Incident reporting
In the case of a security incident, send a message to cert@cert.si with an exact description of the occurrence and attach all relevant log files, samples of malicious code, content injected into the website, and so on.
If you are sending sensitive data and are concerned that your messages might be intercepted, you can encrypt them with the PGP (Pretty Good Privacy) or GPG (GNU Privacy Guard) program using the public PGP key provided by SI-CERT. If you are not familiar with encrypting and digitally signing data with this program, you can send the data in a password-protected ZIP archive and communicate the password to us by telephone. Use the same approach to send us samples of malicious code or captured malicious traffic from the affected systems, since a mail server along the way may block the message because of its antivirus filtering.
The purpose of the report is to obtain professional help with identifying the issue, troubleshooting it, and limiting and resolving its consequences. Since SI-CERT is not a law enforcement authority, a report to the police is also necessary when a criminal act is suspected. In the case of a personal data breach, a report to the Information Commissioner should be filed as well. SI-CERT cooperates with both authorities in a joint investigation when one is needed.
When to report an incident to SI-CERT
| Example of an incident | Expected activities of SI-CERT |
| --- | --- |
| Computer infection (ransomware, banking trojans, targeted attacks, spambots) | Help with removing the infection and its consequences, sample analysis and correlation with known threats, advice on mitigation. |
| Observed intrusion attempt (defacement, database exploitation, installation of rootkits) | Search for the exploited vulnerability, help with identifying the intrusion source and its consequences, examination of evidence on compromised systems, advice on damage eradication and further protection. |
| E-mail phishing (fraudulent e-mails prompting users to enter their credentials) | Identifying fraudulent websites and initiating their takedown, detecting broader and targeted campaigns, issuing notices and warnings to the media and the public, cooperating with the banking sector and service providers. |
| Denial of service (denial-of-service attack, network traffic flood, attack on a web service with the intent of denial or disruption) | Assessment of the means used for the attack, defining possible protective measures, attempting to disable the botnet, and notifying service providers about the abused infrastructure and its protection. |
| Vulnerable or exposed services (web management interfaces, industrial control systems, web cameras, vulnerable network infrastructure that could be abused for denial of service) | Notifying system administrators about secure settings and access restrictions, investigating abuse of the service. |
| Password and identity theft (through a phishing attack or computer infection) | Advice on password and account recovery, additional protection, and potential identification of the attacker. |