A Computer Security Incident is an adverse network event in an information system or network or the threat of the occurrence of such an event.
The NCC-CSIRT is the Computer Security Incident Response Team for the Nigerian telecommunications industry, an initiative of the Nigerian Communications Commission (NCC) in line with its mandate from the Nigerian Communications Act 2003.
The NCC-CSIRT serves as a trusted contact point to provide the coordination and necessary support between parties involved in the handling of incidents within the Nigerian telecommunications sector. These parties and stakeholders include the affected organizations, Mobile Network Operators (MNOs), Internet Service Providers (ISPs), Law Enforcement Agencies (LEAs), Ministries, Departments & Agencies of Government (MDAs) and/or other sector CSIRTs.
The NCC-CSIRT shall operate on the basis of call-to-respond; meaning all constituent incident response activities shall be triggered by an Incident Report from the constituency or from the CSIRT member community.
Incident Reporting
- The preferred methods of Incident Reporting to the CSIRT are, in order of preference:
- Email message (for incident reporting only).
- Web report form.
- Telephone line: +234-9-624-4000 (for incident reporting only).
- Incident Reports by the constituency shall include a description of the incident or event, using the appropriate categorisation taxonomy (see the Incident Category section), and as much of the following information as possible:
- Constituent/Organisation name
- CPOC (Constituent Point of Contact) information including name, telephone number and email address
- Incident category (see the Incident Category section)
- Incident date and time
- Incident details, i.e. a description of what happened
- Location and name (IP address) of the system(s) involved in the incident
- Method used to identify the incident (e.g. HIDS, NIDS, audit log)
- Actions taken (date, time, and result)
- Perceived impact
- Resolution
- Criticality of the system (e.g. critical infrastructure, classified systems)
- Cases will be assigned to Incident Handlers who may correspond with the CPOC and/or Reporter to gather more evidence to qualify the case and/or launch further investigations.
- The CPOC chooses the initial categorisation of the incident that fits best. However, during the identification phase and the triaging process, the categorisation may be changed and/or other categories added, which may lead to the creation of child tickets or splitting of the case ticket.
Incident Handling
- Initial Assessment: The concept of incident assessment and prioritisation (triaging) shall be applied to incoming Incident Requests (IR).
- Triage: Each time an IR comes in, it shall be individually assessed to discover its relevance to the CSIRT’s constituency, how important it is (sensitivity assessment) and how urgent it is to act (criticality/impact assessment).
- Prioritisation: Due to limited resources of the CSIRT, all IRs will be prioritised and treated according to the threat assessment and impact level. This prioritisation shall be based on the following factors (not in any order):
- Initial Threat Assessment: The initial assessment and classification by the Constituency's Point of Contact (CPOC).
- Severity: The severity in terms of direct or potential impact.
- Criticality: The urgency of the report.
- Impact: The threat in terms of the loss of reputation, customers or money.
- Sensitivity: The classification of the IR on a "need to know" basis.
- Scope: The potential scope and spread of the threat.
- NOTES:
- In terms of scope, note that an IR coming into the CSIRT may need to be merged with or linked to other IRs through the Incident Triage Process. This decision shall be made by the Incident Manager or the Triage Officer depending on the relationship and characteristics of the incident report(s).
- Each Incident Report will be assigned a unique case ID for tracking purposes and will be assigned to an Incident Handler, who may correspond with the CPOC and/or Reporter to gather more evidence to qualify the case and/or launch further investigations.
Information Exchange
- The CSIRT utilizes the Traffic Light Protocol (TLP) from FIRST (Forum for Incident Response and Security Teams) which provides a simple and intuitive schema for indicating when and how sensitive information can be shared.
- It employs four colours to indicate the sharing limitations to be applied by the recipient(s). The table below provides high-level guidance on the use of the classification system for sending sensitive information to and from the CSIRT:

| Confidentiality Level | TLP Level | Description |
|---|---|---|
| Confidential | TLP:RED | Not for disclosure, restricted to participants only. |
| Restricted | TLP:AMBER | Limited disclosure, restricted to participants’ organizations. |
| Internal Use | TLP:GREEN | Limited disclosure, restricted to the community. |
| Public | TLP:WHITE | Disclosure is not limited. |
- All sensitive and private electronic information should be encrypted using the CSIRT’s public key.
- All sensitive and private physical information assets should be sealed effectively, transmitted over a secure channel, and acknowledged by the CSIRT on receipt.
- NOTES
- It is the responsibility of the Asset/Information owner(s) to assign proper classifications to their information assets so that each asset carries the appropriate classification level.
- The information category shall be embedded in the information itself.
- All information from the CSIRT community shall be classified TLP:AMBER by default, whether or not it is marked.
Incident Category
- Consistent incident classification will provide the team with proper case handling procedure and prioritisation of response activities.
- All incident reports should be classified into one of the following categories:
| Incident Category | Description |
|---|---|
| Denial of Service | Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack. |
| Forensics | Any forensic work to be done by the CSIRT. |
| Compromised Information | Attempted or successful destruction, corruption, or disclosure of sensitive corporate information or Intellectual Property. |
| Compromised Asset | Compromised host (root account, Trojan, rootkit), network device, application, or user account. This includes malware-infected hosts where an attacker is actively controlling the host. |
| Unlawful Activity | Theft / Fraud / Human Safety / Child Pornography. Computer-related incidents of a criminal nature, likely involving law enforcement, Global Investigations, or Loss Prevention. |
| Internal Hacking | Reconnaissance or suspicious activity originating from inside the Company corporate network, excluding malware. |
| External Hacking | Reconnaissance or suspicious activity originating from outside the Company corporate network (partner network, Internet), excluding malware. |
| Malware | A virus or worm typically affecting multiple corporate devices. This does not include compromised hosts that are being actively controlled by an attacker via a backdoor or Trojan (see Compromised Asset). |
| Email | Spoofed email, SPAM, and other email security-related events. |
| Consulting | Security consulting unrelated to any confirmed incident. |
| Policy Violations | Sharing offensive material; sharing/possession of copyright material; deliberate violation of Infosec policy; inappropriate use of a corporate asset such as a computer, network, or application; unauthorized escalation of privileges or deliberate attempt to subvert access controls. |
| Test | For test purposes (tests, exercises, drills, etc.). |
Incident Criticality
- The criticality factor defines the nature and scope of the systems under threat. It helps define the response prioritisation and level of resources required by the team.
- The Incident Reporter will assign an initial criticality level if known. If unknown, use a responsible sense of judgement to indicate one of three levels: LOW, MEDIUM, or HIGH. The criticality levels are defined as follows:
- HIGH: Incident affecting critical information communication with potential to impact health, safety, revenue, service or brand.
- MEDIUM: Incident affecting non-critical systems or information, not revenue or brand impacting. Incidents that are important but are not time sensitive should typically be classified at this level.
- LOW: Possible incident on non-critical systems. Incidents or investigations that are not time sensitive. Long-term investigations involving extensive research and/or detailed forensic work.
Note: Typically, the Incident handling team will determine the appropriate criticality level based on risk assessment, impact, and time sensitivity of the incident report.
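As an added example (not the CSIRT's own tooling), a small Python intake check that enforces the reporting fields, incident categories, criticality levels and default TLP:AMBER rule described in the sections above; the field names, audience labels and the sample report are assumptions made for this illustration.

```python
"""Intake checks for an NCC-CSIRT-style incident report (added example, not the
CSIRT's own tooling). Categories, TLP levels and criticality values mirror the
page; field names, audience labels and the sample report are assumed."""

# Incident categories from the Incident Category table on this page.
CATEGORIES = {
    "Denial of Service", "Forensics", "Compromised Information", "Compromised Asset",
    "Unlawful Activity", "Internal Hacking", "External Hacking", "Malware",
    "Email", "Consulting", "Policy Violations", "Test",
}
CRITICALITY = ("LOW", "MEDIUM", "HIGH")
# TLP levels from most to least restrictive; audience ranks give the widest
# group each level permits (0 = participants ... 3 = public).
TLP_ORDER = ("TLP:RED", "TLP:AMBER", "TLP:GREEN", "TLP:WHITE")
AUDIENCE_RANK = {"participants": 0, "participant_orgs": 1, "community": 2, "public": 3}
# Assumed minimum fields an Incident Handler needs before triage can start
# (the page asks for as much of its full list as possible).
REQUIRED = ("organisation", "cpoc_contact", "category", "incident_time", "description")

def normalise_tlp(marking):
    """Apply the page's rule: community information is TLP:AMBER unless marked."""
    if marking is None or not marking.strip():
        return "TLP:AMBER"
    marking = marking.strip().upper()
    if marking not in TLP_ORDER:
        raise ValueError(f"unknown TLP marking: {marking}")
    return marking

def may_share(tlp, audience):
    """True if information marked `tlp` may be passed to `audience`."""
    return AUDIENCE_RANK[audience] <= TLP_ORDER.index(tlp)

def validate_report(report):
    """Return the list of problems found; an empty list means triage can start."""
    problems = [f"missing required field: {k}" for k in REQUIRED if not report.get(k)]
    category = report.get("category")
    if category and category not in CATEGORIES:
        problems.append(f"unknown incident category: {category}")
    crit = report.get("criticality")
    if crit and crit.upper() not in CRITICALITY:
        problems.append(f"criticality must be LOW, MEDIUM or HIGH, not {crit}")
    return problems

# Constructed sample report: unmarked, so its TLP defaults to AMBER.
SAMPLE_REPORT = {"organisation": "Example MNO", "cpoc_contact": "soc@example.invalid",
                 "category": "Compromised Asset", "incident_time": "2024-01-01T09:00+01:00",
                 "description": "Rootkit found on a billing host.", "criticality": "HIGH",
                 "tlp": None}
```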