Cybersecurity Incident Report

Many organizations have cybersecurity response teams dedicated to the handling of incidents—events that indicate compromises of systems or data loss. When organizations use tools to help detect events, it is important that organizations have a well-defined incident-handling process to resolve security issues.

During the preparation phase, incident handlers need to make sure that they are familiar with organizational policies and procedures. These policies and procedures should outline information such as drills and escalation contacts. If an incident affects a range of people, critical systems or infrastructure, national security, control systems, economic security, and/or the general health and safety of the public, then it may need to be reported to the federal government. Cybersecurity incidents can be reported to local field offices of the applicable federal agency. The US Justice Department's website lists the federal agencies that assist with cyber crimes and incidents:

Type of crime, followed by the federal agency (or agencies) to contact:

Computer intrusion (i.e., hacking)
  • FBI local office
  • US Secret Service
  • Internet Crime Complaint Center

Password trafficking
  • FBI local office
  • US Secret Service
  • Internet Crime Complaint Center

Counterfeiting of currency
  • US Secret Service

Child pornography or exploitation
  • FBI local office
  • if imported, US Immigration and Customs Enforcement
  • Internet Crime Complaint Center

Child exploitation and internet fraud matters that have a mail nexus
  • US Postal Inspection Service
  • Internet Crime Complaint Center

Internet fraud and spam
  • FBI local office
  • US Secret Service
  • Federal Trade Commission
  • if securities fraud or investment-related spam emails, Securities and Exchange Commission
  • Internet Crime Complaint Center

Internet harassment
  • FBI local office

Internet bomb threats
  • FBI local office
  • ATF local office

Trafficking in explosive or incendiary devices or firearms over the internet
  • FBI local office
  • ATF local office

Source: US Department of Justice. Reporting computer, internet-related, or intellectual property crime. In the public domain. https://www.justice.gov/criminal-ccips/reporting-computer-internet-related-or-intellectual-property-crime

The table lists only some of the agencies; other agencies also work on cybercrime, such as the National Cyber Investigative Joint Task Force (intrusions and crimes) and the National Cybersecurity and Communications Integration Center (assistance with removing the adversary and restoring operations).

The United States Computer Emergency Readiness Team (US-CERT) also assists with handling security incidents and analysis, and includes an online form for reporting information: https://www.us-cert.gov/forms/report

The online form requires the reporter's and affected user's contact information, the type of organization, the critical infrastructure owner or operator, time zone, incident start time, how the incident was detected, impact details, and threat vectors (US-CERT). When planning for incident response, it is imperative to have this information ready.

When creating an internal incident report, include similar information, such as the format provided below by the Department of Defense's Defense Security Cooperation Agency (Multinational Industrial Security Working Group, 2013):

  • reported by (name, position, telephone number, email)
  • business unit details and internal reporting (manager, department)
  • incident details and impact level (dates, affected systems, what happened, classification level, system compromise, type of system, level of impact, government involvement needed/reporting, number of systems, action taken, supporting documents, current incident status)
  • mitigation actions (details, results, additional assistance required)
  • computer network defense incident type (type of malware, vulnerability exploit, disruption of service, access violation, accident or error, user involvement, origin of attack)
  • systems affected (network, type of system, operating system, protocols, applications)
  • follow-up activities (has information been provided to authorities, next steps)
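The field groups above are easier to enforce when the internal report is a structured record rather than free text. The following is an added example, not part of the original text or of the DSCA format: a small Python model of the report whose validate() method lists the fields a handler must complete before escalation, whose requires_federal_report() method applies the federal-reporting indicators named in the preparation-phase paragraph above, and whose to_json() method produces a record that can be filed or forwarded. All class, field and function names, the impact scale, and the sample data are this example's own assumptions.

```python
"""Added example: a structured internal incident report modelled on the
field groups listed above. Names and the sample data are assumptions made
for this example; they are not the DSCA format's own identifiers."""
from dataclasses import dataclass, field, asdict
from datetime import datetime
import json

# Incident categories taken from the "computer network defense incident type" group.
INCIDENT_TYPES = {
    "malware", "vulnerability exploit", "disruption of service",
    "access violation", "accident or error",
}

# Indicators paraphrased from the preparation-phase paragraph: any one of
# these means the incident may need to be reported to the federal government.
FEDERAL_INDICATORS = {
    "critical_systems_or_infrastructure",
    "national_security",
    "control_systems",
    "economic_security",
    "public_health_or_safety",
}


@dataclass
class IncidentReport:
    reported_by: dict                 # name, position, telephone, email
    business_unit: dict               # manager, department
    incident_type: str                # one of INCIDENT_TYPES
    start_time: str                   # ISO 8601 timestamp, UTC
    affected_systems: list            # network, system type, OS, protocols, apps
    what_happened: str
    impact_level: str                 # example scale: "low" / "medium" / "high"
    federal_indicators: set = field(default_factory=set)
    mitigation_actions: list = field(default_factory=list)
    status: str = "open"              # current incident status
    follow_up: dict = field(default_factory=dict)  # authorities notified, next steps

    def validate(self) -> list:
        """Return the list of problems found; an empty list means the report
        is complete enough to escalate."""
        problems = []
        for key in ("name", "telephone", "email"):
            if not self.reported_by.get(key):
                problems.append(f"reported_by.{key} missing")
        if self.incident_type not in INCIDENT_TYPES:
            problems.append(f"unknown incident_type {self.incident_type!r}")
        try:
            datetime.fromisoformat(self.start_time.replace("Z", "+00:00"))
        except ValueError:
            problems.append("start_time is not ISO 8601")
        if not self.affected_systems:
            problems.append("no affected systems listed")
        unknown = self.federal_indicators - FEDERAL_INDICATORS
        if unknown:
            problems.append(f"unknown federal indicators: {sorted(unknown)}")
        return problems

    def requires_federal_report(self) -> bool:
        """True when any of the federal-reporting indicators is set."""
        return bool(self.federal_indicators & FEDERAL_INDICATORS)

    def to_json(self) -> str:
        """Serialize the report; the indicator set becomes a sorted list."""
        record = asdict(self)
        record["federal_indicators"] = sorted(self.federal_indicators)
        return json.dumps(record, indent=2, sort_keys=True)


def sample_report() -> IncidentReport:
    """Constructed sample data for demonstration only."""
    return IncidentReport(
        reported_by={"name": "A. Handler", "position": "SOC analyst",
                     "telephone": "555-0100", "email": "handler@example.org"},
        business_unit={"manager": "B. Lead", "department": "IT operations"},
        incident_type="malware",
        start_time="2024-01-15T08:30:00Z",
        affected_systems=["file server FS-01 (Windows Server, SMB)"],
        what_happened="Endpoint alert on FS-01; host isolated from the network.",
        impact_level="medium",
        federal_indicators={"critical_systems_or_infrastructure"},
        mitigation_actions=["isolated host", "collected memory image"],
        status="contained",
        follow_up={"authorities_notified": False, "next_steps": "forensic review"},
    )


if __name__ == "__main__":
    report = sample_report()
    print("problems:", report.validate())
    print("federal report indicated:", report.requires_federal_report())
    print(report.to_json())
```

Keeping the incident categories and federal indicators as explicit sets means a report with a misspelled category or an unrecognized indicator is rejected at validation time rather than discovered during escalation, and the JSON output carries exactly the field groups the template asks for.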

References

Multinational Industrial Security Working Group. (2013, December 20). Cyber security incident report format. In International Programs Security Handbook, Defense Security Cooperation Agency, Department of Defense. http://www.discs.dsca.mil/documents/ips/AppJJ_062015.pdf

United States Computer Emergency Readiness Team (US-CERT). (n.d.). US-CERT incident reporting system. https://www.us-cert.gov/forms/report