National Infrastructure Protection Center
Incident Report
www.nipc.gov


Cyber Threat and Computer Intrusion
Incident Reporting Guidelines

This form may be used as a guide or vehicle for reporting cyber threat and computer intrusion incident information to the NIPC or other law enforcement organization. It is recommended that these Cyber Incident Reporting Guidelines be used when submitting a report to a local FBI Field Office.

Do NOT include CLASSIFIED information on this form unless you adhere to applicable procedures for proper marking, handling and transmission of classified information. Please contact the NIPC Watch Operations Center at (202) 323-3205 to arrange a secure means of submitting classified information.

Information concerning the identity of the reporting agency, department, company, or individual(s) will be treated on a confidential basis. If additional information is required, you will be contacted directly.

Report Date/Time:

 SECTION 1

Point of Contact (POC) Information

Name:

Title:

Telephone/Fax Number:

E-mail:

Organization:

Address:

Street:

City:

State:

Zip Code:

Country:

 SECTION 2

Incident Information

  1. Name of Organization: (if same as above, enter "SAME")

    (Check here if Federal Government Agency)
    Organization's contact Information:
    Telephone Number:

    Address: (if same as above, enter "SAME")
    Street:
    City, State, Zip Code:
    Country:
    E-mail:

  2. Physical location(s) of victim's computer system/network (be specific):


  3. Date/Time and duration of incident:

  4. Is the affected system/network critical to the organization?
      Yes   No

  5. Critical Infrastructure sector(s) affected. (Check only one)
      Power   Transportation
      Banking and Finance   Emergency Services
      Government Operations   Water Supply Systems
      Gas & Oil Storage and Delivery   Other (Provide details in remarks)
      Telecommunications   Not applicable

     Remarks:

  6. Nature of Problem? (Check only one)
      Intrusion   System impairment/denial of resources
      Unauthorized root access   Web site defacement
      Compromise of system integrity   Hoax
      Theft   Damage
      Unknown   Other:

  7. Has this problem been experienced before? (If yes, please explain in remarks section):
      Yes   No

     Remarks:


  8. Suspect method of intrusion/attack (Check only one)
      Virus (provide name if known)   Vulnerability exploited (explain)
      Denial of Service   Trojan horse
      Distributed Denial of Service   Trapdoor
      Unknown   Other (Provide details in remarks)

     Remarks:

  9. Suspect perpetrator(s) or possible motivation(s) of the attack (Check only one)
      Insider/Disgruntled employee   Former employee
      Competitor   Other (Explain in remarks)
      Unknown  

     Remarks:

  10. The apparent source (IP address) of the intrusion/attack:


  11. Evidence of spoofing?
      Yes   No
      Unknown  

  12. What computers/systems (hardware and software) were affected? (Check only one)
    (Operating system, version):
      Unix   OS2
      Linux   VAX/VMS
      NT   Windows
      Sun OS/Solaris   Other (Specify in remarks)

     Remarks:

  13. Security Infrastructure in place. (Check all that apply)
      Incident/Emergency Response Team   Encryption
      Firewall   Secure Remote Access/Authorization tools
      Intrusion Detection System   Banners
      Security Auditing Tools   Access Control Lists
      Packet filtering

  14. Did the intrusion/attack result in a loss/compromise of sensitive, classified or proprietary information?
      Yes (Provide details in remarks)   No
      Unknown  

     Remarks:

  15. Did the intrusion/attack result in damage to system(s) or data?
      Yes (Provide details in remarks)   No

     Remarks:

  16. What actions and technical mitigation have been taken?
      System(s) disconnected from the network   System Binaries checked
      Backup of affected system(s)   Other (Please provide details in remarks)
      Log files examined   No action(s)

     Remarks:

  17. Has the local FBI field office been informed?
      Yes (Which Office)   No

  18. Has another agency/organization been informed? If so, please provide name and phone number.
      Yes    No
    • State/local police:
     
    • Inspector General:
     
    • CERT-CC
     
    • FedCIRC
     
    • JTF-CND
     
    • Other (Incident Response, law enforcement, etc.)
     

  19. When was the last time your system was modified or updated?
    Date:
    Company/Organization that did work (Address, phone, POC information):


  20. Is the System Administrator a contractor?
      Yes (Provide POC Information)
      No


  21. In addition to being used for law enforcement or national security purposes, the intrusion-related information I reported may be shared with:
      The Public   InfraGard Members with Secure Access


  22. Additional Remarks: (Please limit to 500 characters. Amplifying information may be submitted separately.)

If the reported incident is determined to be a criminal matter you may be contacted by an agent for additional information.