N/A
Access to sufficient data sources and tools
Successful detection of cyber security incidents requires trained cyber security personnel with access to sufficient data sources, complemented by tools that support both manual and automated analysis. As such, it is important that during system design and development activities, functionality is added to systems to ensure that sufficient data sources can be captured and provided to cyber security personnel.
Control: ISM-0120; Revision: 5; Updated: May-20; Applicability: All; Essential Eight: N/A
Further information
Further information on event logging can be found in the event logging and monitoring section of the Guidelines for System Monitoring.
Further information on establishing and operating a trusted insider program can be found in the Carnegie Mellon University's Software Engineering Institute's Common Sense Guide to Mitigating Insider Threats publication.
Managing cyber security incidents
Cyber security incident register
Recording cyber security incidents in a register can assist with ensuring that appropriate remediation activities are undertaken. In addition, the types and frequency of cyber security incidents, along with the costs of any remediation activities, can be used as an input to future risk assessment activities.
Control: ISM-0125; Revision: 5; Updated: Jun-21; Applicability: All; Essential Eight: N/A
Handling and containing data spills
When a data spill occurs, an organisation should inform data owners and restrict access to the data. In doing so, affected systems can be powered off, have their network connectivity removed or have additional access controls applied to the data. It should be noted, though, that powering off systems could destroy volatile data (such as memory contents) that would be useful for forensic investigations. Furthermore, users should be made aware of appropriate actions to take in the event of a data spill, such as not deleting, copying, printing or emailing the data.
Control: ISM-0133; Revision: 2; Updated: Jun-21; Applicability: All; Essential Eight: N/A
Handling and containing malicious code infections
Taking immediate remediation steps after the discovery of malicious code can minimise the time and cost spent eradicating and recovering from the infection. As a priority, all infected systems and media should be isolated to prevent the infection from spreading. Once isolated, infected systems and media can be scanned by antivirus software to potentially remove the infection or recover data. It is important to note, though, that a complete system restoration from a known good backup, or a rebuild, may be the only reliable way to ensure that malicious code is truly eradicated or data recovered.
Control: ISM-0917; Revision: 7; Updated: Oct-19; Applicability: All; Essential Eight: N/A
Handling and containing intrusions
When an intrusion is detected on a system, an organisation may wish to allow the intrusion to continue for a short period of time in order to fully understand the extent of the compromise and to assist with planning intrusion remediation activities. However, an organisation allowing an intrusion to continue in order to collect data or evidence should first establish with their legal advisors whether such activities would be breaching the Telecommunications (Interception and Access) Act 1979.
To increase the likelihood of intrusion remediation activities successfully removing an adversary from the system, an organisation can take preventative measures to ensure the adversary has limited forewarning and awareness of planned intrusion remediation activities. Specifically, using an alternative system to plan and coordinate intrusion remediation activities will prevent alerting the adversary if they have already compromised email, messaging or collaboration services. In addition, conducting intrusion remediation activities in a coordinated manner during the same planned outage will prevent forewarning the adversary, thereby depriving them of sufficient time to establish alternative access points or persistence methods on the system.
Following intrusion remediation activities, an organisation should determine whether the adversary has been successfully removed from the system, including whether or not they have since reacquired access. This can be achieved, in part, by capturing and analysing network traffic for at least seven days following remediation activities.
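The post-remediation check described above, as an added example (not part of the ISM or any ACSC tooling): it reads connection records exported from a network sensor, confirms the capture actually spans the seven-day window, flags any internal host that contacts an address already known from the investigation, and looks for regularly spaced outbound connections to new destinations, which is the pattern an implant that survived the outage would produce. The CSV layout, the indicator addresses and the sample records are all constructed for the demonstration.

```python
"""Post-remediation network monitoring check (added example, not from the ISM).

Assumes connection records were exported as CSV lines of the constructed form
    timestamp,src_ip,dst_ip,dst_port,bytes
and that KNOWN_C2 holds indicators recovered during the investigation.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Hypothetical indicators from the investigation that preceded remediation.
KNOWN_C2 = {"203.0.113.50", "198.51.100.7"}
INTERNAL_PREFIX = "10."  # assumption: the organisation's internal range


def parse_records(lines):
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split(",")
        records.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return records


def coverage_ok(records, remediation_time, min_days=7):
    """The capture must extend at least seven days past the remediation outage."""
    if not records:
        return False
    last = max(r[0] for r in records)
    return last - remediation_time >= timedelta(days=min_days)


def known_indicator_hits(records):
    """Any contact with a known C2 address means access was retained or reacquired."""
    return sorted({(src, dst) for _, src, dst, _, _ in records if dst in KNOWN_C2})


def beaconing_candidates(records, min_connections=6, max_jitter=0.15):
    """Flag (src, dst, port) flows with regularly spaced outbound connections.

    Low-jitter periodic check-ins are characteristic of implant beacons, so a
    flow like this to a previously unseen address deserves a closer look even
    though the destination is not yet on the indicator list.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port, _ in records:
        if src.startswith(INTERNAL_PREFIX) and not dst.startswith(INTERNAL_PREFIX):
            by_flow[(src, dst, port)].append(ts)
    flagged = []
    for flow, times in by_flow.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append((flow, round(avg)))
    return sorted(flagged)


def post_remediation_report(lines, remediation_time):
    records = parse_records(lines)
    return {
        "coverage_ok": coverage_ok(records, remediation_time),
        "known_c2_contacts": known_indicator_hits(records),
        "beaconing": beaconing_candidates(records),
    }


# Constructed sample: the remediation outage finished on 2024-03-01 00:00.
# Host 10.0.0.12 checks in to a previously unseen address every hour, and
# 10.0.0.30 contacts a known C2 address once; the rest is ordinary traffic.
SAMPLE = ["# timestamp,src_ip,dst_ip,dst_port,bytes"]
_base = datetime(2024, 3, 2, 8, 0)
for _i in range(8):
    SAMPLE.append(f"{(_base + timedelta(hours=_i)).isoformat()},10.0.0.12,192.0.2.99,443,1200")
SAMPLE += [
    "2024-03-02T09:15:00,10.0.0.30,198.51.100.7,8443,5000",
    "2024-03-03T10:00:00,10.0.0.15,10.0.0.5,445,80000",      # internal, ignored
    "2024-03-04T11:00:00,10.0.0.15,203.0.113.77,443,3000",
    "2024-03-05T11:07:00,10.0.0.15,203.0.113.77,443,3100",
    "2024-03-08T00:30:00,10.0.0.20,203.0.113.77,443,1500",
]
REMEDIATED = datetime(2024, 3, 1, 0, 0)

if __name__ == "__main__":
    print(post_remediation_report(SAMPLE, REMEDIATED))
```

The jitter threshold and minimum connection count are tuning knobs; a real deployment would also exclude destinations on an allow-list (update servers, SaaS endpoints) before treating periodicity as suspicious.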
Control: ISM-0137; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Control: ISM-1609; Revision: 2; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Control: ISM-1731; Revision: 0; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Control: ISM-1732; Revision: 0; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Control: ISM-1213; Revision: 2; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Integrity of evidence
When gathering evidence following a cyber security incident, it is important that its integrity is maintained. In addition, if the Australian Cyber Security Centre (ACSC) is requested to assist with investigations, no actions which could affect the integrity of evidence should be carried out before the ACSC becomes involved.
Control: ISM-0138; Revision: 4; Updated: Aug-20; Applicability: All; Essential Eight: N/A
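One practical way to maintain (and later demonstrate) the integrity of gathered evidence, as an added example that is not part of the ISM or of any ACSC procedure: hash each collected artefact with SHA-256 at collection time, record the digests together with who collected them and when in a manifest, and seal the manifest with an HMAC so that neither the files nor the record can be altered unnoticed. The file names, directory layout and key are assumptions for the demonstration.

```python
"""Evidence integrity manifest (added example, not from the ISM or the ACSC).

Hashes collected evidence files, records the digests in a sealed manifest and
re-verifies them later so that any post-collection alteration is detected.
"""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a disk image need not fit in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector, key):
    """Record collector, time and per-file digest, then seal the record with an HMAC."""
    entries = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            entries.append({"file": name, "sha256": sha256_file(path),
                            "size": os.path.getsize(path)})
    body = {"collector": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "entries": entries}
    serialised = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "hmac": hmac.new(key, serialised, "sha256").hexdigest()}


def verify_manifest(evidence_dir, manifest, key):
    """Return (manifest_intact, {file: 'ok' | 'modified' | 'missing'})."""
    serialised = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(key, serialised, "sha256").hexdigest()
    manifest_intact = hmac.compare_digest(expected, manifest["hmac"])
    results = {}
    for entry in manifest["body"]["entries"]:
        path = os.path.join(evidence_dir, entry["file"])
        if not os.path.isfile(path):
            results[entry["file"]] = "missing"
        elif sha256_file(path) != entry["sha256"]:
            results[entry["file"]] = "modified"
        else:
            results[entry["file"]] = "ok"
    return manifest_intact, results


def demo():
    """Constructed scenario: collect two artefacts, then simulate later tampering."""
    key = b"demo-key-keep-offline"  # assumption: held offline or in an HSM in practice
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "auth.log"), "w") as f:
            f.write("Mar 1 02:14:07 host sshd[911]: Accepted publickey for svc\n")
        with open(os.path.join(d, "memory.raw"), "wb") as f:
            f.write(os.urandom(4096))
        manifest = build_manifest(d, "analyst-1", key)
        before = verify_manifest(d, manifest, key)
        # Someone "tidies" the log and deletes the memory capture after collection.
        with open(os.path.join(d, "auth.log"), "a") as f:
            f.write("Mar 1 02:15:00 host sshd[911]: session closed\n")
        os.remove(os.path.join(d, "memory.raw"))
        after = verify_manifest(d, manifest, key)
        # Rewriting the recorded digest to match the edited file breaks the HMAC.
        forged = json.loads(json.dumps(manifest))
        forged["body"]["entries"][0]["sha256"] = sha256_file(os.path.join(d, "auth.log"))
        forged_intact, _ = verify_manifest(d, forged, key)
        return before, after, forged_intact


if __name__ == "__main__":
    print(demo())
```

The HMAC only proves the manifest was not altered by someone without the key; for evidence that may be handed to the ACSC or used in proceedings, the manifest itself should be stored on write-once media or signed with a key the collector does not control.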
Further information
Further information on incident response plans can be found in the system-specific security documentation section of the Guidelines for Security Documentation.
Further information on handling and managing data spills can be found in the ACSC's Data Spill Management Guide publication.
Reporting cyber security incidents
Reporting cyber security incidents
Reporting cyber security incidents, including unplanned outages, to an organisation's Chief Information Security Officer (CISO), or one of their delegates, as soon as possible after they occur or are discovered provides senior management with the opportunity to assess the impact to their organisation and to take remediation actions if necessary. Note that an organisation should also be cognisant of any legislative obligations in regard to reporting cyber security incidents to authorities, customers or the public.
Control: ISM-0123; Revision: 3; Updated: Sep-18; Applicability: All; Essential Eight: N/A
Control: ISM-0141; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Control: ISM-1433; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Reporting cyber security incidents to the ACSC
The ACSC uses the cyber security incident reports it receives as the basis for providing assistance to organisations. Cyber security incident reports are also used by the ACSC to identify trends and maintain an accurate threat environment picture. The ACSC utilises this understanding to assist in the development of new and updated cyber security advice, capabilities and techniques to better prevent and respond to evolving cyber threats. An organisation is recommended to internally coordinate its reporting of cyber security incidents to the ACSC. The types of cyber security incidents that should be reported to the ACSC include:
Control: ISM-0140; Revision: 6; Updated: May-19; Applicability: All; Essential Eight: N/A
Further information
Further information on reporting cyber security incidents is available from the ACSC.