monsitj - Fotolia

UK cyber defenders set to build on existing capability

UK national cyber attack response and investigation is a well-defined and rehearsed process, but the responsible agencies say they are building more capability and closing the gaps

The UK’s National Crime Agency (NCA), National Police Chiefs’ Council (NPCC) and National Cyber Security Centre (NCSC) are tasked with responding to different aspects of cyber attacks.

“Of course these areas overlap, but that is why we work so closely together on a formal basis and daily through our investigators working together and talking to each other,” said Oliver Gower, deputy director of the NCA and head of the NCA’s National Cyber Crime Unit (NCCU).

The NCA investigates the most serious and complex attacks hitting the UK, and coordinates and supports the entire UK policing response and provide specialist high-end technical support to that response, at a national or a regional level.

The NCSC, which is part of GCHQ, protects critical services from cyber attacks, steps in to help victims mitigate the effect of attacks and manage major cyber incidents, and improves UK internet security.

Police regional organised crime units (ROCUs) lead investigations into multi-jurisdictional cyber crime, and have dedicated roles to prevent cyber crime and to increase the overall level of resilience in their region. They are resourced by local police forces, but operate as standalone teams at a regional level.

At the local level, policing leads the response to cyber crime, investigating cases referred by the National Fraud Intelligence Bureau (NFIB), distributing advice to victims and the vulnerable, and feeding the national intelligence picture.

“When it comes to cyber incidents that affect critical infrastructure, the economy or significant members of the public, the response follows a very well-rehearsed process, with central coordination of reporting and tasking,” said Gower.

Action Fraud, which is part of the City of London Police and sits alongside the NFIB, is the national reporting portal for both industry and the public, and operates an around-the-clock helpline for businesses, charity and organisations that are under attack.

“Action Fraud triages reports and refers serious cyber incidents to the NCA, although in some cases reporting comes directly to the NCA from the NCSC or industry, but no matter what door a victim uses, they enter the same ‘hallway’ because our organisations and agencies are so well connected,” said Gower.

In the NCA’s NCCU, there is a triage, incident and co-ordination unit (Ticat), which sits at the centre of the network of ROCUs and decides whether investigations should be led by the NCA or a ROCU investigation team, while keeping the NCSC informed so it can advise on mitigation and protection.

“So we don’t have people going out at a local or regional level who do not understand the bigger picture and don’t understand the nature of what they are dealing with because all of that is joined up, and, at the same time, the ROCUs provide feedback to the NCSC to inform the overall picture of threats facing the UK,” said Gower.

The central tasking processes, he said, are reviewed by the NCA and the NPCC on a monthly basis to ensure the right resources are focused on the right priorities.

Working together on WannaCry

According to Gower, this model was well-tested during the WannaCry attack in which the NCA led the criminal investigation, while the NCSC developed advice on limiting damage, protecting uninfected computers, and establishing the scale of the incident. “We had very clear roles and responsibilities in working together on WannaCry,” he added.

Under the NCA coordination of law enforcement in response to WannaCry, ROCU and NCA teams were deployed to NHS sites to engage with victims, taking advice from the NCSC about how best to help. “While the emphasis was on mitigation, there were also opportunities to gather evidence,” said Gower.

City of London Police focused on issuing advice on how to protect computers to the public and to businesses, especially small to medium-sized enterprises (SMEs). “There was also a focus on keeping their reporting function up and running with the right level of resources to meet a high level of demand,” said Gower.

The National Police Operations Centre worked very closely with the NCA, briefing police chiefs on behalf of the NCA, and was also on standby to mobilise forces if the situation deteriorated, he said.

“By coordinating our response in that way, we are able to effectively and efficiently deal with cyber threats and live cyber incidents. We have a model that works in dealing with 21st volume and internet-enabled crime, where the infrastructure, victims and criminals are all in different places, and there is no point in investigating events in isolation,” said Gower.

“That’s why the NCA has officers in the US Secret Service, the FBI, Europol and Interpol, helping to join up not just the national or domestic response, but to link that internationally, which is very important when it comes to things like WannaCry and NotPetya,” he said.

Hub and spoke model ‘effective’ against cyber crime

Talking of the nature of the threat, Gower said traditional crime has become cyber-enabled, attackers and victims no longer need to be in the same place, that the lines are blurring between state and criminal activity, and that criminals are increasingly looking to exploit vulnerabilities in legacy systems and third parties in the supply chain of target organisations.

“There is a tendency to think of cyber crime as some abstract, far-away thing, but hacking, data theft, ransomware, DDoS [distributed denial of service attacks] are just modern equivalents of traditional crimes like burglary, theft and extortion, except they are lot limited by the physical limits of real world geography and are available as services to non-technical criminals for as little as £30.

“It is common sense that, with innovative cyber criminal capability available to the highest bidder, it is inevitable that hostile states will explore its possibilities, and conversely, that entrepreneurial cyber criminals may steal data to sell to states.

“We believe state actors have tried, and will try again to target the UK by employing cyber criminals to launch attacks, and in response we are combining traditional and non-traditional tactics to raise the risks to these hard-to-reach actors by disrupting their networks and disrupt them when they travel,” he said.

Gower said it is incorrect to think that these hard-to-reach actors are impossible to reach, adding that collaborative efforts by “Team Cyber UK”, alongside partners, led to the arrest of more than 200 cyber criminals in 2016.

“We have been most successful when working as one team with international reach through our partners. Cyber demands that because it is data rich and ignores geographical boundaries, but team work is also the most efficient way,” said Gower.

“We have built specialist capability at the centre in the NCA, such as bitcoin tracking, malware lab analysis and data analysis tools that are networked into this system for all policing.

“The NCA’s priority is building more of that capability, including engineers, coders, analysts and industry liaison because we know that coordinated national approach works, tightly linked into overseas partners.

“A hub and spoke model provides an effective and efficient response to cyber crime and modern internet organised crime,” he said.

Read more about cyber crime

Read more on Hackers and cybercrime prevention

Data Center
Data Management