Hear from four of our Officers from Triage, Incident Coordination & Tasking (TICAT), part of the National Cyber Crime Unit (NCCU):
'James'
Hello I’m one of the Senior Officers in TICAT, having been in the NCCU since 2021 and TICAT since mid-2023. There are three parts to my role: Supervising the inbox and co-ordinating the incident response to cybercrimes; line managing two members of staff, and; acting as the Training SPoC for the Team, to ensure we get the best training available.
Along with another G4, we alternate weeks supervising the inbox, managing a G5 and triaging and responding to the many emails which come into the TICAT box. TICAT are the gateway to the NCCU to the requests we deal with are numerous and varied. It could be deconflicting threat actors on behalf of International Law Enforcement Partners, or it could be engaging with Senior Executives of large corporations following a ransomware attack. The variety of the breadth of incidents TICAT is involved in is what makes the job the most interesting!
As a line manager I look after two of the G5s in the NWHub. They are both relatively new to the NCCU, coming from another part of the business and are undertaking their IPP. My G5s happily take up a lot of my time, whether that be supporting them with their IPP accreditation or sending them off to various events – such as the AI Conference last year, which is great exposure for TICAT and the wider NCCU. In addition to their welfare and day-to-day work, we spend a long time ensuring that their IPP Portfolio is developing as I am very keen that my team are IPP trained. Not only because it leads to a pay increase and increase job opportunities for them, but also highlights the skills of TICAT and the wider NCCU.
My enthusiasm and passion for training is why my Manager asked me to take on the responsibility as TICAT Training SPoC not long after I joined the team. A great thing about the NCCU is that we are afforded ten CPD days each year (compared to five for the rest of the Agency) and I am very keen to seen that all of the team make full use of them. Along with the NCCU’s own Cyber Skills and Development Team I have just finalised a training pathway for TICAT for three-to-four years of industry recognised qualifications. This is soon to be signed off by my Senior Manager. Outside of the Agency this training would cost an individual tens of thousands of pounds, but all completely free to us, to ensure we can do the best job available!
If anyone is keen to learn more about my role and TICAT, drop us an email. We’re a friendly bunch and would love to hear from you!
'Laura'
Usually I’m in the office for around 8am but as we work a hybrid model and flexi hours this can vary. I get my equipment set up and grab a well-needed coffee.
First job – emails! Especially if I’m the duty inbox cover G5. I check if anything has happened overnight that the on call team have dealt with, as this means follow up actions for the team. I’ll then check if any other intelligence has been received out of hours that we need to act on.
If it has, I will task it out to one of my colleagues to pick up outstanding actions. It might be that we need to ring the victim to ascertain more information, or liaise with a ROCU to ask them to carry an investigation forward, after preparing all the information they’ll need. It could be a simple “Protect” notification which provides warning of an incident along with help and assistance for the company if they’ve been a victim of ransomware. It could be a more complex incident for which we need to work with colleagues from other teams, and it could involve Teams calls with the victim companies or their legal/IT suppliers.
Sometimes, we get the opportunity to stop ransomware before it can be deployed onto a network.
Whoever the duty G4 officer is, you become joined at the hip for the day as you both navigate the incoming requests and intelligence. TICAT is the “front door” to the NCCU; nothing gets into the unit without coming through us first so it’s important we triage incidents correctly.
We work closely with the NCCU and NFIB and we have a great relationship with international law enforcement partners.
If it’s a… peaceful day (we don’t use the “Q” word round here…) we get the opportunity to catch up on previous logs and make sure the admin is up to date. We also get the chance to upskill by using learning tools such as Immersive Labs. This is an interactive learning tool where you can undertake short courses at varying levels of difficulty, it’s very engaging and fun to use.
We might also get the opportunity to attend conferences and events, such as the world’s first AI Safety Summit at Bletchley Park, which we attended and supported last year.
So, in short, there’s no “typical” day in TICAT, just as there’s no typical day for cybercrime. We are a fast-paced team ready to respond to incidents as and when they happen. It’s a great team and the learning and development opportunities (including 10 CPD days) really ensure you get a solid grasp of what cybercrime is about so you can make that big difference to the victims and disrupt the criminals.
'Sara'
I work as an officer in TICAT, who deal with the triage, incident management, and tasking of cyber incidents.
TICAT act as the single point of entry for assessing new information and intelligence relating to serious cybercrime within NCCU and wider ROCU network. In practice, this translates to reviewing incidents to assess the risk, threat, and harm, in order to appropriately allocate resources as required by level of severity.
I work with various partners on a daily basis, ranging from international partners to private sectors. TICAT receives information from multiple internal and external sources, so acting as the single point of entry is important as it streamlines the movement of information.
A large part of my role is the need to deconflict intelligence against agency and partner systems. Additionally, I conduct initial enquiries on open source and closed source systems to further understand the intelligence received. Completing these intel and deconfliction checks are prominent and necessary tasks, as it allows me to accurately categorise and prioritise incidents according to the National Cyber Incident Categorisation Matrix.
The team takes a leading role in the management of high profile, sensitive and critical live time Cyber incidents as well as coordinating the response to multiple lower level incidents. This is done by engaging with the victim to fully understand all aspects of the incident and liaising with correct partners to manage an effective response.
TICAT are inherently a reactive team, and therefore my days are incredibly varied. The team itself has a rota for the inbox, so depending on the schedule your responsibilities can also differ.
There is therefore no typical day for me, as it depends entirely on what lands into the inbox – by Sod’s law, the days you hope are quiet will be all guns blazing and vice versa.
'Harrison'
I am a Senior Officer in the TICAT team within the National Cyber Crime Unit. My day to day will consist of leading on the coordination of the most serious cyber crime incidents impacting the UK. Each incident varies and there is a combination of victim engagement, risk strategy and coordinating across government partners to assess the threat, harm and risk to the victim and the UK more widely.
When leading on an incident I will be managing a number of conflicting priorities, including briefing into senior leadership, developing intelligence and seeking to task the incident into a formal investigation to an Operations team, led by either the NCCU or the Regional Organised Cyber Crime Units.
No day is the same in the team which is what makes it such a great environment to work in as the threat is constantly evolving. Working in the team allows you to be at the forefront of the latest incidents impacting the UK, giving you a great understanding of the Cyber crime landscape.
