GCHQ Launches Twin-Track Approach to Cyber Incident Response Scheme

Although the best defense will always be to prevent an attack from succeeding, in announcing the new initiatives Chloë Smith, the minister for cyber security, said, “we also have to recognize that there will be times when attacks do penetrate our systems and organizations want to know who they can reliably turn to for help.” It is for these occasions that the new separate but related schemes have been established, so that any organization that is the victim of a cyber attack can immediately source the appropriate level of assistance.

The first is a broad-based scheme led by CREST (the council of registered ethical security testers) and endorsed by GCHQ and CPNI (the center for the protection of the national infrastructure). This scheme focuses on appropriate standards for incident response aligned to demand from all sectors of industry, the wider public sector and academia. “It is necessary,” Ian Glover, the president of CREST, told Infosecurity, “because the number of incidents is increasing and as a result the requirements for organizations to have somewhere to go to for help are also increasing.” But the problem, he adds, “is that the skills required to investigate and enact recovery are very specialist.” The purpose of the CREST-led scheme is to ensure that the ‘buying community’ (that is, organizations that have suffered a cyber incident and need help) can have confidence in a known pool of resources able to deliver that help.

The second scheme, GCHQ announced, is “a small and focused Government run Cyber Incident Response scheme certified by GCHQ and CPNI responding to sophisticated, targeted attacks against networks of national significance.” This is for those sophisticated attacks against systems and services that are critical to the nation, where, says GCHQ, “only a small number of industry providers are likely to achieve the necessary expertise and quality standards to successfully tackle the threats and techniques employed by highly skilled threat actors.”

For the latter, the pilot scheme originally selected four major companies with that existing level of expertise: BAE Systems Detica, Context Information Systems, Cassidian and Mandiant. David Garfield, the managing director of cyber security at BAE Systems Detica, explained to Infosecurity that “Detica is one of four companies who have been working in partnership with GCHQ and CPNI since November on the Cyber Incident Response pilot scheme – and we have already seen the benefits of the scheme in providing companies with rapid incident response. Our team uses specialist tools and knowledge of attackers' methods to uncover and investigate advanced attacks, providing a unique blend of business and forensic skills and a response in hours, rather than days.”

Incident response companies accredited to the former scheme will be able to apply to CESG to become accredited to the latter scheme.

“When a successful attack does occur it’s encouraging to see a framework in place to equip organizations with the tools to respond and remedy the aftermath,” commented Jarno Limnell, director of cyber security for Stonesoft.

“This allows UK companies to have increased confidence in their cyber security, and those offering such services. Society is now digital, the economy is now digital, and this scheme is crucial to increasing digital security,” said Adrian Culley, global technical consultant with Damballa.

But, added Limnell, “cyber crime doesn’t adhere to national boundaries. Other nations should look to the UK as an example of best practice for governmental-business cooperation, and this is the perfect opportunity for the UK to take the lead among European nations in building defense capabilities.”
