Organising a cyber crisis exercise is not an easy task. From preparation to D-Day, a lot of unforeseen events can occur and the organising team needs to remain a step ahead of the players. This article breaks down the steps to a successful cyber crisis exercise in a large company.
There are many reasons to organise a cyber crisis exercise: evaluating the integration of cyber security into the crisis management system; improving interactions between the different teams; and testing the capacity of the security division to make itself understood by top management.
From a simple table-top process test to SOC/CERT training to a large-scale exercise involving dozens of crisis teams and months of preparation, the resources allocated to a crisis simulation vary greatly. This article focuses on the last category.
What's a typical crisis exercise?
Looking at the figures, some of the largest crisis exercises in France have consisted of one day of activity, 150 people mobilised, 10-12 crisis teams in several countries, 30 facilitators, 20 observers and more than 300 stimuli. Making a success of such an event requires both a high level of preparation and a very solid hosting team on D-Day.
One of the key issues found in these types of exercises is that there is only one take. It is therefore essential that all the actors take part in the game, and that the scenario involves all the participants. Preparation and facilitation are key in such exercises to make sure the time spent on the simulation is worthwhile.
Six months to prepare
The first months of work are always devoted to the attack scenario. Ransomware, targeted fraud, attacks on suppliers… the choice of weapons is wide. In ambitious exercises, it is not rare to combine several attacks in a single crisis: a smoke screen launched by the attackers, identification of a second group during the investigation, etc. Whatever the scenario chosen, the key is to be as precise as possible:
- What are the attackers’ motives?
- What path of attack did they take?
- When was the first intrusion?
The exercise is long and preparation beforehand is needed, especially when 150 players investigate an attack for several hours. Spear-phishing, watering-hole attacks, code compromise, privilege escalation: the vulnerabilities used by the fictitious attacker are not real, but they must be plausible and “validated” by technical accomplices throughout the preparation. Similarly, business impacts should be reviewed with business specialists: the level of fraud at which the situation becomes critical, the critical activities to be targeted as a priority, the most sensitive customers, etc. The choice and involvement of accomplices are essential, and they should be integrated into the coordination team on D-Day.
The script consists of defining, minute by minute, the information that will be communicated to the players. Calibrating the rhythm of the exercise is a complex point. The temptation to impose a strict rhythm in order to “master” the scenario is great, but care must be taken to leave enough room for reflection.
The start of the exercise is another complex point: should the scenario start directly in a crisis situation, or with an alert that will test the general mobilisation process? More often than not, the second option is chosen. That way, the technical teams (CERT, SOC, IT…) can be mobilised for the entire duration of the exercise. ExCom members should have their diaries freed up for that day as well.
Technical reports, fake tweets, messages from worried customers: these are all useful stimuli for the players.
Videos are often used to captivate. Indeed, nothing is more striking than a fake BBC report relaying the current attack (logo, studio set, etc.: the more realistic the better). For more realism, videos of people “known” in the company (a message from the CEO, an interview with a factory boss, etc.) can be used.
The same goes for the technical side: the duration of the exercise often does not allow the players to carry out the technical investigations themselves, but they will ask a lot of the facilitators. Everything must be ready to avoid panic: malware analysis reports, application log extracts, IP address lists, etc.
As mentioned in the introduction, the most ambitious exercises may require the creation of 300 stimuli to get through the day and remain credible – it represents a lot of work.
What should you do on D-Day?
On D-Day, early in the morning, a meeting is organised with the whole facilitation team and the observers for the final adjustments. A few hours later, the observers go to their crisis cells and start the players’ briefing.
For many players, this may be their first exercise. The briefing is therefore essential to avoid confusion between fictional and real-life events:
- Players call the police in the middle of the exercise
- The players contact a mailing list of 400 people without specifying that it is an exercise
- Real customers are called to be reassured
- A production site is neutralised “as a precaution”
To avoid such situations, it is essential to iron out the rules of the game during the briefing: the players must communicate with each other, but they must go through the facilitation cell to contact external stakeholders. Throughout the day, the facilitators and accomplices in each team find themselves in the shoes of a client, a technical expert, a CEO or a regulator, according to the players’ requests.
The sequence of events depends on the efficiency of the facilitation cell. A successful exercise includes a lot of improvisation on the day. Stimuli may have to be readjusted according to the reactions of the players; the script is never fixed, and the facilitation cell will be put to the test on the day of the exercise. The largest crisis exercises rely on a highly professional facilitation team, including the head of facilitators, a PMO, a technical manager, a business manager, a call-management centre, etc.
We suggest not taking any risks on D-Day and building the facilitation team from people who are used to working together and know each other. Doing so is the best way to save time and to prevent the organising team from going into crisis itself.
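As an added illustration of the minute-by-minute script described earlier and of the readjustment of stimuli on the day, here is a small inject scheduler (example code, not part of the original article or of any real exercise tooling). The injects, cell names and the `[EXERCISE - EXERCISE - EXERCISE]` marker prefixed to every outgoing stimulus are constructed assumptions; the marker addresses the briefing problem of players or facilitators sending messages that are not clearly labelled as part of the exercise.

```python
"""Minimal inject scheduler for a cyber crisis exercise script.

Constructed example. Every stimulus released by the facilitation cell is
prefixed with an exercise marker so nothing can be mistaken for a real event.
"""
from dataclasses import dataclass, field

EXERCISE_MARKER = "[EXERCISE - EXERCISE - EXERCISE]"  # assumed convention


@dataclass
class Inject:
    offset_min: int   # planned delivery time, minutes after exercise start (T+)
    cell: str         # crisis cell receiving the stimulus, e.g. "CERT", "ExCom"
    channel: str      # channel played by a facilitator: "email", "phone", "video"
    content: str      # the stimulus text as scripted by the scenario writers
    delivered: bool = False


@dataclass
class Script:
    injects: list = field(default_factory=list)

    def add(self, *injects: Inject) -> None:
        self.injects.extend(injects)
        self.injects.sort(key=lambda i: i.offset_min)

    def hold(self, from_offset: int, minutes: int) -> int:
        """Give the players reflection time: push back every undelivered
        inject planned at or after from_offset. Returns the number shifted."""
        shifted = 0
        for inj in self.injects:
            if not inj.delivered and inj.offset_min >= from_offset:
                inj.offset_min += minutes
                shifted += 1
        return shifted

    def release(self, now_min: int) -> list:
        """Deliver every undelivered inject due at T+now_min, with the marker."""
        out = []
        for inj in self.injects:
            if not inj.delivered and inj.offset_min <= now_min:
                inj.delivered = True
                out.append(f"{EXERCISE_MARKER} T+{inj.offset_min:03d} -> "
                           f"{inj.cell} via {inj.channel}: {inj.content}")
        return out


def demo_script() -> Script:
    """Constructed three-inject excerpt of a fictitious ransomware scenario."""
    s = Script()
    s.add(Inject(0, "SOC", "email", "EDR alert: unusual encryption on file server FS-01"),
          Inject(30, "CERT", "phone", "Helpdesk: ransom note on 40 workstations, Lyon plant"),
          Inject(60, "ExCom", "video", "Fake TV news report naming the company"))
    return s
```

Calling `hold(30, 15)` after the first inject has been released shifts the remaining stimuli by a quarter of an hour without touching what the players have already received, which is the kind of readjustment the facilitation cell makes when a team needs more time.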