Reporting cyber security incidents to ASD

The Australian Signals Directorate (ASD) uses the cyber security incident reports it receives as the basis for providing assistance to organisations. In addition, cyber security incident reports are used to identify trends and maintain an accurate threat environment picture. Finally, ASD utilises this understanding to assist in the development of new and updated cyber security advice, capabilities, and techniques to better prevent and respond to evolving cyber threats. Note, under ASD’s limited use obligation, information voluntarily provided to ASD about cyber security incidents, or potential cyber security incidents, cannot be used for regulatory purposes.

An organisation is recommended to internally coordinate their reporting of cyber security incidents to ASD. In doing so, the organisation should be cognisant of any legislative obligations regarding the reporting of cyber security incidents to ASD.

The types of cyber security incidents that should be reported to ASD include:

• suspicious privileged user account lockouts
• suspicious remote access authentication events
• service accounts suspiciously communicating with internet-based infrastructure
• compromise of sensitive or classified data
• unauthorised access or attempts to access a system
• emails with suspicious attachments or links
• denial-of-service attacks
• ransomware attacks
• suspected tampering of electronic devices.