In this week’s bulletin, Charlie discusses what is covered in basic and advanced cyber exercises and looks at why organisations should consider running more sophisticated exercises.

As cyber attacks continue apace – and having ran a sophisticated cyber exercise on Tuesday – I thought for this week’s bulletin, I would share some thoughts on ‘exercising beyond the basics’. As PlanB Consulting are a National Cyber Security Centre (NCSC) assured Cyber Incident Exercising provider, we run a lot of exercises and are running a lot of introductions for cyber incident management exercises. These mainly consist of a combination of the following:

1. Initial response and how an incident would be escalated within the organisation.
2. Discussion around containment and shutdown of systems.
3. Who would manage the incident and is this different for a ‘normal’ incident?
4. The first incident team meeting.
5. ‘Pay or no pay’ – a ransom demand.
6. Communications (internal and external).
7. Continuity of operations and delivery of products and services.
8. Longer-term issues and recovery.

We usually use a simple ransomware scenario, and the focus is on the impact of the ransomware rather than getting into technical details of how the attack occurred and the impact on different systems. As the scenario unfolds, we mention that senior managers have advised that PCs and work phones should not be used at all, making the point that a cyber attack could prevent you from using any of your systems. This simple scenario and going through points 1 to 8 give incident, crisis, or gold team, a really good understanding of the issues associated with a ransomware incident.

What we are now finding is that clients are coming back to us for their second or third exercises, and they are wanting to play in-depth and more testing scenarios. They also seek to practice decision-making by their senior team and develop communication response strategies.

So, a few thoughts on what advanced exercises look like. Firstly, they require more in-depth and detailed scenarios. I think they also require more nuanced scenarios that provide those responding with more information on which to base decision-making. Providing more information requires senior managers to have a greater understanding of their own IT. When called upon to make decisions, they need to be able to understand the consequences of their actions, knowing that there are often difficult decisions to be made when they have to choose between two bad solutions.

I believe scenarios have to go beyond the basic ‘everything locked out’ solution and consider different scenarios. The following scenarios may be used:

1. A data breach without any ransom demand.
2. Defacement of the organisation’s website (see further details here).
3. Detecting an attacker within your network and deciding how to respond.
4. Incident where you are targeted by a nation-state.
5. Supply chain attack like SolarWinds, where you do not know whether you have been breached but you know the vulnerability applies to your systems.
6. Partner or supplier breach and how the response would be jointly managed, along with coordinating communications.
7. SaaS provider breach.
8. Zero-Day Exploit Response, especially in the absence of vendor patches or known mitigation techniques.
9. Insider threat from a disgruntled employee, especially one who previously had privileged access to systems.
10. DDoS attack or threat of an attack with a ransom demand.
11. IoT or OT attack on the organisation’s infrastructure or production facilities.
12. Specific threat against your organisation, perhaps from a governmental security organisation, requiring enhancement of security and cyber monitoring at very short notice.
13. Recovery planning and understanding the time it would take to recover all systems back to normal.
14. Focusing an exercise, either with the incident team or the communications team, on communications associated with a cyber scenario.

The chosen scenario may depend on the impact you want to have on the organisations and the sophistication and experience of the team being exercised. The style of delivery of the exercise can be made more sophisticated. Many of the first exercises we carry out are a combination of training, understanding of cyber, and exercising. The next stage is to have a desktop exercise with an unfolding scenario and a series of questions and issues for the team to discuss. The final stage is a full SIMEX where the response is conducted in real-time, aiming to make it as close to real life as possible for the team responding. Once you are up and running a SIMEX, the exercise becomes as much about teamwork and leadership as it is about responding to the particular cyber scenario. I would always advise organisations to build up to being part of a SIMEX because if the focus of the exercise is on cyber response, it isn’t always the best format for carrying this out.

In conclusion, once you get beyond the first and basic cyber exercise then you need to start being more sophisticated and using more nuanced scenarios. These take time and preparation but if your incident team has experience at responding to a number of different scenarios, have been exercised using different formats of exercises, and practised responding and making decisions, then this will go a long way to ensuring they are ready to manage a cyber incident.