
Simulate a Crisis, Avoid a Catastrophe

Trite old sayings aside, practice works.

Sports teams and the armed forces understand that ensuring everyone knows their role and has practiced it until they can do the job in the dark with their eyes closed is the only way to guarantee the proper reaction when it’s time to go to work.

The same should hold true for an organization preparing for any type of emergency, ranging from a power outage to a natural disaster or cyberattack. For those who scoff at the danger, Microsoft and Western intelligence allies recently reported that Chinese nation-state-sponsored hackers have been burrowing into U.S. critical infrastructure facilities, ranging from telecommunications to transportation networks, in a widespread espionage campaign.

In a recent blog, Microsoft noted that Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering, was launching attacks. Microsoft assessed with moderate confidence that this Volt Typhoon campaign is pursuing the development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.

The fact that threat actors are improving and moving forward with their ability to launch such attacks means organizations must also prepare, not only in terms of IT recovery and cyber resilience, but also for the wider impacts which can follow. The best way to do so is by conducting crisis simulation exercises.

A crisis simulation exercise is not easy for the average organization to prepare for or conduct. It must be well thought out, detailed, and led by a team that has a specific goal in mind and can teach the attendees how to react.

Crisis Simulation Objectives

A crisis simulation is not conducted in a vacuum but is structured around an agreed-upon set of objectives. While these may vary and should include goals specific to the organization, in general, the exercise should be designed to:

  • Reduce the impact and likelihood of a cyber incident
  • Determine the effectiveness of existing practices
  • Maintain availability of systems and services
  • Identify key personnel and resources
  • Manage potential reputational and legal implications arising from a cyber incident
  • Plan for effective internal and external communication during and post-incident
  • Execute time-critical decisions
  • Identify areas for potential refinement or improvement.

Once these objectives are decided upon and built into the training curriculum, the desired outcomes should also be discussed. These will be specific to the exercise, but overall, the exercise should be based on industry best practices for incident response, escalate scenarios from a technical issue through to a publicly exposed major data breach, use multi-media injects, and be designed to imitate a real-life crisis involving IT staff through to the C-suite. The simulation team should map the responses to the organization’s chosen security framework. Finally, insights and discussion points are captured and fed back to build a complete picture of your ability to respond.

Crisis Simulations Are Not Just About Technology

An actual cyberattack quickly spins out from being just a technical problem to solve. At first glance, this might seem counterintuitive; after all, a cyber incident most likely impacts the organization’s system directly, but this is only the first domino to fall.

Within minutes of an attack, there will be legal, regulatory, financial, operational, personnel, and public relations matters to take into consideration.

Legal – Cyberattacks can expose companies to civil or criminal penalties and are likely to involve local law enforcement.

Regulatory – The attack may expose the fact that the organization was not in compliance with local regulatory requirements, or an organization might have to show the opposite: that it was complying.

Finance – Dealing with the impact the attack might have on revenue or determining how much, if any, of the damage inflicted is covered by cyber insurance.

Operations – An organization must determine what aspects of its business are no longer functioning and either create a workaround or determine how long it will be offline.

Personnel – IT and security teams need to train workers on the procedures and guidelines to follow in case of an attack and ensure that these are followed as the crisis unfolds.

Public Relations – A cyberattack can damage an organization’s image and credibility with the public and clients. Therefore, a public affairs team needs to stand ready to answer media questions and assure others that the situation is being handled properly.

The heads of each of these departments must be involved in all planning and in the crisis simulation itself. The attendees for simulations are commonly only IT and Security-focused individuals. However, a real crisis requires a multidisciplinary team comprised of Legal, Finance, PR, Communications, Marketing, Risk, IT, Security, and HR.

One must bring a holistic perspective to an actual incident, so make sure you have key representatives from each discipline on the crisis team and in your simulations so you can practice working together.

How Trustwave Builds a Crisis Simulation

Trustwave Consulting and Professional Services (CPS) recommends using the NIST incident response framework, which is mapped to the incident response process. The framework sets the stage by covering triage, investigation, act, and post-incident.

The team creates a scenario on which to base an attack. For example, it can be a third-party incident in which an attacker hits a supplier or commercial partner with a cyberattack, compromising both organizations. Or a ransomware attack that impacts your system, knocking it offline and stopping orders from coming in and being processed. Every scenario is matched to your own business operations and infrastructure to ensure maximum realism.

During these events, the Trustwave team will inject additional problems for the crisis team. These can include news media headlines, additional phishing emails, website defacement, the need to notify customers, and legal issues arising. The speed at which these escalate can be agreed in advance in line with your objectives.

For example, Trustwave’s CPS team is in the process of conducting crisis response workshops with the UK Ministry of Defense (MoD). Each workshop consisted of half-day events conducted by representatives from Trustwave’s CPS division.

Attendees from across the British Army and other areas of the MoD began by focusing on NIST’s background and the development and implementation of the Cybersecurity Framework. Putting this into practice, the attending MoD personnel worked through a scenario centered on a cyberattack on a corporate system supporting the army, augmented with attack artifacts, social media posts, breaking news videos, and official government communications.

The purpose was to show the attack’s impact and how the MoD could use the NIST Cybersecurity Framework throughout a cyber incident’s defense, response, and recovery phases.

The end result of a crisis simulation should be a more resilient organization, with better cybersecurity awareness and education, and an improved chance of defending itself or, in a worst-case scenario, properly reacting to a cyberattack.


Trustwave’s Consulting and Professional Services Helps the UK Ministry of Defense Prepare to Defend Against a Cyberattack

The United Kingdom’s Ministry of Defense (MoD) wanted to adopt the National Institute of Standards and Technology (NIST) Cybersecurity Framework but wanted to deliver the training in a refreshing and innovative way, so it reached out to Trustwave to develop and deliver a specialized Crisis Simulation to fit its specific need.
