Cyber Incident Approach Framework for Local Government
Abstract

An approach to cyber security incident response for local government security managers.
Cyber Incident Approach Framework for Local Government -
© Mark Brett October 2019
Cyber Incident Approach Framework for Local Government
© Mark Brett Research Director St Georges International Institute
Mark.brett@cybershare.net
October 2019
Background
This document provides an overview and Executive Summary of the Cyber Incident Approach Framework (CIAF) and its supporting
materials; it is a "start here" guide. The CIAF can be adapted to different types of organisation. It does contain information relating to
specific public sector / UK Government aspects, namely the Civil Contingencies Act and Local Resilience Forums; again, these aspects
can be adapted for organisations not covered by those legal and regulatory requirements. All UK organisations fall within the
National Cyber Security Centre (NCSC) remit; however, NCSC intervention outside of government / the public sector would normally only happen in
a national emergency. Other cyber incidents and cyber crime are covered by Action Fraud and local policing, supported by the
Regional Organised Crime Units (ROCUs).
Context
This framework and its resources offer an adaptable set of materials that can be customised to your needs. We will explain the philosophy
and approach, providing supporting methods, tools and templates for each component. There are external references to existing materials
and other useful websites.
Cyber incidents are, in effect, the loss of an IT or communications service. The term "cyber" is generally taken to refer to systems and
services that use the internet as part of their delivery. Increasingly, services and systems are hybrid: partly on an organisation's local
network, with cloud computing components linked to it.
The starting point for any incident response approach has to be a deep and clear understanding of the business. Incident response is
always a compromise. There are never enough resources to do everything. The business itself, not the IT service, must decide on the
priorities.
To be able to respond to an incident, it is also critical to have good, detailed documentation of the systems, services and
especially the network. Many cyber attacks will be against the network. When you are responding to an incident, it will likely be because
something has broken or something extraordinary is being observed. You will then want to trace back to where the problem started and
which resources have been affected. An understanding of the network, and of what depends on what, will be a great help here.
The overall response will then be determined by a pre-set plan or playbook. Actions during the first hour are crucial, as we will discuss.
An incident is regarded as something that has caused a tangible impact: for instance a service is down, a communications link has been
broken, or a machine has malware present and active. Things which get detected and fixed automatically are called events. Most
organisations, regardless of size, will have multiple events every day, from dozens to millions depending on the size and complexity of the
organisation.
The phases of an incident are the incident itself, the make-safe phase and the recovery phase. This can also be thought of as detection, mitigation
and recovery. Understand that recovery means getting the service or system back to the state it was in just before the incident occurred; it is not
about improvement after the event, which is a separate activity.
Certain types of organisation are referred to as being part of the CNI (Critical National Infrastructure): think of utilities, transport,
government functions (central and local), the emergency services, health and food, and some others such as financial services. These
organisations have a statutory obligation under the Civil Contingencies Act to prepare for and respond to emergencies and to keep
functioning.
Each geographic area of the UK has a Local Resilience Forum (LRF). These forums meet and plan to respond to challenges and
emergencies covered by the Act, and work together to respond to incidents and emergencies of a magnitude that could cause
loss of life: think floods, large fires, bombings and pandemics. After the WannaCry attack on the NHS in 2017, cyber has also been
factored into the planning. In LRF terms, cyber is treated as a technology failure, most likely a telecommunications issue. LRFs are now starting to plan
for cyber and related incidents.
If a cyber incident is large enough, serious enough, or could affect multiple organisations within its area, then a Strategic Coordinating
Group (SCG) could be stood up with a Recovery Coordination Group (RCG), supported by a STAC (Scientific and Technical Advisory
Cell). In England the STAC function is led by Health for dealing with pandemics and the like, so for cyber there could instead be a C-TAC (Cyber
Technical Advisory Cell). The SCG is normally chaired by the Police, acting as GOLD Command for the incident. The
GOLD/SILVER/BRONZE framework can be found under the JESIP (Joint Emergency Services Interoperability Principles) links in the references below.
The Golden Hour
As with most things, the golden hour is important. Many plans are made against scenarios; we call those contingency plans. There are
also business continuity plans for dealing with service losses due to power cuts, fire and flooding. For cyber, a generic Golden Hour
Guide (GHG) will help you plan who needs to be where, doing what, when and how.
Even if you do not have a specific response planned for the incident that occurs, the GHG will be a very useful resource and should be
the core of your training. There are several considerations:
Where will you meet?
Who will lead the resource?
What information will you need / have available?
What facilities will you need / have?
We suggest a best-to-worst approach. The best case is that you have access to a dedicated working space, with your latest documents on a
collaboration space, all communications available, and documentation up to date and recently exercised. The worst case is no electricity,
systems unavailable and no place to meet, so you are working from paper plans and resources that are months out of date, by torchlight. The
likelihood is something in the middle. Therefore you need to populate your Golden Hour Guide with agreed first actions, with the chain of
command and accountability agreed ahead of time, and practise the scenarios. Plan and exercise hard to have an easier time when
responding.
Exercising
An exercise is a rehearsal: a scenario is designed and agreed, then you are put through your paces against it. A drill is a smaller,
regular activity, so practising, say, the call-out and response with a cascade-calling exercise run every few months will test your call-out.
The most basic exercise is a discussion, useful when writing or amending plans.
A desktop exercise is used to drill and test a plan. A live-play exercise is disruptive, but tests your actual response to an incident under live
conditions, for instance pulling the main building network cable for half a day.
Most of the time discussion exercises are fine: in a fast-changing environment, or where the players
are from different organisations and it is about role-based training, rather than the actual organisational response against an existing agreed
plan that needs to be exercised to validate it. Plan validation is essential. When a plan has been written and agreed, it must be tested; only
then can the plan be validated. Validation in this context is a plan audit: confirmation that it is fit for purpose.
Risks / Threats / Vulnerability / Exploits
One of the key issues in shaping any response plan is to know and understand the risks facing the business, which become threats when there are
vulnerabilities that can be exploited. This process is called a Risk Assessment, which is then supported by a threat assessment and a
vulnerability assessment.
This multistage process is invaluable for focusing where your actual resources and effort need to be placed.
Risks
Much has already been written about risk management; there should be a corporate risk register. There will certainly be a community
risk register under the Civil Contingencies Act. We can also think about risks as hazards: fire, flood, electrical failure, severe weather. The
cyber incident planning cycle should start by looking at the risks that have already been defined, to understand which ones have the
potential to become serious cyber incidents if they happened.
You should also hold a cyber risk management workshop, where the key cyber risks are identified and discussed. When considering
cyber risks, think in terms of cyber hazards: a large data loss, a malware attack that infects multiple machines and encrypts their disks, a
malware attack that reaches servers and encrypts their storage volumes.
Threats
The risks (hazards) discussed above form the headline topics for further discussion that will identify the threats.
Threats should be able to be mapped back to risks. Start thinking of a hierarchy: Risks (Hazards) > Threats > Vulnerabilities >
Exploits > Incident.
A threat comes from an adversary with intent and capability, and with a priority it assigns to the target. So a threat could come from a highly capable
hacker with the determination and priority to attack an organisation. We measure the threat and the likelihood (priority) of it
happening.
Vulnerabilities
A vulnerability is a flaw in a system or service. Those identified are usually technical, but a vulnerability could be personnel-related (insider threat) or physical
(a broken window into an office, a non-working fire alarm, etc.).
There is a CVE (Common Vulnerabilities and Exposures) database, which lists thousands of technical vulnerabilities.
See: https://cve.mitre.org (Accessed 10/10/2019)
Exploit
An identified vulnerability can be theoretical (not practically implemented). However, sometimes researchers develop methods that get
reported at conferences, or intelligence services develop exploits. These can then be used against a live target, acquired by criminals, or
disclosed, say, on WikiLeaks, at which point they become a real issue. We hear the term zero-day attack, where an exploit is used against a live target
before a fix for the vulnerability is available.
Playbook / Guide
Traditional plans tend to be fixed, static and stable. The world of cyber, by its very nature, is not. In the past, information systems in
government were accredited; this process was very rigorous and attempted to mitigate many if not all identified threats. As
mentioned, this had to be in line with the risk appetite and the risk profile. The world of agile, continuous integration and cloud computing
has changed all of this. Systems are now dynamic, and so are the risks. We therefore need an approach to incident management and
response that reflects this situation.
Tools
There are a number of tools used for different purposes. The NLAWARP has published an open source tools white paper that covers
many of the useful things to know about:
https://www.researchgate.net/publication/336390789_A_framework_to_understand_Local_Government_network_environments_from_a_cyber_security_perspective_Developing_an_open_source_tool_kit_for_Local_Government (Accessed 10/10/2019)
Appendix A
Incident Response the Golden Hour Guide
Version 0.11
Background
As with most incidents, attacks and emergencies, the first hour is critical to the success of the outcome, to mitigating damage and, in some
cases, to saving lives. The real necessity is to understand what has happened and to prioritise the response using the best available information and
planning assumptions.
First Actions
Declare an incident. This is also known as the “trigger event”.
Convene at the pre-agreed place.
Receive reports relating to the incident
Establish communications with key contacts and organisations as agreed.
Your starting point
The objective of any incident response is to get the disrupted services or systems back to the state they were in before the incident
occurred. Remember that we are dealing with consequences; incident response can also be thought of as consequence management.
What still works?
What is broken, unavailable or destroyed?
Do you have the necessary resources to resolve the incident (people, funds, technical resources, infrastructure)? If not, who needs to
authorise them? You cannot fix a problem without the resources to do so. Dependencies: are there external dependencies? Are they outside
your control?
If you have the available resources, can the problem be fixed?
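The questions above (what still works, what is broken, which dependencies are outside your control), together with the earlier point that network and dependency documentation lets you trace a symptom back to where the problem started, can be answered mechanically if the dependency documentation is held in a machine-readable form. The following is an added example, not part of the original framework: the service names, dependencies, business priorities and the failed components are all constructed for illustration, and the priority numbers stand in for the ordering the business (not IT) has agreed in advance.

```python
"""Impact triage over a documented service dependency map.

Added example; the inventory below is constructed, not from a real council.
Priority 1 is the most business-critical. "external" marks dependencies that
are outside the organisation's own control (a supplier, a national link).
"""
from collections import deque

SERVICES = {
    "social-care-casework": {"priority": 1, "depends_on": ["app-server", "care-db", "nhs-spine-link"], "external": False},
    "council-tax-portal":   {"priority": 2, "depends_on": ["web-tier", "finance-db"], "external": False},
    "web-tier":             {"priority": 3, "depends_on": ["core-switch"], "external": False},
    "app-server":           {"priority": 3, "depends_on": ["core-switch"], "external": False},
    "finance-db":           {"priority": 2, "depends_on": ["san", "core-switch"], "external": False},
    "care-db":              {"priority": 1, "depends_on": ["san", "core-switch"], "external": False},
    "nhs-spine-link":       {"priority": 1, "depends_on": ["wan-provider"], "external": True},
    "wan-provider":         {"priority": 1, "depends_on": [], "external": True},
    "core-switch":          {"priority": 1, "depends_on": [], "external": False},
    "san":                  {"priority": 1, "depends_on": [], "external": False},
}


def dependents_index(services):
    """Invert the map: component -> the services that depend on it directly."""
    index = {name: [] for name in services}
    for name, meta in services.items():
        for dep in meta["depends_on"]:
            index.setdefault(dep, []).append(name)
    return index


def triage(services, failed):
    """Given the components known to be down, work out what is broken
    (transitively), what still works, and which broken items we cannot
    fix ourselves. Broken items come back ordered by business priority."""
    unknown = set(failed) - set(services)
    if unknown:
        raise ValueError(f"unknown components: {sorted(unknown)}")
    index = dependents_index(services)
    broken = set(failed)
    queue = deque(failed)
    while queue:                      # breadth-first walk up the dependents
        node = queue.popleft()
        for dependent in index.get(node, []):
            if dependent not in broken:
                broken.add(dependent)
                queue.append(dependent)
    return {
        "broken": sorted(broken, key=lambda n: (services[n]["priority"], n)),
        "still_works": sorted(n for n in services if n not in broken),
        "out_of_our_control": sorted(n for n in broken if services[n]["external"]),
    }


def upstream(services, name):
    """Everything `name` transitively depends on: the candidates to check
    when tracing a symptom back to where the problem started."""
    seen, stack = set(), [name]
    while stack:
        node = stack.pop()
        for dep in services[node]["depends_on"]:
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return sorted(seen)


if __name__ == "__main__":
    # Constructed incident: the shared storage array has failed.
    result = triage(SERVICES, {"san"})
    for key, value in result.items():
        print(f"{key}: {value}")
    print("check upstream of social-care-casework:", upstream(SERVICES, "social-care-casework"))
```

The ordering of `broken` is the restoration order the business agreed in advance, which is the point made earlier that priorities are a business decision rather than an IT one; `out_of_our_control` is the list to escalate to suppliers or the LRF rather than to your own engineers.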
Decision priorities
The priority always has to be the preservation of life and limb; above all else, save people's lives first. Depending on what has
happened, your incident / emergency may not be the most pressing issue. Having said that, if the system or service is critical to life-saving
activities, then it is important that the service is restored in order to improve the efficiency of those operations.
The military and emergency services are trained to deal with these matters; civilian organisations and businesses are not, so careful, well
documented planning and exercising do pay off.
Does your organisation have to interface in any way with the emergency services? If so, you need to understand their decision-making
process (JESIP). They will often use a GOLD / SILVER / BRONZE command and control structure.
Rapporteur (Loggist)
It is critical from the start that all key decisions are recorded on a timeline and in detail. There must be a designated person whose role it
is to manage and maintain a decision log. This becomes important for several reasons, not least evidential ones: for insurance
companies, for corporate governance, to ensure that arbitrary decisions can be reversed, and so that things do not get forgotten. You might create a
paper process for something, and the information and data may later need to be re-integrated into a system or service; having that fact logged
will ensure valuable information does not get lost.
Authority to incur expenditure given in the heat of the moment ("Yes, yes, just do it") needs to be recorded, even if only as a signature or internal audit
approval, because normal processes are broken; likewise costs put on personal credit cards that need reimbursement. In the heat of response,
quick fixes can be questioned afterwards, so ensure you are covered.
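A decision log kept on paper or in a spreadsheet satisfies the requirement above, but where the loggist has a working laptop a small append-only log that records who decided, who authorised, and any cost, and that can later prove its entries were not quietly edited, is more defensible. The following is an added example, not part of the original framework. The hash chain (each entry committing to the previous one) is an assumption added here for tamper evidence; the framework itself only asks for a timeline of decisions in detail. The entries are constructed.

```python
"""Append-only, hash-chained decision log for the rapporteur / loggist.

Added example. Entries are constructed; the hash chain is an added
tamper-evidence measure, not something the framework prescribes.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # "previous hash" of the first entry


class DecisionLog:
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Digest covers every field except the hash itself, in a canonical order.
        material = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(material, sort_keys=True).encode()).hexdigest()

    def record(self, decision, decided_by, authorised_by=None, cost_gbp=0.0, note="", when=None):
        """Append one decision. If nobody else authorised it, the decider is
        recorded as self-authorising so it can be chased for sign-off later."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries) + 1,
            "time": when.isoformat(),
            "decision": decision,
            "decided_by": decided_by,
            "authorised_by": authorised_by or decided_by,
            "cost_gbp": round(float(cost_gbp), 2),
            "note": note,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every digest and check the chain. Returns (ok, first_bad_seq)."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False, entry["seq"]
            prev = entry["hash"]
        return True, None

    def self_authorised_spend(self):
        """Sequence numbers of entries that cost money and were authorised only
        by the person who made the decision: the list for retrospective approval."""
        return [e["seq"] for e in self.entries
                if e["cost_gbp"] > 0 and e["authorised_by"] == e["decided_by"]]

    def timeline(self):
        """Human-readable timeline for the after-action report."""
        return [f'{e["time"]}  #{e["seq"]}  {e["decided_by"]}: {e["decision"]}'
                for e in self.entries]


def build_sample_log():
    """Constructed incident timeline used by the demonstration and the checks."""
    log = DecisionLog()
    t0 = datetime(2019, 10, 10, 9, 5, tzinfo=timezone.utc)
    log.record("Isolate finance VLAN from the core switch", "IT lead", when=t0)
    log.record("Buy four replacement laptops on personal card", "IT lead",
               cost_gbp=3200, when=t0.replace(minute=20))
    log.record("Run a paper claims process; re-key into the system after recovery",
               "Service manager", authorised_by="Director", when=t0.replace(minute=40))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("\n".join(log.timeline()))
    print("chain intact:", log.verify())
    print("spend needing sign-off:", log.self_authorised_spend())
```

`verify()` is what the loggist runs before the log is handed to insurers or internal audit; if anyone has edited an earlier entry, the first altered sequence number is reported.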
Immediate Operational Actions
Your thought process should always be guided by some principles:
Will the effect of this decision or action make the situation better, worse or the same?
Does this have to be done now or at a different point in time?
Are there dependencies?
Am I authorised to act?
Can this decision or action be defended later?
Nothing here says not to take action, however the action needs to be within a decision framework that is agreed as part of the planning
process.
After Action Reporting
It is necessary to produce a summary report after the initial response is concluded and definitely when the transition to recovery from
response happens.
From Response to recovery
A point comes in any incident when you have got control back and are now starting to recover: "things have stopped getting worse". You are
still managing consequences, but the urgency, pace and priority can change. How long will the recovery phase last?
Who will coordinate it? What structures and longer-term resources are needed? This is not part of the golden hour.
References
LESLEP Manual (accessed 10/10/2019) https://www.london.gov.uk/about-us/organisations-we-work/london-prepared/planning-emergencies-capital#acc-i-43125
JESIP website (accessed 10/10/2019) https://jesip.org.uk/home
NCSC Guidance (accessed 10/10/2019) https://www.ncsc.gov.uk/blog-post/cyber-resilience-nothing-sneeze
CPNI Guidance (accessed 10/10/2019) https://www.cpni.gov.uk/cyber
CCS Incident standard (accessed 10/10/2019) https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/786206/20190215_PublicSummaryOfSectorSecurityAndResiliencePlans2018.pdf
Barker W, Local Government Cyber Security Programme (accessed 10/10/2019) https://www.local.gov.uk/sites/default/files/documents/Building%20resilience%20together%20-%20William%20Barker%2C%20MHCLG.pdf
Brett MD (2016) 10A's of Cyber Security (accessed 10/10/2019) https://www.researchgate.net/publication/303881932_10_A%27s_of_Cyber_Security
Cyber & Resilience, St Georges House Windsor (accessed 10/10/2019) http://www.stgeorgeshouse.org/wp-content/uploads/2016/10/Cyber-and-resilience.pdf
St Georges House Windsor (2016) Cyber Report (accessed 10/10/2019) http://www.stgeorgeshouse.org/wp-content/uploads/2016/04/Local-Leadership-in-Cyber-Society-Report.pdf
St Georges House Windsor (2019) Follow-up Cyber Report (accessed 10/10/2019) https://www.stgeorgeshouse.org/wp-content/uploads/2019/08/Local-Leadership-in-a-Cyber-Society-3-2019.pdf
CVE database (accessed 10/10/2019) https://cve.mitre.org
Bibliography:
Other articles by the author can be found at: https://www.researchgate.net/profile/Mark_Brett/publications
Appendix B
Example Incident Response Role Description
Role: Cyber Response Coordinator
Purpose:
To coordinate the cyber incident response team once activated, and to act as liaison officer to the Team Leader.
To lead and coordinate the organisation's internal incident handling and response capability, ensuring the team is able to collect the
required information and carry out the required liaison with external partners so that information flows in and out of the team.
To ensure the best possible outcome for the organisation in responding to a cyber-related incident, emergency or attack.
Key Tasks
To coordinate the response team.
Collating and preparing regular update reports for the team leader.
Acting as a point of contact for the response team.
Agreeing activities and work for the rapporteur and analysts.
To ensure that pre-agreed plans, processes and playbooks are enacted.
To mitigate the incident, attack or emergency in a timely and professional manner.
To assist the team leader ensuring resources are deployed within agreed response framework.
Ensuring the team is trained and exercised to an appropriate level of readiness and effectiveness.
To learn and if necessary cover with the other roles within the team.
To use best professional practice in coordinating the team.
Key Activities
To ensure the situation is reported, understood as it evolves.
To ensure regular communications and updates are produced.
To convene regular team updates and onward communications.
To ensure all decisions made get recorded, tasking the rapporteur and analysts.
To keep thorough and detailed notes of all activities undertaken.
To ensure all relevant information generated or discovered is thoroughly documented, reported
and actioned with expediency.
Responsible to: Team Leader
Responsible for: Rapporteur / Incident Analysts