This paper brings together some concepts and ideas to support organisations in implementing Cyber Incident collaboration and Coordination, focussing on the need for fast time communications.
Last updated
Was this helpful?
Fast Time Cyber Collaboration & Communications
This prime contains a wide range of references to be used in preparing your own plans, processes and approaches. The approach is aligned to ISO27010:2015[80].
This paper highlights outputs from the Welsh Government Cyber Security work programme (2017-2020) and augments them with reflections on the Fast Time Communications required to coordinate a multiagency cyber incident within the Wider Public Sector these approaches support ISO 27010, the standard for sharing information security advice and guidance, which is also supported by MISP[ 80].
A Cyber Incident, its planning, response and recovery can be treated and operated as an unplanned project, therefore we contend project planning methods and approaches can be applied to Cyber Incident Response, this covers complex large scale enterprise project planning, using PRINCE[77], through to the dynamic iterating approach of agile[78]. Likewise Emergency Planners gain a lot of their insight and thought processes from Military Planners, which explains why military Planning and doctrine isn’t just applicable in warfare, it also works in other situations such as Cyber incident Response [79] and as seen during the logistical planning of the Covid-19 pandemic.
Cyber Incidents are fast moving, dynamic and complex. Your often trying to resolve a situation without know what has actually happened and what it actually is. You find yourself responding to the symptoms, trying to stop the outbreak spreading, against a backdrop of continued operational service delivery. In short you want help, often peer support “Phone a friend”, through your WARP or similar. The NCSC will advise and assist, they have to focus on their “C3” and above type incidents, this means you need to put your own measures and coordination in place.
Systems Dynamics have been successfully used as an approach and methodology for mapping complex cyber attacks and to understand the evolving “Battle Space” of a Cyber incident. [9,10,11]. Cyber is referred to as the fifth battle domain of armed conflict, as far back as 2011, [13] even though most cyber attacks are against businesses, we mustn’t lose sight of the fact that nation states do now have cyber offensive capabilities [14].
Cyber attacks are fast moving dynamic and remotely orchestrated. The initiating actors, could be on the other side of the world and can instantly initiate a polymetric attack from multiple locations, this in itself can cause confusion and necessitate the need for a Common Operating Picture [15]. To build a common operating picture, requires all of the actors, operations, locations, techniques and processes to be quantified and documented. This approach allows for Situational Awareness to be developed, quantified, prioritised and communicated [16].
The heart of the collector-funnel model is the 2x2 grid that considers Slow time / Fast time communications coupled with Manual and Automated interventions. This we’ve called the Temporal Actions Matrix. This paper is focussing on the fast time aspects of communications, which can be thought of as dynamic and evolving. Slow time is often referred to a Busines As Usual “BAU”. Fast time operations and response are more dynamic, less predictable and may even mean that you can’t use your normal ICT channels as they are themselves affected.
Figure 1 © Author NLAWARP Information Flow Funnel showing the embedded Temporal Actions Matrix
Figure 2. The slow time / fast time event matrix
This work was started in the London Resilience team in 2003. The main point of this whole paper is to understand the two distinct modes of operation. That is business As Usual (BAU), which we refer to as slow time and when we “Flip the Switch or Push the Big RED Button”, which takes us into fast time response mode. It is also useful to think about planned and unplanned events and how those affect the response to a Cyber Incident. This is where Systems Dynamics can also help being able to produce causal maps to show interventions in Cyber Incident response and to be able to map out the causal variables and how they apply to systems, services, and processes [9]. Most business entities and organisations are accustomed in to dealing with ad hoc incidents. The Emergency Services (Often referred to as “Blue Light Services”, in the UK are accustomed to flipping constantly from BAU to Incident Response, every time they get an emergency call. IT departments are dealing with incidents on a daily basis. For the purposes of this paper, we are talking about larger tangible incidents, their response and mitigation. Fast Time Communications in the context of this paper are talking about groups of individuals and organisations outside of a single entity [29]. This phenomenon is looking at a “Trans Boundary Crisis” [29]. The response to a trans boundary crisis is often referred to as “Crisis Management” in businesses and “Major Incidents” in the Emergency Services. The Emergency Services have a standardised approach to a Major Incident, it is clearly defined [24];
“An event or situation with a range of serious consequences which requires special arrangements to be implemented by one or more emergency responder agency”.
Cyber Incidents do not have such a clear definition. The NCSC defines a cyber incident as [25];
“A breach of a system's security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems; in line with the Computer Misuse Act (1990).In general, types of activity that are commonly recognised as being breaches of a typical security policy are:
1. Attempts to gain unauthorised access to a system and/or to data.
2. The unauthorised use of systems for the processing or storing of data.
3. Changes to a systems firmware, software or hardware without the system owners consent.
4. Malicious disruption and/or denial of service.”
(It should be noted the Computer Misuse Act(1990), is under review as of June 2021 [26].
This is linked to the Integrated Review [27], which is a review of Defence, including Cyber, reviewing the Computer Misuse Act will be a key to the next Cyber Strategy for the UK [28], due in Autumn 2021, which must include further defence measures. The need for Fast time communications policy and guidance for Public Sector Organisations in the UK is therefore a requirement. This will include the development of Cyber Specific Guidance to support the Doctrine element of JESIP framework [28] to enable it to be used for Incident Response in support of the Emergency Services.
You cannot control every element of a cyber attack. However, having good asset registers and diagrams, understanding your environment and being able to quantify what you can deal with goes a long way.
For instance, if you lose access to a system or service through a communications network outage, then you may be wholly reliant on an external utility provider to be able to restore the service for you. If you were notified about planned maintenance a week in advance, it would be a planned slow time event, whilst the actual outage would still likely present some unforeseen issues to be resolved. Knowing who is critical in a process and who has to be informed, goes a long way towards lowering the impact of an incident. This is where the RACI matrix comes in useful. [17]
The acronym RACI stands for
Responsible - these people undertake the work. They complete the task or objective or make the decision.
Accountable - the “owner” of the work. They sign off or approve when the task, objective or decision is complete. They make sure that responsibilities are assigned in the matrix for all related activities. One person is accountable.
Consulted - the people who need to give input before the work can be done and signed-off on. These people are active participants.
Informed - these people need to be kept “in the picture.” They need updates on progress or decision, but they do not need to be formally consulted, nor do they contribute directly to the task or decision.
The RACI approach has been used successfully to develop Incident Play books, in a dynamic fast time environment. It is contended the RACI Matrix can improve fast time communications during an incident and the mitigation of threats [20]. Being able to triage ahead of time WHO needs to be told WHAT, WHEN, HOW and WHY will same precious time and encourage effective Crisis Management.
One of the first actions in responding to an incident is to establish the facts, at that time, understand the damage to date, and to mitigate further damage. Ahead of an incident happening we achieve this through careful planning and communication, especially through articulating and agreeing a shared understanding and acceptance of the Information risks. [17]
Next being able to analyse, quantify and record those information risks amongst the senior managers in the organisation. Next to articulate, brief and communicate the information risks, including the business impacts and the mitigations to all stakeholders [10]. This has to be done in slow time as part of the Education and Training regime with key stakeholders ahead of any cyber incident happening. This approach will put the Board and the whole organisation in a better place. The amount of resource, training and communication carried out is proportionate to the understanding, analysis, and articulation of the risk appetite [18][19]. Likewise, the better prepared an organisation is through training and exercising, the more effective and efficient the Crisis Management Response will be [29].
Organisational structures, need to be defined and understood, one way of to do this is through block diagrams, depicting formal and informal hierarchies and relationships. Design Science [30] and Systems Dynamics are particularly useful to enable this, these are a set of Variables to decide where you are in the equation [21]. Causal variables are used widely in Systems Dynamics and Grounded Theory [22]. We explored the use of variables to describe Information Assets in the authors Previous paper [23]. These aspects of planning contribute to the efficiency and effectiveness of fast time communication.
The approach is offered in the context of Cyber incident coordination and the need for Fast time secure information sharing, collaboration and coordination. The contents of this document could be useful for other applications but they are outside of the scope and detail of this report. Cyber Incidents are not permanent situations, they can therefore be thought of as fast time projects, with a start, middle and an end.
Incident scope and severity, who is affected, how many people need to be on the Incident call? Consider activating the Local Cyber Coordination Cell (LCCC), this is the internal team, which provides coordination and initial analysis for Cyber Incident Response team. We have adapted this in the CRASH Gate approach detailed later in the paper.
Source: Scope Patterns for Projects Modelled as Sociotechnical Systems Bryan R Moser (MIT) [8]
There are many software communications tools in use. Many of these software products are available in both desktop and portable mobile/tablet versions. Some are free and some are subscription / licence based and many have a “free tier”. The most common ones from our research through the Cyber Technical Advisory Group (CTAG) and from work conducted by the Local Government Association (LGA) are (in no particular order are;
SLACK/WhatsApp/Signal/Mobile text messaging/ Instant Messenger. Common video conferencing tools are also being used, Microsoft Teams, Zoom, Google hangouts, Cisco WebEx. Other products are by Adobe [35], Amazon Web Services [36] and Zello [37], which have some limited use. From our findings, the preference is for WhatsApp [38] and Teams [39]. However, there is a lot of unease about perceived security configuration issues with WhatsApp, with Signal [40] being app of choice for the savvier technical users.
C-TAG provides a SLACK feed through the NLAWARP and has a facilitated C-TAG node on the NCSC CISP platform. The NCSC provides a web form for reporting Cyber incidents;
Likewise if you’ve been a victim of Cyber Crime, you should report the incident to Action Fraud: https://www.actionfraud.police.uk/reporting-fraud-and-cyber-crime
If you’ve had or suspect a Data Breach, likewise inform the Information Commissioners Office: https://ico.org.uk/for-organisations/the-guide-to-nis/incident-reporting/
Microsoft Teams is their Walkie Talkie app [41], which is very much like Zello [37], to enable a push to talk broadcast capability, turning the mobile phone into a Push to Talk (PTT) radio handset using Wi-Fi/4G networks (it is consuming 4G data when being used). The PTT approach gives an always on capability, to listen and monitor an audio channel. There is specific Android type hand held radios [42], which we believe will proved very useful to Cyber Incident Responders. This enables mesh and point to point communication in a way that is more flexible than the use of mobile phones, giving the capability of hand held radios to non-technical users.
The use of mobile devices utilising the mobile phone and internet networks greatly extends the reach of these emergency communications. This means that Teams is readily available and is pervasive. As we have discussed there is a real issue that if the MS365 tenant is not available, there has to be an alternative, this would normally be regarded as “Shadow IT” [46] which is where an alternative toolset for emergency communications should be available.
We have found that the norm is in slow time to monitor a WhatsApp group then move to a more appropriate secure channel of communications such as Signal. There is a distinct need to have multiple comms which we describe as;
Instant unstructured messaging – ephemeral text in WhatsApp / Txt / Instant Messenger.
More structure text communications with email / Slack / Chat in Teams
Video / Voice Communications via Teams / Zoom
Decision recording templates in Teams using OneNote as a primary tool.
Decision logs maintained by structure reference numbers stored locally and a central permanent record which all key decisions comprising Data/timestamp/reference etc/.
Document repositories such as NCSC CISP [51] Resilience Direct [52], other private group collaboration platforms which include KHUB[53].
The overarching finding of the desk research and ad hoc enquiries through the Cyber Technical Advisory Group (CTAG) [54] has been that there are multiple platforms and repositories in existence managed and maintained by various groups and entities. We content this is fine, so long as there is a standard template approach for interoperability between templates, message structures and referencing.
The authors Cyber Golden Hour Guide [73] details the roles and responsibilities required to effectively coordinate a Cyber Incident within and organisation. This paper is focussing on the next level down, below the Governance and coordination or Crisis Management into the tactical tools and techniques that can be used by Incident Coordination Teams (Cyber Coordination Cell) or Fusion Cell.
Many organisations do not have staff trained to respond. In Wales, the Welsh Government Cyber Programme funded a serios of Cyber Exercises and tactical training workshops. The Lessons learned from live incidents, exercises and the tactical workshops clearly demonstrate that whilst exercising, training and awareness raising help, they do not completely solve the problem. Apart from responding to campaigns (common Cyber attacks at a given time, like WannaCry and the Microsoft Exchange attacks[71]), all other incidents are different depending on the infrastructure in place. Therefore the approach needs to be generic, supported by specific playbooks. [72]
1) What is the believed nature of the incident? 2) How many locations (Sites/Schools etc) do you believe are affected at this time. 3) Which of these locations are directly maintained and supported by internal ICT? 4) When was the incident first detected? 5) How was it detected? 6) What mitigations have been implemented already? 7) Do you believe the incident is contained? 8) Have you prepared press, media and PR lines? 9) What are your planned next actions 10) Have you established a timeline and decision log?
The NCSC have defined six categories of Cyber Incident [70].
Category 1 National cyber emergency
Category 2 Highly significant incident
Category 3 Significant incident
Category 4 Substantial incident
Category 5 Moderate incident
Category 6 Localised incident
The NCSC generally will only intervene at category three or above. Organisations will need to make their own support arrangements and work with partners for lower level attacks. The approaches in this paper would be useful for localised attacks from categories 6-4. Much effort goes into planning for very serious attacks, whereas lower level attacks at category 5/4 can still be debilitating for organisations.
The work to date has highlighted a the need for pre-agreed ”Trigger Points”, especially for the lower NCSC categories above covering categories 6/5/4. In the context of Cyber Incident Response and the need for Fast time Communications, many incidents are known as “Rising Tide Events” [63]. This means that the impact, severity and harm of the initial incident isn’t always obvious. Understanding Cyber Incidents in terms of Harm [64] [68] is a valuable way to gauge the possible final damage state of and incident. As further intelligence is received, through shared situational awareness, from differing sources, multiple organisations of through proliferation of a threat vector, (such as WannaCry in 2017) [61], the situation increases in seriousness, where it may not be immediately apparent locally. This is where, Filtered Warnings, Advice Brokering and Trusted Information Sharing [65] the key WARP (Warning, Advice & Reporting Point [66] services come into their own.
Trigger Points [32] can be thought of a pre-defined Consequence Relevance Acceleration Severity and Harm “CRASH” Gates. A gate in this context being a phase or stage where an incident escalates to the next level. The key being the baseline starting position that can be quickly and easily identified through honestly and objectively completed the CRASH index.
Ticking the Boxes on the CRASH Index Matrix gives an immediate baseline to help Situational Awareness, impending shifts in the threat profile and is especially useful in a Dynamic Rising Tide event scenario as described in the JESIP doctrine used by the Emergency Services[67].
One of the areas organisation struggle with in writing plans is the definition of trigger points and their articulation. They are discussed in medical and paramedic literature [74], however they are sparse in
Consequence Scaling
Locally contained within the Organisation at a Sub-Departmental / Directorate Level
Locally contained within the Organisation at Departmental / Directorate Level
Local contained within the Organisation
Affecting multiple Organisations Sub-Regionally
Affecting multiple Organisations Regionally
Affecting multiple Organisations Nationally
Resilience Scoring
We are fully prepared and have exercised in the last six months
We are fully prepared and have exercised in the last 12 months
We have some plans in place and have not exercised recently.
We have few plans in place some training no exercising.
We have few plans haven’t trained or exercised in over 12 months.
Applicability Scoring
We do not have this technology in our infrastructure
We have this technology, we are fully patched.
We have this technology, we are partially patched
We have this technology, we are not patched
We have this technology, we are compromised
Severity Scoring
Not affecting our infrastructure directly
Affecting some of our infrastructure
Affecting most of our infrastructure
Affecting all of our infrastructure
Our infrastructure is over run and non-functioning
HARM Levels
The organisation is unaffected
The organisation is affected, but fully operational
The organisation is affected, and is partially operational
The organisation is compromised essential services still functioning
The organisation is compromised essential services lost.
The “CRASH Gate” matrix model, provides a granular set of indicators that can be used like the 5x5 intelligence model [33] to instantly give a significance score to a situation.
C (1) Locally contained within the Organisation at a Sub-Departmental / Directorate Level
R (3) We have some plans in place and have not exercised recently.
A (4) We have this technology, we are not patched
S (2) Affecting some of our infrastructure
H (2) The organisation is affected, but fully operational
Looking at the example above you would write a plan or playbook with particular actions relating to the narrative in the CRASH Gate statements above. This remove ambiguity and allows for delegated actions, to be clearly documented and authorised. In the example above a change especially for (C1) to (C2) and H(2) to H(3) would both be of huge concern. Whilst action to move from A(4) to A(2) would greatly reduce the risk. As a tool for Situational Awareness sharing a CRASH Gate Status (CGS) string of: CGS1,3,4,2,2 transmitted or shared as: CGS13422 If this was prefixed with a Cyber Unique Organisation Reference Number (CUON)[34]
Example CCGS (CUON Crash Gate Status) 654/21/9874/13422
The above is a simple example but it means there is a definitive record for a shared CRASH Gate status for the current situation .The CUON being: 654 (The organisation ID) [21] Year of allocation [9874] the unique reference number for the CRASH Gate 13422 so if intercepted, the CRASH Gate status could be decoded but the organisation number could not be traced back and the validation code of 9874 would be updated during the acknowledgement. By
Parsing the CRASH Gate trigger status a search for those with A4/5 would be the organisations requiring priority support. This system of simple numeric reporting wholly relies on the honesty, truthfulness and transparency of participating organisations to be of use for information sharing. As an internal planning tool for baselining, it would be of value.
This standard provides guidance in relation to sharing information about information risks, security controls, issues and/or incidents that span the boundaries between industry sectors and/or nations, particularly those affecting “critical infrastructure”. ISO/IEC 27010 [81] provides guidance on information security interworking and communications between industries in the same sectors, in different industry sectors and with governments, either in times of crisis and to protect critical infrastructure or for mutual recognition under normal business circumstances to meet legal, regulatory and contractual obligations. Sometimes it is necessary to share confidential information regarding information-related threats, vulnerabilities and/or incidents between or within a community of organizations, for example when private companies, governments, law enforcement and CERT-type bodies are collaborating on the investigation, assessment and resolution of serious pan-organizational and often international or pan-jurisdictional cyberattacks.
Such information is often highly sensitive and it may need, for example, to be restricted to certain individuals within the recipient organizations. Information sources may need to be protected by remaining anonymous. Such information exchanges typically happen in a highly charged and stressful atmosphere under intense time pressures - hardly the most conducive environment for establishing trusted working relationships and agreeing on suitable information security controls. The standard should help by laying out common ground-rules for security.
The standard provides guidance on methods, models, processes, policies, controls, protocols and other mechanisms for the sharing of information securely with trusted counterparties on the understanding that important information security principles will be respected. ISO/IEC 27010 was first published in 2012 then minor editorial changes were made to align the standard with the 2013 editions of ISO/IEC 27001 and 27002. The current second edition was published in 2015. It was ratified by SC 27 in 2021 for a further 5 years.
[2]https://www.researchgate.net/publication/342804953_An_Overview_of_Local_Government_Cyber_Security_in_England_and_Wales_Emergent_Threats_and_Practic
[3]https://www.gartner.com/en/documents/3975373/market-guide-for-workstream-collaboration
[4] Incident Planner: https://cydea.tools/ir-plan/
[5] NCSC Incident Response Process: https://www.ncsc.gov.uk/collection/incident-management/cyber-incident-response-processes
[6] Noun Project Copywriting Icons: https://thenounproject.com/term/copywriting/
[8] Scope Ref: Concurrent Engineering in the 21st Century: Foundations, Developments and Challenges (pp.197-220)
[9]https://www.researchgate.net/publication/267972043_System_Dynamics_Based_Insider_Threats_Modelin
[10] Stakeholder mapping (Systems Dynamics Approach): https://resources.sei.cmu.edu/asset_files/WhitePaper/2005_019_001_53387.pdf
[11] 2014 6th International Conference on Cyber Conflict
P.Brangetto, M.Maybaum, J.Stinissen (Eds.) 2014 © NATO CCD COE Publications, Tallinn
https://core.ac.uk/download/pdf/29139555.pdf
[12] Sytems Dynamic Apporach to Cyber Conflict: http://www.fortoo.eu/m/page-media/4/A_System_Dynamics_Model_of_Cyber-conflict.pdf
[14] https://rusi.org/commentary/offensive-uk-new-cyber-force
[15] https://www.jesip.org.uk/common-operating-picture
[16] https://www.msema.org/wp-content/uploads/2018/10/05_sm_awarecop_dec2012.pdf
[18] https://www.rsa.com/content/dam/en/white-paper/cyber-risk-appetite.pdf
[19] https://www.theirm.org/media/4666/0926-irm-risk-appetite-12-10-17-v2.pdf
[20] https://www.ncsc.gov.uk/news/rusi-lecture
[21] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6655636/
[22] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4545354/pdf/hesr0050-1195.pdf
[23] Brett M 2021 [Information Assets paper from previous journal edition]
[24] https://www.jesip.org.uk/definitions
[25] https://www.ncsc.gov.uk/information/what-cyber-incident
[26] https://www.gov.uk/government/consultations/computer-misuse-act-1990-call-for-information
[28] https://www.jesip.org.uk/doctrine
[29] Backman 2020 (Wiley) https://doi.org/10.1111/1468-5973.12347
[30] DOI: https://doi.org/10.1017/dsj.2020.6
[31] Onwubiko, Cyril and Ouazzane, Karim (2019) SOTER Cyber Playbook http://repository.londonmet.ac.uk/5358/
[32] DOI: 10.13140/RG.2.2.19037.13282 https://www.researchgate.net/publication/352690198_Local_Authority_Cyber_Resilience_Planning_Guide?channel=doi&linkId=60d34d3b299bf1fe4698a680&showFulltext=true
[33] https://www.gov.uk/hmrc-internal-manuals/money-laundering-regulations-compliance/mlr3c14000
[34]https://www.researchgate.net/publication/349320224_Information_Asset_Registers_for_Cyber_Security
[35] https://www.adobe.com/uk/products/adobeconnect.html
[36] https://aws.amazon.com/chime/
[37] https://zello.com
[38] https://www.whatsapp.com/?lang=en
[39] https://www.microsoft.com/en-gb/microsoft-teams/group-chat-software
[41] https://docs.microsoft.com/en-us/microsoftteams/walkie-talkie
[42] https://zello.com/accessories/network-radios/
[43] https://secure.echolink.org
[45] http://cmolegionoffrontiersmen.info
[46] https://www.cio.com/article/3314738/shadow-it-the-cio-s-perspective.html
[47] https://www.redcross.org.uk/about-us/what-we-do/we-speak-up-for-change/people-power-in-emergencies
[48] https://sites.google.com/view/brccr/home?mc_cid=3b7e5aee98&mc_eid=4a05e96ee8
[49] https://cybervolunteers.wordpress.com/volunteering/
[50] https://istanduk.org/wp-content/uploads/2019/08/Cyber-Emergency-Response-BRT-002.pdf
[51] https://www.ncsc.gov.uk/section/keep-up-to-date/cisp
[52] https://www.gov.uk/guidance/resilient-communications
[53] https://khub.net
[55] https://www.actionfraud.police.uk
[56] https://www.anomali.com/resources/what-are-stix-taxii
[57] https://www.misp-project.org
[58] https://bestpractical.com/rtir
[64] https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2828646
[65] https://www.nlawarp.net/warp-services/
[66] https://www.ncsc.gov.uk/information/what-warp
[67] https://www.jesip.org.uk/uploads/media/pdf/Joint%20Doctrine/JESIP_Joint_Doctrine_Document.pdf
[68] https://academic.oup.com/cybersecurity/article/4/1/tyy006/5133288
[69] https://www.ncsc.gov.uk/news/new-cyber-attack-categorisation-system-improve-uk-response-incidents
[70] https://www.ncsc.gov.uk/news/new-cyber-attack-categorisation-system-improve-uk-response-incidents
[71] https://www.ncsc.gov.uk/news/security-updates-released-microsoft-exchange-server
[74] https://www.nap.edu/read/18338/chapter/4
[76] https://www.gov.uk/guidance/local-resilience-forums-contact-details
[77] https://www.prince2.com/uk/prince2-methodology
[78] https://www.agilealliance.org/agile101/
