NCSC unveils new cyber attack classification system

The framework categorises everything from individual hacks up to national cyber emergencies

Hacking

The UK's national cyber security body has announced a new categorisation system to classify cyber attacks, in an effort to help intelligence operatives and law enforcement prioritise their response to hacks.

As part of its inaugural CYBERUK security conference, the National Cyber Security Centre (NCSC) yesterday launched the new framework, which comprises six levels of severity, from a minor individual attack all the way up to a catastrophic attack on the UK's national infrastructure.

Upon identifying an attack, the NCSC's incident response teams will use the new framework to classify the attack and allocate the appropriate resources to deal with it based on the severity of the incident.

"This new joint approach, developed in partnership with UK law enforcement, will strengthen the UK's ability to respond to the significant, growing and diverse cyber threats we face," said NCSC director of operations, Paul Chichester. "The new system will offer an improved framework for dealing with incidents, especially as GDPR and the NIS Directive come into force shortly."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Attack categories range from one to six based on impact and severity, with a category six attack defined as a "localised incident" such as an individual being hacked. This level of attack, according to the NCSC, will typically only warrant a direct response from local police, acting in a support capacity.

Responses to more severe attacks - such as a category three "significant incident" - will be led by the NCSC directly, who will be on-hand to provide remote analysis, as well as on-site support.

The highest level of threat is the category one "national cyber emergency". This type of threat - which NCSC head Ciaran Martin has warned the UK will inevitably face sooner or later - is one which attacks critical infrastructure like power grids, utilities or hospitals and leads to "severe economic or social consequences or to loss of life".

In the event of a category one attack, a "coordinated cross-government response" will be spearheaded by COBRA, with NCSC and law enforcement working closely with relevant government departments to offer mitigation and analysis.

Category definitionWho responds?What do they do?
Category 1

National cyber emergency

A cyber attack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life.Immediate, rapid and coordinated cross-government response. Strategic leadership from Ministers / Cabinet Office (COBR), tactical cross-government coordination by NCSC, working closely with Law Enforcement.Coordinated on-site presence for evidence gathering, forensic acquisition and support. Collocation of NCSC, Law Enforcement, Lead Government Departments and others where possible for enhanced response.
Category 2

Highly significant incident

A cyber attack which has a serious impact on central government, UK essential services, a large proportion of the UK population, or the UK economy.Response typically led by NCSC (escalated to COBR if necessary), working closely with Law Enforcement (typically NCA) as required. Cross-government response coordinated by NCSC.NCSC will often provide on-site response, investigation and analysis, aligned with Law Enforcement criminal investigation activities.
Category 3

Significant incident

A cyber attack which has a serious impact on a large organisation or on wider / local government, or which poses a considerable risk to central government or UK essential services.Response typically led by NCSC, working with Law Enforcement (typically NCA) as required.NCSC will provide remote support and analysis, standard guidance; on-site NCSC or NCA support may be provided.
Category 4

Substantial incident

A cyber attack which has a serious impact on a medium-sized organisation, or which poses a considerable risk to a large organisation or wider / local government.Response led either by NCSC or by Law Enforcement (NCA or ROCU), dependent on the incident.NCSC or Law Enforcement will provide remote support and standard guidance, or on-site support by exception.
Category 5

Moderate incident

A cyber attack on a small organisation, or which poses a considerable risk to a medium-sized organisation, or preliminary indications of cyber activity against a large organisation or the government.Response led by Law Enforcement (likely ROCU or local Police Force), with NCA input as required.Law Enforcement will provide remote support and standard guidance, with on-site response by exception.
Category 6

Localised incident

A cyber attack on an individual, or preliminary indications of cyber activity against a small or medium-sized organisation.Automated Protect advice or local response led by Law Enforcement (likely local Police Force).Remote support and provision of standard advice. On-site response by exception.

The announcement has been welcomed by top law enforcement officials.

National Police Chiefs' council lead for cybercrime, chief constable Peter Goodman, said: "This is a hugely important step forward in joint working between law enforcement and the intelligence agencies.

Advertisement - Article continues below

"Sharing a common lexicon enables a collaborative understanding of risk and severity that will ensure that we provide an effective, joined-up response. This is good news for the safety of our communities, business and individuals."

The new category framework will replace the existing three-tiered structure, and will go into effect immediately.

Picture: Bigstock

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/operating-systems/microsoft-windows/354526/memes-and-viking-funerals-the-internet-reacts-to-the
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020
Visit/network-internet/broadband/354530/openreach-offers-free-full-fibre-installation-for-thousands-of
broadband

Openreach offers free full-fibre installation for thousands of homes

14 Jan 2020