How fake cybersecurity incidents can improve real preparedness

A shift in mindset

Accepting today’s reality is the first step:

• There are only two types of organizations: those that have been hacked and those that will be.
• It is a real challenge when organizations do not realize they have been breached, and fail to react in a planned and coordinated manner.

Organizations typically overlook the importance of rehearsing the time-pressured technical, process and business decision making that is a critical component of being prepared to respond to a cyber-attack.

Those who fail to prepare will struggle to contain an attack and will feel the impact to a far greater extent. Having a cybersecurity incident response process that manages an incident from identification through investigation, containment, remediation and follow up is the first step. Being fluent in how to use it is vital. Simulated events are an excellent way to achieve this fluency, which is a key part of any resilience program.

Testing all aspects of the cybersecurity incident response can be complex, requiring the right level of challenge to the different capabilities involved in an effective response. The composition of an organization’s incident response team varies greatly, with some smaller organizations having a single team, and others having separate teams to address technical detection and response, managing the incident response process, and executive decision-making. The different skillsets, internal and external dependencies, and the organization’s approach to incident management, further emphasize the need to explore cybersecurity incident response before responding to a live incident.

Cyber risk is different than traditional IT risks and presents a unique set of challenges:

• Cybersecurity incidents are high-speed, unstructured and diverse — crisis management for these cases is intense and demanding
• Unlike one-off incidents, motivated attackers mount persistent dynamic campaigns, with the scale and complexity of threats continuously expanding
• The impact in terms of both cost and reputational damage can be severe
• Every organization has a broad range of entry points, including third parties and internal staff
• Traditional business continuity management (BCM) typically focuses on availability of systems and data — this may be ineffective, for example when data integrity issues are replicated automatically across disaster recovery (DR) systems
• Keeping current and well-versed across people, process and technology response capabilities, and across technical, project management and executive management teams can be difficult in the face of competing priorities
• Obtaining executive buy-in and participation in incident response planning and exercises can be difficult if the risks are not well understood
• Shortage of skills and internal capability to respond to an increasing number of complex attacks can leave organizations exposed
• Organizations frequently learn of a cybersecurity breach from outside sources, such as law enforcement, a regulator or a client, and struggle to keep control of the incident
• Managing the media when the news of a security breach has already gone viral and is being discussed by your customers on social media and other channels outside of your control
• Assuring customers, regulators, investors and other interested parties that the breach is under control
• Engaging with regulators to demonstrate proactive incident management capability (e.g., minimizing financial impact and ensuring the protection of customer information)

An effective response

Every attack is different, and so is every organization. The typical response process, based on leading practice, is outlined here — however, to be effective, an organization must have a response plan that is tailored to it.

Areas specific to an organization include: its critical assets, the threats most likely to be realized, its identification and detection processes, decision-making criteria and reporting lines, in addition to team members and underlying technologies. Identifying and engaging with third parties (both those involved in regular business with the organization and those, such as law enforcement and specialist lawyers, who are required in the event of a breach) is of vital importance.

Advanced organizations leverage cyber threat modeling to not only identify the top threats, but also prepare responses and countermeasures (“play books”) to these.

While every incident is different, a typical response plan follows a structured approach. This starts with detailed planning and preparation, which includes testing capability through simulation exercises. Once an incident is identified, it is triaged (categorized and classified) and initial steps are taken to contain the impact. An investigation into root cause is commenced and, once possible, steps are taken to remediate the issue and bring the organization back to a stable state. A key step that is often skipped is following up after the incident with lessons learned to enable long-term improvements in both the response process and the organization’s ability to sense, resist and react in future.

The capability to react rapidly to a cyber-attack helps to minimize the possibility of long-term material impacts. Organizations that develop superior, integrated and automated response capabilities can activate non-routine leadership, crisis management and coordination of enterprise-wide resources quickly.

Type 1: Executive cybersecurity incident simulation exercise

• Exercise description — This highly engaging, interactive and immersive exercise typically lasts a half day and is focused on the unique executive-level decision-making and communication strategies that are critical to any crisis response. In a safe environment, participants are able to truly experience what it is like to respond to a sophisticated cyber attack, increasing their level of awareness and gauging their readiness to manage a cybersecurity incident. Participants typically discuss the actions they would take without necessarily implementing them.
• This highly customizable exercise typically presents the participants with a number of initial pieces of information related to the potential cybersecurity breach. In the preparation of the exercise, organization-specific scenarios are typically created based on current threat intelligence. Throughout the session, the situation further unfolds, driven by the actions of the participants, as well as inputs from traditional and social media alike.
• Options — A range of options can be selected and combined in order to tailor the exercise to organizational objectives. We can conduct the exercise as a formal test through selecting predefined scenarios and providing guided reflection and facilitated discussion throughout. The exercise can also be played as a highly dynamic game, drawing on gaming elements, such as action cards, custom-built applications (including live media feeds) and actors providing real-time feedback in the role of media and stakeholders.
• Primary objectives — This exercise has proven to be an effective catalyst to trigger cyber risk conversations at board level as participants experience first-hand how to assess, decide, engage and communicate during a cybersecurity crisis. The exercise may aim to increase awareness, or to have more formal objectives to provide evidence of cyber resilience to regulators. This can include testing the ability of executive management to make decisions during a crisis, in addition to incident coordination at a high-level.
• Target audience — C-suite (CEO, COO, CRO, CFO, CTO, CIO, CISO), board members, general counsel, PR/communications, HR, business units, cyber threat intelligence, business continuity management, and incident coordinator (however not the full incident coordination team).

Type 2: Incident coordination simulation exercise

• Exercise description — This exercise typically lasts a half day and focuses on challenging the incident coordinator and their team as they execute their response plan. Participants perform all, or the majority of, the processes documented in the plan. (Participants may discuss the actions they would take without necessarily implementing them.) The exercise is customized to the organization and their incident management plans and typically involves providing participants with a series of customized injects that challenge their ability to coordinate their response at both the strategic and tactical levels.
• Options — The exercise can be customized to include testing technical elements in a desktop-based manner. Elements of gamification can also be added.
• Primary objectives — To test the ability of the incident coordination team to manage the incident through to its conclusion, including interacting with the executive-level team.
• Target audience — CTO, CIO, CISO, incident coordinator, incident response lead, investigations lead, cyber threat intelligence, business continuity management and technical professionals.

Type 3: Response team simulation exercise

• Exercise description — This exercise can last from 1-2 days to 6-8 weeks and really gets hands-on from a technical perspective, challenging an organization’s ability to sense and react to sophisticated attackers. Following detailed planning and establishing rules of engagement, EY’s Red Team conducts active attacks against the organization that should be detected and responded to by security monitoring and response teams. Participants undertake the technical actions they would do to defend and eradicate the threat. The exercise typically involves a series of social engineering/ external penetration activities to gain a foothold, followed by internal lateral movement and escalation of privileges in order to access trophies — all while avoiding detection.
• Options — There are three typical approaches we take to these dynamic exercises:

1. Technology-enabled simulation — A scenario is agreed in advance and leverages prepositioned internal and external systems to execute scripts that emulate attack scenarios.
2. Purple Team exercise — Predefined scenarios are jointly developed by EY’s Red Team and the client’s Blue Team and executed together, allowing live collaboration, which drives communication and coordination.
3. Live war game — EY’s Red Team develops and executes predefined scenarios without detailed collaboration with the client (basic rules of engagement and target trophies are agreed), allowing the client’s Blue Team to react in real time – all the time observed EY.

• Primary objectives — Test the security monitoring and incident response capabilities of the organization’s security operations center (SOC).
• Target audience — CISO, incident coordinator, incident response lead, investigations lead, technical professionals, cyber threat intelligence, and security operations (this may be extended to include the full incident coordination team, depending on objectives).