Cyber Security Incidents - Are You Ready?

Download ACSC Protect: Cyber Security Incidents - Are You Ready? (400K PDF), March 2014
First published March 2014


  1. The effective management of a cyber security incident can greatly decrease the severity and cost of the incident. Providing all relevant information to the Australian Signals Directorate (ASD) upon request will enable ASD – when required – to act faster in response to a cyber security incident.
  2. This Protect is not a substitute for – but rather draws upon – existing policies on record retention as outlined in the Australian Government Information Security Manual (ISM) and required under the Archives Act 1983. The following advice aims to enable a quicker and more effective response to cyber security incidents. For an explanation of acronyms and terms used in this Protect, please consult the Supporting Information section of the ISM.

Can your agency answer these questions?

Event logging

  1. Have we configured workstations to log events to a central server? Could we provide, at a minimum, the last three months’ worth of these logs to ASD upon request and in a timely manner?
    Why is this important?
    Providing logging data will assist ASD to establish the cause, extent and duration of the compromise.
Example event logs

  Workstation logs
    Application whitelisting logs
    Event logs
    Anti-virus logs
    Firewall logs
    Authentication logs

  Network logs
    Proxy logs
    DHCP logs
    DNS logs
    VPN logs
    Firewall logs
    Network device logs

  Server logs
    Mail server logs
    Authentication server logs
    Web server access logs
    Remote access server logs
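The following is an added illustration, not part of the ACSC publication, of why centrally collected logs matter and of the three-month check above. It takes a handful of constructed proxy records (the workstation names, domains and timestamps are invented for the example) and shows how they answer the cause, extent and duration questions: which workstations contacted an indicator domain, when it was first and last seen, and how much data was posted to it. A second function checks each log source's earliest retained record against the 90-day minimum, so an agency can confirm in advance that it could actually meet a request for three months of logs.

```python
"""Added example: correlate centrally collected proxy logs against an indicator and
check retention per log source. Sample data below is constructed, not real."""
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy records: time, workstation, method, URL, HTTP status, bytes.
PROXY_LOG = """\
2014-01-10T09:12:03 ws-0412 GET http://updates.example-bad.test/a.php 200 1820
2014-01-10T09:12:05 ws-0412 GET http://intranet.agency.test/ 200 5120
2014-01-14T22:41:10 ws-0977 GET http://updates.example-bad.test/a.php 200 1820
2014-02-02T03:05:44 ws-0412 POST http://updates.example-bad.test/up.php 200 40960
2014-02-20T11:00:01 ws-0103 GET http://intranet.agency.test/news 200 3000
"""


def parse_proxy(text):
    """Parse the constructed proxy format into dicts with a parsed timestamp and domain."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, host, method, url, status, nbytes = line.split()
        records.append({
            "time": datetime.strptime(t, "%Y-%m-%dT%H:%M:%S"),
            "host": host,
            "method": method,
            "domain": urlsplit(url).hostname,
            "status": int(status),
            "bytes": int(nbytes),
        })
    return records


def indicator_summary(records, domain):
    """Extent and duration of contact with `domain`: affected hosts, first/last seen,
    elapsed days, and bytes sent via POST (a rough measure of data leaving the network)."""
    hits = [r for r in records if r["domain"] == domain]
    if not hits:
        return None  # no retained record of the indicator; may also mean logs were not kept
    first = min(r["time"] for r in hits)
    last = max(r["time"] for r in hits)
    return {
        "hosts": sorted({r["host"] for r in hits}),
        "first_seen": first,
        "last_seen": last,
        "duration_days": (last - first).days,
        "bytes_out": sum(r["bytes"] for r in hits if r["method"] == "POST"),
    }


def retention_shortfalls(earliest_by_source, now, min_days=90):
    """Names of log sources whose earliest retained record is younger than `min_days`."""
    return sorted(src for src, earliest in earliest_by_source.items()
                  if (now - earliest).days < min_days)


if __name__ == "__main__":
    summary = indicator_summary(parse_proxy(PROXY_LOG), "updates.example-bad.test")
    print(summary)
    # Constructed earliest-record dates per source, as a collector might report them.
    earliest = {"proxy": datetime(2013, 12, 1), "dhcp": datetime(2014, 2, 1),
                "dns": datetime(2013, 10, 15)}
    print("sources short of 90 days:", retention_shortfalls(earliest, datetime(2014, 3, 1)))
```

On the constructed data the indicator was contacted by two workstations over 22 days, with the only POST carrying 40960 bytes out; the DHCP source holds only 28 days and would fail the retention check. The same correlation is only possible if the workstation name in the proxy log can be tied back to a machine, which is what the DHCP and authentication logs in the table above provide.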

Roles and responsibilities

  1. Have we documented policies and procedures for cyber security incident response?
    Why is this important?
    Defining your agency’s policies and procedures – and making staff aware of them – will give your agency the best chance of a rapid and coordinated response.
  2. Do our staff understand their incident response roles and responsibilities? Does our service provider understand its roles and responsibilities in the event of an incident? Do we have details of our outsourced ICT infrastructure and gateway provider readily available (including our public-facing IP address range)?
    Why is this important?
    Clearly defining roles and responsibilities will mean agency staff and providers understand their specific tasks in the event of an incident.

Contact details for your agency

  1. Does our agency have a current OnSecure account with correct contact details for our Information Technology Security Adviser?
    Why is this important?
    Providing up-to-date details will allow ASD to quickly contact the right person in your organisation. Furthermore, OnSecure is where ASD posts and publishes Alerts on significant threats as well as Protect publications and advice that your agency will need to keep up to date with in order to respond to some cyber security incidents.

Initial incident treatment

  1. How quickly can we identify, physically locate and isolate an infected machine on our network? Do we know what our baseline network traffic looks like? Do we have the ability to recognise and assess anomalies in network traffic? Would we pull all plugs on the identified machine, or ensure capture of volatile information for investigation?
    Why is this important?
    A good understanding and sound documentation of your network and all workstations will assist when particular workstations need to be identified quickly. Being able to describe your normal network traffic, and any anomalies from it, when asked will assist ASD to tailor incident response to your needs. Your agency may choose to contain the identified machine. In this case, it is important to configure the machine for hibernation and then hibernate rather than fully shutting down the machine. Hibernation writes the contents of memory to disk, so it preserves valuable volatile artefacts (running processes, network connections, keys in memory) that will be used in investigation of the incident; a full shutdown discards them.
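The following is an added example, not part of the ACSC publication, of two of the checks above in working form. It first resolves an IP address seen in traffic to the machine that actually held it at that time, using constructed DHCP server records (the addresses, MACs and hostnames are invented); the lookup is time-aware because leases churn and the same address can belong to a different workstation a day later, so isolating the current holder of an address is not the same as isolating the machine that caused the anomaly. It then builds a per-host hourly baseline of outbound bytes from constructed flow records and flags hours that exceed the baseline mean by more than three standard deviations, reporting separately any host that has too little history to baseline at all.

```python
"""Added example: time-correct DHCP lease lookup and a simple per-host traffic
baseline with anomaly flagging. All records below are constructed sample data."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed DHCP server records: time, event, IP, MAC, hostname.
DHCP_LOG = """\
2014-02-01T07:55:10 DHCPACK 10.1.4.27 00:1a:2b:3c:4d:5e ws-0412
2014-02-01T08:02:33 DHCPACK 10.1.4.30 00:1a:2b:3c:4d:77 ws-0103
2014-02-03T08:10:01 DHCPACK 10.1.4.27 aa:bb:cc:dd:ee:ff ws-0977
"""

# Constructed flow records: time, source IP, destination IP, destination port, bytes out.
FLOW_LOG = """\
2014-01-27T10:00:12 10.1.4.27 10.1.0.5 443 1200
2014-01-28T10:00:40 10.1.4.27 10.1.0.5 443 1500
2014-01-29T10:01:03 10.1.4.27 10.1.0.5 443 900
2014-01-30T10:00:19 10.1.4.27 10.1.0.5 443 1100
2014-01-31T10:00:55 10.1.4.27 10.1.0.5 443 1300
2014-01-29T11:00:00 10.1.4.30 10.1.0.5 443 2000
2014-01-30T11:00:00 10.1.4.30 10.1.0.5 443 2100
2014-01-31T11:00:00 10.1.4.30 10.1.0.5 443 1900
2014-02-02T03:05:44 10.1.4.27 203.0.113.9 443 30000
2014-02-02T03:41:02 10.1.4.27 203.0.113.9 443 10960
2014-02-02T11:00:00 10.1.4.30 10.1.0.5 443 2050
2014-02-02T14:00:00 10.1.4.31 10.1.0.5 443 5000
"""


def parse_lines(text):
    return [line.split() for line in text.splitlines() if line.strip()]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def lease_at(dhcp_text, ip, when):
    """(MAC, hostname) that held `ip` at `when`: the latest DHCPACK at or before that time."""
    best = None
    for t, event, lease_ip, mac, host in parse_lines(dhcp_text):
        if event != "DHCPACK" or lease_ip != ip:
            continue
        t = ts(t)
        if t <= when and (best is None or t > best[0]):
            best = (t, mac, host)
    return None if best is None else (best[1], best[2])


def hourly_bytes(flow_text):
    """Total outbound bytes per (source IP, hour)."""
    totals = defaultdict(int)
    for t, src, _dst, _dport, nbytes in parse_lines(flow_text):
        totals[(src, ts(t).replace(minute=0, second=0))] += int(nbytes)
    return totals


def find_anomalies(flow_text, baseline_end, k=3.0, min_samples=3):
    """Hours at or after `baseline_end` whose bytes exceed mean + k*stdev of that host's
    earlier hours. Returns (anomalies, unbaselined); hosts with fewer than
    `min_samples` baseline hours cannot be judged and are listed separately."""
    totals = hourly_bytes(flow_text)
    baseline = defaultdict(list)
    for (src, hour), b in totals.items():
        if hour < baseline_end:
            baseline[src].append(b)
    anomalies, unbaselined = [], []
    for (src, hour), b in sorted(totals.items()):
        if hour < baseline_end:
            continue
        samples = baseline.get(src, [])
        label = hour.isoformat(timespec="minutes")
        if len(samples) < min_samples:
            unbaselined.append((src, label, b))
            continue
        threshold = mean(samples) + k * pstdev(samples)
        if b > threshold:
            anomalies.append((src, label, b, threshold))
    return anomalies, unbaselined


if __name__ == "__main__":
    flagged, unknown = find_anomalies(FLOW_LOG, datetime(2014, 2, 1))
    for src, hour, b, threshold in flagged:
        print(f"{hour} {src} sent {b} bytes (threshold {threshold:.0f}); "
              f"held at the time by {lease_at(DHCP_LOG, src, ts(hour + ':00'))}")
    print("no baseline:", unknown)
```

On the constructed data the 03:00 hour on 2 February stands out for 10.1.4.27 (40960 bytes against a threshold of 1800), and the lease lookup attributes it to ws-0412, even though by 3 February the same address has been reissued to ws-0977. A three-sigma rule over a few days of hourly totals is deliberately simple; what it demonstrates is that a baseline must exist before the incident for an anomaly to be recognisable at all, which is the point of the question above.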

Assisting with investigations

  1. Once identified, can our agency effectively and safely isolate malware and provide it to the Cyber Security Operations Centre (CSOC)?
    Why is this important?
    Malware provided to CSOC is used to prevent the reoccurrence of similar cyber security incidents across government.

Further information

  1. The Cyber Security Incidents and the Information Security Documentation chapters of the Information Security Manual contain information on planning for, detecting, reporting and managing cyber security incidents. The Access Control chapter of the ISM outlines the requirements for event logging and auditing.
  2. ASD’s Protect publication Preparing for and Responding to Cyber Security Incidents provides guidance for senior managers on cyber security incident response.
  3. Go to OnSecure to apply for an account.

Contact details

  1. Organisations or individuals with questions regarding this advice can contact the ACSC by emailing or calling 1300 CYBER1 (1300 292 371).