CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Mastering Cybersecurity Challenges: How Crisis Simulations Empower Organizations to Defend Against Cyber Threats

Cyberattacks are a constant and evolving threat across all sectors with 2023 seeing a resurgence in data breaches and ransomware attacks with popular variants like Clop, LockBit, and ALPHV, among others, terrorizing businesses and exploiting system vulnerabilities.

 

The 2021–2022 financial year saw an increase in cybercrime, with over 76,000 reports made to the Australian Cyber Security Centre (ACSC), with no signs of slowing down. This trend has forced organizations to take a deeper look at their cyber preparedness and responses to reduce the damaging impact of an attack.

 

Organizations need to shift their focus beyond merely investing in enhanced security tools and technologies, emphasizing the importance of the human element in cybersecurity. A well-informed workforce, equipped to recognize and respond to common threats, coupled with robust protocols for handling cyberattacks, is essential for averting disastrous consequences.

 

Having such a team in place becomes particularly significant in a security landscape marked by the rapid evolution of threats, where attackers increasingly exploit unprepared employees through tactics such as phishing and ransomware.

 

Conducting crisis simulations stands out as one of the most effective methods for fortifying human cyber resilience. These simulations stress-test both teams and processes, creating real-world, hands-on scenarios that prepare and train staff for potential breaches. These scenarios should mirror an organization's current most prevalent or critical risks.

 

However, several recurring challenges tend to surface across various organizations during the practice scenarios. The most common issues are:

 

  1. Lack of Defined Delegation Chains and Unclear Accountability

Most delegation chains go one person deep. So, if the first point of call isn't available, the decision goes to the next person. However, this system fails when that person is also unreachable. This highlights the importance of a broader and more dependable fallback plan; ideally, one that's not reliant on a specific individual but rather tied to a role, like the incident lead. Furthermore, it's important to define the decision-making capabilities for each role clearly.

 

Too often, an incident lead theoretically has the power to shut down systems; however, in reality, they can't do this without the CEO's approval, ultimately rendering the delegation chain ineffective. If an organization gives an employee the authority, are they prepared to exercise it? If the answer is no, the business must ensure the decision-making process is properly documented. Most of the time, the decision-making processes laid out in playbooks are theoretical and not practical in a real-world setting. Organizations should focus on creating comprehensive, pragmatic delegation chains that function effectively in any circumstance.

 

At the end of the day, who is responsible for making these decisions? And, to what level can they make that decision? Organizations need to be explicit in the playbook or response documentation around the threshold to which decisions can be made. 

Who can make which decisions and who assumes responsibility for each action should be clearly defined. For example, an incident responder may have the authority to deactivate infrastructure items A, B, and F; however, another individual can only decide C and D.

 

This responsibility could be determined based on the level of impact on the customer or even the financial implications. There need to be clear guidelines that empower individuals to make critical decisions, such as shutting down systems, without hesitation or uncertainty about their authority. For the most part, the stumbling block often lies not in an individual's unwillingness to make decisions but in their uncertainty about whether it falls within their jurisdiction. This lack of clarity often leads to unproductive finger-pointing.

 

  1. Overanalyzing 

Quick decision-making, even without the benefit of a complete information set, is critical in crisis management. Often, the instinctive response is to await further data or delve deeper into the problem for analysis. While this can sometimes lead to better-informed decisions, it can also act as an avoidance tactic, delaying necessary action. Indecision or passivity can, in many cases, be worse than making the wrong decision.

 

During a malware campaign, damage is actively happening, and every moment spent digging or asking further questions will only worsen the situation. In such high-stakes situations, executives must be comfortable making decisions under pressure, even when they don't necessarily have all the answers right before them. The reality is that many decisions, particularly in a crisis, fall between bad and slightly less bad options. The goal is not always to select the best option but to choose the least bad one.

 

  1. Communication is Key

In crisis simulations, a robust communication strategy is crucial, yet it's an area where organizations often need to invest more resources. Having a predefined communications plan isn't just a requirement; it's an absolute necessity for smooth crisis response and ensuring all relevant information reaches the right people at the right time, minimizing confusion as much as possible. This plan should be comprehensive, targeting all stakeholders, not just the customers.

 

It should also detail what needs to be communicated to the staff and at what frequency. This is important because employees need to be well-informed and guided, and they are often the first line of contact for customers. Senior executives, too, require frequent updates, given their roles in decision-making and overall management of the crisis. In addition, customers need to be kept in the loop with consistent, clear, and accurate information to maintain their trust in the organization during the crisis.

 

Putting Humans at the Center of Cybersecurity

 

Businesses need more than robust cyber security measures through technical solutions. The human element is still a major factor in breaches, which means it's time to close the gap. One way to do this is through cyber security crisis simulations, which offer unique and essential real-life training experiences that every organization should prioritize.

 

Consider a situation where an employee's laptop, repaired by an external IT technician, leads to a data leak. The challenge lies in deciding whether to track down the technician or mitigate the online data spread. Such complex situations require quick, informed decisions, a skill that can be honed through crisis simulations.

 

These simulations go beyond typical training exercises, immersing personnel and processes in simulated emergencies before they face the real deal. By highlighting areas for improvement and fostering collaboration among team members, crisis simulations let organizations develop battle-tested approaches for crisis management. Ultimately, the more prepared an organization's employees are for the real thing, the better they will do when, not if, a genuine attack occurs.

 

A version of this blog originally appeared on Cyberdaily.com.

Latest Trustwave Blogs

Law Enforcement Must Keep up the Pressure on Cybergangs

The (apparent) takedown of major ransomware players like Blackcat/ALPHV and LockBit and the threat groups’ (apparent) revival is a prime example of the Whack-a-Mole nature of combating ransomware...

Read More

Effective Cybersecurity Incident Response: What to Expect from Your MDR Provider

Companies engage with a managed detection and response (MDR) provider to help ensure they detect cyber threats before they do any damage. The "response" part of the MDR moniker is key to that effort,...

Read More

The Power of Red and Purple Team Drills in Enhancing Offensive Security Programs

Despite investing in costly security solutions, keeping up with patches, and educating employees about suspicious emails, breaches still occur, leaving many organizations to wonder why they are...

Read More