Foreword
This is an UNCLASSIFIED publication issued under the authority of the Head, Canadian Centre for Cyber Security (Cyber Centre). For more information, please email or phone our Contact Centre:
email contact@cyber.gc.ca |Mobile 613-949-7048 or 1‑833‑CYBER‑88
Effective date
This publication takes effect on January 29, 2026.
Revision history
- First release: January 29, 2026
Overview
Organizing and sharing information during a cyber incident involves a structured approach that ensures the effective communication of relevant details to the Canadian Centre for Cyber Security (Cyber Centre). The purpose of this publication is to clarify the types of information the Cyber Centre considers “actionable.”
Introduction
For participating entities, this publication should be shared and circulated internally for consultation and pre-approval from your executive team, including legal and operational teams. You should also share this publication with managed security service providers and ensure cross-organizational support for the approach and pre-approval of the type of information to be shared.
In advance of a cyber incident, your organization should decide whether you can and will share these types of information to:
- best inform next steps
- assist in network rebuild and recovery
- benefit the resilience of the broader cyber ecosystem. For more details, please read Annex A: Pre-cyber incidents.
In addition, information sharing serves as a centralized resource for gathering data on cyber threats and vulnerabilities. We recommend that your organization disseminate information amongst the members of your sector. The goal is to enable collaborative efforts to secure critical infrastructure (CI) and protect against cyber threats. The recommended aspects of intra-community information sharing are described in Annex B: Recommended information sharing.
Information sharing during a cyber incident
During a cyber security incident, the participating entity could disclose artifacts to the Cyber Centre that would be used to investigate and provide clarity and enrichment to the nature of the compromise. This includes contextual information and technical artifacts.
Contextual information
This category includes evidence that provides context to the incident, which assists your organization in understanding the circumstances and implications of the compromise. Contextual information typically consists of user activity anomalies, communications (for example, email) and content. This information helps to provide comprehensive reporting, inform on attribution, and validate the malicious behavior.
This might include the following information:
- summary of the observed activity or incident
- information that would provide clarity regarding the form of threat (if known), such as the
- malware or denial of service
- actor involved
- motivation
- vector and impact
- how the attacker gained access (whether through phishing, exploiting vulnerabilities or other means)
- timeline of events leading up to, during and after the incident
- scope of the incident, including the type of systems affected and the data that was compromised, including
- what operations are impacted
- what disruptions have resulted from this compromise, including to third-party software
- observed network traffic details (if available)
- list of mitigations taken, if any, by the incident handlers
- current status of the incident
- list of indicators of compromise (IOCs) gathered during the investigation
- next steps to be taken
- contact information
Technical artifacts
This category includes all data related to the technical aspects of the incident.
Table 1: Required actionable information and data artifacts details the specific types of actionable information and data artifacts that the Cyber Centre requires from your organization in the event of a cyber security incident. Additionally, the table highlights the analytical process the Cyber Centre takes to analyze the artifacts and the expected outcomes that stem from the analysis.
It is important to note that:
- Internet Protocol (IP) addresses and domains supplied as IoCs are presumed not to be owned by the organization, and that the artifacts shared with the Cyber Centre do not contain any information pertaining to Canadian individuals or persons located in Canada.
- At no time will the Cyber Centre share raw or identifying victim data with any external entity
- The Cyber Centre is bound by provisions in the Communications Security Establishment Act [1] and the Privacy Act [2] that govern our activities. CSE may also establish non-disclosure agreements (NDA) with critical infrastructure partners to protect confidential information during information sharing activities.
| Technical artifacts | Internal analytics process | Expected outcomes |
|---|---|---|
| Suspicious/malicious IPs |
|
|
| Suspicious/malicious domains |
|
|
| Suspicious/malicious file hashes |
|
|
| Suspicious/malicious URLs |
|
|
| Suspicious/malicious documents and files (malware samples) |
|
|
| Security logs (event logs, system logs, access logs, Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) logs, network and firewall logs, endpoint detection and response (EDR) logs, DNS and virtual private network logs, database logs and mail server logs, etc.) |
|
|
| Forensic artifacts: Disk images, memory dumps, registry entries, system drives, etc. |
|
|
Annex A Pre-cyber incident
Before any confirmation that a cyber incident has occurred, the participant organization is encouraged to share information presented in the following sub-sections of this annex with the Cyber Centre. This information can:
- identify gaps
- calibrate the efficiency of the detection
- increase the signal-to-noise ratio
- lower false positives to avoid alert fatigue
Your organization should also share any other information that can be used to retrace a series of events.
Alert rules
Configuration and criteria are set within the organization’s security monitoring system, such as a security information and event management (SIEM) system or an IDS, used to trigger alerts for potential security incidents. This includes the triggers, their thresholds, filters and correlation rules such as:
- excessive login failures
- geographical irregularities
- unusual outbound traffic
- changes in file integrity
Consider implementing endpoint detection and response (EDR) or extended detection and response (XDR) system to assist in detecting and responding to anomalous system activity.
Security logs
Digital records that capture activities and events related to IT security, such as:
- network devices (for example, firewalls, routers, and switches)
- servers and workstations, security appliances (for example, IDS, IPS, and antivirus software)
- applications (for example, database and web server logs)
Annex B Recommended information sharing
This annex includes the recommended information sharing best practices. By sharing various types of information, critical infrastructure community members can significantly enhance their collective cybersecurity posture, reduce the risk of cyber attacks, and respond more effectively to incidents.
Threat intelligence reports
Threat intelligence reports offer detailed analyses of specific threats, including the TTPs used by cyber adversaries. These reports can provide insights into the
- nature of the threat
- affected systems
- mitigation strategies
- recommended protective measures
Indicators of compromise
IoCs are specific artifacts or pieces of information used to detect cyber threats, such as:
- malicious IP addresses
- uniform resource locators (URLs)
- file hashes
- email signatures
Sharing IoCs helps members to quickly identify and respond to potential threats.
Best practices and security recommendations
Information on effective security measures, policies, and practices that organizations can implement to protect themselves from cyber threats. This includes configuration guidelines, security controls, and preventive strategies.
Vulnerability information and patches
Sharing details about newly discovered vulnerabilities, potential impacts, and available patches or workarounds. This helps organizations to address vulnerabilities promptly before they can be exploited by threat actors.
Incident reports
Summaries of security incidents experienced by members, including the nature of the incident, how it was detected, the actions taken, and lessons learned. Sharing incident reports can help others to better prepare for and respond to similar incidents.
Anonymous sharing mechanisms
Some members may prefer to share sensitive information anonymously to protect their privacy or for legal reasons. Consider providing mechanisms for anonymous sharing, ensuring that valuable information can still be disseminated without exposing the source.
Automated threat intelligence sharing platforms
Utilizing platforms like structured threat information expression (STIX) and trusted automated exchange of indicator information (TAXII) for the automated exchange of threat intelligence. These platforms facilitate real-time sharing of threat data in a standardized format, enabling faster detection and mitigation of threats.
Collaborative analysis and research
Joint efforts to analyze specific cyber threats or trends, leveraging the collective expertise and resources of the energy sector members. This collaborative approach can lead to a deeper understanding of complex threats and more effective countermeasures.