Consistent security training is crucial for organizations to reduce risk and ensure the security of data within the organization
As I have said for over 20 years now, security awareness training is the cheapest risk-reducing measure that an organization can take. Unfortunately, my mantra hasn’t seemed to stick, because organizations rarely enforce this type of training.
Since it is currently National Cyber Security Awareness Month, now is an excellent time to revisit this topic. One type of security training I would like to focus on is Incident Response Tabletop Exercises.
Sound familiar? Most organizations have very sound incident response programs (IRPs), but there is a common theme across many large enterprises: they do not exercise them on a regular cadence.
Incident Response Programs and Tabletop Exercises
Who are you going to call if you are breached or suspect a breach? When do you involve local law enforcement or your public relations department? These are critical questions to answer when planning your security program, but if the answers are not rehearsed before they are needed, you will fail when it matters most.
Tabletop exercises are typically discussion-based exercises, where personnel meet in a classroom setting or in breakout groups to discuss their roles and responses during an emergency situation.
The goal of any tabletop exercise should be to validate the content of the IR plan and its related policies and procedures, the roles and responsibilities documented in the plan, and the interdependencies documented in the plan.
In addition, security tabletop exercises should have at least the following six objectives:
- Assess your organization’s ability to detect and properly react to hostile activity during the exercise.
- Evaluate the organization’s capability to determine operational impacts of cyber-attacks and implement proper recovery procedures for the exercise.
- Understand the implications of losing trust in IT systems and capture the workarounds for such losses.
- Expose and identify weaknesses in the organization’s IRP.
- Determine what enhancements or capabilities are needed to protect an information system and provide for operations in a hostile environment.
- Enhance cyber awareness, readiness and coordination.
In trying to keep the scenario realistic, the majority of your time will most likely be dedicated to research and development of the simulated cyber incidents; the objective is to provide reasonable scenarios relevant to your industry vertical in order to provide the most benefit.
Let’s look at a couple of different tabletop scenarios you could use.
Fictional Sample Scenario 1: Distributed Denial of Service (DDoS) Attack
In this scenario, a distributed denial of service (DDoS) attack occurs against a corporate resource, battleship.fake.com (SQL Transportation Management). Technical resources will be required in order to respond to the attack. The corporation will also need to respond to third-party shipping partners who are aware of the issue.
Let’s add some symptoms to help bring context to the exercise.
A senior network administrator was fired from the company three months ago due to a code of conduct issue. When her termination was finalized, the individual left quietly but began berating the company on social media sites such as Twitter and Reddit. An online connection responded to one of her threads suggesting that she use her knowledge of the environment to get revenge. Having heard of Low Orbit Ion Cannon (LOIC) in relation to the hacktivist group Anonymous, she decided to test it out.
Using LOIC, the attacker was able to enlist the assistance of 1,250 “bots” to overload the carriers.acme.com web server with HTTP GET packets. She launches the attack from a coffee shop in downtown Big Town. Since the traffic originates from numerous bots spread throughout the world, it is impossible to track the source of the attack, which is what makes LOIC such a dangerous tool for novice attackers.
However, one weakness of the LOIC attack is that every HTTP GET request it generates is formatted identically. A packet capture on the firewall or a SPAN port would allow a network administrator to confirm this and craft a rule on the firewall or intrusion prevention system (IPS) to drop the matching traffic.
Here is how the attack unfolded across the company:
- 16:00 – A third-party freight carrier responsible for transporting product notices that the SQL Transportation Management portal (battleship.fake.com) is running very slowly. Attempts to pull freight requests take a very long time to load. At times, the requests time out and display a 503 error. A call is placed to the corporate helpdesk.
- 17:00 – An automatic notification is received from your health-monitoring tool. The helpdesk technician forwards the message to IT Operations. The message reads: “Warning, primary web server at 90% maximum load.” IT Operations attempts to log in to the web server. Oddly enough, it takes 90 seconds to log in to the GUI.
- 18:00 – IT Operations confirms that the intrusion prevention system (IPS) has not generated any relevant alerts in the past 24 hours. Inbound traffic directed to the web server on TCP port 80 can be seen. The traffic does not appear to come from the same or related public IPv4 subnets.
- 19:00 – IT Operations discovers that the Apache web logs show a massive number of HTTP GET requests. The Apache web service is restarted, and performance immediately improves. However, within five minutes, performance returns to a degraded state.
- 20:00 – An anonymous phone call is received by the corporate helpdesk claiming that a distributed denial of service attack is in progress. The caller appears angry toward the company and demonstrates some private knowledge of the corporate network. The caller says the attack will continue for as long as possible to make the organization “pay” for what it did, then abruptly hangs up.
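The scenario gives the team two facts it can act on: the Apache logs are full of GET requests from many unrelated sources (the 18:00 and 19:00 entries), and every request produced by the tool is formatted identically (the weakness described above). The script below is an added example, not part of the original article or the exercise material, showing how IT Operations could turn those two facts into a detection and a block signature. It parses Apache combined-format access log lines, measures the peak request rate per time window and the number of distinct source addresses, and checks whether a single request fingerprint (method, path, protocol version and User-Agent) dominates the traffic. The log lines, IP addresses (documentation ranges), paths and User-Agent strings are all constructed for this example; the thresholds are assumptions to tune for your own portal's normal load.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache "combined" log format. The IPs come from
# documentation ranges and the User-Agent strings are made up for this example;
# the first six lines model a flood of identical GETs from unrelated sources,
# the last two model a legitimate freight partner session.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Oct/2020:16:02:11 +0000] "GET /freight/requests HTTP/1.0" 503 213 "-" "Mozilla/4.0 (compatible)"
203.0.113.44 - - [01/Oct/2020:16:02:11 +0000] "GET /freight/requests HTTP/1.0" 503 213 "-" "Mozilla/4.0 (compatible)"
198.51.100.23 - - [01/Oct/2020:16:02:11 +0000] "GET /freight/requests HTTP/1.0" 503 213 "-" "Mozilla/4.0 (compatible)"
192.0.2.77 - - [01/Oct/2020:16:02:11 +0000] "GET /freight/requests HTTP/1.0" 503 213 "-" "Mozilla/4.0 (compatible)"
192.0.2.130 - - [01/Oct/2020:16:02:11 +0000] "GET /freight/requests HTTP/1.0" 200 8812 "-" "Mozilla/4.0 (compatible)"
203.0.113.201 - - [01/Oct/2020:16:02:11 +0000] "GET /freight/requests HTTP/1.0" 503 213 "-" "Mozilla/4.0 (compatible)"
198.51.100.7 - - [01/Oct/2020:16:02:15 +0000] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/85.0"
198.51.100.7 - - [01/Oct/2020:16:02:18 +0000] "GET /freight/requests?id=4471 HTTP/1.1" 200 9931 "https://battleship.fake.com/login" "Mozilla/5.0 (Windows NT 10.0) Chrome/85.0"
"""

# Apache combined log format: ip ident user [ts] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one access log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["epoch"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return entry


def fingerprint(entry):
    """The request shape a flood tool repeats verbatim; legitimate clients vary it."""
    return (entry["method"], entry["path"], entry["proto"], entry["ua"])


def analyze_access_log(lines, window_seconds=10, min_requests=5, min_sources=3, min_share=0.7):
    """Summarize a log slice and decide whether it looks like a distributed GET flood.

    A flood is suspected when, within a single time window, request volume is high,
    the requests come from many distinct sources, and one fingerprint accounts for
    most of the traffic. All three thresholds are assumed values for this example.
    """
    entries = [e for e in (parse_line(l) for l in lines) if e]
    if not entries:
        return {"requests": 0, "flood_suspected": False}

    per_window = Counter(int(e["epoch"] // window_seconds) for e in entries)
    shapes = Counter(fingerprint(e) for e in entries)
    dominant, dominant_count = shapes.most_common(1)[0]
    share = dominant_count / len(entries)
    peak = max(per_window.values())
    sources = {e["ip"] for e in entries}

    return {
        "requests": len(entries),
        "unique_sources": len(sources),
        "peak_in_window": peak,
        "dominant_fingerprint": dominant,
        "dominant_share": share,
        "flood_suspected": peak >= min_requests and len(sources) >= min_sources and share >= min_share,
    }


def block_signature(fp):
    """Fields a firewall/IPS/WAF rule can match to drop only the flood traffic."""
    method, path, proto, ua = fp
    return {"method": method, "path": path, "protocol": proto, "user_agent": ua}


def sources_for_fingerprint(lines, fp):
    """Sorted list of source IPs that sent requests with the given fingerprint."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    return sorted({e["ip"] for e in entries if fingerprint(e) == fp})


if __name__ == "__main__":
    report = analyze_access_log(SAMPLE_LOG.splitlines())
    print(report)
    if report["flood_suspected"]:
        print("suggested drop rule fields:", block_signature(report["dominant_fingerprint"]))
        print("sources matching signature:", sources_for_fingerprint(SAMPLE_LOG.splitlines(), report["dominant_fingerprint"]))
```

Note that the legitimate partner's requests to the same path are not caught by the signature because their protocol version and User-Agent differ, which is the point of matching on the whole request shape rather than on the path or the source addresses alone; restarting Apache, as the 19:00 entry shows, only buys five minutes because none of those fields change.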
Once the complete scenario is presented, the team should discuss the parts of the plan that were successful, and which were not. They should then document these notes for reference later.
Fictional Sample Scenario 2: Mergers and Acquisitions
Let’s now look at a different scenario, one that is not often discussed: mergers and acquisitions. Below is a simple scenario to try out with your team. This scenario example will consist of five increments, with each increment building on the previous one, and providing additional information and context.
The example begins with a generic cybersecurity incident, where malicious software was discovered on several critical servers and executives’ laptops of a newly acquired company. Through analysis, the security team realizes the malware has existed on the newly acquired company networks for several months.
As the scenario escalates, each additional event is presented to test your leadership team:
- An external security blogger will be publishing a story on the incident.
- There has been notice from the FBI of an investigation involving Nation State hackers and insider involvement.
- There was an article published on CNBC.com about the incident.
- An SEC investigation is underway, followed by a subpoena.
Yikes – that’s pretty serious!
At each stage, new information is provided to the team, followed by a 15- to 25-minute discussion in which the team assesses the information, aligns it with what was known before, determines courses of action and next steps, identifies dependencies and gaps, and leverages existing processes to move forward.
How Security Awareness Training Works for Your Organization
While there may not be a fix for every possible scenario, I can assure you that awareness training can help bring cybersecurity to the forefront of your business strategy, strengthen your security posture and make everyone responsible for security of your organization.
As mentioned in previous security articles, the first step toward creating a successful cybersecurity awareness program is the recognition that the program will not have a defined timeline or an expected completion date.
Instead of having this timeline in mind, security awareness training should foster cybersecurity consciousness in the company’s core culture and throughout the entire organization. This requires constant education and vigilance, which is very necessary considering we cannot simply buy technology to solve our problems, and our security workforce in general is small.
According to the Information Systems Audit and Control Association (ISACA), a non-profit information security advocacy group, there will be a global shortage of two million cyber security professionals by next year. Now more than ever, it is imperative that your employees, partners and customers know the risks that inherently go along with the technology that they use every day.
Get started today by requesting our Security Tabletop Exercises Workshop or contact me directly to learn more about how to strengthen your organization’s security posture.