REPORTING GUIDELINES
(updated: January 18th 2005)
As mentioned in the previous section, a report of an incident should contain all information
that might be useful for the overall process of incident handling. Since it may be hard to
determine what kind of information matters in a given case, this section gives a general overview
of the required (or, rather, potentially significant) information. It should also be emphasized
that all information provided to PIONIER-CERT (formerly POL34-CERT) is for internal use only in the
context of a specific incident. For further discussion of privacy and information disclosure
policies, see the description of PIONIER-CERT (PDF).
The information that should be provided with an incident report can be divided into several categories. All of them are discussed below:
- Contact Information - this section refers to the person reporting the incident, and also to any person delegated to contact PIONIER-CERT (if different). The following information is required:
  - Name of organization
  - Name of person reporting the incident
  - Position in organization
  - Contact email address
  - Contact phone number
  - Contact fax number
- Attack Target Information - this section refers to all systems involved in the detected attacks, with a separate description for every case. It should also include any information that might be significant, for example the network structure or resources shared between systems. The following information is required:
  - Hostname
  - IP address
  - Main function of the attacked host
  - Operating system
    - vendor, version, applied patches
  - Application
- Incident Type Information - the following information is required/recommended:
  - All information on the conditions under which the event was judged to be a security incident
  - General attack description (with time references)
  - Attempted classification of the incident
  - Determined consequences
  - Current state (whether the offender still seems to be active in the system)
  - Available artifacts or logs (as attachments)
- Attack Source Information - the following information is recommended (if available):
  - Attack points (networks or hosts)
  - IP addresses of involved hosts
  - Available traces
  - Non-technical methods used (social engineering)
- Various Additional Information - the following information is recommended:
  - Any other team or police authority to which the incident has been reported (to facilitate co-operation and information exchange)
  - Final comments
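As an added example (not part of the PIONIER-CERT guidelines and not the team's own tooling), the following Python script turns the categories above into a pre-submission checklist: fields the guidelines call required produce errors, recommended ones produce warnings, and the e-mail address, hostnames and IP addresses are syntax-checked before the report is rendered as the plain-text sections a CERT mailbox expects. All field names, the validation rules and the sample report values are this example's own assumptions; the sample uses documentation address ranges and placeholder contact data.

```python
import ipaddress
import re

# Field names are this example's own choice (assumed), mapped onto the
# guideline categories: required fields raise errors, recommended ones warnings.
REQUIRED_FIELDS = {
    "contact": ["organization", "reporter", "position", "email", "phone", "fax"],
    "target": ["hostname", "ip", "function", "application"],
    "incident": ["conditions", "description", "classification",
                 "consequences", "attacker_still_active", "artifacts"],
}
OS_FIELDS = ("vendor", "version", "patches")
RECOMMENDED_FIELDS = {
    "source": ["attack_points", "ips", "traces", "non_technical_methods"],
    "additional": ["other_teams_notified", "comments"],
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def valid_ip(value):
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def valid_hostname(value):
    """RFC 1123-style check: dot-separated labels, 1-63 chars each, <= 253 total."""
    labels = value.rstrip(".").split(".")
    return 0 < len(value) <= 253 and all(LABEL_RE.match(label) for label in labels)


def _missing(section, fields, prefix):
    """List the fields of one section that are absent or empty."""
    return [f"{prefix}.{f} is missing" for f in fields if section.get(f) in (None, "", [])]


def validate_report(report):
    """Return (errors, warnings): errors block submission, warnings flag
    recommended detail the CERT will most likely ask for afterwards."""
    errors, warnings = [], []
    contact = report.get("contact", {})
    errors += _missing(contact, REQUIRED_FIELDS["contact"], "contact")
    if contact.get("email") and not EMAIL_RE.match(contact["email"]):
        errors.append("contact.email is not a valid address")

    targets = report.get("targets", [])
    if not targets:
        errors.append("at least one attacked system must be described")
    for i, target in enumerate(targets):  # one entry per attacked system
        errors += _missing(target, REQUIRED_FIELDS["target"], f"targets[{i}]")
        if target.get("ip") and not valid_ip(target["ip"]):
            errors.append(f"targets[{i}].ip is not a valid IP address")
        if target.get("hostname") and not valid_hostname(target["hostname"]):
            errors.append(f"targets[{i}].hostname is not a valid hostname")
        errors += _missing(target.get("os") or {}, OS_FIELDS, f"targets[{i}].os")

    errors += _missing(report.get("incident", {}), REQUIRED_FIELDS["incident"], "incident")
    for category, fields in RECOMMENDED_FIELDS.items():
        warnings += _missing(report.get(category, {}), fields, category)
    for ip in (report.get("source") or {}).get("ips", []):
        if not valid_ip(ip):
            warnings.append(f"source.ips entry {ip!r} is not a valid IP address")
    return errors, warnings


def render_report(report):
    """Flatten the report into plain-text sections, one block per attacked host."""
    lines = []
    for category in ("contact", "incident", "source", "additional"):
        lines.append(f"== {category.upper()} ==")
        lines += [f"{key}: {val}" for key, val in (report.get(category) or {}).items()]
    for i, target in enumerate(report.get("targets", [])):
        lines.append(f"== TARGET {i + 1} ==")
        lines += [f"{key}: {val}" for key, val in target.items()]
    return "\n".join(lines)


# Constructed sample report: placeholder contact data and documentation IP ranges.
SAMPLE_REPORT = {
    "contact": {"organization": "Example University", "reporter": "A. Nowak",
                "position": "Network administrator", "email": "abuse@example.edu",
                "phone": "+48 000 000 000", "fax": "+48 000 000 001"},
    "targets": [{"hostname": "www.example.edu", "ip": "192.0.2.10",
                 "function": "Public web server", "application": "Apache httpd",
                 "os": {"vendor": "Debian", "version": "3.1", "patches": "all as of 2005-01-10"}}],
    "incident": {"conditions": "Unexpected listening process found during routine audit",
                 "description": "2005-01-17 02:10 UTC first suspicious login; 02:25 new process",
                 "classification": "Suspected host compromise", "consequences": "Web content defaced",
                 "attacker_still_active": False, "artifacts": ["auth.log excerpt", "ps output"]},
    "source": {"attack_points": ["198.51.100.0/24"], "ips": ["198.51.100.7"],
               "traces": "repeated failed ssh logins in auth.log", "non_technical_methods": "none observed"},
    "additional": {"other_teams_notified": "none", "comments": ""},
}

if __name__ == "__main__":
    errs, warns = validate_report(SAMPLE_REPORT)
    print("errors:", errs, "\nwarnings:", warns, "\n")
    print(render_report(SAMPLE_REPORT))
```

Run as-is, the sample passes with a single warning (the empty final comment); changing the target IP or the contact e-mail to a malformed value turns that into a blocking error, which is the point at which a reporter should fix the report rather than send it and wait for the CERT to ask.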