April 2020 Bank Secrecy Act / Anti-Money…
With the constant growth and complexity of cybersecurity attacks as well as the introduction of Internet of Things (IoT) developments, implementing appropriate cybersecurity measures has become imminent.
High expectations are set from organizations, markets and regulators to protect their internal assets as well as their customers’ information. Companies are more and more looking at developing and optimizing their incident response capabilities in order to strengthen their incident response and preventative security postures towards a constantly evolving threat landscape, and to minimize the risk incurred.
The cyber incidents occurring throughout the current year have shown that companies need a robust and effective prevention and Cyber Incident Response capability. Moreover, in order to prevent cyber incidents, it is of utmost importance to ensure regular incident response capability is tested and reported efficiently.
Furthermore, we expect governments and regulators to further mandate organizations to organize Cyber Incident Response Exercises. Globally, SWIFT is asking all its users to test their Cyber Incident Plan on a yearly basis as part of the Customer Security Program. In the United States, NIST SP 800-53 requires federal agencies to test their system’s contingency plans at least annually, and a few states are asking companies to document a cybersecurity incident response plan (e.g. NYDFS Part 500). In Asia, institutions such as Certified Risk Management Professionals (CRMP) and ICAST are imposing on financial institutions and regulators (Monetary Authority of Singapore and Hong Kong Monetary Authority) to perform incident response exercises regularly. Also, specific regulations such as the Payment Card Industry Data Security Standard (PCI-DSS) require conducting incident response exercises on a frequent basis. At national level, several European countries and other countries such as USA, Canada and Qatar are conducting incident response exercises to test their incident response capabilities (i.e. Cyber Europe 2016: multi-event cyber exercise that involves more than 700 cyber-security professionals from 30 EU and EFTA countries and over 300 private and governmental organizations, and STAR 5 exercise in Qatar…).
In this article, we provide an overview of the different types of incident response exercises that can be organized as well as some insights into the key success factors and pitfalls for organizing these exercises.
Before delving into the specifics of an incident response exercise, it is useful to remind us of the need to establish a documented Cybersecurity Incident Response Plan. Responding to a cyber-incident can be quite challenging especially if not properly planned. The objective of this plan is to define the typical structure of the response, usually along the lines of the following phases:
The cyber incident response is a continual process where preliminary preparation is needed in terms of cybersecurity resources readiness. Whenever an event occurs, and once the presence of an intrusion is properly identified and classified as an incident, its impact is assessed and containment measures are deployed in order to temporarily reduce the incurred risk to an acceptable level. The incident is then eradicated, its root-causes are analyzed and the remediation actions are defined. After that, targeted and faulty systems or applications are recovered, remediated and restored into operation. Lastly, the details of the incident are reported to relevant parties, logged, and the incident is closed.
In that regard, a cyber incident response plan needs to be established and adequately tested and maintained, in order to ensure proper incident detection and prevention.
Incident response exercises enable organizations to test their incident response plan and their ability to properly react and respond to cyberattacks. Through emulation of cyberattacks, organized by an authorized group of people called the Red Team (RT), organization can prepare and coordinate their response. The objective of an Incident Response Exercise is to identify whether roles, responsibilities and protocols are fully understood by all stakeholders in a practical real-world manner, in addition to helping identify which threats are most relevant to the organization’s business.
If properly executed incident response exercises ensure the following:
Incident response exercises can vary in form and complexity, depending on the organization’s industry, size, type of business and maturity. In the event of conducting an incident response exercise, key stakeholders (i.e. information security team, incident response team…) are invited to sessions supported by an experienced trainer. Sessions are made dynamic using videos, laptops and communication as needed to fulfill the exercise. Incident response exercises can be categorized as follows:
Tabletop exercises are the simplest. They have a small training audience and a list of very well-defined objectives. In this type of setups, communication between different players is made easier and helps to establish the business processes associated with planning, executing, and training during an exercise. Injects are hypothetical, pre-coordinated, and written down. Many organizations use tabletop exercises to establish relationships and share information with other organizations, partners, or countries, to test the readiness of response capabilities and to raise awareness. Tabletop exercises are suitable for organizations that need to validate processes or train personnel. Injects can be either directed at the company (would need a preliminary of the company’s architecture and organization), or completely hypothetical (in this case the trainer would target it to a mock organization). It is important that tabletop exercise have a mixed audience with different company’s departments and/or functions (e.g., IT, Risk, Legal…).
Hybrid exercises include scripted and live events, in order to increase the realism of the scenario. In this type of exercises, the RT simulates real-time scenarios and the planners pre-coordinate real-life injects or scenarios to be executed during planned scenarios. This type of exercise can include multiple organizations and the coordination and planning of such exercise necessitates approximately 3 to 6 months. Hybrid exercises are most suitable for organizations familiar with inter- organization exercises and dotted with a clearly defined set of objectives.
Full live exercises are based on real events in order to increase the realism and training opportunities for the target audience. Exercise facilitation is made by the exercise planners along with a “Red Team” that executes real events against pre-determined targets. Injections can be made as the exercise progresses, creating a dynamic scenario, and simulating real-time attacks. The realism of exercise injects and of the training audience responses are key success factors to this type of exercises. Full live exercises are suitable for mature organizations that have previous experience in conducting such dynamic tests, and that wish to strengthen their incident response plan.
According to our experience, Incident Response Exercises are essential to test the real response capabilities of the organization. Below we list some of the key success factors & pitfalls.
Incident response exercises require preliminary preparation and planning. This involves the following phases:
In order to come up with an effective incident response exercise, planners must make sure to avoid the following:
“The Northstar Collective” is a fictional hacker collective, which utilizes zero-day exploits and tailored vectors of attacks. For this specific exercise, the collective has targeted a financial institution by a number of coordinated attacks including a DDoS on their Internet Banking Application, a DNS Hijack, a SWIFT fraud and an encryption attack (using WannaCry). Related to this scenario, there is a number of questions that companies may need to address:
In the context of the creation of new Oil & Gas Joint-Ventures, Sia Partners organized within a two week timeframe an incident response exercise, aiming to make all stakeholders familiar with the incident response plan that was freshly developed, to raise the required awareness around that plan and to facilitate communication between different stakeholders. Ready-made videos and quizzes were used in that regard, for facilitation purposes.
A major take away from this exercise was to have people sensitized about the impact of information security incidents in industrial environments. People are often too focused on their business-as-usual activities (oil spills, power outages…) and therefore fail to recognize the impact that can be caused by a cybersecurity breach.
As part of its CIO Advisory practice, Sia Partners assists private and public organizations in testing their incident response plan and capabilities.
Relying on a pool of highly qualified resources dotted with an international subject-matter expertise as well as a deep knowledge of latest best practices and regulatory requirements, Sia Partners offers incident simulation exercises adapted to each organization’s environment, in line with the latest threats landscape.