Cyber Risk Management: Operations-Based Exercises (Part 3 of 3)

Today’s post concludes our mini-series within a series, as we complete the posts addressing he planning and conduct of exercises as part of our broader ongoing series on applying the Preparedness Cycle to Cyber Risk Management. The complete blog and series can be accessed via our friends at SurfWatch Labs and their blog (read parts one, two, three, four, and five a and five b here). Excerpts follow.

In our last post, we addressed some of the discussion-based exercises Johnny and the Acme team would be conducting. Moving on to more complex and realistic operation-based exercises, Johnny is ready to try some simple drills.

…Johnny conducts several short drills to validate that personnel understand and are able to execute roles, responsibilities, and procedures detailed in the Annex. With leadership approval, Johnny leads three unannounced drills over the course of a two-week period. One drill involves several individuals reporting a suspected ransomware infection on their device to different parts of Acme in order to test recipients’ ability to properly receive and understand the messages, as well as communicate the suspicious incident to the proper POCs within the time frame determined in the Annex. A second drill exercises the leadership decision making processes upon notification of a suspected ransomware incident. The third drill allowed participants the opportunity to practice reestablishing files from back-ups following a notional ransomware infection.

…Following the drills, and with opportunities to make some minor refinements to the Annex and some retraining on key tasks, Johnny is approved to plan a three-hour Functional Exercise (FE) that implements the procedures detailed in the Annex from initial identification of a suspected ransomware incident in real time. In a scheduled and announced exercise that includes all appropriate personnel, the Acme team wants to assess what they are successfully able to accomplish in a finite period of time and to gauge if they are able to properly follow procedures under the stress of an expanding outbreak…

A full-scale cybersecurity exercise could include using a simulated cyber range environment to replicate an organization’s network, allowing for testing of response activities to simulated attacks or incidents.” Gary Benedict, Section Chief of the DHS National Cyber Exercise & Planning Program

It is important to try and make exercises — particularly operational exercises — as realistic as possible, and following Gary’s advice here can help challenge participants in as realistic a manner as possible.

For this year Acme has determined they are going to keep the exercise internal, and not include external subject-matter expertise that would be employed in the event of an incident beyond their team’s ability to internally manage. Following the FE, and some other exercise events that are already planned for this year, Johnny is tasked with integrating a ransomware attack into a more complicated Full Scale Exercise (FSE) for next year that will include an additional scenario variable and the inclusion of external personnel in several areas.

…Whatever your organizations’ cyber risk focus, taking the time to plan and resource an effective, progressive exercise program can go a long way in supporting effective preparedness, and ensuring timely and successful response to incidents. The ability to properly respond to an incident can save an organization a lot of time and money — minimizing downtime and helping to minimize impacts, while supporting a quick return to normal operations.

To read the complete post, continue to SurfWatch Labs: “Preparedness & Cyber Risk Reduction Part Five C: Operations-Based Exercises“