Cyber Crisis Management Plan
Document Details
Version 1.0
Year 2017-18
Number of Pages 43
Page 1 of 43
Cyber Crisis Management Plan (CCMP)
Version History
CONTENT
1 Introduction 4
2 Overview 4
3 Objective/ Purpose 5
5 Plan Exceptions 5
1. Introduction
1.1 A crisis is defined as a significant threat to the operations of the organization that can have negative
consequences if not handled properly. A crisis can create financial and reputational loss by disrupting
operations.
1.2 A cyber crisis is a coordinated, large-scale cyber event that results in, or has the potential to result in, a
widespread outage or the disruption of multiple infrastructures. A cyber-attack is any type of offensive maneuver
by individuals or whole organizations that targets computer information systems, infrastructures,
computer networks and/or personal computer devices by various means of malicious acts, usually
originating from an anonymous source, that either steals, alters or destroys a specified target by
hacking into a susceptible system. In different contexts these may be labeled a cyber campaign, cyber warfare or
cyber terrorism. Cyber-attacks can range from installing spyware on a single PC to
attempts to destroy the infrastructure of the entire Bank.
1.3 Cyber Crisis Management is a critical organizational function. Failure can result in serious harm to
stakeholders, losses for the organization, or the end of its very existence. The Cyber Crisis Management Plan is
prepared in line with the Business Continuity Plan.
1.4 RBI, vide circular RBI/ 2015-16/ 418 DBS.CO/ CSITE/ BC.11/ 33.01.001/ 2015-16 dated 02.06.2016,
mandates that a Cyber Crisis Management Plan (CCMP) should be evolved and should be a part of the
overall Board approved strategy.
1.5 The RBI guidelines lay down the guiding principles for formulation of an effective Cyber Crisis
Management Plan and its implementation. These guidelines mandate implementation of a CCMP, which
shall be reviewed periodically. This document on the Cyber Crisis Management Plan (CCMP) has been
formulated in compliance with the RBI guidelines.
2. Overview
This document on CCMP is designed to reduce the Bank's risk arising from an unexpected disruption of
the critical functions/ operations necessary for the business due to cyber attacks/ crisis. CCMP can be
defined as a statement of:
• Actions to be taken.
• Resources to be used.
• Procedures to be followed before, during and after a cyber crisis which renders a Business function
totally or partially unavailable.
3. Objective/ Purpose
The objective of this Cyber Crisis Management Plan is to counter Cyber Attacks/ Cyber Terrorism by
outlining a framework for dealing with cyber related incidents for a coordinated, multi-disciplinary and
broad based approach for rapid identification, information exchange, swift response and remedial
actions to mitigate and recover from malicious cyber related incidents impacting critical business
functions and processes of the Bank.
The purpose of the Cyber Crisis Management Plan (CCMP) is to enable the Bank to continue operations in the
event of an interruption to its business functions. The plan addresses all business and systems
functions necessary to continue as a viable organization. Strong management support, extensive
planning and a commitment of resources are necessary to adequately plan for both manual and
automated interruptions.
Any serious disruption can cause critical information resources to be inoperative for anything from a few hours to
several days, depending upon the criticality of the information resources. The recovery of key business
processes, in a worst-case scenario, would probably involve the use of alternative processing facilities,
where the recovery of software and data files from offsite locations may be required. This CCMP takes
into account all event types that might impact both critical information systems processing facilities
and end-user business operational functions.
This document applies to all activity owners, including Bank employees, contractors, consultants,
temporary staff and other individuals, even those affiliated with third parties, who have access to the Bank's
information, information processing facilities and other resources, and requires them to have CCMPs in place
so as to be in readiness to tackle serious business disruptions.
5. Plan Exceptions
Every care has been taken in formulating this CCMP. The Information Security Cell cannot possibly
foresee all circumstances or situations in which it might apply. It is conceivable that
exceptional situations or emergencies may occur when practical considerations clearly override or
negate the statements made herein.
In case anyone identifies a situation in which this plan cannot apply for some reason, it is his/ her
responsibility to raise the matter with the respective GMs/ Head of Branch, Zone or Department.
The GMs/ Head of Branch, Zone or Department, taking into consideration the relevant Information Resource
Owners and other stakeholders, will take it up with the GM-IT, who will decide whether to
permit or deny such plan exceptions.
Based on the broad guidelines issued by RBI, CCMP addresses the following four aspects:
i. Detection
ii. Response
iii. Recovery, and
iv. Containment
The Bank needs to take effective measures to prevent cyber-attacks and to promptly detect any cyber
intrusions so as to respond to, recover from and contain the fallout. The Bank is expected to be well prepared to face
emerging cyber-threats such as 'zero-day' attacks, remote access threats and targeted attacks. Among
other things, the Bank should take necessary preventive and corrective measures in addressing various
types of cyber threats including, but not limited to, Denial of Service (DoS), Distributed Denial of
Service (DDoS), Ransomware/ Crypto Ware, Destructive Malware, Business Email Frauds including
Spam, Email Phishing, Spear Phishing, Whaling, Vishing Frauds, Drive-By Downloads, Browser Gateway
Fraud, Ghost Administrator Exploits, Identity Frauds, Memory Update Frauds and Password Related
Frauds etc.
CCMP document shall be reviewed, at least, annually or as and when changes in the Bank’s
environment/ infrastructure or threat occur to keep pace with the changes within the Bank. Some of
the typical changes that may be identified and updated in the manual include:
a. The Critical assets, Nature of cyber crisis and possible targets and impact of particular type of
crisis on these targets.
b. Crisis due to focused cyber-attacks affecting the Bank.
c. Different Types of cyber crisis described include large-scale defacement and semantic attacks
on websites, Malicious code attacks, large scale SPAM attacks, Spoofing, Phishing attacks, Social
Engineering, Denial of Service (DoS) and Distributed DoS attacks, attacks on DNS, Applications,
Infrastructure and Routers, Compound attacks and High Energy RF attacks.
This section identifies different types of threats and crises that affect specific targets. The impact of such
crises on their respective targets and on the critical business functions and services of the Bank is identified to determine
suitable response and mitigation actions. While preparing the CCMP the following points are kept in
mind:
A cyber crisis has unique features that differ from a physical crisis. In some cases the severity of a
cyber crisis is high but confined to individuals or a few departments within the Bank. In other cases the
severity may be low but spread widely across the entire Bank.
There are various types of cyber security incidents that can trigger a crisis at organization level.
b) Large scale defacement and semantic attacks on websites: A website defacement is when a
defacer breaks into a web server and alters the contents of the hosted website. Attackers change
the content of a web page subtly so that the alteration is not immediately apparent. As a result,
false information is disseminated.
c) Malicious Code attacks (virus/ worm/ Trojans/ Botnets): Malicious code or malware is software
designed to infiltrate or damage a computer system without the owner's informed consent.
Malicious code is hostile, intrusive, or annoying software or program code. Commonly known
malware are virus, worms, Trojans, spyware, adware and Bots.
d) Malware Affecting Computing Devices: Malicious code and malicious applications (apps)
affecting operating systems/ platforms used for mobile devices such as Symbian, Android, iOS,
Windows Mobile, and Blackberry OS.
e) Large scale SPAM attacks: Spamming is the abuse of electronic messaging systems to
indiscriminately send unsolicited bulk messages. SPAM mails may also contain virus, worm and
other types of malicious software and are used to infect Information Technology systems.
f) Spoofing: Spoofing is an attack aimed at ‘Identity theft’. Spoofing is a situation in which one
person or program successfully masquerades as another by falsifying data and thereby gaining an
illegitimate advantage.
g) Phishing Attacks: Phishing is an attack aimed at stealing sensitive personal data that can
lead to online economic frauds. Phishers attempt to fraudulently acquire sensitive
information, such as usernames, passwords and credit card details, by masquerading as a
trustworthy entity in an electronic communication.
h) Social Engineering: The art of manipulating people into performing actions or divulging
confidential information, which is then used for monetary gain or to damage an individual's or corporate
image.
i) Denial of Service (DoS) attacks and Distributed Denial of Service (DDoS) attacks: DoS is an
attempt to make a computer resource unavailable to its intended users. A distributed denial of
service (DDoS) attack occurs when multiple compromised computer systems flood the
communication link (bandwidth) or the resources of a targeted system.
l) Compound Attacks: By combining different attack methods, hackers could launch an even more
destructive attack. The Compound attacks magnify the destructiveness of a physical attack by
launching coordinated cyber-attack.
m) Router Level Attacks: Routers are the traffic controllers of the Internet to ensure the flow of
information (data packets) from source to destination. Routing disruption could lead to massive
routing errors resulting in disruption of Internet communication.
o) High Energy Radio Frequency Attacks: Use of physical devices such as antennas to direct a focused
beam, which can be modulated from a distance to cause RF jamming of communication systems
including wireless networks, leading to attacks such as Denial of Service.
p) Cyber Espionage and Advanced Persistent Threats: Targeted attacks resulting in compromise of
computer systems through social engineering techniques and specially crafted malware.
The different types of cyber crisis/ attacks mentioned above are indicative, not exhaustive, and
may not include all types of cyber crisis/ attacks. However, the CCMP is intended to cover all types of cyber
attack, including those that may evolve in future.
Cyber resilience is defined as the ability of an organization or business process to anticipate and withstand cyber-
attacks, and the capability to contain, recover rapidly and evolve to improved capabilities from any
disruptive impact of such cyber-attacks.
• Identification of key information and technology assets that support the services of the Bank by
the concerned divisional head.
• Implementation of controls to protect those assets from cyber attack.
• Implementation of controls to sustain the ability of those assets to operate under disruptive
events and recover rapidly from disruption.
• Development of processes to maintain and repeatedly carry out the protection and recovery
activities.
• Development of appropriate measures to drive these activities.
• Develop a plan for protection of Bank’s IT Infrastructure and its integration with business plan
and implement such plan. The plans shall include establishing mechanisms for secure
information flow (while in process, handling, storage & transit), guidelines and standards, crisis
management plan, proactive security posture assessment and forensically enabled information
infrastructure.
• Closely interact with 24x7 National Critical Information Infrastructure Protection Centre
(NCIIPC) by providing it the necessary and timely information.
A matrix showing relation between each of the components within system and their mapping to these
controls, may be referred at Annexure - A.
Crises arising out of cyber-attacks are categorized and prioritized from Level 1 to Level 4. The levels
of concern are:
Level 1 – Guarded. Scope: Individual user/ department/ Branch
Level 2 – Elevated. Scope: Multiple Departments/ Branches
Level 3 – Heightened. Scope: Complete Zone
Level 4 – Serious. Scope: Entire Bank
As and when a cyber-crisis situation develops, the respective divisions will immediately convey it to the
Information Security Cell and the CISO through the quickest possible means. Further, all divisions will take
all necessary actions as given in Annexure - C of this document, and the Information Security Cell shall
report it to CERT-In, RBI and other agencies, as applicable from time to time.
Immediately on the occurrence of a crisis, the Contingency Plan would be put into effect. The response
action will be initiated in consultation with CISO/ CERT-In/ NCIIPC/CSITE if the situation has wider
ramifications and warrants response at the national level. During any cyber crisis, to maintain the
continuity of the Business, BCP (Business Continuity Plan) will be invoked.
General Guidelines on Crisis Management and security of Critical Infrastructure are outlined in
Annexure-E. The table outlines the nature of crisis/ contingency affecting the systems of individual
department, multiple departments within a Division, Various Divisions and the entire Bank leading to
crisis of different levels and authorities responsible for mitigation along with agencies that support
mitigation actions. The steps necessary to mitigate crisis will vary with respect to nature and severity of
crisis. Respective authorities responsible for mitigation of a crisis will report the incident to the
concerned authority and step-wise approach for mitigation vis-à-vis nature of crisis/ contingency as
given in the table in Annexure-D.
After successful mitigation and recovery from incident, the following need to be undertaken by
individual department (before closing the incident) for future reference/precaution:
• Perform a Root Cause Analysis (RCA) of the incident as well as the incident response adopted.
• Evaluate and perform assessment of the attack from the technical point of view in order to fine-
tune and optimize the eradication mechanism
• Document lessons learnt from the incident and prepare an incident report, including
infrastructure protection improvements from the post-mortem process
• Share the incident report with the CISO, who will share it with CERT-In/ NCIIPC/ CSITE and IB-CART for
future precaution and mitigation of similar attacks
• All critical departments/ Divisions shall implement infrastructure protection improvements
resulting from post-incident reviews or other protection improvement mechanisms.
Names, telephone numbers/ mobile numbers, e-mail IDs and addresses of Members and Alternate
Members of various stakeholders are given in the Annexure - D respectively.
The Cyber Crisis Management Plan shall be reviewed at least annually or whenever major changes are
required due to a change in the threat landscape or in the IT infrastructure/ resources/ stakeholders of the Bank.
• Detailed ‘do’s and don’ts’ displayed on the intranet portal of the bank.
• Awareness session and quizzes through Video Conferencing/ Webinar to cover all end-user and
other stakeholders.
Annexure - A
Building cyber resilience begins with effective protection of five key components within any system
(i.e. key information and technology assets, user identity, system processes, data, and the hardware &
software platform, along with the network of connections between systems).
Achieving cyber resilience is about understanding the sensitivity and interdependency of critical assets,
selecting appropriate technical controls for protection, detection, containment and recovery from
cyber disruptive activities, and assigning a resilience rating to each system component, depending on
the services it provides and its respective Service Level Agreements (SLAs).
• Lockout Policies
Contain
• System isolation.
Data Component
Network Component
Annexure - B
The table outlines the threat levels, spread of attack and related conditions that become the basis for
declaration of a crisis. The table also outlines the crisis/ contingency affecting the systems of individual
department within a division, multiple departments within a division, one division and entire bank
leading to crisis of different levels. The levels of crisis are interrelated. Each subsequent level will follow
the preceding one. No level other than Level 1 will come in isolation.
Level - 3 (One Zone): Significant breakdown of working of the entire zone due to focused cyber
attacks on IT infrastructure related to that zone.
Level - 4 (Entire Bank): Significant breakdown of working of the entire Bank due to focused cyber
attacks on infrastructure.
Annexure - C
Introduction:
The primary objective of incident response actions during first hour is to contain the damage due to
the incident, notify appropriate authorities about the incident and ensure continuity of essential
activities and services of the Bank.
The following guidelines describe the actions to be taken within the Bank during the first hour of
incident. The guidelines also facilitate detailed incident analysis and determination of recovery and
response actions and possible escalation within and outside the Bank.
The reaction by the users or administrators within the Bank could be triggered by observation of certain
symptoms and anomalies in the functioning of systems, networks and processes. The trigger for
response action could be infection, attack or intrusion, malfunctioning of a system, or reported loss of or
damage to information assets/ systems etc. Further, the actions could be triggered when alerts are
received from external organisations such as CERT-In, NCIIPC, IDRBT and other Incident Response
teams and security agencies.
Means of Detection
The means of detecting anomalies and abnormal conditions that require response actions are Users,
System/ Network Administrators, technical tools and external alerts from security agencies such as
CERT-In/ NCIIPC etc.
Table 1 outlines the general symptoms indicating occurrence of incident noticeable by all types of
users, source of detection, response actions required and persons responsible for the actions.
Table 2 outlines Indications of different types of Cyber Crisis generally noticeable by trained users,
System Administrators & tool based detection mechanisms and response actions required and
authorities responsible for the actions.
Table 1 General symptoms of incidents noticeable by all types of users and related response actions.

Common Symptoms

Symptoms: Frequent system crashes; unexplained, poor system performance; presence of new files; presence of unknown processes; changes in file size or dates
Source of detection: User
Response actions:
• Scan system with updated Antivirus & Anti-spyware
• Report to IT Dept/ IT Personnel at concerned Division (HO)
Responsibility: User/ IT Dept/ IT Personnel at concerned Location

Symptoms: New suspicious user accounts
Source of detection: User, Server Custodian
Response actions:
• Disable suspicious user account
• Do the log analysis
Responsibility: HO: IT Department

Symptoms: Failed or successful social engineering attempts
Source of detection: User, System Administrator
Response actions:
• Collect all details such as email content, header etc. and examine
Responsibility: HO: Information Security Cell

Symptoms: Failed log-in attempts by unauthorized users
Source of detection: Technical tools/ SOC, supervisory review of logs
Response actions:
• Determine the timing and sources of activities
• Trace the attack sources from logs of system/ directory server
• Change of password
Responsibility: HO: IT Department (Application Team)

Symptoms: Unusual time of usage, unauthorized user accounts
Source of detection: Supervisory review of logs/ alerts
Response actions:
• Correlate with physical access by users
• Correlate with logs of perimeter devices to find external intrusion
Responsibility: HO: IT Department (Application Team)

Symptoms: Suspicious probes
Source of detection: Technical tools (IPS/ IDS/ Firewall)
Response actions:
• Close the ports and services which are not required
• Send the logs to the incident response team
Responsibility: HO: IT Department (Networking Team)/ HO: Information Security Cell

Symptoms: Abnormal surge in traffic (inbound/ outbound)
Source of detection: Technical tools, Network Behaviour Analysis, Router
Response actions:
• Trace the specific service/ protocol
• Detect the source of generation of abnormal traffic
• Correlate with alerts from CERT-In/ NCIIPC/ CSITE etc.
Responsibility: HO: IT Department (Networking Team)

Symptoms: Compromise of sensitive information of customers such as PIN, Card Number, CVV etc. of Debit card through various kinds of infection (malware or skimmer) within or outside our infrastructure
Source of detection: Users/ National Payments Corporation of India (NPCI)/ MasterCard
Response actions:
• Block the affected cards and inform the customers through SMS/ e-mail
Responsibility: HO: ATM Cell

External Alerts

Symptoms: Alert for new vulnerability
Source of detection: CERT-In/ NCIIPC/ CSITE
Response actions:
• Apply appropriate patches/ updates
• Implement suggested workaround for zero-day vulnerabilities
Responsibility: HO: Information Security Cell in consultation with CISO

Symptoms: Alert on propagation of malicious code
Source of detection: CERT-In/ NCIIPC/ CSITE
Response actions:
• Update the Antivirus signatures
• Follow the countermeasures suggested in the specific advisory
Responsibility: HO: Information Security Cell in consultation with CISO

Symptoms: Alert indicating attack sources
Source of detection: CERT-In/ NCIIPC/ CSITE/ Security agencies
Response actions:
• Block the attack sources notified by CERT-In/ NCIIPC and other agencies
Responsibility: HO: Information Security Cell in consultation with CISO

Note:- In case a user is unable to identify the symptoms/ alerts of any incident, he may contact HO Information
Security Cell for further assistance.
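The "failed log-in attempts" and "unusual time of usage" rows of Table 1 ask the Application Team to determine the timing and sources of activity from system logs. The script below is an added example, not part of the Bank's CCMP or of any product it names: it parses a handful of constructed SSH-style authentication log lines (the format, host name and addresses are made up for the example), reports sources that produce a burst of failures inside a short window, flags a success from the same source after the burst (the pattern that suggests a password was eventually guessed), and lists successful log-ins outside working hours. The 5-failures-in-5-minutes threshold and the 08:00-20:00 working window are assumptions to be tuned to the Bank's environment.

```python
# Added example (not part of the Bank's CCMP): triage of failed log-in attempts
# from authentication logs. LOG_LINES is constructed for the example; the line
# format is a simplified syslog/sshd style, not any product's actual format.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINES = [
    "2017-11-03 09:14:02 authsrv sshd[4021]: Failed password for admin from 203.0.113.7 port 51022",
    "2017-11-03 09:14:05 authsrv sshd[4021]: Failed password for admin from 203.0.113.7 port 51023",
    "2017-11-03 09:14:09 authsrv sshd[4021]: Failed password for root from 203.0.113.7 port 51024",
    "2017-11-03 09:14:12 authsrv sshd[4021]: Failed password for oracle from 203.0.113.7 port 51025",
    "2017-11-03 09:14:15 authsrv sshd[4021]: Failed password for admin from 203.0.113.7 port 51026",
    "2017-11-03 09:14:20 authsrv sshd[4021]: Accepted password for admin from 203.0.113.7 port 51027",
    "2017-11-03 10:02:41 authsrv sshd[4105]: Failed password for rkumar from 10.20.5.14 port 40311",
    "2017-11-03 10:03:10 authsrv sshd[4105]: Accepted password for rkumar from 10.20.5.14 port 40312",
    "2017-11-03 02:17:33 authsrv sshd[3877]: Accepted password for backupop from 10.20.9.2 port 38870",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)

def parse(lines):
    """Turn raw lines into events sorted by time; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "ok": m["result"] == "Accepted",
                           "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])

def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: summary} for sources with >= threshold failures inside one window.
    A success from the same source at or after the end of the burst is flagged,
    since that is the case where the account must be treated as compromised."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]
        for i in range(len(fails)):
            burst = [f for f in fails[i:] if f["ts"] - fails[i]["ts"] <= window]
            if len(burst) >= threshold:
                later_success = any(e["ok"] and e["ts"] >= burst[-1]["ts"] for e in evs)
                findings[ip] = {
                    "first": burst[0]["ts"], "last": burst[-1]["ts"],
                    "failures": len(burst),
                    "users": sorted({f["user"] for f in burst}),
                    "success_after_burst": later_success,
                }
                break
    return findings

def off_hours_logins(events, start_hour=8, end_hour=20):
    """Successful log-ins outside the assumed working window (Table 1: 'unusual time of usage')."""
    return [e for e in events if e["ok"] and not (start_hour <= e["ts"].hour < end_hour)]

if __name__ == "__main__":
    evs = parse(LOG_LINES)
    for ip, f in brute_force_sources(evs).items():
        print(f"{ip}: {f['failures']} failures {f['first']}..{f['last']} "
              f"users={f['users']} success_after_burst={f['success_after_burst']}")
    for e in off_hours_logins(evs):
        print(f"off-hours log-in: {e['user']} from {e['ip']} at {e['ts']}")
```

On the constructed input the first source is reported with five failures across three user names followed by a success, which is exactly the case in which "change of password" alone is insufficient and the session and account need to be examined; the 02:17 log-in is listed for correlation with physical access records as the next row of Table 1 requires.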
Table 2 Indications of different types of Cyber Crises generally noticeable by trained users, System
Administrators & tool based detection mechanisms and Response actions

Common Symptoms

Symptoms: Detection of defacement/ intrusion of website
Source of detection: Users/ Web Admin/ External agencies
Response actions:
• Disconnect the web server hosting the defaced/ compromised website
• Examine the compromised system/ website for specific unauthorized changes
• Restore the website content; shift and run the website from a different trusted system by making appropriate DNS changes for the new system
• Collect relevant logs of server and application and submit to HO: Information Security Cell of the Bank
• Report the incident to HO: Information Security Cell, which along with the logs reports it to CERT-In/ NCIIPC/ CSITE
Responsibility: HO IT Department: Website Manager

Symptoms: Unexplained poor system performance; presence of suspicious process/ files on system; surge in traffic on ports/ services used by malware; connections to suspicious remote systems
Source of detection: Users; HO: Information Security Cell; alerts from Antivirus, NIPS; External agencies
Response actions:
• Disconnect infected systems from network
• Scan with updated Antivirus and Anti-spyware
• Apply appropriate countermeasures in consultation with CISO/ NCIIPC/ CERT-In/ CSITE
Responsibility: HO: Information Security Cell

SPAM attacks

Symptoms: Abnormal surge in SMTP traffic; bandwidth congestion; slow response of mail servers
Source of detection: Users; HO: IT Deptt (Networking Team)
Response actions:
• Check the mail servers for open relays and disable ports not required on the mail server
• Identify possible sources of spam from email headers and invoke blacklists such as SBL, XBL and PBL
• If the attack persists, report to NCIIPC/ CERT-In
Responsibility: HO: IT Department (Networking Team)

Symptoms: Non-availability of services such as website, email etc.; system crashes; bandwidth congestion; surge in traffic
Source of detection: Users; HO: Information Security Cell; alerts from Antivirus, NIPS; External agencies
Response actions:
• Identify the type of attack such as flooding of particular types of packets/ requests (TCP SYN, ICMP etc.) by examining logs of Router/ IPS/ IDS/ Firewall
• Identify the attack sources
• Block the attack sources at Router/ packet filtering device
• Check Router configuration and implement Egress and Ingress filtering to block spoofed packets
• Disable the non-essential ports/ services
• Report to CISO with relevant logs
Responsibility: HO: IT Deptt (Application Team)/ HO: IT Deptt (Networking Team)

Symptoms: Slow response or non-availability of web/ mail services
Source of detection: User; HO: IT Deptt (Networking Team)
Response actions:
• Change the Primary DNS Server
• Implement source address validation through ingress filtering (implement IETF BCP 38/ RFC 2827)
• Use Unicast Reverse Path Forwarding to mitigate problems that are caused by malformed or forged IP source addresses
• Run separate DELEGATED and RESOLVING name servers
• Disable recursion on the DNS server authoritative for the zone
• Restrict zone transfers to secondary name servers only
• Block invalid DNS messages to an authoritative name server at the network edge. This includes blocking large IP packets directed to an authoritative name server.
• Report to CISO
Responsibility: HO: IT Deptt (Networking Team) and HO: Information Security Cell

Phishing attacks

Symptoms: Reporting of phishing email/ website
Source of detection: Users; Anti-phishing/ fraud detection services
Response actions:
• Report phishing incident to CISO
• Report phishing URL to phishing filters
• Send phishing emails and details of phishing website to CISO
Responsibility: HO: Information Security Cell

Symptoms: Unauthorized changes to data/ suspicious user activity/ elevation of privileges
Source of detection: HO: IT Deptt (Application Team)
Response actions:
• Disable suspected user accounts
• Reduce the interactive features and run with minimum essential features
Responsibility: HO: IT Deptt (Application Team) and HO: Information Security Cell

Symptoms: Unexplained packet loss/ non-availability of gateway/ Internet services
Source of detection: Users; HO: IT Deptt (Networking Team); review of Router configurations
Response actions:
• Replace the router with a securely configured standby router with Egress and Ingress filtering
• Check the logs and configuration files of the compromised router to identify attacks
• Replace the configuration files with trusted backup
• Apply appropriate patches/ updates
• Block the attack source
• Report to CISO
Responsibility: HO: IT Deptt (Networking Team)

Symptoms: Huge amount of IPS/ IDS alerts; high volume of dropped packets by Firewalls; surge in specific traffic
Source of detection: User; HO: Information Security Cell; logs of relevant devices
Response actions:
• Identify the type of scans/ probes by examining logs of Router/ IDS/ IPS/ Firewall
• Identify the sources of scans
• Block the sources of scanning
• Report the incidents with relevant logs to CISO
Responsibility: HO: Information Security Cell/ HO: IT Deptt (Networking Team)
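The SPAM attacks row of Table 2 tells the Networking Team to identify the source of spam from the email headers and to invoke blacklists such as SBL, XBL and PBL. The following is an added example and not code from the Bank's CCMP: it walks the Received: headers of a constructed message (the host names, addresses and the 10.0.0.0/8 "trusted relay" range are placeholders), picks out the host that actually connected to the Bank's relay, and builds the reversed-octet lookup name for the Spamhaus ZEN zone, which combines the three lists. The return-code meanings are those Spamhaus publishes for ZEN (127.0.0.2-3 SBL, 127.0.0.4-7 XBL, 127.0.0.10-11 PBL); the resolver is injectable so the logic can be exercised without network access.

```python
# Added example (not part of the Bank's CCMP): locate the connecting source of a
# suspected spam message and build the Spamhaus ZEN (SBL+XBL+PBL) lookup for it.
# SAMPLE_MESSAGE, the host names and TRUSTED_NETS are constructed for the example.
import email
import ipaddress
import re
import socket

SAMPLE_MESSAGE = """\
Received: from mx1.bank.example (mx1.bank.example [10.20.1.5])
\tby mailstore.bank.example with ESMTP id q7Ab12; Fri, 03 Nov 2017 11:02:17 +0530
Received: from smtp.rewards-offer.example (unknown [198.51.100.23])
\tby mx1.bank.example with ESMTP id 3fD9x1; Fri, 03 Nov 2017 11:02:15 +0530
Received: from [192.0.2.77] (helo=alice-pc)
\tby smtp.rewards-offer.example with SMTP; Fri, 03 Nov 2017 11:01:58 +0530
From: "Card Rewards" <rewards@bank.example>
To: customer@bank.example
Subject: Your reward points expire today

Click here to redeem.
"""

# The Bank's own relays (assumed range): hops "from" these addresses are trusted and skipped.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_source(raw_message):
    """Walk Received: headers newest-first (top of the message downwards). The first
    'from' address outside the Bank's own networks is the host that delivered the
    message to the Bank. Received lines below it were written by the sender's side
    and may be forged, so they must not be used for blacklist decisions."""
    msg = email.message_from_string(raw_message)
    for hop in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(hop)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in net for net in TRUSTED_NETS):
            return str(ip)
    return None

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """DNSBL convention: reverse the octets and append the zone.
    198.51.100.23 -> 23.100.51.198.zen.spamhaus.org"""
    return ".".join(reversed(ip.split("."))) + "." + zone

def classify_zen_answer(answer):
    """Map a ZEN A-record answer to the list it came from (codes as published by Spamhaus)."""
    last = int(answer.rsplit(".", 1)[1])
    if last in (2, 3):
        return "SBL"        # Spamhaus Block List: known spam sources
    if 4 <= last <= 7:
        return "XBL"        # Exploits Block List: compromised/infected hosts
    if last in (10, 11):
        return "PBL"        # Policy Block List: end-user ranges that should not send mail directly
    return "unknown"

def check_source(ip, resolve=socket.gethostbyname):
    """Return the list name the source is on, or None if it is not listed.
    `resolve` defaults to a real DNS lookup; a dict-backed callable can be passed
    for offline use (a KeyError is treated like NXDOMAIN)."""
    try:
        answer = resolve(dnsbl_query_name(ip))
    except (socket.gaierror, KeyError):
        return None
    return classify_zen_answer(answer)

if __name__ == "__main__":
    src = connecting_source(SAMPLE_MESSAGE)
    print("connecting source:", src, "-> query", dnsbl_query_name(src))
```

The point of walking the headers from the top is the one the row's "identify possible sources of spam from email headers" step depends on: only the Received line added by the Bank's own relay is trustworthy, so the address it records (198.51.100.23 in the sample) is the one to check and, if listed, to block at the mail gateway; the 192.0.2.77 in the lowest header is whatever the sender chose to write.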
Annexure-D
The person who notices the incident (in Zonal Office) reports to: HO: Information Security Cell
The person who notices the incident (in Head Office) reports to: In-charge of the department
Reporting of a Security Incident: A computer security incident is any adverse event whereby some
aspect of a computer system is threatened viz. loss of confidentiality, disruption of data or system
integrity, denial of service availability.
By reporting computer security incidents to CERT-In, the Bank shall receive technical assistance in resolving
these incidents. This will also help CERT-In to correlate and analyze the incidents thus reported,
draw inferences, disseminate up-to-date information and develop effective security guidelines to
prevent occurrence of such incidents in future.
The Bank can report adverse activity or unwanted behaviour that it considers an incident to CERT-
In through the following channels:
Email : incident@cert-in.org.in
Helpdesk : +91-1800-11-4949
Fax : +91-1800-11-6969
Website : http://www.cert-in.org.in/
Email : info@cert-in.org.in
Helpdesk : +91-1800-11-4949
Fax : +91-1800-11-6969
Website : http://www.cert-in.org.in/
Email : csite@rbi.org.in
MGR/ SRM/ CM/ AGM – ATM Cell (ATM/ Debit Email: atmcell@psb.co.in
Card, POS) Landline: 011 - 64780510, 011 - 25899872, 011 -
25782927
The following cyber security incidents should be reported to CERT-In/ NCIIPC/ CSITE in the format
prescribed in Annexure D, within one hour of occurrence of the incident or noticing the incident :
The following information (as much as possible) may be given while reporting the incident:
HO Information Security Cell will then analyze the information provided by the reporting authority and
identify the existence of an incident. In case it is found that an incident has occurred, a tracking
number will be assigned to the incident. Accordingly, the report will be acknowledged and the
reporting authority will be informed of the assigned tracking number. HO: Information Security Cell will
designate a team as needed.
Incident Response: The designated team will assist the concerned System Administrator in following
broad aspects of incident handling:
Identification: to determine whether an incident has occurred, if so analyzing the nature of such
incident, identification and protection of evidence and reporting of the same.
Containment: to limit the scope of the incident quickly and minimize the damage.
NCIIPC/ CERT-In will provide support to the CISO/ System Administrators in identification, containment,
eradication, and recovery during the incident handling in the form of advice.
7. Reporting Formats
A. CSITE, RBI: The Cyber Security Incident reporting format is available online on the Data Collector
Portal (URL: https://datacollector.rbi.org.in) of the Reserve Bank of India (RBI).
B. IB-CART, IDRBT: Security incident reports are available online on the IB-CART Portal of IDRBT
(Institute for Development and Research in Banking Technology), Hyderabad.
C. CERT-In: Security Incident should be reported to CERT-In in the Incident Reporting form format
given below:
Address:
Date: Time:
5. Is the affected system/network critical to the organization’s mission? (Yes / No). Details.
7. Type of Incident:
8. Description of Incident:
Anomalies
router rules, or firewall rules
Data modification or deletion
An indicated last time of usage of a user account that does not correspond to the actual last time of usage
Unusual usage patterns
Unusual log file entries
A system alarm or similar indication from an
Changes in system directories and files
Altered home pages, which are usually the
Activity during non-working hours or
13. Additional Information: (Include any other details noticed, relevant to the Security Incident.)
OPTIONAL INFORMATION
Name OS Version/Release
Anti-Virus
Intrusion Detection/Prevention
Systems
Secure Remote
Access/Authorization Tools
Packet Filtering/Firewall
Others
Other___________________
Network
Mail/Fax this Form to: CERT- In, Electronics Niketan, CGO Complex, New Delhi 110003 Fax:+91-11-
1. Organisation Details
Name of CI
Address of CI
Name of CISO
incident
Website Defacement
Exploitation
Attacks
a) Immediate
b) Long term
7. Whether other agencies such as CERT have also been informed? If yes, please mention here
System (software/hardware)
Sabotage
a) Attacking IP address
b) Forensic Report
c) Audit Report
a) Physical Location
b) Operating System
c) IP Address
d) MAC Address
e) DNS Entry
f) Domain/Workgroup
17. Was Crisis Management Plan Offered? Please explain the details
Annexure - E
DoS/ DDoS attacks
• Take a copy of all the logs at the perimeter level (IDS/IPS, firewall) and traffic trends
• Identify the type of attack such as flooding of particular
types of packets/requests
• Allocate traffic to unaffected available network paths, if
possible, to continue the services.
• Apply appropriate rate limiting strategies at the
local perimeter and if necessary consult ISP
• Implement Egress and Ingress filtering to block spoofed
packets
• Use appropriate DoS prevention tools
• Install updated software patches on all the network
devices such as Routers, Firewalls, IDS, IPS and switches.
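The first two DoS/ DDoS steps above (and the corresponding row of Table 2) require the responder to identify the type of flood, "TCP SYN, ICMP etc", and its sources from perimeter logs before deciding whether to block sources or rate-limit. This is an added example, not part of the Bank's CCMP: it runs that classification over a constructed set of NetFlow-like flow records (addresses and the record layout are made up for the example) by bucketing packets into SYN-without-ACK, established TCP, ICMP and UDP, and reports the dominant class and the sources behind it. The 60% dominance threshold is an assumption.

```python
# Added example (not part of the Bank's CCMP): classify a suspected flood from
# perimeter flow records and list the sources contributing to it.
# FLOWS is constructed for the example; each record is
# (src, dst, proto, dport, tcp_flags, packets) in a simplified NetFlow-like form.
from collections import Counter

FLOWS = [
    ("198.51.100.10", "203.0.113.5", "tcp", 443, "S", 9000),
    ("198.51.100.11", "203.0.113.5", "tcp", 443, "S", 8500),
    ("198.51.100.12", "203.0.113.5", "tcp", 443, "S", 8700),
    ("198.51.100.13", "203.0.113.5", "tcp", 443, "S", 9100),
    ("192.0.2.40",    "203.0.113.5", "tcp", 443, "SA", 120),   # normal handshake
    ("192.0.2.41",    "203.0.113.5", "tcp", 443, "PA", 300),   # normal data
    ("192.0.2.42",    "203.0.113.5", "icmp", 0,  "",   40),
    ("192.0.2.43",    "203.0.113.5", "udp", 53,  "",   25),
]

def flow_class(proto, flags):
    """Bucket a flow by the packet type an attacker would flood with.
    TCP with SYN set and ACK clear is a half-open connection attempt; a large
    share of those and few completed handshakes is the SYN-flood signature."""
    if proto == "tcp":
        return "tcp_syn" if ("S" in flags and "A" not in flags) else "tcp_established"
    return proto  # "icmp", "udp", ...

def summarise(flows, target):
    """Packet counts per (class, destination port) for flows towards `target`."""
    classes = Counter()
    for src, dst, proto, dport, flags, pkts in flows:
        if dst == target:
            classes[(flow_class(proto, flags), dport)] += pkts
    return classes

def classify_flood(flows, target, dominance=0.6):
    """Return the dominant flood type, or None when no single packet class
    dominates (normal mixed traffic, or an established-TCP majority)."""
    classes = summarise(flows, target)
    total = sum(classes.values())
    if total == 0:
        return None
    (kind, port), pkts = classes.most_common(1)[0]
    share = pkts / total
    if kind == "tcp_established" or share < dominance:
        return None
    labels = {"tcp_syn": f"TCP SYN flood on port {port}",
              "icmp": "ICMP flood",
              "udp": f"UDP flood on port {port}"}
    return {"type": labels.get(kind, f"{kind} flood"), "kind": kind, "share": round(share, 3)}

def top_sources(flows, target, kind, n=5):
    """Sources sending the most packets of the dominant class: the candidates for
    blocking at the router/packet filter."""
    cnt = Counter()
    for src, dst, proto, dport, flags, pkts in flows:
        if dst == target and flow_class(proto, flags) == kind:
            cnt[src] += pkts
    return cnt.most_common(n)

if __name__ == "__main__":
    target = "203.0.113.5"
    result = classify_flood(FLOWS, target)
    print(result)
    if result:
        for src, pkts in top_sources(FLOWS, target, result["kind"]):
            print(f"  {src}: {pkts} packets")
```

Blocking the listed sources, as the plan's next step directs, only helps when the sources are real; a flood whose SYN packets carry spoofed addresses shows up here as a very long tail of sources with a few packets each, and in that case the rate limiting and ISP consultation in the following steps, together with BCP 38 filtering upstream, are the effective response.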
DNS Attack
• Check for version updates at the DNS server and install latest software patches
• Implement spoofing countermeasures
• Use Unicast Reverse Path Forwarding to mitigate problems that are caused by malformed or forged IP
source addresses
• Adopt source IP address verification
• Implement DNSSEC
Mail Server attacks
• Deploy hot standby mail servers in physically separated networks and places which can be made
operational when the main server is attacked
• Disable all other ports and services on mail servers
• Enforce strong password policy and encourage users to
change passwords periodically
Level 2 (Impact: One or More Zone/ Multiple Department) – General Response
• Monitor and detect anomalous behaviour and degradation of service in network and systems
• Take all logs (system, application, security, access, error etc) of affected systems and data therein and keep them
separately for analysis and forensics
• Forward a copy of all the logs of affected systems and
Mail server attacks • Activate hot standby mail servers and direct mail traffic
appropriately.