Cyber Risk Management: Conducting Exercises (Part 2 of 3)

Today’s post continues the fifth part of our ongoing series on applying the Preparedness Cycle to Cyber Risk Management. This installment is the second of a three-part mini-series within the series, addressing the planning and conduct of exercises. The complete blog and series can be accessed via our friends at SurfWatch Labs and their blog (read parts one, two, three, four, and five a here). Excerpts follow.

…this installment and the next build on our introduction, and in the section that follows we’ll look at different types of discussion-based exercises as we consider some of the ways our fictional character, Johnny (introduced in our previous post on training), and his colleagues at Acme Innovations can approach progressive exercise design as they look to decrease the risks associated with the threat of ransomware…

… Johnny wants to ensure his colleagues understand ransomware and some of the examples of incidents and best practices that he can share. After talking with some of his coworkers, contacts at other companies, and local government partners through the state fusion center, he develops a half-day seminar event. The Ransomware Seminar includes a mix of panels and presentations. The agenda covers what ransomware is, and a short presentation by the Acme security team on other types of cyber extortion. Two guest speakers discuss case studies from real ransomware attacks they endured. Government partners (coordinated via the fusion center) and the Acme security team share government and industry best practices. In closing, the Acme CISO shares final thoughts to help encourage ideas in preparation for the next exercise event.

… Shortly after the Ransomware Seminar, Johnny conducts an Acme Ransomware Response Planning Workshop. The event includes selected members from Acme’s security team, several executives and line managers, legal representatives, members from IT support, business continuity, incident response teams, and other selected personnel.

“During the planning of any type of cyber-focused exercise, an organization should strive for inclusion of a wide variety of personnel from various departments such as these to properly develop a realistic, focused exercise that addresses cross-cutting organizational issues.” – Gary Benedict, Section Chief of the DHS National Cyber Exercise & Planning Program

The group reviews highlights from the seminar with the purpose of establishing clear planning guidance and an outline of how Acme wants to respond to a ransomware incident. The actual procedures will be developed after the workshop, but informed by decisions made at the exercise.

“Whether it’s conducted with external partners or just with internal staff, a TTX environment encourages open discussion and often networking of key personnel, ensuring understanding of roles and responsibilities and preventing the notion of ‘exchanging business cards during a disaster.’” – Gary Benedict, Section Chief of the DHS National Cyber Exercise & Planning Program

After completing the “Acme Ransomware Response Annex” to the Acme Incident Response Plan, Johnny develops a TTX based on a real-world ransomware outbreak and a fictional incident at Acme. The TTX includes many of the same personnel involved in the workshop, with a few additional players. This time, rather than exploring how they may want to respond, the participants exercise the Annex to gain familiarity with now-defined expected roles and responsibilities, and to validate that the Annex properly and effectively addresses the incident. Following the TTX, Johnny develops an After Action Report and… wait (!), we’ll cover that in the next installment of this series!

… Based on time and resources, and his assessment of utility for this threat, Johnny will not conduct a ransomware game. While he’d like to see the entire exercise series progression, he determines that after the TTX, Acme will move into some short, focused drills. Drills, and other operations-based exercises, will be addressed in our next installment, as we continue our discussion on exercise types and wrap up this mini-series on exercises.

To read the complete post, continue to SurfWatch Labs: “Preparedness & Cyber Risk Reduction Part Five B: Discussion-Based Exercises”


This series is being written by Andy Jabbour, Gate 15’s Co-Founder and Managing Director. Andy leads Gate 15’s risk management and critical infrastructure operations with focus on Information Sharing, Threat Analysis, Operational Support & Preparedness Activities (Planning, Training & Exercise). Andy has years of experience working with partners across the critical infrastructure and homeland security enterprise to support national security and client business needs.