UK UNCLASSIFIED

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to GCHQ on 01242 221491 x30306 or infoleg@gchq.gsi.gov.uk

Version 1.2 – 19-June-2013
GUIDELINES

Incident Response Guidelines

Executive Summary

Government Departments have a responsibility to report computer incidents under the terms laid out in the SPF, issued by Cabinet Office. This document seeks to provide guidance and advice on what must be reported to GovCertUK and what can be tipped to us without generating a "formal report" requirement.

There are 4 categories of activity:

• A - Concerted Targeted Attack: must be reported to GovCertUK
• B - Targeted Attack: must be reported to GovCertUK
• C - Non-Targeted: GovCertUK is to be tipped
• D - Other Reporting: GovCertUK is to be tipped

The categorisation is built primarily around whether the Department has been specifically targeted or not. GovCertUK must always be informed if a Department has been targeted specifically by a malicious actor.

Whilst this document is designed to help assess whether to notify GovCertUK of a computer security incident, all personnel can use their professional judgement when deciding whether to tip GovCertUK to those Events that may not reach the formal reporting threshold.

Situational Awareness and Victim Notifications

GovCertUK is an internationally recognised organisation and receives information from many sources. This information enhances GovCertUK's ability to maintain situational awareness across HMG and enables notifications of potential computer incidents to be sent to the relevant Departments.

Contacting GovCertUK

Telephone (24x7x365): +44 (0) 1242 709311
For Out Of Hours, phone the number above and leave a message. The On Call Duty Officer will be paged to return your call.
Website: http://www.govcertuk.gov.uk

                    UNCLASSIFIED                   RESTRICTED (GSi Only)
General Enquiries   enquiries@govcertuk.gov.uk     enquiries@govcertuk.gsi.gov.uk
Incidents           incidents@govcertuk.gov.uk     incidents@govcertuk.gsi.gov.uk

Information received is often limited in nature and tends to arrive after the event has occurred. GovCertUK will always seek to pass relevant, useful information to Departments as soon as practicable, to the nominated Incident Point(s) of Contact. Appendix B contains a few samples of the Victim Notifications that are sent out.

A component of Situational Awareness is not only what is happening from "outside" organisations but also what is happening within, which is not usually reported. Where Departments have information available on internal incidents, GovCertUK would like to request that anonymised versions be sent to our enquiries mailbox. A sample list of the information requested is in Appendix C.

Samples of Suspicious or Malicious Data

Samples, whether part of an incident or not, contribute to GovCertUK's knowledge of current issues across HMG and enable specific Alerts or Advisories to be formed and distributed to assist other Departments in identifying and mitigating malicious activity (whether email or malware). GovCertUK welcomes any samples of:

• suspicious emails, with mail headers where possible
• executables
• logs
• packet captures
• paste bin articles
• forum posts
• etc.

Any suspected or known-to-be-bad information can be sent to our samples mailbox (samples@govcertuk.gsi.gov.uk) inside a password protected zip file with the password "infected".
Reporting and Tipping

Traditionally, as part of GovCertUK's formal remit, Departments would make contact during a category A or B incident (see Appendix A). GovCertUK recognises that not all Events require formal reporting as incidents. Departments are able to "Tip" information to the enquiries mailbox that may be useful, or to request information to assist their own investigation into an event. A tip does not declare an Incident with GovCertUK; a ticket will be created purely for tracking purposes, in case the event escalates to an incident and so that the information can be data mined in the future. A ticket number is generated and should be used when enquiring about an incident.

Notification Period

It is accepted that during an incident the last task on an Incident Handler's mind is contacting GovCertUK. Whilst this is understandable, GovCertUK has access to a vast pool of information. During an incident GovCertUK may hold some useful information to assist the focus and targeting of your investigation and provide tactical IA advice.

Facts About GovCertUK

GovCertUK:

• does not maintain a "black book" of "repeat offenders"
• does not blacklist anyone if a report or tip results in "no further action"
• is not an audit or vetting body
• is here to help

Appendix A - Incident Categorisation

Category A
Definition:
• Incidents that are, or are suspected to be, a concerted, repeating, targeted effort causing harm to the confidentiality, integrity or availability of ICT systems or data
Actions:
• Phone on 24x7x365 to Tip and Seek Advice
• Interim Report within 24hrs
• Further Interim Reports as agreed with GovCertUK
• Full Report when practicable

Category B
Definition:
• Incidents that are, or are suspected to be, targeted attacks attempting to cause harm to the confidentiality, integrity or availability of ICT systems or data
• Incidents in relation to GSi, PSN, GCSx, xGSi, CJ*, GSX, GCX, PNN, N3, etc.
Actions:
• Tip GovCertUK via Phone
• Interim Report within 72hrs
• Full Report when practicable

Category C
Definition:
• Incidents that are likely to be non-targeted
• Instances where IT Teams have a "gut feeling" that behaviour is suspicious
Actions:
• Phone or Email to Tip

Category D
Definition:
• Events that are of a cryptographic nature, loss of laptops / media, protective marking breaches etc.
Actions:
• Report to the relevant body (CINRAS, ICO, Cabinet Office, etc.)
• Tip GovCertUK

Definitions used for this document

Alert – an atomic occurrence that has triggered a system or person to take notice
Event – a set of Alerts that are cause for some concern and need investigating
Incident – an Event or set of Events that have activated incident response activities or meet GovCertUK Category C or above

Whilst it may be possible that an incident could fall into multiple categories, the higher of the categories should take precedence. Note that declaring a specific category of incident does not stop it being re-categorised either up or down the scale as more information is discovered. There are no penalties or black marks for "miscategorising" incidents.