Report Security Incident Template

From GridPP Wiki

Template for reporting incidents

Any security incident which occurs in GridPP or NGS is handled according to the approved EGI Security Incident Response Procedure written by the EGI CSIRT team. Please follow this procedure.

This template is aimed at helping you provide information that may be useful when reporting an incident.

Sites must report an incident or suspected incident to abuse at egi.eu within 4 hours of discovering it. UK sites may also cc gridpp_csirts at jiscmail.ac.uk if they wish.

The people behind UKNGI-SECURITY at JISCMAIL.ac.uk are the UK security team, and the people behind abuse at egi.eu are the EGI CSIRT Incident Response Task Force; both will do what they can to help you. If you think you have discovered an incident and you do not know what to do, DON'T PANIC: just send an e-mail and they will help you.


FROM: <you>
TO: abuse at egi.eu; UKNGI-SECURITY at jiscmail.ac.uk; <your local site security team>
SUBJECT: Security incident suspected at <site> [EGI-<DATE>] TLP: AMBER
** AMBER Information – Limited Distribution                        **
** This may be shared with trusted security teams on a need-to-know basis **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
Dear CSIRT team/security contacts,
A suspected security incident has been detected at <site>.
Summary of the information available so far:

<Ex1: A malicious SSH connection was detected from 012.012.012.012. The extent of the incident is
unclear for now, and more information will be published in the coming hours as forensics
progress at our site. However, all sites should check for successful SSH connections from
012.012.012.012 as a precautionary measure.>

<Ex2: We have noticed a potentially malicious user <user id> logged on at <site>.
Process status (ps) output:
.....
Suspect files found:>

Name:
E-mail address(es):
Telephone/mobile Number(s):
