Question

Cybersecurity Crisis Training: Stakeholder Press Conference Exercise (Neutrality)

Purpose: This exercise is designed to give you practical experience in handling real-life events for their organization. Through this exercise, you will better understand how the types of regulations described in class are applied, take a shot at forming policy solutions, and sharpen communication.

Deliverables: Prepare a sample press packet. This press packet should include the following items:

Short technical background sheet (1-2 pages)

• This section should describe in more detail the technical issues of the problem at hand.
• It may also include pictures and diagrams.

Answer #1

Organizations that have a robust response capability in place, and one that is regularly tested, are at a significant advantage when it comes to reducing the impact of a cybersecurity breach. A proven way to refresh your capability to sense and react to cyber attacks is to proactively prepare via cybersecurity incident simulation exercises. This helps identify whether roles, responsibilities and protocols are fully understood by all parties in a practical real-world manner, in addition to helping identify which threats are most relevant to your business. Some key characteristics are:

• Exposure to cyber threat actor motivations
• Reacting in a timely manner to fast-paced events
• Awareness of the impact on customers
• Engaging with third parties that may be the cause of, or impacted by, a cybersecurity incident
• Internal and external communications strategies
• Some technical aspects of a cyber attack
• Pressurized decision-making based on incomplete information
• Availability and effectiveness of external support (technical/forensic specialist) and mitigations (cyber insurance)

Every incident is unique and so is every organization. Significant effort is required in tailoring each scenario to reflect the latest threats our clients face at the time of the exercise, in addition to providing a robust challenge in a client-specific environment. We typically provide cybersecurity incident simulation exercises designed to challenge audiences at various levels. A sample of the exercise types is outlined here; however, more often than not, we produce tailored exercises involving a mixture of elements from multiple exercise types. We frequently work with our clients to develop a multiyear plan that involves a variety of exercise types at different levels to really stress test the full response capability, from boardroom decision-making through to technical investigations teams.

Industry-wide exercises are something that require familiarity. Rather than wait for regulators to come knocking, we are seeing more and more industry associations take the lead and organize multi-stakeholder exercises, specifically designed to challenge systemic risks in complex supply chains.

• Exercise description — This highly engaging, interactive and immersive exercise typically lasts a half day and is focused on the unique executive-level decision-making and communication strategies that are critical to any crisis response. In a safe environment, participants are able to truly experience what it is like to respond to a sophisticated cyber attack, increasing their level of awareness and gauging their readiness to manage a cybersecurity incident. Participants typically discuss the actions they would take without necessarily implementing them.
• This highly customizable exercise typically presents the participants with a number of initial pieces of information related to the potential cybersecurity breach. In the preparation of the exercise, organization-specific scenarios are typically created based on current threat intelligence. Throughout the session, the situation further unfolds, driven by the actions of the participants, as well as inputs from traditional and social media alike.
• Options — A range of options can be selected and combined in order to tailor the exercise to organizational objectives. We can conduct the exercise as a formal test through selecting predefined scenarios and providing guided reflection and facilitated discussion throughout. The exercise can also be played as a highly dynamic game, drawing on gaming elements, such as action cards, custom-built applications (including live media feeds) and actors providing real-time feedback in the role of media and stakeholders.
• Primary objectives — This exercise has proven to be an effective catalyst to trigger cyber risk conversations at board level as participants experience first-hand how to assess, decide, engage and communicate during a cybersecurity crisis. The exercise may aim to increase awareness, or to have more formal objectives to provide evidence of cyber resilience to regulators. This can include testing the ability of executive management to make decisions during a crisis, in addition to incident coordination at a high level.
• Target audience — C-suite (CEO, COO, CRO, CFO, CTO, CIO, CISO), board members, general counsel, PR/communications, HR, business units, cyber threat intelligence, business continuity management, and incident coordinator (however not the full incident coordination team).

Incident coordination simulation exercise

• Exercise description — This exercise typically lasts a half day and focuses on challenging the incident coordinator and their team as they execute their response plan. Participants perform all, or the majority of, the processes documented in the plan. (Participants may discuss the actions they would take without necessarily implementing them.) The exercise is customized to the organization and their incident management plans and typically involves providing participants with a series of customized injects that challenge their ability to coordinate their response at both the strategic and tactical levels.
• Options — The exercise can be customized to include testing technical elements in a desktop-based manner. Elements of gamification can also be added.
• Primary objectives — To test the ability of the incident coordination team to manage the incident through to its conclusion, including interacting with the executive-level team.
• Target audience — CTO, CIO, CISO, incident coordinator, incident response lead, investigations lead, cyber threat intelligence, business continuity management and technical professionals.

Response team simulation exercise

• Exercise description — This exercise can last from 1-2 days to 6-8 weeks and really gets hands-on from a technical perspective, challenging an organization’s ability to sense and react to sophisticated attackers. Following detailed planning and establishing rules of engagement, Team conducts active attacks against the organization that should be detected and responded to by security monitoring and response teams. Participants undertake the technical actions they would do to defend and eradicate the threat. The exercise typically involves a series of social engineering/external penetration activities to gain a foothold, followed by internal lateral movement and escalation of privileges in order to access trophies — all while avoiding detection.
• Options — There are three typical approaches we take to these dynamic exercises:
  • Technology-enabled simulation — A scenario is agreed in advance and leverages prepositioned internal and external systems to execute scripts that emulate attack scenarios.
  • Purple Team exercise — Predefined scenarios are jointly developed by Team and the client’s Team and executed together, allowing live collaboration, which drives communication and coordination.
  • Live war game — Team develops and executes predefined scenarios without detailed collaboration with the client (basic rules of engagement and target trophies are agreed), allowing the client’s Team to react in real time – all the time observed.
• Primary objectives — Test the security monitoring and incident response capabilities of the organization’s security operations center (SOC).
• Target audience — CISO, incident coordinator, incident response lead, investigations lead, technical professionals, cyber threat intelligence, and security operations (this may be extended to include the full incident coordination team, depending on objectives).

Technical Issues

Cyber risk is different than traditional IT risks and presents a unique set of challenges:

• Cybersecurity incidents are high-speed, unstructured and diverse — crisis management for these cases is intense and demanding
• Unlike one-off incidents, motivated attackers mount persistent dynamic campaigns, with the scale and complexity of threats continuously expanding
• The impact in terms of both cost and reputational damage can be severe
• Every organization has a broad range of entry points, including third parties and internal staff
• Traditional business continuity management (BCM) typically focuses on availability of systems and data — this may be ineffective, for example when data integrity issues are replicated automatically across disaster recovery (DR) systems
• Keeping current and well-versed across people, process and technology response capabilities, and across technical, project management and executive management teams can be difficult in the face of competing priorities
• Obtaining executive buy-in and participation in incident response planning and exercises can be difficult if the risks are not well understood
• Shortage of skills and internal capability to respond to an increasing number of complex attacks can leave organizations exposed
• Organizations frequently learn of a cybersecurity breach from outside sources, such as law enforcement, a regulator or a client, and struggle to keep control of the incident
• Managing the media when the news of a security breach has already gone viral and is being discussed by your customers on social media and other channels outside of your control
• Assuring customers, regulators, investors and other interested parties that the breach is under control
• Engaging with regulators to demonstrate proactive incident management capability (e.g., minimizing financial impact and ensuring the protection of customer information)
