CYBER INCIDENT TABLETOP EXERCISE
Facilitated by: <insert name here>
FACILITATOR
• Tell about yourself
• Credentials
• Experiences
• Knowledge
• Notable achievements
• Something interesting about you
EXERCISE OBJECTIVES
• Increase cybersecurity awareness among senior officials of cyber risk management, cyber-related planning, and other issues related to cyber incident prevention, protection, response, and recovery of critical systems.
• Assess cybersecurity integration into an organization’s all-hazards preparedness.
• Examine cybersecurity incident information sharing, escalation criteria, and related courses of action.
• Examine cybersecurity incident management structures.
• Review cyber resource request and management processes.
• The primary goal is to identify gaps in cybersecurity.
ASSUMPTIONS AND ARTIFICIALITIES
• This exercise will be conducted in a no-fault environment and will evaluate the existing plans, policies, and procedures as if players were responding to a real-world emergency.
• Earnest effort has been made to create a plausible and realistic scenario to evaluate and validate the identified objectives.
• The exercise is not to be viewed as a test or inspection of individual performance.
• There is no hidden agenda and there are no trick questions.
• The timeline here does not reflect actual times – ransomware is known to start extremely quickly, as little as three seconds after the file has been executed.
• Realistically, once the IT department has been notified, the majority of the data has already been encrypted.
IOC 1: GONE PHISHING
• 11:00 AM – A <insert organization here> employee reports to the IT department that he received an email from HR directing all employees to update their timesheets in the Employee Timesheet Portal. The employee clicked a link in the email that opened what looked like the portal. However, after entering the user credentials, the employee received an unfamiliar error page.
INCIDENT DISCUSSION QUESTIONS
• Do employees know what constitutes suspicious cybersecurity activities or incidents?
• Do they know what actions to take when one arises?
• What established processes exist for employees to report cybersecurity incidents?
• Would any additional reports or notifications be made? If so, are designated points of contact identified?
• What incident severity level or tier is a suspicious email?
ADDITIONAL QUESTIONS
• What training do you provide in support of your cybersecurity incident response plan, business continuity plan, disaster recovery plan, emergency operations plan incident annex, or other related plans?
• Does your organization provide basic cybersecurity and/or IT security awareness training to all IT users (including managers and senior executives)?
• How often is training provided?
• Does it cover:
  • General jurisdiction, department, and/or agency policy review
  • Roles and responsibilities
  • Password procedure
  • Whom to contact and how to report suspected or suspicious activities?
…CONTINUED
• What security-related training does your organization provide to, or contractually require of:
  • IT Managers
  • System and Network Admins
  • Vendors
  • Other IT personnel having access to system-level software
• Discuss your organization’s reporting mechanism.
• Discuss your organization’s intrusion detection capabilities and the analytics that alert you to a cyber incident.
THINGS TO CONSIDER
• User training – do users know what suspicious emails look like? Are you sure?
• User reporting – do users know how to report an email? Are you sure?
• Alerting and analysis – are there systems in place to notify IT of impending doom?
• Know your network – do you know what is accessible from each device?
  • Inventory, heuristics
• ADKAR – five tangible and concrete outcomes that people need to achieve for lasting change:
  • AWARENESS of the need for change
  • DESIRE to support the change
  • KNOWLEDGE of how to change
  • ABILITY to demonstrate skills and behaviors
  • REINFORCEMENT to make the change stick
IOC 2: NOTICEABLE MASS MAILINGS
• 3:00 PM – The <insert organization here> IT Service Desk receives five reports of emails similar to the one reported earlier. Further investigation reveals that phishing emails were sent to 42 employees across all <insert organization here> departments over a two-day period. The emails directed users to a spoofed website designed to capture usernames and passwords and deliver a payload.
INCIDENT DISCUSSION QUESTIONS
• What is the incident severity level or tier of this incident once multiple spoofed emails are reported? What would prompt a change in tiers?
• What immediate remediation and protective actions would be taken at your organization?
  • Who is responsible for those actions?
  • Have these options been documented in plans?
  • How are they activated?
• Would any additional reports or notifications be made? If so, are the primary, secondary, and tertiary points of contact identified?
ADDITIONAL QUESTIONS
• What are the requirements and/or processes to notify organization leadership of a cyber incident at each severity tier?
  • Are these criteria the same across the organization?
• What resources and capabilities are available to analyze the intrusions?
  • Internally?
  • Externally through government partners?
  • Through the private sector?
…CONTINUED
• What is the role of cybersecurity in contracts with third-party support vendors and crucial suppliers?
  • Have you discussed these types of concerns and risks with them?
• What mechanisms and products are used to share cyber threat information within your organization and external to your organization (e.g. distribution lists, information sharing portals, broadcast messaging)?
THINGS TO CONSIDER
• Does your IT team have an offline disaster recovery plan?
• Do you have a cybersecurity strategic plan?
  • Cybersecurity policies
• Do you conduct regular internal security meetings?
• Do you conduct regular cybersecurity awareness trainings?
• Do you have an incident response plan?
IOC 3: USER COMPLAINTS
• 3:25 PM – The <insert organization here> IT Service Desk receives calls and emails that the file shares are not opening and that users are receiving an error when attempting to “Open a word doc I have always been able to open.”
INCIDENT DISCUSSION QUESTIONS
• What immediate remediation actions would be taken?
  • Who is responsible for those actions?
• Are redundant systems in place if the impacted system is compromised?
• What is the incident severity tier of this event?
ADDITIONAL QUESTIONS
• Do you have defined cybersecurity incident escalation criteria, notifications, activations, and/or courses of action?
  • If so, what actions would be taken at this point? By whom?
• Who would this incident be reported to?
  • Would any additional reports or notifications be made (e.g., to law enforcement for reasons related to public safety)?
  • Are points of contact identified?
  • Would leadership be notified?
• Does the organization report cybersecurity incidents to outside organizations? If so, to whom?
  • What, if any, mandatory reporting requirements do you have?
  • Are these criteria the same across the organization?
…CONTINUED
• What immediate protection and mitigation actions would be taken? Who is responsible for those actions?
• What, if any, mandatory reporting requirements do you have? Are additional reporting requirements in place for the loss of personally identifiable information (PII)?
• At what point in the scenario would you contact law enforcement?
  • Law enforcement relationships
  • What are your expectations of state and federal government?
• Are processes and resources in place for evidence preservation and collection?
THINGS TO CONSIDER
• Be prepared; an incident can happen at any time.
  • Test your backups
  • Test your response plan – being ready for the event and knowing the actions you need to take are key to restoration efforts
  • Do a simulation event
• There are no surefire ways to defend, only ways of mitigation
  • Assess your vulnerabilities
  • Know your risks
  • Risks can be taken; have a plan for each risk you accept.
• Business continuity plan
  • How will you sustain operations while systems are being restored?
  • What is your mean time to repair?
  • Identify CRITICAL systems
HOT WASH REPORT
• List the top three organizational strengths.
• List the top three organizational items requiring improvement.
• Set a plan to meet to discuss improvement strategies
  • Develop highest needs
  • Create a completable list of all improvements needed.
  • Assign tasks and set expectations, goals, and timelines.
  • Consider funding needed, funding sources
• Hot wash remarks/comments.