Introduction
Context
Australian organisations are continually targeted by malicious actors, with the Australian Signals Directorate (ASD) assessing that malicious cyber activity against Australia’s national and economic interests is increasing in frequency, scale and sophistication. As malicious actors become more adept, the likelihood and severity of cyber attacks is also increasing due to the interconnectivity and availability of information technology (IT) platforms, devices and systems exposed to the internet.
Managing responses to cyber security incidents is the responsibility of affected organisations. As such, all organisations should have a Cyber Security Incident Response Plan (CSIRP) to ensure an effective response and prompt recovery in the event that system controls do not prevent a cyber security incident from occurring. This plan should be regularly tested and reviewed.
To be effective, a CSIRP should align with organisations’ emergency, crisis and business continuity arrangements, as well as jurisdictional and national cyber and emergency arrangements. It should support personnel to fulfil their roles by outlining their responsibilities and all legal and regulatory obligations.
While organisations are responsible for managing cyber security incidents affecting their business, Australia’s Cyber Incident Management Arrangements outline the inter-jurisdictional coordination arrangements and principles when responding to national cyber security incidents.
Purpose
This guidance (which acts as a CSIRP Template) and the Cyber Security Incident Response Readiness Checklist (Appendix B) are intended to be used as a starting point for organisations to develop their own CSIRP and readiness checklists. Each organisation’s CSIRP and checklist will need to be tailored according to their own unique operating environment, priorities, resources and obligations.
In addition to a CSIRP, organisations can develop more detailed day-to-day processes and procedures to supplement the CSIRP. This could include detailed playbooks to aid in the response to common types of cyber security incidents, such as ransomware or data breaches, and Standard Operating Procedures (SOPs) to respond to cyber security incidents affecting specific assets.
Using this guidance
This guidance is designed to assist organisations in the development of their own CSIRP as part of cyber security incident response planning activities. As part of this guidance, a separate CSIRP Template is available for organisations to fill in with some fields containing example text for demonstrative purposes. Note, the CSIRP Template is not exhaustive. Each organisation’s CSIRP should be tailored according to their own unique operating environment, priorities, resources and obligations.
Acknowledgements
This guidance was created using multiple resources. ASD acknowledges the following resources used in its development:
- ASD Information Security Manual
- Australian Prudential Regulation Authority Prudential Practice Guide CPG 234 Information Security
- CSIRP Template developed by the Australian Energy Sector Readiness and Resilience Working Group in 2019, specifically with support from the Australian Energy Market Operator, Tasmanian Department of State Growth, the Victorian Government Department of Premier and Cabinet and ASD
- Queensland Government Incident Management Guideline
- Victorian Government Cyber Incident Management Plan and Cyber Incident Response Plan Template
- Cybersecurity & Infrastructure Security Agency Federal Government Cybersecurity Incident and Vulnerability Response Playbooks
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61 Rev. 2, Computer Security Incident Handling Guide
- International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27035-1:2023, Information technology – Information security incident management – Part 1: Principles and process
- ISO/IEC 27035-2:2023, Information technology – Information security incident management – Part 2: Guidelines to plan and prepare for incident response
- ISO/IEC 27035-3:2020, Information technology – Information security incident management – Part 3: Guidelines for ICT incident response operations.
Contact details
If you have any questions regarding this guidance you can write to us or call us on 1300 CYBER1 (1300 292 371).
Authority and review
Include information about the document owner, document reviewer, approver, version control and date of next review or other thresholds to review the CSIRP. For example, a CSIRP could be reviewed on a time bound basis, such as bi-annually or annually. A CSIRP could also be reviewed when implementing changes following a cyber security incident, a cyber security exercise or organisational shifts. Finally, a CSIRP could be reviewed following changes to relevant policies, plans, legislation, regulation or jurisdictional arrangements.
Document control and review
| Document Control | |
|---|---|
| Author | Person responsible for developing the CSIRP. |
| Owner | The risk owner or role responsible for enacting the CSIRP. |
| Date created | |
| Last reviewed by | |
| Last date reviewed | |
| Endorsed by and date | |
| Next review due date | |
Version control
| Version | Date of Approval | Approved By | Description of Change |
|---|---|---|---|
| 0.1 | 20/06/2022 | Action Officer | Initial Draft |
Purpose and objectives
Include the purpose and objectives of the CSIRP.
Purpose
To support a swift and effective response to cyber security incidents aligned with the organisation’s security and business objectives.
Objectives
- To provide guidance on the steps required to respond to cyber security incidents.
- To outline the roles, responsibilities, accountabilities and authorities of personnel and teams required to manage responses to cyber security incidents.
- To outline legal and regulatory compliance requirements for cyber security incidents.
- To outline internal and external communication processes when responding to cyber security incidents.
- To provide guidance on post cyber security incident activities to support continuous improvement.
Standards and frameworks
Include the relevant standards and frameworks used to inform the CSIRP.
- National standards and frameworks:
- State/Territory Government standards and frameworks
- New South Wales Government Cyber Security Incident Emergency Sub Plan
- Queensland Government Incident Management Guideline
- South Australian Government Cyber Security Incident Management
- Tasmanian Government Incident Management Cyber Security Standard
- Victorian Government Cyber Incident Management Plan
- Western Australian Government Cyber Security Incident Coordination Framework
- International standards and frameworks:
- NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide
- ISO/IEC 27035-1:2023, Information technology – Information security incident management – Part 1: Principles and process
- ISO/IEC 27035-2:2023, Information technology – Information security incident management – Part 2: Guidelines to plan and prepare for incident response
- ISO/IEC 27035-3:2020, Information technology – Information security incident management – Part 3: Guidelines for ICT incident response operations.
High level cyber security incident response process
Include a summary of the cyber security incident response process.
Common cyber security incidents and responses
Include commonly used terms and their definitions. A list of commonly used terms and definitions is provided at Appendix A.
Common threat vectors
Include a summary of common threat vectors.
| Type | Description |
|---|---|
| Attrition | An attack that employs brute force methods to compromise, degrade or destroy systems, services or networks (e.g. a Distributed Denial of Service intended to impair or deny access to a service or application; or a brute force attack against an authentication mechanism, such as passwords or digital signatures). |
| An attack executed via an email message or attachment (e.g. exploit code disguised as an attached document or a link to a malicious website in the body of an email message). | |
| External/Removable Media | An attack executed from removable media or a peripheral device (e.g. malicious code spreading to a system from infected removable media). |
| Impersonation | An attack involving replacement of something benign with something malicious (e.g. spoofing, person-in-the-middle attacks, rogue wireless access points and SQL injection attacks). |
| Improper usage | Any event resulting from the violation of an organisation’s acceptable usage policies by an authorised user (e.g. a user installs file sharing software, leading to the loss of sensitive data; or a user performs illegal activities on a system). |
Loss or theft of equipment
| The loss or theft of a computing device or media used by an organisation, such as a laptop, smartphone or authentication token. |
| Web | An attack executed from a website or web-based application (e.g. a cross-site scripting attack used to steal credentials or redirect to a site that exploits a web browser vulnerability and installs malware). |
| Other | An attack that does not fit into any of the above categories. |
Common cyber security incidents
Include a summary of common cyber security incident types and the initial response activities.
| Type/Description | Response |
|---|---|
| Data breach: Unauthorised access and disclosure of data. | |
| Denial of Service and Distributed Denial of Service: Overwhelming a service with traffic, sometimes impacting availability. | |
| Industrial Control System compromise: Unauthorised access to an Industrial Control System. | |
| Malware: A trojan, virus, worm or any other malicious software that can harm systems, services or networks. | |
| Phishing: Deceptive messaging designed to elicit users’ sensitive data (such as banking logins or business login credentials) or used to execute malicious code to enable remote access. | |
| Ransomware: A tool used to lock or encrypt victims’ files until a ransom is paid. |
Roles and responsibilities
Include details of the roles and responsibilities of core personnel and teams responsible for cyber security incident response and decision making. At a minimum, include the personnel responsible for receiving the initial notification, the operational level Cyber Security Incident Response Team (CSIRT) and the strategic level Senior Executive Management Team (SEMT).
All personnel listed should be familiar with their responsibilities in the CSIRP and have practise their response.
Points of contact for reporting cyber security incidents
Include details about primary and secondary internal points of contact for personnel or stakeholders to report cyber security incidents to over a 24/7 period.
| Name | Availability | Contact Details | Role/Title | Responsibilities |
|---|---|---|---|---|
| On-call point of contact |
|
Cyber Security Incident Response Team
Include details of the CSIRT personnel responsible for managing responses to cyber security incidents. The composition of the CSIRT will vary depending on the size of an organisation and available skills and resources.
Include details of any 3rd party vendors that provide or manage systems, services and/or networks. If applicable, include details of external cyber security incident response providers and the services they provide.
| Name | Availability | Contact Details | Role/Title | Responsibilities |
|---|---|---|---|---|
| Cyber Security Incident Manager |
| |||
| Deputy Cyber Security Incident Manager |
| |||
| Security Manager |
| |||
| Cyber Security Incident Responder |
| |||
| Communications, Engagement and Media Advisor |
|
Other CSIRT roles could include system administrators, network engineers, change managers, internal auditors, legal advisors, finance and procurement specialists, and administration and recording keeping personnel.
Surge arrangements
Include process for implementing surge arrangements, the resources involved in those arrangements and thresholds for triggering those surge arrangements. Surge arrangements can include, but are not limited to people, hardware, software and financial resources.
Senior Executive Management Team
Significant cyber security incidents may require the formation of the SEMT to provide strategic oversight, direction and support to the CSIRT, with a focus on:
- strategic issues identification and management
- stakeholder engagement and communications (including Board and ministerial liaison, if applicable)
- resource and capability demand (including urgent logistics or finance requirements, and human resources considerations during response effort).
Include details of the SEMT responsible for managing responses to cyber security incidents. The composition and roles of the SEMT may vary depending on the cyber security incident impact and size and structure of an organisation, as some roles may not be relevant or multiple roles may be held by the same individual.
| Name | Availability | Contact Details | Role/Title | Responsibilities |
|---|---|---|---|---|
| Chief Executive Officer |
| |||
| Chief Information Officer |
| |||
| Chief Information Security Officer |
| |||
| Chief Operating Officer |
| |||
| Chief Financial Officer/Procurement Manager |
| |||
| Legal Council |
| |||
| Media and Communications Manager |
| |||
| People and Culture Manager |
|
Roles and responsibilities
Include a diagram picturing the relationship between the key personnel and teams involved in cyber security incident response. For example, the below diagram is taken from the Queensland Government Incident Management Guideline.
Communications
Include the process for managing internal and external communications. Be prepared to:
- support the CSIRT and SEMT communications requirements
- respond to potential increases in internal and external enquiries or complaints about the cyber security incident or the effects, with common questions including:
- How will the customer helpdesk manage enquiries and be supported?
- How will the IT helpdesk (or equivalent) manage enquiries and be supported?
- What communication channels are available to affected customers (e.g. telephone hotline, information on the website or social media)?
- communicate externally about the cyber security incident, including to the public and the media:
- Who has the primary responsibility for authorising and speaking on behalf of the organisation? How will this person be supported?
- Who has responsibility for producing and approving information for release to the public and media?
- monitor news media, social media and other forms of media and use it to support communications.
Include details for backup communication channels to communicate with stakeholders and customers.
Internal communications
Include the process and expected timeframes to communicate relevant cyber security incident information to personnel (for example, system users, customer service teams, senior executives and the Board).
In internal messaging, consider how to inform personnel about the cyber security incident and support business continuity. Consider providing:
- a brief summary of the cyber security incident and business impact
- actions currently being undertaken to resolve the cyber security incident
- actions personnel can take to assist
- business continuity options for personnel who are affected by the cyber security incident
- messaging for external stakeholders
- key points of contact for enquiries
- expected timeframes for further updates.
External communications
Include the process and timeframes to communicate relevant cyber security incident information to external stakeholders and customers.
Depending on the impact and severity of the cyber security incident, it may be necessary to communicate with:
- stakeholders required to support with cyber security incident response activities such as government bodies, third party cyber security incident response, law enforcement, insurance providers and/or sector organisations
- the media and customers seeking information about the cyber security incident, such as the general public, government bodies, clients, shareholders, suppliers and/or sector organisations.
In external messaging, consider how to inform external stakeholders and customers about the cyber security incident based upon their role or interest. Consider:
- information they need to know:
- systems, services or networks affected
- steps being taken to resolve the cyber security incident
- who is supporting cyber security incident remediation activities
- any options or actions for stakeholders affected by the cyber security incident to take
- key points of contact for enquiries
- expected timeframes for further updates.
Consider supporting requests for information from interested sector and government bodies following the cyber security incident for the purpose of information sharing and learning from the experience.
Supporting procedures and playbooks
Supporting procedures
Include a list of SOPs developed to support cyber security incident response, and their physical and electronic locations. Examples of SOPs are:
- event detection, triage and analysis
- post cyber security event/incident detection or notification
- cyber security incident detection, investigation and analysis
- cyber security incident containment, remediation and recovery
- Communications Plan (internal and external)
- Emergency Management Plan
- Crisis Management Plan
- Business Continuity Plan
- Disaster Recovery Plan.
Supporting playbooks
Playbooks are documents that are intended to contain easy to follow instructions to assist in ensuring all appropriate steps are taken when responding to specific types of cyber security incidents. Include a list of playbooks and their physical and electronic locations. Example cyber security incidents that may have a playbook are:
- Cyber Security Incident Response Playbook – Phishing
- Cyber Security Incident Response Playbook – Data Breach/Theft
- Cyber Security Incident Response Playbook – Malware
- Cyber Security Incident Response Playbook – Ransomware
- Cyber Security Incident Response Playbook – Denial of Service.
Sector, jurisdictional and national cyber security incident response arrangements
Include information about the relevant sector, state and/or territory and national arrangements for cyber security incident related activities, including, but not limited to, notification, reporting and/or seeking additional support.
The CSIRP could include a process chart of when to report cyber security incidents to relevant government bodies and/or seek assistance.
Sector arrangements
Include information about the relevant sector arrangements and the process for implementing these arrangements.
Jurisdictional arrangements
Each state/territory jurisdiction has its own cyber security incident response arrangements. Organisations should contact the relevant government body in their jurisdiction to understand the arrangements that apply.
Include information about the process for reporting to and/or seeking assistance from state/territory law enforcement.
National arrangements
Include information about the process for reporting to and/or seeking assistance from Federal Government bodies. For example, Australia’s Cyber Incident Management Arrangements outline the inter-jurisdictional coordination arrangements and principles when responding to national cyber security incidents.
Examples of potential national cyber security incidents include:
- an organisation with links across multiple jurisdictions being compromised through a cyber security incident
- malicious cyber activity affecting critical national infrastructure where the consequences have the potential to cause sustained disruption of essential services or threaten national security
- malicious cyber activity where the cause and potential extent of its geographic impact is uncertain
- a large-scale breach of sensitive data affecting persons or organisations in multiple jurisdictions.
ASD leads the Australian Government’s response to cyber security incidents. For information on how to report cyber security incidents to ASD, and to seek advice and assistance, visit ASD’s reporting website. Note, cyber security incidents reported to ASD by organisations may be protected under the limited use obligation. Under the limited use obligation, any information voluntarily provided to ASD about cyber security incidents or vulnerabilities cannot be used for regulatory purposes.
Appendix C lists some of the common triage questions ASD will use to assess the severity of a reported cyber security incident.
Cyber security incident notification and reporting
Include internal and external processes for cyber security incident notification and reporting. Consider sector, state/territory and national cyber security incident notification and reporting obligations.
Include details about who is responsible for cyber security incident notification and reporting to external entities.
| Type | Organisation to Notify | Reporting Contact Details | Key Reporting Requirements | Reporting Personnel |
|---|---|---|---|---|
| Ransomware | ASD | https://www.cyber.gov.au/about-us/about-asd-acsc/contact-us | https://www.cyber.gov.au/report-and-recover/report | Chief Information Security Officer (CISO) |
| Data breach | Office of the Australian Information Commissioner (OAIC) | https://www.oaic.gov.au/contact-us | https://www.oaic.gov.au/privacy/notifiable-data-breaches/report-a-data-breach | CISO |
Legal and regulatory requirements
Include details about any legal and regulatory obligations, such as contractual and legislative reporting requirements. Work with any compliance and legal personnel to ensure the CSIRP covers all relevant requirements, noting that different cyber security incidents may require different or multiple legal and regulatory responses.
The CSIRP could include a process chart of when to report cyber security incidents to relevant government bodies, regulators and other external parties.
Insurance
Include relevant details about any insurance policies for cyber security incidents.
Detection, investigation, analysis and activation
Include the decision making framework for activating the CSIRP.
Detecting cyber security incidents
Cyber security incidents could be detected in several ways, including, but not limited to:
- self-detected (e.g. via Intrusion Detection and Prevention Systems)
- notifications received from service providers or vendors
- notifications received from trusted third parties, such as ASD.
Cyber security incident classification
Include the framework and decision making process for classifying a cyber security incident. This can assist with prioritising resources. Classification factors could include:
- effects of the cyber security incident (confidentiality, integrity and availability of systems and their resources)
- stakeholders affected (internal and external)
- cyber security incident type
- impact on the business and community.
| Classification | Description |
|---|---|
| Critical |
|
| High |
|
| Medium |
|
| Low |
|
For information about the ASD Cyber Security Incident Categorisation Matrix see Appendix K.
Cyber Security Incident Response Team activation
Include the decision making framework for activating the CSIRT. This could align with the cyber security incident classification framework. Note, some smaller cyber security incidents may be manageable without activation of the CSIRT.
Logistics and communications
Include core logistical and communications protocols and mechanisms used to support cyber security incident response. For example:
- operations room/security operations centre (SOC) location and setup
- equipment required for offsite cyber security incident response
- communications technologies such as phone/teleconference/online dial-in details and out-of-band communications (e.g. Slack or other similar applications).
Investigation questions
To guide cyber security incident response efforts, and understanding of the scope and impact of the cyber security incident, develop a list of investigation questions. Note, not all questions may be answerable with the data available and questions may change as investigations progress.
Possible investigation questions include:
- What was the initial intrusion vector?
- What post-exploitation activity occurred? Have accounts been compromised? What level of privilege was involved?
- Does the malicious actor have persistence on systems, services or networks?
- Is lateral movement suspected or known? Where has the malicious actor laterally moved to and how?
- How is the malicious actor maintaining command and control?
- Has data been accessed or exfiltrated and, if so, what kind of data?
Escalation and de-escalation
Include the escalation and de-escalation triggers and/or thresholds and decision making authorities.
| Classification | Action | Triggers/Thresholds for Escalation and De-escalation | Minimum Level of Authority |
|---|---|---|---|
| Critical | De-escalation to High | ||
| High | Escalation to Critical | ||
| De-escalation to Medium | |||
| Medium | Escalation to High | ||
| De-escalation to Low | |||
| Low | Escalation to Medium |
Containment, evidence collection and remediation
Containment
Containment actions are implemented in order to minimise damage, prevent the cyber security incident from spreading or escalating, and prevent malicious actors from destroying evidence.
When planning containment actions, consider:
- any additional impacts there could be to systems, services or networks
- time and resources required to contain the cyber security incident
- effectiveness of the containment solution (e.g. partial vs full containment)
- duration that the containment solution will remain in place (e.g. temporary vs permanent solution).
Documentation
Include processes and procedures for documenting the cyber security incident, including responsible personnel and timeframes. Refer to Appendix D for a Situation Report Template and Appendix E for a Cyber Security Incident Log Template.
Situation Reports may contain the following information:
- cyber security incident date and time
- status of the cyber security incident
- cyber security incident type and classification
- cyber security incident scope and impact
- cyber security incident severity
- external assistance required
- actions taken to resolve the cyber security incident
- contact details for key CSIRT personnel
- date and time of the next update.
Evidence collection and preservation
Include processes and procedures for collecting, preserving, handling and storing evidence, including responsible personnel and timeframes. As this can be complex, if necessary, seek advice from digital forensic professionals, legal advisors or law enforcement.
When gathering evidence, maintain a detailed log that clearly documents how all evidence has been collected. This should include who collected or handled the evidence, the time and date (including time zone) evidence was collected and handled, and the details of each item collected (including the physical location, serial number, model number, hostname, media access control [MAC] address, Internet Protocol [IP] address and hash values). See Appendix F for a template.
Examples of commonly collected evidence include:
- hard drive/host images
- network packet captures and flows
- IP addresses
- log files
- network diagrams
- configuration files
- databases
- investigation notes
- screenshots
- social media posts
- close-circuit television, video and audio recordings.
Remediation Action Plan
Include processes and procedures for developing and implementing a Remediation Action Plan to resolve the cyber security incident following successful containment and evidence collection. See Appendix G for a template.
When developing the Remediation Action Plan, consider:
- What actions are required to resolve the cyber security incident?
- What resources are required to resolve the cyber security incident (if not already included in the CSIRT)?
- Are there additional external resources required?
- Who is responsible for remediation actions?
- What systems, services or networks should be prioritised?
- What systems, services or networks will be affected during the remediation process?
- How will these systems, services or networks be affected?
- What is the expected resolution time?
Recovery
Include processes and procedures for developing, authorising and executing an agreed Recovery Plan.
The Recovery Plan should detail the approach to recovering IT and/or operational technology (OT) systems, services and networks once containment and remediation is complete.
When developing the Recovery Plan, consider:
- How will systems, services and networks be restored to normal operation and in what timeframe?
- How will systems, services and networks be monitored to ensure they are no longer compromised and are functioning as expected?
- How will identified vulnerabilities be managed to prevent similar cyber security incidents from occurring in the future?
Stand down
Include decision making processes and procedures for standing down the CSIRT and SEMT.
Include the processes and procedures for completing a Cyber Security Incident Report, including responsible personnel and timeframes. Consider creating a Cyber Security Incident Report Template as an appendix to the CSIRP.
Learn and improve
Include an approach to capture lessons learn from the cyber security incident.
Post cyber security incident review
A post cyber security incident review is a detailed review conducted after an organisation has experienced a cyber security incident. It can include a hot debrief which is held immediately after an organisation has recovered its systems, services or networks from a cyber security incident and/or a formal debrief held after the Cyber Security Incident Report has been completed, such as within two weeks.
Key questions to consider during a post cyber security incident review include:
- What were the root causes of the cyber security incident?
- Could the cyber security incident have been prevented? How?
- What worked well in the response to the cyber security incident?
- How could our response be improved for future cyber security incidents?
Refer to Appendix H for more detailed questions to consider in post cyber security incident reviews.
Recommendations that arise from the review can be documented in a corresponding Action Register. Refer to Appendix I for an Action Register Template.
PPOSTTE model
The PPOSTTE model can assist in reflecting on key elements of the cyber security incident response:
- People: Roles, responsibilities, accountabilities, skills.
- Process: Plans, policies, procedures, protocols, processes, templates, arrangements.
- Organisation: Structures, culture, jurisdictional arrangements.
- Support: Infrastructure, facilities, maintenance.
- Technology: Equipment, systems, standards, security, inter-operability.
- Training: Qualifications/skill levels, identification of required courses.
- Exercise management: Exercise development, structure, management, conduct.
Update and test Cyber Security Incident Response Plan
The post cyber security incident review may result in changes to the CSIRP, playbooks and templates. Changes should be communicated to the relevant personnel.
Significant changes may require the CSIRP, playbooks and templates to be tested. Regular testing is important to ensure these documents remain current and are familiar to relevant personnel. Testing methods could include tabletop exercises or functional exercises.
Training
Include training activities, and associated support, required for personnel to effectively undertake their roles when responding to a cyber security incident.
The post cyber security incident review may identify additional specialised training for personnel involved in cyber security incident response or general cyber security awareness training for all personnel.
Appendix A – Terminology and definitions
Use of consistent and pre-defined terminology to describe cyber security incidents and their effects can be helpful as part of cyber security incident response planning.
Cyber threat
A cyber threat is any circumstance or event with the potential to harm systems or data.
Examples of cyber threats include (but are not limited to):
- business email compromise
- cybercrime
- cyber supply chain compromise
- exploitation of vulnerabilities
- phishing emails and scams
- ransomware.
Cyber security alert
A cyber security alert is a notification generated in response to a deviation from normal behaviour. Cyber security alerts are used to highlight cyber security events.
Cyber security event
A cyber security event is an occurrence of a system, service or network state indicating a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security.
Examples of cyber security events include (but are not limited to):
- a user has disabled the antivirus on their computer
- a user has deleted or modified system files
- a user restarted a server
- unauthorised access to a server or computer.
Cyber security incident
An unwanted or unexpected cyber security event, or a series of such events, that either has compromised business operations or has a significant probability of compromising business operations.
Examples of cyber security incidents include (but are not limited to):
- denial-of-service attacks
- unauthorised access or attempts to access a system
- compromise of sensitive data
- virus or malware outbreak (including ransomware).
Appendix B – Cyber Security Incident Response Readiness Checklist
This checklist is provided to aid the initial assessment of an organisation’s readiness to respond to a cyber security incident. This checklist is not an exhaustive list of all readiness activities.
| PREPARATION | |
|---|---|
| ☐ | Your organisation has a cyber security policy or strategy that outlines your organisation’s approach to prevention, preparedness, detection, response, recovery, review and improvement. For example, your organisation has a position on not paying ransoms, reporting cyber security incidents to government, publicly acknowledging cyber security incidents, and sharing information about cyber security incidents with trusted industry and government partners. |
| ☐ | A CSIRP has been developed which:
|
| ☐ | Personnel involved in managing cyber security incidents have received cyber security incident response training. |
| ☐ | Up-to-date hard copy versions of the CSIRP and playbooks are stored in a secure location (in case of electronic or hardware failure) and are accessible to authorised personnel. |
| ☐ | Specific playbooks to supplement the CSIRP have been developed and define step-by-step guidance for response actions to common cyber security incidents. |
| ☐ | A CSIRT and SEMT, or equivalents, have been identified to manage any responses to cyber security incidents. |
| ☐ | All relevant IT and OT SOPs are documented and have been reviewed or tested in an exercise to ensure they are current and responsible personnel are aware of their roles and responsibilities. |
| ☐ | Arrangements for service providers, including cloud and managed services, to provide and retain logs have been established and tested to ensure they include useful data which can be provided in a timely manner. |
| ☐ | Log retention mechanisms for critical systems, services and networks have been adequately configured and tested to ensure that they capture useful data. |
| ☐ | Your organisation has internal or third party arrangements and capabilities to detect and analyse cyber security events/incidents. If these capabilities are outsourced, your organisation has an active service agreement/contract. |
| ☐ | Critical assets (systems, services and networks) have been identified and documented. |
| ☐ | SOPs have been developed, and roles and responsibilities assigned, for use of facilities and communications technologies in response to cyber security incidents, and these resources are confirmed as available. This includes for alternative/backup IT-based communication channels. |
| ☐ | Cyber security incident logging/records and tracking technologies used to manage any response to cyber security incidents are confirmed as available and have been tested. |
| ☐ | Role cards have been developed for personnel involved in the CSIRT and the SEMT. |
| ☐ | Your organisation has internal or third party arrangements and capabilities to monitor cyber threats. Situational awareness information is collected from internal and external data sources, including:
|
| DETECTION, INVESTIGATION, ANALYSIS AND ACTIVATION | |
| SOPs have been developed, and roles and responsibilities assigned, for: | |
| ☐ | Detection mechanisms which can be used to identify cyber security events/incidents, such as scanning, sensor and logging mechanisms. These mechanisms require monitoring processes to identify unusual or suspicious activity commensurate with the potential impact of a cyber security incident. Common monitoring techniques include:
|
| ☐ | Cyber security incident detection, including self-detected cyber security incidents, notifications received from service providers or vendors, and notifications received from trusted third parties (e.g. ASD). |
| ☐ | Cyber security incident analysis, including how cyber security incidents are to be categorised, classified and prioritised, and controls related to how data is stored and transmitted. |
| ☐ | Activating a CSIRT to manage cyber security incidents, with roles and responsibilities assigned. |
| ☐ | Activating a SEMT to manage cyber security incidents, with roles and responsibilities assigned. |
| CONTAINMENT, EVIDENCE COLLECTION AND REMEDIATION | |
| ☐ | SOPs, playbooks and templates have been developed, and roles and responsibilities assigned, for containment, evidence collection and remediation. |
| ☐ | A secure location is available for storing data captured during cyber security incidents, which could be used as evidence of the malicious actor’s tradecraft, and is ready to be provided to third-party stakeholders if requested. |
| COMMUNICATIONS | |
| ☐ | SOPs, playbooks and templates have been developed to support communicating with internal and external stakeholders. |
| ☐ | SOPs, playbooks and templates for media and communications professionals have been developed, and roles and responsibilities assigned, to support public and media messaging. |
| ☐ | You organisation has assigned a public and media spokesperson who is supported by technical subject matter experts. |
| ☐ | Personnel have been trained to implement communications processes and execute their roles and responsibilities. |
| ☐ | All personnel are cognisant of your organisation’s policy, and their responsibilities, when a cyber security incident occurs (e.g. exercising discretion, using approved talking points, referring enquiries to the designated public and media spokesperson). |
| CYBER SECURITY INCIDENT NOTIFICATION AND REPORTING | |
| ☐ | Processes and procedures are documented to support your organisation to meet its legal and regulatory requirements on cyber security incident notification and reporting with roles and responsibilities within your organisation assigned. This includes the processes for obtaining authority to release and share information. |
| ☐ | Processes and procedures are documented for communicating with any cyber insurance providers. |
| POST CYBER SECURITY INCIDENT REVIEW | |
| ☐ | Processes are procedures are documented to support post cyber security incident reviews following the resolution of cyber security incidents, with Post Cyber Security Incident Review Reports submitted to management for endorsement. |
| ☐ | Processes and procedures are documented to ensure actions following cyber security incidents and/or exercises are tracked and completed (e.g. within an Action Register). |
Appendix C – ASD cyber security incident triage questions
Where applicable, personnel reporting cyber security incidents to ASD on behalf of their organisation should try to have information available to answer the following questions:
- Who is reporting the cyber security incident? (e.g. CISO, SOC Manager)
- Who/what is the affected organisation/entity?
- What type of cyber security incident is being reported? (e.g. ransomware, denial of service, data breach, malware)
- Is the cyber security incident still active?
- When was the cyber security incident first identified?
- Is reporting for ASD awareness or is ASD assistance required?
- If ASD assistance is required, what assistance is required?
- What type of system, service or network has been affected?
- What was observed (e.g. the sequence of events)?
- date/time
- effect/event
- Who or what identified the problem?
- Has a data breach occurred?
- What type of data was exposed?
- What volume of data was exposed?
- What impact will this have on your organisation?
- What impact (if any) will the data breach have on public safety or services?
- Was it a misconfiguration/error, or was a malicious exfiltration or theft of data identified?
- If applicable under the Notifiable Data Breaches scheme, has it been reported to the OAIC?
- What actions have been taken to rectify the issue?
- Are internal or external cyber security incident response providers involved?
- Are business as usual operations interrupted? If so, how long before operations will be back to normal?
- Will information about the cyber security incident be communicating publicly (e.g. with customers and/or the media)?
- If so, please notify ASD beforehand if you will be referencing ASD.
Appendix D – Situation Report Template
| Date of Entry: | Time of Entry: | Author: |
|---|---|---|
| Date/time cyber security incident was detected | ||
| Current cyber security incident status | New, In Progress, Resolved | |
| Cyber security incident type | ||
| Cyber security incident classification | Critical, High, Medium, Low | |
| Cyber security incident scope | List the affected systems, services and/or networks; highlight any change to scope since the previous log. | |
| Cyber security incident impact | List the affected stakeholder(s); highlight any change in impact since the previous log entry. | |
| Cyber security incident severity | Outline the impact of the cyber security incident on your organisation(s) and public safety or services; highlight any change to severity since the previous log entry. | |
| Notifications Actioned/Pending | What other organisations need to be notified? (e.g. ASD, law enforcement, OAIC, customers, media) | |
| Assistance required | What assistance is required from other organisations? (e.g. ASD, law enforcement) | |
| Actions being taken to resolve the cyber security incident | ||
| Additional notes | ||
| Contact details for the cyber security incident manager (and others if required) | ||
| Date and time of the next update |
Appendix E – Cyber Security Incident Log Template
| Date/Time | Notes (relevant facts, decisions, rationale) |
|---|---|
| 20220330 – 0835hrs | SOC identified phishing that resulted in the successful deployment of ransomware to the system. |
| 20220331 – 1455hrs | CSIRT collected forensic artefacts (listed in the Evidence Register). An initial investigation has assessed the cyber security incident as ‘High’. The following systems are currently offline: ... |
| 20220401 – 1150hrs | SEMT voted to escalate the cyber security incident to ‘Critical’. Next actions were agreed to as follows: … |
Appendix F – Evidence Register Template
| Date/Time and Location of Collection | Collected by (name, title, contact and phone number) | Item Details (quantity, serial number, model number, hostname, MAC address, IP addresses and hash values) | Storage Location and Label Number | Access |
|---|---|---|---|---|
20220402 – 1200hrs – Head Office | Jane Doe – CSIRT – Contact Details | 1 x disk and memory image, XYZ Desktop, ABC Model Number, IP ###.###.###.###, ... | Stored on hard drive asset number ####, in IT Security Office and on network drive H:\... | CSIRT team, law enforcement, ASD |
Appendix G – Remediation Action Plan Template
| Date/Time | Category (Contain, Eradicate, Recover) | Action | Action Owner | Status (Unallocated, In Progress, Closed) |
|---|---|---|---|---|
| 20220425 – 0900hrs | Contain | Isolated hosts identified as infected per CSIRT investigation. | CSIRT Team Leader | In Progress |
Appendix H – Post cyber security incident reviews
A post cyber security incident review is a detailed review conducted after an organisation has experienced a cyber security incident. The content of the review will vary for each organisation, but primarily focuses on establishing learnings and providing recommended actions to mitigate future cyber security incidents. The purpose of this guide is to provide organisations that have experienced a cyber security incident with tools and techniques to conduct a post cyber security incident review.
How to use this guide
This guide contains high level steps recommended for organisations to follow after experiencing a cyber security incident. The guide should be used as a resource, and will need to be further tailored by organisations to suit their individual requirements. The templates provided are generic and will need to be tailored to suit specific organisational requirements.
Post cyber security incident review steps
Step 1 – Hold cyber security incident debriefs
Post cyber security incident debriefs are useful for capturing observations from personnel directly involved in managing a cyber security incident and identifying actions to improve how their organisation managed its response, as well as how the cyber security incident could have been prevented. There are two types of debriefs organisations may hold after experiencing a cyber security incident: a hot debrief and a formal debrief (also known as a cold debrief).
A hot debrief is held immediately after an organisation has recovered its systems, services or networks from a cyber security incident. The benefits of holding a hot debrief include:
- the team involved in responding to the cyber security incident can provide instant feedback and lessons learned
- any urgent issues identified during the cyber security incident can be addressed immediately
- personnel involved in the cyber security incident are more likely to recall information and detail as it is still fresh in their minds.
A formal debrief is held days to weeks after an organisation has recovered its systems, services or networks from a cyber security incident. The benefits of holding a formal debrief include:
- it provides an opportunity to discuss the cyber security incident in detail after it is resolved to gather key insights, learnings and opportunities for improvement
- it provides time between the cyber security incident and debrief allowing emotions to settle, particularly for stressful cyber security incidents
- it ensures all key personnel required for discussions are present, especially senior management who will need to drive the implementation of actions.
Hot debrief guidance
Time
30 minutes – 1 hour.
Aim
The aim of the hot debrief is to review the cyber security incident, receive feedback on personnel observations and insights, and identify any urgent issues requiring immediate action.
Participants
The hot debrief should be led by a facilitator (such as a manager who was involved during the cyber security incident) and supported by a scribe whose role is to document attendance, key insights and immediate actions. It is recommended that hot debrief participants include all personnel involved during the detection, response and recovery phases of the cyber security incident, with upper management excluded (e.g. Chief Executive Officers and General Managers). This will ensure personnel involved in the cyber security incident can speak openly without fear of repercussion.
Content
The facilitator could guide discussion using the following questions:
- What went well?
- What could we do differently next time to improve?
- What action has been taken to remediate immediate risk?
- Are there any further issues that require immediate resolution?
Note, it is essential for the facilitator to remain objective during the discussion, and treat the cyber security incident as a learning point for all involved, without attributing blame to an individual or team.
Conclusion
At the end of the hot debrief, the facilitator should provide a summary of the discussions to participants who can confirm whether the key issues and actions were captured. The facilitator should explain the next steps and the expected timeframes for these.
Formal debrief guidance
Time
1–2 hours.
Aim
The aim of the formal debrief is to review the cyber security incident, validate what worked, and produce actions and assigned responsibilities to improve current arrangements.
Participants
The formal debrief should be led by a facilitator who asks key questions, supported by a scribe to document attendance, key insights and actions.
It is recommended that formal debrief participants include:
- technical personnel who were involved in detecting, responding to and resolving the cyber security incident
- non-technical personnel who were involved during the cyber security incident
- communications/media personnel involved in the cyber security incident.
Content
Questions to consider in the formal debrief can be found in the Post Cyber Security Incident Review Analysis Template. The facilitator can use this guidance to lead the conversation with the participants while the scribe documents the discussion directly into the template. The scribe can also use the Action Register Template to document any actions resulting from the discussion.
Conclusion
At the end of the debrief, a decision should be made about whether additional discussions are required, or if finalisation of the cyber security incident documentation can be completed. If email correspondence is selected to disseminate the documentation, an action officer will need to be identified for completing them and circulating them to staff for endorsement.
Step 2 – Complete cyber security incident documentation
Based on the findings of the debriefs, the action officer should complete a draft of the Post Cyber Security Incident Review Analysis and the Action Register and circulate them to the personnel involved in the debrief for their feedback and endorsement. Note, it is important that the Action Register details an assigned lead (action officer) for closing out each action.
Once feedback is received and incorporated, documentation should be sent to an executive staff member (e.g. a Chief Executive Officer or General Manager) for endorsement. The executive staff member may advise their expectations on the frequency of progress reporting of agreed actions and nominate a person to lead tracking and reporting.
Step 3 – Cyber security incident tracking and reporting
The identified actions should be tracked and reported at agreed frequencies.
Post Cyber Security Incident Review Analysis Template
| CYBER SECURITY INCIDENT SUMMARY | |
|---|---|
| Cyber security incident name | |
| Date of cyber security incident | dd/mm/yyyy |
| Cyber security incident priority | Low/Medium/High Established from the impact and/or risk to the business. |
| Time cyber security incident occurred | |
| Time cyber security incident was resolved | |
| Cyber security incident type | |
| Personnel involved | Names of the individuals involved in resolving the cyber security incident and their functions(s), including any service providers. |
| Cyber security incident impact | What impact did the cyber security incident have (e.g. loss of systems, services or networks). |
| Brief summary | What happened? |
Cyber security incident analysis
Cyber security incident analysis is broken into the following categories:
- Timeline: Summary of what happened and when. Provides high level areas for improvement.
- Protection: Identifies the control mechanisms that were in place at the time of the cyber security incident and their effectiveness. Establishes how to improve the protection of systems, services and networks.
- Detection: Establishes how to reduce the time to identify a cyber security incident. Addresses what detection mechanisms were in place and how those mechanisms could be improved.
- Response: Identifies improvements for the cyber security incident response.
- Recovery: Addresses improvements for cyber security incident recovery.
| TIMELINE | |
|---|---|
| Date and time of detection | |
| When was the cyber security incident acknowledged? | When did the organisation identify that a cyber security incident was occurring? |
| Date and time of cyber security incident response | |
| Date and time of cyber security incident recovery | |
| Who discovered the cyber security incident first and how? | Or who was alerted to it first? How did the discovery or alert happen? |
| Was the cyber security incident reported externally? If yes, when? | For example, did the organisation report it to ASD or the OAIC? |
| Who supported resolving the cyber security incident? When did they provide support? | List the names of personnel involved in resolving the cyber security incident and the time (and date if not all on the same day) they joined in. |
| What activities were conducted to resolved the cyber security incident? When were they conducted and what was their impact? | It is easier to do this in a list. For example: Time > Task > Impact. |
| PROPOSED ACTIONS | Detail any resulting actions that can be incorporated into the Action Register. Brief description of action > Proposed Action Officer. |
| PROTECTION | |
| What controls were in place that were expected to stop a cyber security incident similar to this? | |
| How effective were those controls? | Did they work? Why/why not? How could they be improved? |
| Are there other controls considered better for protecting against a similar cyber security incident? | What are they? |
| What business processes and procedures were in place to prevent this type of cyber security incident from occurring? | |
| How effective were those business processes and procedures? | Did they work? Why/why not? How could they be improved? |
| Any other findings and/or suggestions for improvement? | See the PPOSTTE model for guidance. |
| PROPOSED ACTIONS | Detail any resulting actions that can be incorporated into the Action Register. Brief description of action > Proposed Action Officer. |
| DETECTION | |
| How was the cyber security incident detected? | How did the organisation know a cyber security incident was happening? |
| What controls were in place to detect the cyber security incident? | |
| Were those controls effective? | Did they work? Why/why not? How could they be improved? |
| Are there any ways to improve the ‘time to detection’? | How could the organisation reduce that time? |
| Are there any indicators that can be used to detect similar cyber security incidents in the future? | |
| Are there any additional tools or resources that are required in the future to detect similar cyber security incidents? | Is there anything from a detection perspective that would help mitigate future cyber security incidents? |
| Any other findings and/or suggestions for improvement? | What activities worked well? What activities did not work so well? What could be changed with hindsight? See the PPOSTTE model for guidance. |
| PROPOSED ACTIONS | Detail any resulting actions that can be incorporated into the Action Register. Brief description of action > Proposed Action Officer. |
| RESPONSE | |
| What was the cause of the cyber security incident? | |
| How was the cyber security incident resolved? | What needed to happen for the cyber security incident to be resolved? |
| What obstacles were faced when responding to the cyber security incident? | |
| Were any business processes and procedures used in responding to the cyber security incident? | For example, does the organisation have a CSIRP, and was this followed? |
| Were those business processes and procedures effective? | Did they work? Why/why not? |
| What delays and obstacles were experienced when responding? | |
| Were there any escalation points? | Were there any escalation points that the cyber security incident went through? |
| If there were escalation points, did they hamper the response or were they at the appropriate level? | For example, having to escalate to a Chief Operating Officer to take action on an ongoing cyber security incident had severe timeline impacts for the response. |
| How well did the information sharing and communications work within your organisation? | What worked well/what did not work well? How could it be improved? Was there any information that was needed sooner? How did the organisation communicate within the IR team, across jurisdictions, across time zones, legal teams and external comms teams? |
| Were there any media enquiries received during the cyber security incident? | If yes, how did the organisation respond? |
| Was media produced during the cyber security incident? | If yes, what was the media that was produced? |
| Were stakeholders and/or customers notified during the cyber security incident? | Why/why not? When? How? Was it effective? How could it be improved? |
| Were trained personnel available to respond? | Are there any personnel knowledge and/or skills gaps? What are they? Were there enough resources available to respond? |
| Any other findings and/or suggestions for improvement? | See the PPOSTTE model for guidance. |
| PROPOSED ACTIONS | Detail any resulting actions that can be incorporated into the Action Register. Brief description of action > Proposed Action Officer. |
| RECOVERY | |
| How long did it take for all systems, services and networks to recover? | |
| How could this time be improved? | For example, how could the recovery time be reduced? |
| Are there any obligations to report externally about the cyber security incident? | If yes, to who? |
| Were there any media enquiries after the cyber security incident? | If yes, how did the organisation respond? |
| Were stakeholders and/or customers notified following the cyber security incident? | Why/why not? When? How? Was it effective? How could it be improved? |
| Any other findings and/or suggestions for improvement? | See the PPOSTTE model for guidance. |
| PROPOSED ACTIONS | Detail any resulting actions that can be incorporated into the Action Register. Brief description of action > Proposed Action Officer. |
Appendix I – Action Register Template
| ID | Action | Action Officer | Date Expected to Completed | Status | Updates | Comments |
|---|---|---|---|---|---|---|
| 01 | Describe the action in detail. | Name of the person who will be leading the action. | Date the action is expected to be completed. | Complete In progress Not yet started | Insert date, and any updates to progressing the action. Detail any blockers here. | Any relevant information relating to closing out the action. |
Appendix J – Role cards
Example of a role card:
Appendix K – ASD Cyber Security Incident Categorisation Matrix
ASD categorises cyber security incidents by severity using a matrix that considers the:
- cyber effect (i.e. the impact, success, sustained and/or intent)
- significance (i.e. sensitivity of the organisation).
The severity of the cyber security incident informs the type and nature of cyber security incident response and crisis management arrangements that are activated. Depending on the severity of the cyber security incident, ASD has a suite of capabilities that it may deploy to support the affected parties. However, ASD determines which capabilities are appropriate and available given competing priorities. Organisations must not rely on ASD for their ability to respond to cyber security incidents in an appropriate and timely manner.