This document outlines suggested steps for reporting incidents to the CERT Coordination Center (CERT/CC). System administrators can use this information to report incidents effectively to the CERT/CC, other computer security incident response teams (CSIRT's), or other sites.
What type of activity should I report?
The CERT/CC's incident definition
The CERT/CC's incident priorities
Why should I report an incident?
You may receive technical assistance.
We may be able to associate activity with other incidents.
Your report will allow us to provide better incident statistics.
Contacting others raises security awareness.
Your report helps us to provide you with better documents.
Your organization's policies may require you to report the activity.
Reporting incidents is part of being a responsible site on the Internet.
Who should I report an incident to?
Your site security coordinator
Your representative CSIRT
The CERT Coordination Center
Other sites involved in the incident
What should I include in my incident report?
When reporting an incident to the CERT/CC
When reporting to other sites and CSIRT's
Incident reference numbers
Information about how to contact you
A summary of hosts involved
A description of the activity
Log extracts showing the activity
Your timezone and the accuracy of your clock
Clarify what you would like from the recipient
How should I report an incident to the CERT/CC?
Encrypting Reports to the CERT/CC
Pretty Good Privacy (PGP)
Data Encryption Standard (DES)
When should I report an incident?
Document revision history
What type of activity you should report, and the level of detail included in your report, depends on to whom you are reporting. Your local policies and procedures may have detailed information about what types of activity should be reported, and the appropriate person to whom you should report.
The CERT Coordination Center is interested in receiving reports of security incidents involving the Internet. A good but fairly general definition of an incident is: The act of violating an explicit or implied security policy.
Unfortunately, this definition relies on the existence of a security policy that, while generally understood, varies between organizations. We have attempted to characterize below the types of activity we believe are widely recognized as being in violation of a typical security policy. These activities include but are not limited to: attempts (either failed or successful) to gain unauthorized access to a system or its data unwanted disruption or denial of service the unauthorized use of a system for the processing or storage of data changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent.
We encourage you to report any activities that you feel meet these criteria for being an incident. Note that our policy is to keep any information specific to your site confidential unless we receive your permission to release that information.
Due to limited resources and the growing number of incident reports, we may not be able to respond to every incident reported to us. We must prioritize our responses to have the greatest impact on the Internet community. The following type of reports receive the highest priority and are considered emergencies:
possible life-threatening activity
attacks on the Internet infrastructure, such as:
root name servers
domain name servers
major archive sites
network access points (NAPs)
widespread automated attacks against Internet sites
new types of attacks or new vulnerabilities
There are several reasons to report an incident to the CERT Coordination Center. We may be able to provide technical assistance in responding to the incident, or put you in touch with other sites involved in the same activity. Your reports allow us to collect and distribute better information about intruder activity through our statistics and documents. Reporting incidents to the CERT/CC and others helps to promote greater security awareness and improve the security of the Internet. Your organizational policies or local laws may require you to report the activity to us or some other CSIRT. Finally, notifying other sites of possible security intrusions is an important part of being a good Internet citizen.
A primary part of our mission is to provide a reliable, trusted, 24-hour, single point of contact for security emergencies involving the Internet. We facilitate communication among experts working to solve security problems and serve as a central point for identifying and correcting vulnerabilities in computer systems.
When you report an incident to us, we can provide pointers to technical documents, offer suggestions on recovering the security of your systems, and share information about recent intruder activity. In our role as a coordination center, we may have access to information that is not yet widely available to assist in responding to your incident.
Unfortunately, our limited resources and the increasing number of incidents reported to us may prevent us from responding to each report individually. We must prioritize our responses to have the greatest impact on the Internet community.
The CERT/CC receives reports of security incidents from all over the world. In many cases, these incidents have similar characteristics or involve the same intruders. By reporting your incident, you allow us to collect information about recent activity in the intruder community as it relates to your incident. We may also be able to put you in touch with other sites who are pursuing legal actions against the intruder.
The CERT/CC collects statistics on the incidents reported to us. Your reports help identify vulnerabilities that are being actively exploited in the intruder community, provide information about the frequency of these attacks, and identify areas where greater community awareness is needed.
These statistics are made publicly available via our web page, the CERT/CC annual report, and at presentations made at conferences.
When you report an incident to the CERT/CC, we suggest that you contact the other sites involved in the activity, and that you include us in those messages. This benefits the other sites by alerting them to possible intruder activity on their systems. In many cases, unsuccessful probes you report may identify more serious security issues at the originating site.
Additionally, contacting other sites may help you respond to your security concerns by providing more information, a different perspective, or even by identifying the intruder.
The comments and suggestions that you provide while involved in the handling of an incident allows us to improve our tech tips, advisories, and other computer security publications. Your questions help us to understand what subjects require greater attention in future documents. And taken as a whole, your reports allow us to understand the current state of the computer security practice.
Your organization's policies may require that you report this activity to the CERT/CC or another CSIRT. On the other hand, your policy may require that you not report or discuss this activity with anyone other than your site security coordinator. Before reporting activity to the CERT/CC or anyone else, check your local policies and procedures on how to proceed.
Local and/or federal laws may further dictate your behavior regarding the handling of computer security incidents. If you work for a public agency, you may be required to report the activity to a specific CSIRT. If your systems involve sensitive data, you may not be able to discuss the incident without permission. Before reporting activity to the CERT/CC or anyone else, check with your management and legal counsel.
There is a strong historical precedent for communicating with other sites about security incidents. The Request for Comments document "Guidelines for the Secure Operation of the Internet" (RFC1281) reads:
The Internet is a cooperative venture. The culture and practice in the Internet is to render assistance in security matters to other sites and networks. Each site is expected to notify other sites if it detects a penetration in progress at the other sites, and all sites are expected to help one another respond to security violations. This assistance may include tracing connections, tracking violators and assisting law enforcement efforts.
To determine who you should report a security incident to, first consult your local security policies and procedures. If the procedures do not explicitly identify who you should report an activity to, you should discuss the incident with your management and legal counsel before proceeding.
Many security procedures identify a site security coordinator who serves as a central resource for handling violations of your security policies. This person may coordinate and handle all communications with other CSIRT's, law enforcement and other sites.
Many companies, universities, and countries have a computer security incident response team (CSIRT) dedicated to handling incidents involving their constituency. The Forum of Incident Response and Security Teams (FIRST) is a coalition of such CSIRT's. FIRST aims to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing among members and the community at large.
More information about FIRST can be found on their web page at: http://www.first.org/
To determine if your site is represented by a member of FIRST, you may want to review the list of FIRST teams which includes email addresses, telephone numbers, and brief descriptions of each team's constituency.
The CERT Coordination Center welcomes reports from any site experiencing a computer security problem involving the Internet. We encourage you to include the CERT/CC on any messages you send to other sites or CSIRT's (within the limits of your site's security policies and procedures). This information will enable us to better meet our incident coordination objectives.
Information about how to contact the CERT/CC is available in section V of this document.
Since intruders frequently use compromised hosts or accounts to attack other systems, we encourage you to report any intruder activity directly to the registered point of contact(s) of the originating host. They may be unaware of the activity involving their systems, and your note will provide the incentive to check for signs of intrusion.
We would appreciate being included on the "Cc:" line of any messages you may send to other sites regarding intruder activity.
Information about finding contact information for sites involved in incidents is available at: http://www.cert.org/tech_tips/finding_site_contacts.html
The CERT Coordination Center is not an investigative or law enforcement agency. We do not investigate (or maintain or disclose information about) individual intruders, and we do not conduct criminal investigations. Our activities focus on providing technical assistance and facilitating communications in response to computer security incidents involving hosts on the Internet.
If you are interested in contacting law enforcement to conduct a legal investigation, we encourage you to review your local policies and procedures for guidance on how to proceed. We also encourage you to discuss the intruder's activity with your management and legal counsel before contacting law enforcement. Your legal counsel can provide you with legal options and courses of action based on your or your organization's needs. We do not have legal expertise and cannot offer legal advice or opinions.
U.S. sites interested in an investigation of crimes involving the Internet can contact their local Federal Bureau of Investigation (FBI) field office. To find contact information for your local FBI field office, please consult your local telephone directory or see the FBI's contact web page, available at: http://www.fbi.gov/contact.htm
Sites in other countries may want to discuss the activity with their local law enforcement agency to determine the appropriate steps that should be taken with regard to pursuing an investigation.
When reporting intruder activity, it is important to ensure that you provide enough information for the other site or CSIRT to be able to understand and respond to your report.
The CERT Coordination Center has developed an Incident Reporting Form (IRF) designed to assist you in reporting an incident. This form is available at: ftp://ftp.cert.org/pub/incident_reporting_form.
This form prompts for all of the information discussed below in an organized manner. Completing the form may help you have a more complete understanding of the intruder's activity, even if you do not send it to the CERT/CC.
Many of the questions are optional, but having the answers to all the questions enables us to provide the best assistance. Completing the form can also help avoid delays introduced when we request the additional information needed to assist you.
The CERT/CC IRF is not intended for reporting activity to other sites or CSIRT's. Some of the information requested on the form may be sensitive in nature and is requested for the CERT/CC's internal use only. Note that our policy is to keep any information specific to your site confidential unless we receive your permission to release that information.
Some CSIRT's have adapted the CERT/CC IRF for use within their constituency. Before reporting activity to another CSIRT, we encourage you to see if they provide a similar incident reporting form.
The CERT/CC and many other CSIRT's assign incident reference numbers (e.g., CERT#XXXX) to reported activity. These numbers help us to track correspondence and identify related activity. Please be sure to include all incident reference numbers that have been assigned to the incident, either by the CERT/ CC or other CSIRT's.
Each CSIRT has their own procedures regarding the assignment of incident tracking numbers. The CERT/CC attempts to assign a single number to all activity involving one intruder. Each number is unique and randomly selected. We encourage you to reference this number when corresponding with other sites or CSIRT's that are involved in the incident.
When reporting activity that may be the work of multiple intruders, we request that you report each incident separately. (A common example would be two probes originating from different sites, with no other indications that the probes are related.)
Most CSIRT's, including the CERT/CC, request that the incident reference number be clearly displayed in the "Subject:" line of any mail messages regarding the incident.
When contacting other sites, remember that they may not be able to contact you as easily as you might think. Perhaps they disconnected from the Internet immediately after you alerted them to the intruder's activity, and are now unable to respond to your e-mail message. Also, some companies limit long distance or international dialing from company telephones.
To ensure that others are able to respond, provide as much contact information as you are willing to disclose. In most cases, this should include at least an e-mail address and a telephone number. You may also wish to include a pager number, a fax number, or even a cellular telephone number. A traditional mail address may help the other site understand where you are located geographically.
It is also a good idea to specify an alternate contact at your site in case you are unavailable. Similar contact information should be provided for the alternate contact.
The CERT Coordination Center's policy is to not release any information about a site's involvement in an incident, without the site's explicit permission to do so. While this policy ensures that you can report intruder activity to us in confidence, it also hinders our ability to put you in contact with other sites involved in the incident.
If we are authorized to offer information about your involvement in an incident to the other sites involved, other CSIRT's, or law enforcement, please state this clearly in the incident report.
Most CSIRT's have nondisclosure policies, and many sites will respect your nondisclosure requests as well. In general, a short statement describing your concerns (or lack thereof) should be included in any incident report to help the recipient understand and respect your wishes. Keep in mind however, that there is no way to ensure that other sites involved in the activity will comply with your request.
In many incidents, the most obvious indication of related activity is the hosts involved. For example, several of the hosts used to attack your site may have been used to attack another compromised host last week. For this reason, it is a good idea to include a brief summary of the hostnames and IP addresses known to be involved and their relationship to the incident.
However, you may want to exercise caution in identifying compromised hosts at your site, particularly before recovering the security of these systems. Your policies and procedures for handling computer security incidents may specify how much information you are able to release about the hosts involved at your site.
One of the most important parts of any incident report is a description of the intruder's activity. Mention any vulnerabilities which were exploited, modifications that were made to the system, or software that was installed.
When reporting to a CSIRT, this information will allow the incident handler to provide assistance specific to the activity at your site. When reporting to another site, it helps the recipient understand what kind of intruder activity to look for on their systems.
When describing intruder activity, it is important to remember that other administrators may have more or less experience with computer security. You may want to include references to advisories or other documents which describe the activity in more detail.
Whenever possible, you should include log entries showing the activity with your report, particularly when the logs provide significantly more detail than your description. Log entries may also be more easily understood by sites that do not speak your language fluently.
Log entries that are not related to the intruder activity should be removed to help avoid confusion. What you immediately recognize as normal entries may appear to be intruder activity to someone else.
If the intruder's activity generated a large number of very similar entries, it is usually sufficient to extract a sample portion of the log, and indicate this in the message. A quick estimate of the number of log entries is useful as well.
A description of the log format may also be helpful to system administrators who are not familiar with the logs provided. This is very important for log entries that do not include descriptive text, or are generated by tools that are not widely distributed.
When sending log entries to other sites, take care to ensure that you do not violate any nondisclosure policies you may have. Sensitive information can be removed by replacing it with X's. You may want to make a note of this in your report to ensure that the other site is aware of the changes.
If you do not have logs showing the intruder's activity (perhaps because they were deleted by the intruder), then state this clearly in your report to help minimize requests for this information.
Even if you do not include log entries showing the activity, we encourage you to describe the date and time when the events occurred. This allows the other site to review their logs when looking for related activity at their site.
Since the recipient may be in a different time zone, you should clearly identify the time zone for your comments and logs. A time-zone reference relative to GMT (or UTC) such as GMT-5 is preferred, since less formal time-zone designations can be misinterpreted. For example, EST (Eastern Standard Time) may have different meanings for people inside and outside the United States.
If the times recorded in the log entries are known to be inaccurate by more than a minute or two, you may want to include a statement warning the recipient of this inaccuracy. On the other hand, if the system was synchronized with a national time server via NTP (Network Time Protocol), then you may want to mention this as well.
Dates, times and time zones are just a few examples of several topics that can be very confusing when used casually in international communications. Danny Smith of the Australian incident response team (AUSCERT) has prepared a document for FIRST, with several suggestions on preventing confusion when communicating with sites or CSIRT's in other countries. This document is available from: http://www.first.org/docs/international_comms.html.
If you are reporting intruder activity solely for the other site's benefit, let them know that you do not expect a response from them regarding your report. If you would like them to take a specific action, such as acknowledging your message, or providing you with additional information regarding the activity, request this politely in your message.
Keep in mind that the other site's incident handling policies and procedures may prevent them from responding as you have requested. Internet service providers frequently have policies protecting the identity of their customers, and will not release this information without a subpoena.
If a site requests information or an action from you that violates your site's security policy, politely explain that you are unable to respond as they requested.
Finally, when requesting assistance from the CERT/CC or another CSIRT, remember that resource limitations may prevent them from responding as you have requested.
You can report intruder activity to the CERT/CC via electronic mail, telephone hotline, or FAX machine. We encourage you to encrypt your reports to ensure your privacy, and to authenticate your identity.
The CERT Coordination Center's preferred mechanism for receiving incident reports is through electronic mail. Electronic mail allows us to prioritize the incidents reported to us, and to reply to those messages quickly and efficiently.
Electronic mail also provides an accurate and efficient medium for exchanging information too complex to discuss over the telephone, such as packet dumps, or large log files. Finally, e-mail provides a reliable log of communications that we may refer to in the process of responding to an incident.
Our electronic e-mail address is: <email@example.com>.
If you have disconnected from the Internet to recover from a compromise, or if you are unable to send mail due to a denial of service attack, you can contact the CERT/CC on our telephone hotline.
Our telephone hotline number is: +1 412-268-7090.
Occasionally, a compromised system's electronic mail will be monitored by the intruder. If you are unable to obtain Internet mail access from a secure system, and you do not want to alert the intruder by using e-mail on the compromised system, you may also want to contact us on the telephone.
Please keep in mind that while the CERT hotline is staffed 24 hours a day, outside of normal working hours incident handlers are available only for emergency calls. Normal working hours are from 8:00am to 8:00pm EST(GMT-5)/ EDT(GMT-4), Monday through Friday. Hours may vary on holidays or under other special circumstances.
When electronic mail is not available or provides inadequate security, and you have logs or other information that is not easily conveyed on the telephone, you may want to send that information to us via FAX.
The CERT/CC FAX machine is checked regularly during normal working hours. Faxes received during the evenings, weekends, and holidays will be reviewed on the next business day.
Our FAX number is: +1 412-268-6989.
Electronic mail provides little or no privacy for the information you send across the Internet. If you wish to ensure that mail sent to the CERT/CC is not read by unauthorized people while in transit, we encourage you to use a strong encryption algorithm.
The CERT Coordination Center currently supports two encryption mechanisms. The first is a public key based on the Pretty Good Privacy (PGP) product. We also support shared private keys through the Data Encryption Standard (DES).
PGP is the CERT/CC's preferred encryption mechanism. It provides authentication and privacy. No special arrangements have to be made with us in advance in order to communicate securely via PGP.
You can obtain our public key from our web server at: http://www.cert.org/contact_cert/encryptmail.html
This key will allow you to ensure the privacy of messages sent to us, and verify the authenticity of messages you receive from us.
If you encrypt messages you send to the CERT/CC, we will respond with encrypted messages whenever possible. Since it can be difficult for us to confirm the validity of your public PGP key, please be sure to include your public key in the body of any encrypted messages you send to us.
The CERT/CC signs all outgoing mail with our PGP key. If you receive any communication from us without a PGP signature, or with an invalid PGP signature, please consider the message suspect, and let us know. We encourage all sites communicating with us to encrypt and sign their e-mail messages with PGP.
More information about PGP is available from: http://www.pgp.com/
A shared private DES key must be established over a secure communication channel before messages can be exchanged. Please call our telephone hotline during normal business hours to establish a shared private DES key.
Incident reports that are sent shortly after the incident occurred are the most likely to be valuable to the recipient and to us. This does not imply that an incident report becomes useless after some period of time. We encourage you to report all activity you discover, even if the intruder's activity is quite old by the time you report it.
Other then being extra careful to ensure that the date of the activity is clearly identified, we encourage you to report the incident as you would any other incident, since other sites may not yet be aware of the incident.
This document is available from: http://www.cert.org/tech_tips/incident_reporting.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
CERT personnel answer the hotline 08:00 20:00 EST(GMT-5)/EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by e-mail. Our public PGP key is available from http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site http://www.cert.org/
To be added to our mailing list for advisories and bulletins, send email to <firstname.lastname@example.org> and include SUBSCRIBE your-email-address in the subject of your message.
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
Copyright 1998, 1999, 2000 Carnegie Mellon University.
CERT Coordination Center