This document discusses Virgin Australia's implementation of an Incident Command System (ICS) for cyber incident response. The ICS draws from FEMA's National Incident Management System and the UK's Gold-Silver-Bronze Command Structure to provide a flexible framework that integrates with existing incident response plans. Key roles in the ICS include the CIO as Gold Commander for strategic coordination, the Head of Infosec as Silver Commander for operational command and control, and the Cyber Security Operations Leader as Bronze Commander for tactical response execution. Tabletop exercises revealed lessons like not exposing the ICS terminology externally and rigorously testing integration before full implementation.

1. Decentralised, multi-stakeholder and non-linear
incident response
with the Incident Command System
Jonathan Topham and Pukhraj Singh, Virgin Australia
AusCERT 2023 Conference, Gold Coast
12th May 2023

2. Introductions
• Jonathan Topham
• Head of Information Security at VA
• Formerly worked with the British Intelligence Community, Europol, and UK Revenues &
Customs
• Background in DFIR, cyber threat intelligence, crisis management and counter-terrorism
• Interdisciplinary degrees from University College Dublin, University of Aberdeen and King’s
College London
• Pukhraj Singh
• Cyber Security Operations Leader at VA
• Formerly worked with the Indian Intelligence Community under the Prime Minister’s Office
• Interdisciplinary background in cyber threat intelligence, detection engineering, security
operations and geostrategy
• Master’s student of geopolitics at UNSW Canberra, at the Australian Defence Force
Academy
• Written for the Australian Defence College, Australian Strategic Policy Institute and US
Military Academy, etc.

3. The views expressed in this presentation are personal and do
not reflect the opinions and beliefs of Virgin Australia.

4. Cyber incident response is decentralised
• The dissolution of the perimeter has led to the decentralisation of IR
• The operational tier of IR may still retain the initiative to some degree, but the
tactical and strategic tiers do not
• How is your third-party breach playbook coping with Containment, Eradication and
Recovery?
“The perimeter is not the boundary of your network, but the boundary of your telemetry” - The Grugq
“Control and ownership of [IT] assets necessarily do not overlap” – Halvar Flake AKA Thomas Dullien

5. Cyber incident response is multistakeholder
A typical large organisation in Australia is running overlapping IR functions
during a cybersecurity incident: IT, Data Breach, Legal, Crisis Management
and Public Affairs
• A rigid command hierarchy has become counterproductive
• At the heart of it, even the strategic elements of IR need guidance from
technical/operational IR
• With the amendments to the SoCI and Privacy Acts, you are looking at
potential escalation from whole-of-org to whole-of-sector or whole-of-
nation IR in a matter of hours

6. Cyber incident response is non-linear
• The crisis management team operates in binaries: it is either activated or not
• There is a subtle tension between the non-linearity of technical IR and linearity
expected by the crisis management teams
• The adversary is running a counter-information operation against your public
messaging
• Non-alignment between the strategic, tactical and operational tiers can cause
irreparable reputational damage (e.g., the last the big three Aussie data
breaches)

7. VA’s Incident Command System
Inspired by the federal emergency management framework of the US and UK
• FEMA’s National Incident Management System
• The UK’s Gold-Silver-Bronze Command Structure

8. VA’s Incident Command System
FEMA’s National Incident Management System
• Principles
1. Flexibility
2. Standardisation
3. Unity of Effort
• Some characteristics
1. Modular Organisation
2. Management by Objectives
3. Integrated Communications
4. Establishment and Transfer of Command

9. VA’s Incident Command System
The UK’s Gold-Silver-Bronze Command Structure
• Gold, Silver and Bronze Command Tiers
• Role, not rank specific
• Flexible application
• Some procedures
• Function of command
• Command interoperability
• Initial command of spontaneous incidents
• Transfer of command

10. VA’s Incident Command System
The first few things that we wanted to solve
• Integration with the data breach response plan, critical IT incident
management plan and crisis management plan
• Complying with the regulatory obligations under the Privacy Act and
Security of Critical Infrastructure Act
• Not disrupt the existing IR plans at any cost by introducing new stuff – make
our model invisible to them

11. VA’s Incident Command System
Gold
What we
intend to do
Silver
How we intend to do it
Bronze
Doing it
CIO - Gold Commander
Head of Infosec – Silver Commander
Cyber Security Operations
Leader – Bronze Commander
Strategic - coordination and communication
• Liaison with the IAT of the Crisis Management Team
• Liaison Data Breach Response Team
• Liaison with external stakeholders (i.e., Law enforcement)
• Liaison with other internal stakeholders (e.g., Legal and
Public Affairs, etc.)
Operational – command and control
•Command and control of the response
•C2 for the execution of IR playbooks
•C2 for the IR process
•Liaison with the Privacy Officer and Head of IT
Tactical – response actions
•Execution of IR playbooks
•Execution of IR process
•Coordination with technical stakeholders (system owners/ IT
operations)
Data Breach, Crisis Management and Critical IT
IR Plans
Cyber IR Plan
Playbooks

12. VA’s Incident Command System
Lessons learnt – Tabletop exercises
• Do not expose the Gold-Silver-Bronze terminology to other IR plans
• Rigorously test the instantiation of the ICS first – do not aim for the moon
• Do not change the roles and responsibilities of participants within other IR
plans

13. VA’s Incident Command System
Lessons learnt – Tabletop exercises
• Merge the ICS into other IR structures where appropriate
• Do not be too hung up over who gets Gold-Silver-Bronze

14. Questions?