Cyberthreat Response & Reporting Guidelines


  • 8/11/2019 Cyberthreat Response & Reporting Guidelines


    CIO CYBERTHREAT RESPONSE & REPORTING GUIDELINES COMPONENTS

    Background and Scope of Project

    CIO Cyberthreat Response & Reporting Guidelines

    Who to Contact: Law Enforcement

    Who to Contact: Reporting Bodies & Resources for Cyberthreat Response

    FBI and USSS Field Office contact list

    Report Form: short, standard, first-alert form

    Contributors


    CIO CYBERTHREAT RESPONSE & REPORTING GUIDELINES

    CIO CYBERTHREAT RESPONSE & REPORTING PROJECT

    A collaboration among industry professionals, law enforcement and CIO Magazine to develop guidelines for reporting computer security incidents to law enforcement

    At the CIO Perspectives conference in Palm Springs in October 2001, audience members (chief information officers and other executives) were encouraged by the U.S. Attorney for Los Angeles to report cybersecurity breaches to law enforcement as part of the war against terrorism. But, as one CIO asked: "We get hit thousands of times a month; do you want us to report all of these incidents? And exactly who do we contact?" Other audience members expressed similar bewilderment, and that's what prompted this initiative.

    Goal. This project has a modest goal: to provide a basic understanding of what is required for cyberthreat incident response and to make it as easy as possible to report such incidents to law enforcement (including whom to call and what to tell them). For this effort, we restricted our recommendations to reporting incidents that are an attack on information systems or data (computer and/or Internet security). We did not attempt to address other types of cybercrime such as Internet fraud or pornography.

    A Complex Issue. Creating and maintaining a secure information environment is difficult, expensive and complicated. Risk assessment; control selection and deployment; monitoring/detection; incident response and continuous improvement must all be considered together. Prevention is, of course, the primary objective.

    Incident response is itself a complex subject, including the sometimes difficult decision of whether to share any information at all. There are many excellent resources available to help CIOs and CISOs (chief information security officers) understand and address these challenges; you'll find some of them listed at the end of this document under "Resources."

    Why You Should Report Cybercrime. Only by sharing information with law enforcement and appropriate industry groups will we be able to identify and prosecute cybercriminals, identify new cybersecurity threats and prevent successful attacks on our critical infrastructures and economy. Law enforcement's ability to identify coordinated threats is directly tied to the amount of reporting that takes place.

    We understand that you might be reluctant to share information regarding the impact to your business and the sensitivity of the data involved. While we will not make the case here for trusting various agencies or organizations, we encourage you to learn more about how law enforcement and other reporting bodies approach these issues in terms of the likely impact of their investigation on your business and how they handle sensitive information.


    CIO CYBERTHREAT RESPONSE & REPORTING GUIDELINES

    An organization must respond in some way to a computer security breach, whether it is an intrusion/hack, the implantation of malicious code such as a virus or worm, or a denial of service attack. The better prepared the organization is to respond quickly and effectively, the better chance it will have to minimize the damage. These guidelines are intended to provide a framework and starting point for developing a cyberthreat response and reporting capability.

    PLANNING

    • Develop an incident response plan and designate people to carry it out. The plan should include details for how you will:
      • detect the incident
      • analyze the incident
      • contain or eradicate the problem
      • provide workarounds or fixes
      • prevent re-infection
      • log events
      • preserve evidence
      • conduct a post-mortem and apply lessons learned
    • Educate users to raise security awareness and promote security policies.
    • Build a centralized incident reporting system.
    • Establish escalation procedures that lay out actions the company should take if an attack turns out to be protracted or especially damaging.
    • Make sure your service-level agreements include provisions for security compliance, and spell out reporting requirements and maintenance of systems (including contingency plans) in the event of a cyberattack.
    • Decide in advance under what circumstances you'd call the authorities.
    • Plan how and when employees, customers and strategic partners will be informed of the problem.
    • Establish communication procedures should this become a media event.

    PEOPLE

    • Have a single contact to whom employees should report suspicious events and who will track changes in contacts or procedures.
    • Have a single contact who will report incidents to outside agencies, including law enforcement, regulatory bodies and information sharing organizations such as InfraGard and the industry Information Sharing and Analysis Centers (ISACs).
    • Keep a list of the incident response team members' names, titles and 24/7 contact information, along with their role in a security breach.
    • Have contact information for vendors contracted to help during a security emergency, as well as ISPs and other relevant technology providers.
    • Have contact information for major customers and clients who might be affected.
    • In advance, establish contacts at the relevant law-enforcement agencies: typically, the national infrastructure protection and computer intrusion squad at the local FBI field office; the electronic crimes investigator at the local Secret Service field office; and the electronic crimes investigator at your local police. Have their contact information easily accessible.

    PROCESS

    • Perform a risk analysis on your plan.
    • Test/rehearse procedures periodically.
    • Develop contingency plans in case your response infrastructure is attacked.

    WHAT TO REPORT

    You should report cybersecurity events that have a real impact on your organization (when damage is done, access is achieved by the intruder, loss occurs, malicious code is implanted) or when you detect something noteworthy or unusual (new traffic pattern, new type of malicious code, specific IP as source of persistent attacks).

    At this time, we do not recommend that you report routine probes, port scans or other common events. Neither law enforcement nor the ISACs are prepared to receive or analyze the enormous volume of data this would entail. While such detailed hit data has potential value in identifying and defining trends, and facilities like the Internet Storm Center (at the SANS Institute) or the NIPC may eventually get set up to collect detailed event logs, right now it is generally not useful.

    Consequently, the form we recommend is designed to report significant, unusual or noteworthy incidents.

    WHEN AND HOW TO REPORT AN INCIDENT

    If an attack is under way, you'll want to pick up the phone and call your previously established law-enforcement contact immediately and communicate the basic information that is included in the CIO Cyberthreat Response Form. There is additional information that will be required to effectively conduct the investigation (see bullet points below), but the form is a good place to start.

    Sometimes you will report an incident to law enforcement after the fact: you have detected that something happened, but your systems are functioning normally and whatever damage is likely has already been done. In this case, you will want to gather as much information as possible for the law enforcement agents before you make the call.

    Here is some additional information that will help law enforcement agents in their investigation:

    • What are the primary systems involved?
    • How was the attack carried out?
    • What steps have you taken to mitigate or remediate?
    • Does a suspect exist? If so, is it a current or former employee/contractor?
    • What evidence is available to assist in the investigation (e.g., log files, physical evidence, etc.)?

    To track the status of your case once you've filed a report, contact the field office that is conducting the investigation.


    Department of Justice Computer Crime & Intellectual Property Section
    Legal analysis and resources related to computer crime, a how-to-report section and a comprehensive list of cybercrime cases pending and resolved.
    www.cybercrime.gov

    CERT Coordination Center at Carnegie Mellon
    Federally funded research center provides training, incident handling, R&D, advisories. Lots of good information resources available to the public.
    www.cert.org

    SANS Institute
    Cooperative research organization offers alerts, training and certification; operates Incidents.org and the Internet Storm Center. Like CERT, has lots of good information resources on its website.
    www.sans.org
    www.incidents.org

    ADDITIONAL RESOURCES

    CIO Magazine Security and Privacy Research Center
    A collection of articles, guidelines and links for information security issues from an executive perspective.
    www.cio.com/research/security

    Specific Documents

    Practices for Protecting Information Resources Assets
    Texas Dept. of Information Resources
    www.dir.state.tx.us/IRAPC/practices/index.html

    Handbook for Computer Security Incident Response Teams
    Carnegie Mellon University
    www.sei.cmu.edu/pub/documents/98.reports/pdf/98hb001.pdf

    Minimizing Your Potential Vulnerability and Enhancing Effective Response
    NIPC
    www.nipc.gov/incident/incident3.htm

    Sample Incident Handling Procedure
    www.csirt.ws/docs/incident.handling.pro.doc

    Best Practices for Seizing Electronic Evidence
    A Joint Project of the International Association of Chiefs of Police and the U.S. Secret Service
    www.treas.gov/usss/electronic_evidence.htm


    FBI & USSS FIELD OFFICES: ALABAMA-ILLINOIS
    TELEPHONE/FAX; ADDRESS

    ALABAMA
    Birmingham
      FBI 205.326.6166/205.715.0232; 2121 8th Avenue N., Birmingham, AL 35203-2396
      USSS 205.731.1144/205.731.0007; Daniel Building, 15 South 20th Street, Suite 1125, Birmingham, AL 35233
    Mobile
      FBI 334.438.3674/251.415.3235; One St. Louis Centre, 1 St. Louis Street, 3rd Floor, Mobile, AL 36602-3930
      USSS 334.441.5851/334.441.5250; Parkview Office Building, 182 St. Francis Street, Mobile, AL 36602
    Montgomery
      USSS 334.223.7601/334.223.7523; Colonial Financial Center, 1 Commerce Street, Suite 605, Montgomery, AL 36104

    ALASKA
    Anchorage
      FBI 907.276.4441/907.265.9599; 101 East Sixth Avenue, Anchorage, AK 99501-2524
      USSS 907.271.5148/907.271.3727; Federal Building & U.S. Courthouse, 222 West 7th Avenue, Room 559, Anchorage, AK 99513

    ARIZONA
    Phoenix
      FBI 602.279.5511/602.650.3024; 201 East Indianola Avenue, Suite 400, Phoenix, AZ 85012-2080
      USSS 602.640.5580/602.640.5505; 3200 North Central Avenue, Suite 1450, Phoenix, AZ 85012
    Tucson
      USSS 520.670.4730/520.670.4826; 300 West Congress Street, Room 4-V, Tucson, AZ 85701

    ARKANSAS
    Little Rock
      FBI 501.221.9100/501.228.8509; 24 Shackleford West Boulevard, Little Rock, AR 72211-3755
      USSS 501.324.6241/501.324.6097; 111 Center Street, Suite 1700, Little Rock, AR 72201-4419

    CALIFORNIA
    Fresno
      USSS 209.487.5204/559.487.5013; 5200 North Palm Avenue, Suite 207, Fresno, CA 93704
    Los Angeles
      FBI 310.477.6565/310.996.3359; Federal Office Building, 11000 Wilshire Boulevard, Suite 1700, Los Angeles, CA 90024-3672
      USSS 213.894.4830/213.894.2948; Roybal Federal Building, 255 East Temple Street, 17th Floor, Los Angeles, CA 90012
    Riverside
      USSS 909.276.6781/909.276.6637; 4371 Latham Street, Suite 203, Riverside, CA 92501
    Sacramento
      FBI 916.481.9110/916.977.2300; 4500 Orange Grove Avenue, Sacramento, CA 95841-4205
      USSS 916.930.2130/916.930.2140; 501 I Street, Suite 9500, Sacramento, CA 95814-2322
    San Diego
      FBI 858.565.1255/858.499.7991; Federal Office Building, 9797 Aero Drive, San Diego, CA 92123-1800
      USSS 619.557.5640/619.557.6658; 550 West C Street, Suite 660, San Diego, CA 92101
    San Francisco
      FBI 415.553.7400/415.553.7674; 450 Golden Gate Avenue, 13th Floor, San Francisco, CA 94102-9523
      USSS 415.744.9026/415.744.9051; 345 Spear Street, San Francisco, CA 94105
    San Jose
      USSS 408.535.5288/408.535.5292; U.S. Courthouse & Federal Building, 280 S. First Street, Suite 2050, San Jose, CA 95113
    Santa Ana
      USSS 714.246.8257/714.246.8261; 200 W. Santa Ana Boulevard, Suite 500, Santa Ana, CA 92701-4164
    Ventura
      USSS 805.339.9180/805.339.0015; 5500 Telegraph Road, Suite 161, Ventura, CA 93003

    COLORADO
    Colorado Springs
      USSS 719.632.3325/719.632.3341; 212 N. Wahsatch, Room 204, Colorado Springs, CO 80903
    Denver
      FBI 303.629.7171/303.628.3085; 1961 Stout Street, 18th Floor, Denver, CO 80294-1823
      USSS 303.866.1010/303.866.1934; 1660 Lincoln Street, Denver, CO 80264

    CONNECTICUT
    New Haven
      FBI 203.777.6311/203.503.5098; 600 State Street, New Haven, CT 06511-6505
      USSS 203.865.2449/203.865.2525; 265 Church Street, Suite 1201, New Haven, CT 06510

    DELAWARE
    Wilmington
      USSS 302.573.6188/302.573.6190; One Rodney Square, 920 King Street, Suite 414, Wilmington, DE 19801

    DISTRICT OF COLUMBIA
    Washington, D.C.
      FBI (HDQRS.) 202.278.2000/202.278.2478; 601 4th Street NW, Washington, D.C. 20535-0002
      USSS 202.406.8000/202.406.8803; 1100 L Street NW, Suite 6000, Washington, D.C. 20005
      USSS (HDQRS.) 202.406.5850/202.406.5031; 950 H Street NW, Washington, D.C. 20223

    FLORIDA
    Jacksonville
      FBI 904.721.1211/904.727.6242; 7820 Arlington Expressway, Jacksonville, FL 32211-7499
      USSS 904.296.0133/904.296.0188; 7820 Arlington Expressway, Suite 500, Jacksonville, FL 32211
    Miami
      FBI 305.944.9101/305.787.6538; 16320 NW Second Avenue, North Miami Beach, FL 33169-6508
      USSS 305.629.1800/305.629.1830; 8375 NW 53rd Street, Miami, FL 33166
    Orlando
      USSS 407.648.6333/407.648.6606; 135 West Central Boulevard, Suite 670, Orlando, FL 32801
    Tallahassee
      USSS 850.942.9523/850.942.9526; Building F, 325 John Knox Road, Tallahassee, FL 32303
    Tampa
      FBI 813.273.4566/813.272.8019; Federal Office Building, 500 Zack Street, Room 610, Tampa, FL 33602-3917
      USSS 813.228.2636/813.228.2618; 501 East Polk Street, Room 1101, Tampa, FL 33602
    West Palm Beach
      USSS 561.659.0184/561.655.8484; 505 South Flagler Drive, West Palm Beach, FL 33401

    GEORGIA
    Albany
      USSS 229.430.8442/229.430.8441; Albany Tower, 235 Roosevelt Avenue, Suite 221, Albany, GA 31702
    Atlanta
      FBI 404.679.9000/404.679.6289; 2635 Century Parkway Northeast, Suite 400, Atlanta, GA 30345-3112
      USSS 404.331.6111/404.331.5058; 401 West Peachtree Street, Suite 2906, Atlanta, GA 31702
    Savannah
      USSS 912.652.4401/912.652.4062; 33 Bull Street, Savannah, GA 31401

    HAWAII
    Honolulu
      FBI 808.566.4300/808.566.4470; Kalanianaole Federal Office Building, 300 Ala Moana Boulevard, Room 4-230, Honolulu, HI 96850-0053
      USSS 808.541.1912/808.545.4490; Kalanianaole Federal Office Building, 300 Ala Moana Boulevard, Room 6-210, Honolulu, HI 96850

    IDAHO
    Boise
      USSS 208.334.1403/208.334.1289; Federal Building U.S. Courthouse, 550 West Fort Street, Room 730, Boise, ID 83724-0001

    ILLINOIS
    Chicago
      FBI 312.421.4310/312.786.2525; E.M. Dirksen Federal Office Building, 219 South Dearborn Street, Room 905, Chicago, IL 60604-1702
      USSS 312.353.5431/312.353.1225; Gateway IV Building, 300 S. Riverside Plaza, Suite 1200 North, Chicago, IL 60606
    Springfield
      FBI 217.522.9675/217.535.4440; 400 West Monroe Street, Suite 400, Springfield, IL 62704-1800
      USSS 217.492.4033/217.492.4680; 400 West Monroe Street, Suite 301, Springfield, IL 62704


    FBI & USSS FIELD OFFICES: INDIANA-NEW MEXICO
    TELEPHONE/FAX; ADDRESS

    INDIANA
    Evansville
      USSS 812.985.9502/812.985.9504; P.O. Box 530, Newburgh, IN 47630
    Indianapolis
      FBI 317.639.3301/317.321.6193; Federal Office Building, 575 N. Pennsylvania Street, Room 679, Indianapolis, IN 46204-1585
      USSS 317.226.6444/317.226.5494; Federal Office Building, 575 N. Pennsylvania Street, Suite 211, Indianapolis, IN 46204-1585
    South Bend
      USSS 219.273.3140/219.271.9301; P.O. Box 477, South Bend, IN 46625

    IOWA
    Des Moines
      USSS 515.284.4565/515.284.4566; 210 Walnut Street, Suite 637, Des Moines, IA 50309-2107

    KANSAS
    Wichita
      USSS 316.269.6694/316.269.6154; Epic Center, 301 N. Main Street, Suite 275, Wichita, KS 67202

    KENTUCKY
    Lexington
      USSS 859.223.2358/859.223.1819; 3141 Beaumont Centre Circle, Lexington, KY 40513
    Louisville
      FBI 502.583.3941/502.569.3869; Federal Building, 600 Martin Luther King Jr. Place, Room 500, Louisville, KY 40202-2231
      USSS 502.582.5171/502.582.6329; Federal Building, 600 Martin Luther King Jr. Place, Room 377, Louisville, KY 40202-2231

    LOUISIANA
    Baton Rouge
      USSS 225.389.0763/225.389.0325; One American Place, Suite 1502, Baton Rouge, LA 70825
    New Orleans
      FBI 504.816.3000/504.816.3306; 2901 Leon C. Simon Drive, New Orleans, LA 70126
      USSS 504.589.4041/504.589.6013; Hale Boggs Federal Building, 501 Magazine Street, New Orleans, LA 70130
    Shreveport
      USSS 318.676.3500/318.676.3502; 401 Edwards Street, Shreveport, LA 71101

    MAINE
    Portland
      USSS 207.780.3493/207.780.3301; 100 Middle Street, West Tower, 2nd Floor, Portland, ME 04101

    MARYLAND
    Baltimore
      FBI 410.265.8080/410.281.0339; 7142 Ambassador Road, Baltimore, MD 21244-2754
      USSS 410.962.2200/410.962.0840; 100 S. Charles Street, 11th Floor, Baltimore, MD 21201
    Eastern Shore
      USSS 410.268.7286/410.268.7903; U.S. Naval Academy, Police Dept., Headquarters Building 257, Room 221, Annapolis, MD 21402
    Frederick
      USSS 301.293.6434/301.694.8078; Rowley Training Center, 9200 Powder Mill Road, Route 2, Laurel, MD 20708

    MASSACHUSETTS
    Boston
      FBI 617.742.5533/617.223.6327; One Center Plaza, Suite 600, Boston, MA 02108
      USSS 617.565.5640/617.565.5659; Thomas P. O'Neill Jr. Federal Building, 10 Causeway Street, Boston, MA 02222

    MICHIGAN
    Detroit
      FBI 313.965.2323/313.237.4009; Patrick V. McNamara Building, 477 Michigan Avenue, 26th Floor, Detroit, MI 48226
      USSS 313.226.6400/313.226.3952; Patrick V. McNamara Building, 477 Michigan Avenue, Detroit, MI 48226
    Grand Rapids
      USSS 616.454.4671/616.454.5816; 330 Ionia Avenue NW, Suite 302, Grand Rapids, MI 490503-2350
    Saginaw
      USSS 989.752.8076/989.752.8048; 301 E. Genesee, Suite 200, Saginaw, MI 48607

    MINNESOTA
    Minneapolis
      FBI 612.376.3200/612.376.3249; 111 Washington Avenue South, Suite 1100, Minneapolis, MN 55401-2176
      USSS 612.348.1800/612.348.1807; U.S. Courthouse, 300 South 4th Street, Suite 750, Minneapolis, MN 55415

    MISSISSIPPI
    Jackson
      FBI 601.948.5000/601.360.7550; Federal Building, 100 West Capitol Street, Jackson, MS 39269-1601
      USSS 601.965.4436/601.965.4012; Federal Building, 100 West Capitol Street, Suite 840, Jackson, MS 39269

    MISSOURI
    Kansas City
      FBI 816.512.8200/816.512.8545; 1300 Summit, Kansas City, MO 64105-1362
      USSS 816.460.0600/816.283.0321; 1150 Grand Avenue, Suite 510, Kansas City, MO 64106
    Springfield
      USSS 417.864.8340/417.864.8676; 901 St. Louis Street, Suite 306, Springfield, MO 65806
    St. Louis
      FBI 314.231.4324/314.589.2636; 222 Market Street, St. Louis, MO 63103-2516
      USSS 314.539.2238/314.539.2567; Thomas F. Eagleton U.S. Courthouse, 111 S. 10th Street, Suite 11.346, St. Louis, MO 63102

    MONTANA
    Great Falls
      USSS 406.452.8515/406.761.2316; 11 Third Street North, Great Falls, MT 59401

    NEBRASKA
    Omaha
      FBI 402.493.8688/402.492.3799; 10755 Burt Street, Omaha, NE 68114-2000
      USSS 402.965.9670/402.445.9638; 2707 North 108 Street, Suite 301, Omaha, NE 68164

    NEVADA
    Las Vegas
      FBI 702.385.1281/702.385.1281; John Lawrence Bailey Building, 700 East Charleston Boulevard, Las Vegas, NV 89104-1545
      USSS 702.388.6571/702.388.6668; 600 Las Vegas Boulevard South, Suite 600, Las Vegas, NV 89101
    Reno
      USSS 775.784.5354/775.784.5991; 100 West Liberty Street, Suite 850, Reno, NV 89501

    NEW HAMPSHIRE
    Manchester
      USSS 603.626.5631/603.626.5653; 1750 Elm Street, Suite 802, Manchester, NH 03104

    NEW JERSEY
    Atlantic City
      USSS 609.487.1300/609.487.1491; Ventnor Professional Campus, 6601 Ventnor Avenue, Ventnor City, NJ 08406
    Newark
      FBI 973.792.3000/973.792.3035; 1 Gateway Center, 22nd Floor, Newark, NJ 07102-9889
      USSS 973.656.4500/973.984.5822; Headquarters Plaza, West Towers, Speedwell Avenue, Suite 700, Morristown, NJ 07960
    Trenton
      USSS 609.989.2008/609.989.2174; 402 East State Street, Suite 3000, Trenton, NJ 08608

    NEW MEXICO
    Albuquerque
      FBI 505.224.2000/505.224.2276; 415 Silver Avenue SW, Suite 300, Albuquerque, NM 87102
      USSS 505.248.5290/505.248.5296; 505 Marquette Street NW, Albuquerque, NM 87102


    FBI & USSS FIELD OFFICES: NEW YORK-TENNESSEE
    TELEPHONE/FAX; ADDRESS

    NEW YORK
    Albany
      FBI 518.465.7551/518.431.7463; 200 McCarty Avenue, Albany, NY 12209
      USSS 518.436.9600/518.436.9635; 39 North Pearl Street, 2nd Floor, Albany, NY 12207
    Buffalo
      FBI 716.856.780/716.843.5288; One FBI Plaza, Buffalo, NY 14202-2698
      USSS 716.551.4401/716.551.5075; 610 Main Street, Suite 300, Buffalo, NY 14202
    JFK
      USSS 718.553.0911/718.553.7626; John F. Kennedy Intl. Airport, Building 75, Room 246, Jamaica, NY 11430
    Melville
      USSS 631.249.0404/631.249.0991; 35 Pinelawn Road, Melville, NY 11747
    New York
      FBI 212.384.1000/212.384.2745 or 2746; 26 Federal Plaza, 23rd Floor, New York, NY 10278-0004
      USSS 212.637.4500/212.637.4687; 335 Adams Street, 32nd Floor, Brooklyn, NY 11201
    Rochester
      USSS 716.263.6830/716.454.2753; Federal Building, 100 State Street, Room 606, Rochester, NY 14614
    Syracuse
      USSS 315.448.0304/315.448.0302; James Hanley Federal Building, 100 S. Clinton Street, Room 1371, Syracuse, NY 13261
    White Plains
      USSS 914.682.6300/914.682.6182; 140 Grand Street, Suite 300, White Plains, NY 10601

    NORTH CAROLINA
    Charlotte
      FBI 704.377.9200/704.331.4595; Wachovia Building, 400 South Tyron Street, Suite 900, Charlotte, NC 28285-0001
      USSS 704.442.8370/704.442.8369; One Fairview Center, 6302 Fairview Road, Charlotte, NC 28210
    Greensboro
      USSS 336.547.4180/336.547.4185; 4905 Koger Boulevard, Suite 220, Greensboro, NC 27407
    Raleigh
      USSS 919.790.2834/919.790.2832; 4407 Bland Road, Suite 210, Raleigh, NC 27609
    Wilmington
      USSS 910.815.4511/910.815.4521; One Rodney Square, 920 King Street, Suite 414, Wilmington, DE 19801

    NORTH DAKOTA
    Fargo
      USSS 701.239.5070/701.239.5071; 657 2nd Avenue North, Suite 302A, Fargo, ND 58102

    OHIO
    Cincinnati
      FBI 513.421.4310/513.562.5650; John Weld Peck Federal Building, 550 Main Street, Room 9000, Cincinnati, OH 45202-8501
      USSS 513.684.3585/513.684.3436; John Weld Peck Federal Building, 550 Main Street, Cincinnati, OH 45202
    Cleveland
      FBI 216.522.1400/216.622.6717; Federal Office Building, 1240 East 9th Street, Room 3005, Cleveland, OH 44199-9912
      USSS 216.706.4365/216.706.4445; 6100 Rockside Woods Boulevard, Suite 440, Cleveland, OH 44131-2334
    Columbus
      USSS 614.469.7370/614.469.2049; 500 South Front Street, Suite 800, Columbus, OH 43215
    Dayton
      USSS 937.225.2900/937.225.2724; Federal Building, 200 West Second Street, Room 811, Dayton, OH 45402
    Toledo
      USSS 419.259.6434/419.259.6437; 4 Seagate Center, Suite 702, Toledo, OH 43604

    OKLAHOMA
    Oklahoma City
      FBI 405.290.7770/405.290.3885; 3301 West Memorial Drive, Oklahoma City, OK 73134
      USSS 405.810.3000/405.810.3098; Lakepoint Towers, 4013 NW Expressway, Suite 650, Oklahoma City, OK 73116
    Tulsa
      USSS 918.581.7272; Pratt Tower, 125 West 15th Street, Suite 400, Tulsa, OK 74119

    OREGON
    Portland
      FBI 503.224.4181/503.552.5400; Crown Plaza Building, 1500 SW 1st Avenue, Suite 400, Portland, OR 97201-5828
      USSS 503.326.2162/503.326.3258; 1001 SW 5th Avenue, Suite 1020, Portland, OR 97204

    PENNSYLVANIA
    Philadelphia
      FBI 215.418.4000/215.418.4232; William J. Green Jr. Federal Office Building, 600 Arch Street, 8th Floor, Philadelphia, PA 19106
      USSS 215.861.3300/215.861.3311; 7236 Federal Building, 600 Arch Street, Philadelphia, PA 19106
    Pittsburgh
      FBI 412.471.2000/412.432.4188; U.S. Post Office Building, 700 Grant Street, Suite 300, Pittsburgh, PA 15219-1906
      USSS 412.395.6484/412.395.6349; 1000 Liberty Avenue, Pittsburgh, PA 15222
    Scranton
      USSS 570.346.5781/570.346.3003; 235 N. Washington Avenue, Suite 247, Scranton, PA 18501

    RHODE ISLAND
    Providence
      USSS 401.331.6456/401.528.4394; The Federal Center, 380 Westminster Street, Suite 343, Providence, RI 02903

    SOUTH CAROLINA
    Charleston
      USSS 843.747.7242/843.747.7787; 5900 Core Avenue, Suite 500, North Charleston, SC 29406
    Columbia
      FBI 803.551.4200/803.551.4324; 151 Westpark Boulevard, Columbia, SC 29210-3857
      USSS 803.765.5446/803.765.5445; 1835 Assembly Street, Suite 1425, Columbia, SC 29201
    Greenville
      USSS 864.233.1490/864.235.6237; NCNB Plaza, 7 Laurens Street, Suite 508, Greenville, SC 29601

    SOUTH DAKOTA
    Sioux Falls
      USSS 605.330.4565/605.330.4523; 230 South Phillips Avenue, Suite 405, Sioux Falls, SD 57104

    TENNESSEE
    Chattanooga
      USSS 423.752.5125/423.752.5130; Post Office Building, 900 Georgia Avenue, Room 204, Chattanooga, TN 37402
    Knoxville
      FBI 865.544.0751/865.544.3590; John J. Duncan Federal Office Building, 710 Locust Street, Suite 600, Knoxville, TN 37902-2537
      USSS 865.545.4627/865.545.4633; John J. Duncan Federal Office Building, 710 Locust Street, Room 517, Knoxville, TN 37902
    Memphis
      FBI 901.747.4300/901.747.9621; Eagle Crest Building, 225 North Humphreys Boulevard, Suite 3000, Memphis, TN 38120-2107
      USSS 901.544.0333/901.544.0342; 5350 Poplar Avenue, Suite 204, Memphis, TN 38119
    Nashville
      USSS 615.736.5841/615.736.5848; 658 U.S. Courthouse, 801 Broadway Street, Nashville, TN 37203


    FBI & USSS FIELD OFFICES: TEXAS-WYOMING
    TELEPHONE/FAX; ADDRESS

    TEXAS
    Austin
      USSS 512.916.5103/512.916.5365; Federal Office Building, 300 E. 8th Street, Austin, TX 78701
    Dallas
      FBI 214.720.2200/214.922.7459; 1801 North Lamar, Suite 300, Dallas, TX 75202-1795
      USSS 972.868.3200/972.868.3232; 125 East John W. Carpenter Freeway, Suite 300, Irving, TX 75062
    El Paso
      FBI 915.832.5000/915.832.5259; 660 S. Mesa Hills Drive, El Paso, TX 79912
      USSS 915.533.6950/915.533.8646; Mesa One Building, 4849 North Mesa, Suite 210, El Paso, TX 79912
    Houston
      FBI 713.693.5000/713.693.3999; 2500 East TC Jester, Houston, TX 77008-1300
      USSS 713.868.2299/713.868.5093; 602 Sawyer Street, Suite 500, Houston, TX 77007
    Lubbock
      USSS 806.472.7347/806.472.7542; 1205 Texas Avenue, Room 813, Lubbock, TX 79401
    McAllen
      USSS 956.630.5811/956.630.5838; 200 S. 10th Street, Suite 1107, McAllen, TX 78501
    San Antonio
      FBI 210.225.6741/210.978.5380; U.S. Post Office Building, 615 East Houston Street, Suite 200, San Antonio, TX 78205-9998
      USSS 210.472.6175/210.472.6185; 727 East Durango Boulevard, Suite B410, San Antonio, TX 78206-1265
    Tyler
      USSS 903.534.2933/903.581.9569; 6101 South Broadway, Suite 395, Tyler, TX 75703

    UTAH
    Salt Lake City
      FBI 801.579.1400/801.579.4500; 257 Towers Building, 257 East 200 South, Suite 1200, Salt Lake City, UT 84111-2048
      USSS 801.524.5910/801.524.6216; 57 West 200 South Street, Suite 450, Salt Lake City, UT 84101

    VERMONT
      FBI 518.465.7551/518.431.7463; Contact field office located in Albany, NY
      USSS 617.565.5640/617.565.5659; Contact field office located in Boston, MA

    VIRGINIA
    Norfolk
      FBI 757.455.0100/757.455.2647; 150 Corporate Boulevard, Norfolk, VA 23502-4999
      USSS 757.441.3200/757.441.3811; Federal Building, 200 Granby Street, Suite 640, Norfolk, VA 23510
    Richmond
      FBI 804.261.1044/804.627.4494; 1970 East Parham Road, Richmond, VA 23228
      USSS 804.771.2274/804.771.2076; 600 East Main Street, Suite 1910, Richmond, VA 23219
    Roanoke
      USSS 540.345.4301/540.857.2151; 105 Franklin Road SW, Suite 2, Roanoke, VA 24011

    WASHINGTON
    Seattle
      FBI 206.622.0460/206.262.2587; 1110 Third Avenue, Seattle, WA 98101
      USSS 206.220.6800/206.220.6479; 890 Federal Building, 915 Second Avenue, Seattle, WA 98174
    Spokane
      USSS 509.353.2532/509.353.2871; 601 W. Riverside Avenue, Suite 1340, Spokane, WA 99201

    WEST VIRGINIA
    Charleston
      USSS 304.347.5188/304.347.5187; 5900 Core Avenue, Suite 500, North Charleston, SC 29406

    WISCONSIN
    Madison
      USSS 608.264.5191/608.264.5592; 131 W. Wilson Street, Suite 303, Madison, WI 53703
    Milwaukee
      FBI 414.276.4684/414.276.6560; 330 East Kilbourn Avenue, Milwaukee, WI 53202
      USSS 414.297.3587/414.297.3595; 572 Courthouse, 517 E. Wisconsin Avenue, Milwaukee, WI 53202

    WYOMING
    Cheyenne
      USSS 307.772.2380/307.772.2387; 2120 Capitol Avenue, Suite 3026, Cheyenne, WY 82001

    The U.S. Secret Service notes that the Electronic Crimes Branch of the USSS Headquarters in Washington, D.C., is ready to field questions and/or accept computer intrusion reports. Tel: (202) 406-5850. Fax: (202) 406-5031. Online: www.treas.gov/usss.

    The FBI notes computer intrusion reports may also be submitted to the National Infrastructure Protection Center. Tel: (202) 323-3205; (888) 585-9078. Fax: (202) 323-2079. Email: [email protected]. Online: www.nipc.gov/incident/cirr.htm.

    Additional investigative programs may exist within your local law enforcement community (i.e., city, county or state police, district attorney investigative units, and/or state attorney general's offices).


    CIO CYBERTHREAT REPORT FORM

    This form outlines the basic information law enforcement needs on a first call. You can use it as an internal worksheet or fill it out and e-mail or fax it to law enforcement. Additional data that will help agents in their investigation is outlined in the CIO Cyberthreat Response & Reporting Guidelines, but the best way to determine what will be most helpful to investigators in the event of an attack is to ask.

    STATUS
    [ ] Site Under Attack
    [ ] Past Incident
    [ ] Repeated Incidents, unresolved

    CONTACT INFORMATION
    Name ____________________  Title ____________________
    Organization ____________________
    Direct-Dial Phone ____________________  E-mail ____________________
    Legal Contact Name ____________________  Phone ____________________
    Location/Site(s) Involved ____________________
    Street Address ____________________
    City ____________________  State __________  IP __________
    Main Telephone ____________________  Fax ____________________
    ISP Contact Information ____________________

    INCIDENT DESCRIPTION
    [ ] Denial of Service
    [ ] Distributed Denial of Service
    [ ] Malicious Code (virus, worm)
    [ ] Intrusion/Hack
    [ ] Unauthorized Electronic Monitoring (sniffers)
    [ ] Misuse of Systems (internal or external)
    [ ] Website Defacement
    [ ] Probe/Scan
    [ ] Other (specify) ____________________

    DATE/TIME OF INCIDENT DISCOVERY
    Date ____________________  Time ____________________
    Duration of Attack ____________________

    IMPACT OF ATTACK
    [ ] Loss/Compromise of Data
    [ ] System Downtime
    [ ] Damage to Systems
    [ ] Financial Loss (estimated amount: >$__________)
    [ ] Damage to the Integrity or Delivery of Critical Goods, Services or Information
    [ ] Other Organizations' Systems Affected

    SEVERITY OF ATTACK, INCLUDING FINANCIAL LOSS, INFRASTRUCTURE, PR IMPACT IF MADE PUBLIC
    [ ] High  [ ] Medium  [ ] Low  [ ] Unknown

    SENSITIVITY OF DATA
    [ ] High  [ ] Medium  [ ] Low  [ ] Unknown

    How did you detect this? ____________________

    Have you contacted law enforcement about this incident before? Who & when? ____________________

    Has the incident been resolved? Explain ____________________


    CONTRIBUTORS

    INDUSTRY

    • Peter Allor, Manager, ISAC Operations, Special Operations Group, X-Force, Internet Security Systems, Inc.
    • Bruce Moulton, Past Chairman & Current Advisor, Financial Services ISAC
    • John Puckett, VP and General Manager, Wireless and Internet Technologies, Polaroid Corp.
    • Howard Schmidt, Vice Chair, President's Critical Infrastructure Board and former Chief Security Officer, Microsoft Corp.
    • Alan Sonnenberg, Senior Director/Engineering and Security, Wireless and Internet Technologies, Polaroid Corp.
    • Michael Young, Principal & Chief Information Security Officer, State Street Global Advisors

    UNITED STATES LAW ENFORCEMENT

    • Steven Chabinsky, Principal Legal Advisor, National Infrastructure Protection Center & Assistant General Counsel, Office of the General Counsel, FBI
    • Steve Colo, Assistant Director, U.S. Secret Service
    • Ronald L. Dick, Director, National Infrastructure Protection Center & Deputy Assistant Director, Counterterrorism Division, FBI
    • Paul Irving, Assistant Director for Government and Public Affairs, U.S. Secret Service
    • James Savage, Deputy Special Agent in Charge, U.S. Secret Service Financial Crimes Division
    • Bruce A. Townsend, Special Agent in Charge, U.S. Secret Service Financial Crimes Division

    CXO MEDIA

    • Abbie Lundberg, Editor in Chief, CIO Magazine
    • Lori Piscatelli, News & Information Assistant
    • Susan Watson, VP, News & Information

    ADDITIONAL REVIEWERS

    • Steven Agnoli, CIO, Kirkpatrick & Lockhart LLP
    • William Crowell, Former CIO, Meredith Corp.
    • Patrick Gray, Manager, Internet Threat Intelligence Center, Special Operations Group, X-Force, Internet Security Systems, Inc.
    • Scott Hicar, CIO, Maxtor Corp.
    • Paul Ingevaldson, SVP, Technology and International Operations, Ace Hardware
    • Scott Kelly, VP of IT, Symtx
    • Frank O'Connor, CIO, ECom Systems, Inc.
    • Steven Steinbrecher, CIO, Contra Costa County
    • Glenn West, Vice President, IT Services, Long John Silver's
    • Marc West, CIO, Electronic Arts
    • Ed Winfield, CIO, FX Coughlin Co.