Simulate a Crisis, Avoid a Catastrophe
Trite old sayings aside, practice works.
Sports teams and the armed forces understand that ensuring everyone knows their role and has practiced it until they can do the job in the dark with their eyes closed is the only way to guarantee the proper reaction when it’s time to go to work.
The same should hold true for an organization preparing for any type of emergency, ranging from a power outage, natural disaster, or cyberattack. For those who scoff at the danger, Microsoft and Western intelligence allies recently reported that Chinese nation-state-sponsored hackers have been burrowing into U.S. critical infrastructure facilities, ranging from telecommunications to transportation networks, in a widespread espionage campaign.
In a recent blog, Microsoft noted that Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering, was launching attacks. Microsoft assessed with moderate confidence that this Volt Typhoon campaign is pursuing the development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.
The fact that threat actors are improving and moving forward with their ability to launch such attacks means organizations must also prepare, not only in terms of IT recovery and cyber resilience, but also for the wider impacts which can follow. The best way to do so is by conducting crisis simulation exercises.
A crisis simulation exercise is not easy for the average organization to prepare for or conduct. It must be well thought out, detailed, and be led by a team that has a specific goal in mind, and one that can teach the attendees how to react.
Crisis Simulation Objectives
A crisis simulation is not conducted in a vacuum but is structured around an agreed-upon set of objectives. While these may vary and should include goals specific to the organization, in general, the exercise should be designed to:
- Reduce the impact and likelihood of a cyber incident
- Determine the effectiveness of existing practices
- Maintain availability of systems and services
- Identify key personnel and resources
- Manage potential reputational and legal implications arising from a cyber incident
- Plan for effective internal and external communication during and post-incident
- Execute time-critical decisions
- Identify areas for potential refinement or improvement.
Once these objectives are decided upon and built into the training curriculum, the desired outcomes should also be discussed. These will be specific to the exercise, but overall, they should be based on industry best practices for incident response, escalating scenarios from a technical issue through to a publicly exposed major data breach, using multi-media injects, and are designed to imitate a real-life crisis involving IT staff through to the C-suite. The simulation team should map the responses to the organization’s chosen security framework. Finally, insights and discussion points are captured and fed back to build a complete picture of your ability to respond.
Crisis Simulations Are Not Just About Technology
An actual cyberattack quickly spins out from being just a technical problem to solve. At first glance, this might seem counterintuitive; after all, a cyber incident likely directly impacted the organization’s system, but this is only the first domino to fall.
Within minutes of an attack, there will be legal, regulatory, financial, operational, personnel, and public relations matters to take into consideration.
Legal – Cyberattacks can expose companies to civil or criminal penalties and are likely to involve local law enforcement.
Regulatory – The attack may expose the fact that the organization was not in compliance with local regulatory requirements, or an organization might have to show the opposite that it was complying.
Finance – Dealing with the impact the attack might have on revenue or determining how much, if any, of the damage inflicted is covered by cyber insurance.
Operations – An organization must determine what aspects of its business are no longer functioning and either create a workaround or determine how long it will be offline.
Personnel – IT and security teams need to train workers on the procedures and guidelines to follow in case of an attack and ensure that these are followed as the crisis unfolds.
Public Relations – A cyberattack can damage an organization’s image and credibility with the public and clients. Therefore, a public affairs team needs to stand ready to answer media questions and assure others that the situation is being handled properly.
The heads of each of these departments must be involved in all planning and in the crisis simulation itself. The attendees for simulations are commonly only IT and Security-focused individuals. However, a real crisis requires a multidisciplinary team comprised of Legal, Finance, PR, Communications, Marketing, Risk, IT, Security, and HR.
One must bring a holistic perspective to an actual incident, so make sure you have key representatives from each discipline on the crisis team and in your simulations so you can practice working together.
How Trustwave Builds a Crisis Simulation
Trustwave Consulting and Professional Services (CPS) recommend using the NIST incident response framework, which is mapped to the incident response process. The framework sets the stage by covering triage, investigation, act, and post-incident.
The team creates a scenario on which to base an attack. For example, it can be a third-party incident in which an attacker hits a supplier or commercial partner with a cyberattack, compromising both organizations. Or a ransomware attack that impacts your system, knocking it offline and stopping orders from coming in and being processed. Every scenario is matched to your own business operations and infrastructure to ensure maximum realism.
During these events, the Trustwave team will inject additional problems for the crisis team. These can include news media headlines, additional phishing emails, website defacement, having to notify customers and legal issues arising. The speed at which these escalate can be agreed in advance in line with your objectives.
For example, Trustwave’s CPS team is in the process of conducting crisis response workshops with the UK Ministry of Defense (MoD). Each workshop consisted of half-day events conducted by representatives from Trustwave’s CPS division.
Attendees from across the British Army and other areas of the MoD began by focusing on NIST’s background and the development and implementation of the Cybersecurity Framework. Putting this into practice, the attending MoD personnel worked through a scenario centered on a cyberattack on a corporate system supporting the army, augmented with attack artifacts, social media posts, breaking news videos, and official government communications.
The purpose was to show the attack’s impact and how the MoD could use the NIST Cybersecurity Framework throughout a cyber incident’s defense, response, and recovery phases.
The end result of a crisis simulation should be a more resilient organization, with better cybersecurity awareness and education, and an improved chance of defending itself or, in a worst-case scenario, properly reacting to a cyberattack.
Trustwave’s Consulting and Professional Services Helps the UK Ministry of Defense Prepare to Defend Against a Cyberattack
The United Kingdom’s Ministry of Defense (MOD) wanted to adopt the National Institute of Standards and Technology (NIST) Cybersecurity Framework but wanted to deliver the training in a refreshing and innovative way so they reached out to Trustwave to develop and deliver a specialized Crisis Simulation to fit its specific need.