Supporting Australian organisations
The Australian Signal’s Directorate’s Australian Cyber Security Centre’s (ASD's ACSC) incident management capabilities provide technical incident response advice and assistance to Australian organisations that have been impacted, or may be impacted by a cyber security incident.
This publication is intended for those individuals who may lead an organisation’s incident response, and provides guidance on:
- Reporting a cyber security incident to the ASD's ACSC
- What types of cyber security incidents should you report to the ASD's ACSC?
- What happens when you report?
- What further involvement you can expect from ASD's ACSC?
- What if you are contacted by the ASD's ACSC?
- How does reporting your incident helps others?
- The ASD's ACSC’s role in whole of government cyber security incident response
- Becoming an ASD Partner
Reporting a cyber security incident to the ASD's ACSC
What types of cyber security incidents should you report to the ASD's ACSC?
Cyber security incidents[1] can be reported to the ASD's ACSC via ReportCyber, or the Australian Cyber Security Centre Hotline on 1300 CYBER1 (1300 292 371).
Types of incidents you should report include, but are not limited to:
- Denial of service (DoS)
- Scanning and reconnaissance
- Intentional or malicious unauthorised access to network or device
- Data exposure, theft or leak
- Malicious code/malware
- Ransomware
- Phishing/spear-phishing (e.g. successful instances, those that may be part of a campaign, or originated from a compromised legitimate business email)
- Any other irregular cyber activity that causes concern.
Timeliness is an important factor when managing a cyber security incident, so the earlier you report the better. ASD's ACSC recommends that you report a potential incident as soon as it’s detected even if you suspect it to be a false alarm.
What happens when you report?
When you report, the ASD's ACSC will seek to establish the nature of the malicious cyber activity that has impacted your organisation. If you request support from the ASD's ACSC, we will provide you with immediate advice and assistance which may include:
- information on how to contain and remediate the incident
- intelligence and advisory products to assist you with your incident response
- linking you to Australian Government entities that may further support your response.
What ASD's ACSC may need from you when you report
ASD's ACSC is here to help your organisation respond to the technical aspects of the incident. To do so, ASD's ACSC may request that you share, where available, evidence of malicious activity. This can include:
- Logs
- Memory dumps
- Disk images
- Network traffic captures
- Network diagrams/documentation
- Indicators of compromise
- Samples of malware
- Other analysis or reporting products.
The ASD's ACSC can also discuss possible tools to assist with provision of these artefacts, along with a secure means to transfer them to the ASD's ACSC.
While these requests can seem resource intensive, the more information you can pass to the ASD's ACSC in a timely manner, the more effective our support to you will be. Remember that your reporting is crucial in helping protect others from cyber threats, and reports from other organisations can in turn help protect you.
Other questions the ASD's ACSC may ask
- Has there been an impact on business activities, provision of services, impact on clients, potential loss of data?
- Do you have a Cyber Incident Response Plan? Has this been implemented? And can this be shared?
- Who has primary responsibility for incident response in your organisation? What are their contact details?
- Do you have an up-to-date after-hours contact list for key personnel and external stakeholders?
- Are procedures in place to provide information and reporting to relevant parties during an incident?
- Do you have technical resources (including an incident response provider) readily available to investigate and mitigate an incident? Can you provide their contact details?
- What actions have been taken so far, why and how have you recorded this? What steps have been taken to contain the threat? Is the threat actor still on your systems?
- Do you have the ability to identify and isolate an affected workstation or system?
- What are your next steps for investigating and mediating this incident?
What further involvement can you expect from the ASD's ACSC?
Following the immediate incident response advice and assistance provided by the ASD's ACSC, we can also provide more hands-on assistance. The ASD's ACSC may:
- triage the incident to determine if there are more detailed actions to be undertaken. This could involve further communication with your organisation, understanding impact to the organisation, facilitating cyber threat intelligence and analysing indicators of compromise.
- if it assesses the incident is likely to cause significant impact to Australia or involves a sophisticated malicious actor, offer a more detailed approach that may include:
- An incident response resource to support your investigation
- A team of digital forensics specialists to support a comprehensive technical investigation
- Guidance on approaching public communications.
- work alongside you to liaise and coordinate technical briefings with other government agencies or industry partners to support your response. This could include the federal/state/territory government chief information security officers, federal law enforcement and international cyber partners. Although the ASD's ACSC coordinates these briefings, it does not equal ASD's ACSC endorsement of system hygiene or assurance.
- once the incident investigation is complete, depending on the responses provided, provide your organisation with information and reports to help you finalise your investigation.
- introduce you to different areas within the ASD's ACSC for additional support such as cyber resilience uplift activities, and if requested, assist you on how to contact the Department of Home Affairs or Australian Federal Police
Working with your commercial incident response provider
Where an organisation has engaged the services of an incident response provider, the ASD's ACSC will work collaboratively with them to establish the full nature and extent of your incident. This collective approach to sharing technical expertise, threat intelligence and capabilities strengthens and provides a more comprehensive investigation into the activity on your organisation’s network.
The success of this collaboration however, relies on your organisation’s authorisation to share information between the ASD's ACSC and your incident response provider.
What if you are contacted by the ASD's ACSC?
In some cases, the ASD's ACSC may notify you of a vulnerability, potential compromise or a confirmed compromise. Where possible we will provide you with this information, which is obtained through numerous trusted sources, or as a result of our own monitoring of the cyber threat environment. Our information may include:
- indicators of compromise
- compromised credentials
- ransomware precursor activity (i.e. from detection of malware or spear phishing activity)
- interactions between malicious infrastructure and Australian networks or devices
If you are an ASD Partner, ensure your contact details are up to date and you’ve registered “out of hours” contact details so we can contact you quickly.
Not sure if you’re talking to a genuine ASD's ACSC representative?
If you’re contacted by the ASD's ACSC, we will provide you with an incident/reference number. If you’re concerned about the legitimacy of a call from the ASD's ACSC, you can verify that you are speaking to a genuine ASD's ACSC representative by calling the Australian Cyber Security Hotline (1300CYBER1) and quoting your incident/reference number.
How does reporting your incident help others?
One of the ASD's ACSC's key strengths is our ability to aggregate and analyse information to produce a national cyber threat picture. We draw upon information gathered through ASD intelligence sources and crucially, the information provided by organisations and entities impacted by cyber incidents in Australia.
We use this understanding to assist with developing new and updated cyber security advice, capabilities, and techniques to better prevent and respond to evolving cyber threats. For example, anonymised information from your incident may be used to produce public communication products to help build whole of economy cyber resilience.
Products could include:
- Advisories published on the Partner Portal
- Alerts published on cyber.gov.au
- Quarterly Trends and Insights reports
- The ASD Annual Cyber Threat Report
Some anonymised technical details, such as indicators of compromise can also be shared via our Cyber Threat Intelligence Shared (CTIS) platform.
How the ASD's ACSC protects your privacy
The ASD's ACSC is subject to rules to protect the privacy of Australians under the Intelligence Services Act 2001. The ASD's ACSC’s staff are also trained to manage sensitive data, and adhere to principles of confidentiality and data protection.
The ASD's ACSC’s role in whole of government cyber security incident response
The ASD's ACSC is the Commonwealth lead for technical cyber incident response and advice for cyber security incidents. We also work closely with other partners including the National Cyber Security Coordinator and the Cyber Security Response Coordination Unit (CSRCU) within the Department of Home Affairs.
Data on the Dark web
As a result of a cyber security incident, if data has been exfiltrated from your system or your data has been released, who will support you?
- The ASD's ACSC will support you in containing the initial compromise.
- The Australian Federal Police (AFP) will support you through a criminal investigation into the perpetrator of the cybercrime.
- The Department of Home Affairs, through the CSRCU can support you to manage the consequences[2] to other Australian organisations as a result of the leaked data.
- The National Cyber Security Coordinator leads the coordination of responses to major cyber security incidents, including bringing together expertise and resources from across government and security agencies.
Remember, the ASD's ACSC is not a regulator. We will only use the information you provide for cyber security purposes.
Providing information to us may not itself meet the regulatory obligations that you may have with the Australian Government, except for your mandatory obligation to report cyber security incidents in accordance with s30BC and/or s30BD of the Security of Critical Infrastructure Act 2018. More information on reporting and compliance, including Mandatory Cyber Incident Reporting, can be found on the Cyber and Infrastructure Security Centre’s website: https://www.cisc.gov.au/compliance-and-reporting/overview.
Similarly, while the ASD's ACSC is not a law enforcement agency, we work closely with the AFP Cyber Command under the standing joint counter cybercrime Operation Aquila. If you refer your incident to the AFP for criminal investigation, we can work collaboratively with the AFP to support your investigation. ASD's ACSC can also assist you in engaging AFP Cyber Command support.
Becoming an ASD's ACSC Partner
As an ASD Network Partner you may be provided access to:
- threat intelligence, news and advice to enhance situational awareness
- collaboration opportunities
- resilience-building activities (e.g. exercises, discussions, workshops)
- the ASD's ACSC State and Territory network.
Review and apply ASD's ACSC advice alerts, advisories, Partner Portal products.
Sign up for the ASD's ACSC’s free cyber security services to reduce your exposure to threats–connect with ASD's ACSC through a click of a link on the Partner Portal.
Footnotes
[1] A cyber security incident is a single or series of unwanted or unexpected event(s) that impact the confidentiality, integrity or availability of a network or system or the information that it stores, processes or communicates.
[2] Consequence management relates to the second and subsequent order effects from cyber security incidents. It requires government and industry to work together to identify and mitigate the secondary harms that may result from a cyber incident.