Recipe 9.42 Filing an Incident Report

9.42.1 Problem

You want to report a security incident to appropriate authorities, such as a computer security incident response team (CSIRT).

9.42.2 Solution

In advance of any security incident, develop and document a security policy that includes reporting guidelines. Store CSIRT contact information offline, in advance.

When an incident occurs:

  1. Decide if the incident merits an incident report. Consider the impact of the incident.

  2. Gather detailed information about the incident. Organize it, so you can communicate effectively.

  3. Contact system administrators at other sites that were involved in the incident, either as attackers or victims.

  4. Submit incident reports to appropriate CSIRTs. Be sure to respond to any requests for additional information.

9.42.3 Discussion

If your system has been hacked [Recipe 9.41], or you have detected suspicious activity that might indicate an impending break-in, report the incident. A wide range of computer security incident response teams (CSIRTs) are available to help.

CSIRTs act as clearinghouses for security information. They collect and distribute news about ongoing security threats, analyze statistics gathered from incident reports, and coordinate defensive efforts. Collaboration with CSIRTs is an important part of being a responsible network citizen: any contribution, however small, to improving the security of the Internet will help you, too.

Develop a security policy, including procedures and contact information for applicable CSIRTs, before a break-in occurs. Most CSIRTs accept incident reports in a variety of formats, including Web forms, encrypted email, phone, fax, etc. Since your network access might be disrupted by break-ins or denial of service attacks, store some or all of this information offline.

The Computer Emergency Response Team (CERT) serves the entire Internet, and is one of the most important CSIRTs: this is a good starting point. The Forum of Incident Response and Security Teams (FIRST) is a consortium of CSIRTs (including CERT) that serve more specialized constituencies. See their list of members to determine if any apply to your organization.

Government agencies are increasingly acting as CSIRTs, with an emphasis on law enforcement and prevention. Contact them to report activities that fall within their jurisdiction. An example in the United States is the National Infrastructure Protection Center (NIPC).

What activities qualify as bona fide security incidents? Clearly, malicious activities that destroy data or disrupt operations are included, but not every Snort alert [Recipe 9.20] merits an incident report. Consider the impact and potential effect of the activities, but if you are in doubt, report what you have noticed. Even reports of well-known security threats are useful to CSIRTs, as they attempt to correlate activities to detect widespread patterns and determine longer-term trends.

Before filing a report, gather the relevant information, including:

  • A detailed description of activities that you noticed

  • Monitoring techniques: how you noticed

  • Hosts and networks involved: yours, apparent attackers, and other victims

  • Supporting data such as log files and network traces

Start by contacting system administrators at other sites. If you are (or were) under attack, note the source, but be aware that IP addresses might have been spoofed. If your system has been compromised and used to attack other sites, notify them as well. ISPs might be interested in activities that involve large amounts of network traffic.
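The following script, added here as an illustration and not part of the original recipe, organizes the items listed above into a draft report: it parses constructed Snort-style alert lines (hypothetical rule IDs, documentation-range addresses), groups them by apparent source so each involved host appears with what it touched and when, and records a SHA-256 digest of the raw evidence so the copy you later send to a CSIRT can be shown to be unaltered.

```python
import hashlib
import re
from collections import defaultdict

# Constructed Snort-style fast alerts (sample data, not from a real incident).
# Rule IDs are hypothetical; addresses are from the documentation ranges.
SAMPLE_ALERTS = (
    "01/12-03:14:07.1 [**] [1:1000001:1] Example scan probe [**] {TCP} 203.0.113.7:4411 -> 192.0.2.10:22\n"
    "01/12-03:14:08.2 [**] [1:1000001:1] Example scan probe [**] {TCP} 203.0.113.7:4412 -> 192.0.2.10:23\n"
    "01/12-03:15:10.0 [**] [1:1000002:1] Example login brute force [**] {TCP} 198.51.100.5:51000 -> 192.0.2.10:22\n"
    "garbage line that should be skipped\n"
)

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def summarize_alerts(text):
    """Group alerts by apparent source: which local host/port it touched, which signature
    fired, first/last timestamp and count. Unparseable lines are counted, not dropped silently."""
    by_source = defaultdict(lambda: {"targets": set(), "signatures": set(), "first": None, "last": None, "count": 0})
    skipped = 0
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            skipped += 1
            continue
        entry = by_source[m["src"]]
        entry["targets"].add(f"{m['dst']}:{m['dport']}/{m['proto']}")
        entry["signatures"].add(m["msg"])
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
        entry["count"] += 1
    return dict(by_source), skipped

def evidence_digest(text):
    """SHA-256 of the raw evidence, so the copy sent to a CSIRT can be checked against the original."""
    return hashlib.sha256(text.encode()).hexdigest()

def build_report(description, monitoring, alerts_text):
    """Assemble the four items the recipe asks for into one plain-text draft report."""
    sources, skipped = summarize_alerts(alerts_text)
    lines = ["INCIDENT REPORT (draft)", f"Description: {description}", f"Detected via: {monitoring}",
             "Hosts involved (source addresses may be spoofed):"]
    for src, e in sorted(sources.items()):
        lines.append(f"  {src}: {e['count']} alerts, {e['first']}..{e['last']}, "
                     f"targets {', '.join(sorted(e['targets']))}; {', '.join(sorted(e['signatures']))}")
    lines.append(f"Supporting data: snort alerts, {len(alerts_text.splitlines())} lines "
                 f"({skipped} unparsed), sha256 {evidence_digest(alerts_text)}")
    return "\n".join(lines)
```

Call `build_report("probes and login attempts against 192.0.2.10", "Snort IDS", SAMPLE_ALERTS)` to produce the draft; keep the raw alert file alongside it, since the digest only helps if the original is preserved.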

The whois command can obtain technical and administrative contact information based on domain names:

$ whois

Save all of your correspondence; you might need it later. CSIRTs will want copies, and the communication might have legal implications if you are reporting potentially criminal activity.

Next, contact the appropriate CSIRTs according to your security policy. Follow each CSIRT's reporting guidelines, and note the incident tracking numbers assigned to your case, for future reference.

Provide good contact information, and try your best to respond in a timely manner to requests for more details. Don't be disappointed or surprised if you don't receive a reply, though. CSIRTs receive many reports, and if yours is a well-known threat, they might use it primarily for statistical analysis, with no need for a thorough, individual investigation.

In many cases, however, you will at least receive the latest available information about recognized activities. If you have discovered a new threat, you may even receive important technical assistance. CSIRTs often possess information that has not been publicly released.

9.42.4 See Also

The Computer Emergency Response Team (CERT) home page is For incident reporting guidelines, see

The CERT Coordination Center (CERT/CC) incident reporting form is available at the secure web site

The Forum of Incident Response and Security Teams (FIRST) home page is Their member list, with applicable constituencies, is available at

The National Infrastructure Protection Center (NIPC) home page is

    Chapter 9. Testing and Monitoring