Some common questions that NCCIC receives from partners are “What is an incident?” and “When should we report to NCCIC?” A good but fairly general definition of an incident is the act of violating an explicit or implied security policy. This definition relies on the existence of a security policy that, while generally understood, varies among organizations. For the federal government, an incident, defined by NIST Special Publication 800-61, is a violation or the imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.
Examples of incidents are:
- Phishing or spear-phishing emails that are sent or received, or other attempts to lure users to open malicious attachments or click on links hosting malware;
- Attempts to gain unauthorized access to a system or its data;
- Insider or privilege misuse;
- Intentional or unintentional malware or other malicious code in the corporate or control environment; and
- Unauthorized changes to system hardware, firmware, or software characteristics.
Federal incident notification guidelines, including definitions and reporting timeframes, can be found at https://www.us-cert.gov/incident-notification-guidelines.
Organizations can report to NCCIC by emailing NCCICCUSTOMERSERVICE@hq.dhs.gov or by calling 888-282-0870.
When to report to NCCIC?
We encourage organizations to report any activity that they think meets the criteria for an incident, whether suspicious or confirmed. We are also interested in hearing about any activity associated with our alerts and advisories, regardless of whether a compromise actually occurred. NCCIC’s policy is to keep confidential any reported information specific to your organization or activity. Organizations can also leverage the Protected Critical Infrastructure Information (PCII) program to further protect and safeguard their information. Generally speaking, NCCIC is best positioned to assist organizations with threats that are targeted in nature. These types of threats typically involve
- APT related threats;
- Well-crafted spear-phishing emails;
- Unusual or destructive malware; and
- Anything anomalous occurring or found in the control environment.
In addition, any denial of service or scanning of control systems assets should also be reported for tracking and correlation. If an organization detects malicious activity but is unsure whether it should be concerned, NCCIC recommends reporting the incident. In those cases, organizations can leverage NCCIC as a barometer to quickly evaluate, through a few questions and some quick analysis, whether the activity is targeted or severe in nature or is general, non-targeted activity.
Why should I report to NCCIC?
Reporting to NCCIC is completely voluntary; however, your information is extremely useful for understanding the threat landscape, including the techniques adversaries are using, types of malware, possible intent, and sectors targeted. Reporting to NCCIC allows for the correlation of incident activity and has led to the discovery of campaigns aimed at certain sectors or groups. Moreover, the reports are anonymized, and the analytically relevant data (such as attacker IP addresses, command and control domains, malware, timestamps, and email address and header information) are shared with the rest of the critical infrastructure community to alert them of malicious activity. Prompt and detailed reporting can lead to early detection and prevent incidents from occurring against the nation’s critical infrastructure.
If assistance is needed in responding to the incident, NCCIC can provide analytic support (malware, hard-drive, log file analysis), detailed remediation recommendations, and onsite support in responding to a cyber incident. Your information will always be protected up to and including the use of PCII when appropriate.
Organizations can download our PGP Public Key.