Cybersecurity Tabletop Exercises: Ensuring Tangible Success in a Virtual World
The following is the transcript from a live Cyber Insights webinar, broadcast by Apptega on Tuesday, September 1, 2020.
Hello everyone and welcome to our broadcast. I’d like to thank you for joining us today for a timely discussion that will focus on ensuring tangible success with virtual cybersecurity tabletop exercises in our new virtual world.
We’ve got a great panel lined up, providing insights and recommendations:
- From a government perspective, we have Ben Gilbert, who is one of the Cyber Security Advisors with the Cyber Security and Infrastructure Security Agency.
- Representing the private and commercial perspective, we have Mark Houpt, the Chief Information Security Officer for DataBank.
- For the consultant perspective, we have Ronnie Munn, the Chief Information Security Officer for one of our MSSP partners, MCPc.
Good afternoon, everyone. As mentioned, my name is Ben Gilbert. I am a Cyber Security Advisor with the Department of Homeland Security’s Cyber Security and Infrastructure Security Agency. To those who are not familiar with us, we are the newest agency in the federal government. The president signed off on the Federal Information Systems Safeguards Act of 2018, which formed us as the newest federal agency under DHS. As a cybersecurity advisor, I am essentially the boots on the ground, face-to-face touch point with CISA. And I act as an advisory CISO to many organizations, both within the public sector and private sector space. And I help them understand cybersecurity capability and capacity efforts within their organizations. As a program, we are currently at 24 cybersecurity advisors across the country.
And we’re set to double that number over the next year. Having said that, 24 isn’t a very large number, particularly when we’re talking about a national effort. And though we are a relatively small team, we have immense reach-back capability into many different cybersecurity services, most of which are at no cost. And these services are offered to both the public and private sectors, in an effort to strengthen the cybersecurity capabilities of those organizations and ultimately that of our nation. So, we are defending our critical infrastructure against various threats that we face today while working with all levels of government, private sector and academia to help safeguard and secure our critical infrastructure against the threats of tomorrow. Our mission at CISA is simply to lead the national effort to understand and manage risk to our nation’s critical information infrastructure. This includes acts of terrorism, catastrophic accidents, extreme weather, pandemics, such as the current pandemic we’re in now, as well as the risk of a cyber-attack. For this reason, we have coined our agency as the nation’s risk adviser, and as the nation’s risk advisor, we can do more to advance the national risk management agenda than any other single agency in the U.S. Government right now. When it comes to managing the risk of cyber-attacks, one critical aspect of that is preparing for how to effectively respond to a cyber-attack and minimize disruption to operations, particularly in the current environment we are in. And nothing speaks truth to this more than planning for response to a cyber incident and practicing what we plan through forums such as this forum that we’re in, running through cybersecurity tabletop exercises and having a dialogue on cyber-response efforts, particularly when it comes to how organizations respond to cyber incidents in remote working environments, which brings us to today’s panel.
Good afternoon, good evening and good morning, wherever you may be. My name is Mark Houpt. I am the Chief Information Security Officer at DataBank. DataBank is a large-scale data center provider that’s located in nine edge markets across the United States. We operate 20 different data centers within those markets. What DataBank likes to provide to our customers is what we call future-proof platforms, where we offer the opportunity for customers to have highly secure environments that will allow them to look into the future and plan for the future while DataBank works alongside them to ensure that their IT needs are met so they can focus in on their primary business needs. We offer co-location services for those customers that are looking to move their enterprise environments into a world-class data center and still manage the platforms and hardware themselves. We offer infrastructure as a service for those that would like an organization to not only move into a data center, but also take over some of the critical functions of hardware and network management. And then we also offer the traditional platform as a service cloud offering where DataBank monitors, maintains, and manages the infrastructure, as well as the operating systems that your applications sit on. We have over 1,500 customers across these data centers, and we are well capitalized, financed by venture capitalists and other organizations like Colony Capital. So, DataBank is here for your needs. And I am here to advise you as a customer if you were to come on board with DataBank. And that is one of the pleasures of my job: serving as someone who can advise our customers on proper security methodology and implementation.
Good day, everyone, and thank you for having me. My name is Ronnie Munn and I’m the Internal CISO at MCPc, and I also run our digital forensics and incident response program for our clients. And I’ve been with my organization going on 10 years now. A quick elevator pitch about MCPc. We are a global data protection company that strives to improve the security and wellbeing of our clients. And we have one simple goal, and that’s to protect your data. In order to do that, we help manage the complexity and sustainability of technology and employee performance, and ultimately reduce business risk. Whether we do it through MSSP services, advisory services, hardening, or something like incident response, we’re here to help. As part of our preparation practices for our customers, my team conducts many proactive exercises, and these typically include regular tabletop exercises, execution of runbook workflows and even red team / blue team exercises with full integration into your incident response programs. And my goal specifically is breach prevention as opposed to breach response. I don’t prefer the response side, even though I do quite a bit of it. I often wear that Grim Reaper hat, and you definitely want to take advantage of scenarios like this to put yourself in that breach prevention category. So, very happy to be here today. And I hope that my experiences can provide some insight and guidance that everyone can adopt within their organization.
So, as we get into the discussion here, we’d like to start out by asking all the attendees to participate in a quick poll question, and you should see it on your screen now. It says, “Which best describes cybersecurity tabletop exercises in your organization?” And we’ll ask you to select all that might apply. So, select A if you regularly conduct cybersecurity exercises, such as annually. B if you conduct cybersecurity exercises, but on an ad hoc basis. C if you’ve not conducted a cybersecurity tabletop exercise before. D if you’re planning to conduct one on a virtual basis. Or E if it doesn’t apply, or you’re not sure.
Download your Cybersecurity Tabletop Exercise Template
Topic 1: Preparing to Lead an Effective Virtual Cybersecurity Tabletop Exercise
I hope everybody understands the importance of this topic. We’ll have a couple of different sessions throughout this webinar that explain the importance of it for your organization. But it’s about understanding what those protocols are and talking through these scenarios ahead of time, because the last thing you want to be doing as an organization is trying to make very critical business decisions around cyber incidents or breaches in the height of a crisis or a high stress, high tension situation. And during the pandemic, in conducting these virtually, a couple of things became clear to me that are both positive, as well as negative. On the positive side, these exercises are much more realistic in nature compared to gathering everyone in a war room or situation room to be able to just talk about it. When most incidents occur, they’re often run remotely, as executives and key players are rarely available at the same time and in the same place. And conducting these virtually kind of emulates that real-world scenario much more than the group gathering and having everybody in one spot together face to face. Communicating with key resources operating remotely is one of the most common scenarios that I deal with regularly. Next, preparation of the video meeting in terms of logistics and coordination, sending out appointments, is much simpler and more cost effective than traditional meetings, especially when you have team members that are required to travel and come on-site to participate. And you also don’t really get too much pushback because everyone’s kind of working from home and their schedules are easily aligned. The final positive is that recording the session is as simple as pushing a button, and it can be played back for people who are unable to attend.
However, on the negative side of things, it’s a lot harder holding people’s attention. It’s easier for them to multitask and have personal distractions and not be fully present. And we must adjust our approach to accommodate this. There’s a popular saying that I use at the start of my cybersecurity tabletop exercises: loose lips sink ships, and tight lips sink meetings. And based on this, we now need to conduct our sessions in a different manner, preferably with one instructor and one moderator. Our instructor will tell the story, set the stage, try to keep everyone’s attention with a narrative, inserting plot twists, and interject to keep them thinking and really test their practices with unexpected scenarios that really do happen. And these interjections, as an example, are real scenarios that our team has lived through during previous incidents that we’ve run. And that takes me to my next point, that these things are best taught by the people who live them and breathe them every single day, as opposed to trying to follow some special publication.
Next, the moderator will call on people very strategically, especially if they feel that they’re losing someone’s attention. We’ve also run into some challenges gathering people’s feedback or edits for runbooks and workloads, things of that nature. Previously, we would have had the participants fill out a red, yellow, or white card, depending on the identified risk or suggestion, and even make edits directly to the runbooks. We would then gather the cards physically and draft out our edits and reports. Leveraging them virtually is a little tougher, though, but doable. We’ve tackled this by creating Kanban boards that capture the cards as they’re discussed, as well as electronic surveys afterwards for the participants’ feedback. And then lastly, we’ve developed a scorecard that we use to summarize the exercise. It contains things like ratings for participation levels, results of the survey, and a summary of all of the risks and gaps with suggestions identified in the exercise, and this helps encourage participation and feedback to continuously improve those exercises and tailor them for each client.
I’m going to echo a lot of what Ronnie said in the sense that you really do need to be prepared, and part of being prepared is looking for those things that might be the landmines. Doing an exercise like this in a virtual type of situation, like Ronnie said, is probably about the most realistic way that you could conduct an exercise like this. But one of the things that we need to do is take a look and make sure that our teams have all the tools necessary to do that. So, you see right here on the screen that there’s a download for your Seed Test. That’s one of the important things to consider whenever walking into a virtual tabletop type situation. Do your teams have the software tools that are capable of allowing them to connect? Do they have the bandwidth that allows them to connect? And more importantly, do they have alternate means of connection? Even right here on this virtual tabletop webinar, as I am a speaker or a panelist, I have my alternate setup ready to go right now. And we need to always be thinking about that alternative capability, that alternate set up. In fact, I would even inject into the virtual exercise a situation where a failure of the primary means of communication occurs. For example, maybe you inject into that virtual exercise and cause, or play as though, the internet has become unavailable and everybody has to switch over to their phones. Or if you’re doing your cybersecurity tabletop exercise on Zoom, maybe Zoom has been impacted by the event that is causing your own outage. And now you have to move to a different type of mechanism like Microsoft Teams or even doing a simple conference call.
So, preparing to lead an effective virtual exercise also means not forgetting to envision what problems could occur during the real exercise. Lots of times, those of us that are leaders in this space simply sit down and plan, but do not plan for the failure. And we need to be planning for that failure. So, consider that as part of your processes moving forward, even so far as considering the possibility that individuals will become completely unavailable or not available during the exercise, and you have to bring someone else in. For example, if your CISO is not available, or your CISO gets harmed or injured in the role-play during the event. Or maybe your network team lead, who is trying to restore the network systems, accidentally causes a situation where he or she is harmed and out of action. How do you replace that person? So again, preparing to lead an effective virtual exercise means making sure that your mindset is actually in the mindset of a situation going on that could actually cause the virtual situation to occur.
Emphasizing the importance of preparing to have an effective virtual exercise, I wanted to add just a quick short story here in that sense. Just recently we conducted a nationwide election cybersecurity tabletop exercise with our state and local elections offices. We’ve offered this in past years to state and local elections offices. We typically offered it in more of a hybrid form, and by hybrid, I mean both in person and in a virtual environment: in person within the state and conducted virtually as the host of the exercises across the country. And this year, we actually conducted it fully virtual for the first time. This was a little complicated; we actually had to use two different platforms. We had an Adobe Connect session running as well as a WebEx session running at the same time. One was used to host the plenary portion of the exercise and the other was used for breakout sessions. While it worked pretty well, I would say there’s definitely some lessons learned that came out of this. And again, just really foot stomping the importance of being prepared. Some of those lessons learned were, for instance, ensuring your end user workstations are actually able to run both of the web conferencing applications. There are obviously the bandwidth considerations too, whether you’re going to include video or just doing this through audio only. We actually did a combination of both audio and video, which is kind of interesting, and it seemed to work for both parts, but there were some hiccups we ran into. And lastly, training the end users on those platforms, especially if you’re talking with folks that are not technical and they’re not familiar with a lot of these technologies. There can be a learning curve to these technologies. So, it’s important to provide a user guide or some form of training, especially when you’re preparing for a virtual cybersecurity tabletop exercise.
Topic 2: Promoting Engagement of Participants During the Cybersecurity Tabletop Exercise
I’ll just point back to the experience we had with the tabletop exercise we held this past summer. I was one of the facilitators or, I should say, moderators of a portion of the tabletop. And there were some lessons learned that I definitely got out of it, especially when you’re working in an environment with staff that are nontechnical in nature. They often tend to not want to comment or provide feedback, so it’s really important for the facilitator of those exercises to be as inclusive as they possibly can be, encouraging that participation, especially if there’s no video. When you’re holding cybersecurity tabletop exercises in an in-person setting, you have the ability to read the room. And you tend to lose that capability, especially if you don’t have any video of the end users in a virtual setting. It’s really difficult to read the room and determine if folks are understanding different concepts and so forth. So, in order to counteract that, you want to try to be as inclusive and as interactive as you possibly can. Call on participants to garner that participation, especially those who are either being quiet or reserved. Try to get their insights and what they think and what their thoughts are on specific topics.
I’ve run quite a few of these during the pandemic, and I can’t over-emphasize Ben’s point about the video and reading the room. It’s extremely hard to get people to pay attention in any meeting, but when they aren’t in the same room, it’s especially difficult. And it’s very concerning when you’re walking through an extremely detailed or technical process, and the moderator asks an individual how they would approach this situation and they get a response back like “I’m not sure I follow you”. And what I really hear is, “I was looking at this new meme and wasn’t paying attention”. So, we implemented a no dead air policy that will keep the conversation rolling and on point on our end. We’ve also encouraged at the start of the exercise a safe zone, so that nobody feels they’ll be punished or humiliated for speaking up with ideas or questions or concerns, because a lot of the time when you conduct these, you’re putting senior leadership in the same room with some of the technical resources, and there’s some reluctance on their end to participate fully because they’re afraid of what it could mean from a disciplinary standpoint or something to that effect. So, we do this by creating an experience of shared responsibility early in our presentations, and that everyone’s perspective and feedback is absolutely critical for the success of the whole. When we start to recognize a couple of individuals that seem to be distracted, or may have stage fright, our moderator will immediately start asking them some very basic questions and assign very simple paths that pertain to the scenario to begin to tease participation out of them. Once they realize that there’s nowhere to hide, we will have their attention moving forward; it’s kind of that Hawthorne effect.
I use this all the time, where things show immediate improvement simply because people realize that you’re watching them. So, calling them out, to Ben’s point, is extremely important. Keeping them engaged and active in the conversations is important to make sure that we’re flushing out all of those gaps and risks and really taking advantage of this exercise. And at the end of the day, the exercises have proven so much value virtually, from my perspective as a consultant, that we’re going to continue to have the remote option available to them even after the pandemic.
So instead of just parroting what the other gentlemen have expertly and absolutely correctly said, I’m going to give you a couple of different suggestions for you as the cybersecurity tabletop exercise leader and the one that’s actually bringing the tabletop exercise to the environment. So first of all, I would do a lot of planning in advance, and I would clearly set the expectations with not only the people that are participating, but the managers of those people that are participating. During this period of time, you’re going to create a bubble, if you will, where these people that are part of the virtual tabletop exercise are only allowed to be bothered, conferred with or distracted through a proper process of interaction if there’s a corporate emergency or an outage that needs to be addressed. And I would create that path for escalation, allowing the managers of the people that are involved to be able to come to a single point inside of your team, where they can raise those flags and say, I need so and so, or, I’ve got this type of event going on and we need these people to come outside of the virtual tabletop and do so.
So, create that protective bubble around your virtual tabletop and prepare for that weeks in advance, not days or even moments in advance. Doing so will allow these managers to properly address workloads and be able to identify the people that would be best inside of the virtual cybersecurity tabletop exercise. Another suggestion for the leaders is to actually do some homework and some of the practices themselves. They can do this in a couple of different ways. One of them is going out and looking at education sites. And I do mean academic education sites. Perhaps even reviewing or taking a course on how to teach virtually or how to teach an online course, how to create the syllabus as well as deliver the content. This is something that the academic environment has been trying to learn and master all the way up and down the pipe; everyone from low level schools to the higher education academic environment has been learning how to deliver things and grasp people’s attention over the virtual medium for 10 or 15 years now.
So, there are a lot of resources within the academic environment, within universities, that will teach people how to communicate and how to effectively hold attention spans. Next going down the list, I would ask you to have people actually set aside and turn off their communication mediums that are not necessary, such as the instant messaging tools or even email, and possibly even put their cell phones on mute or something, and actually take deliberate breaks during the process for people to go and check their email, for people to go check their Slack or instant messaging communications. Communicate with the entire organization that the tabletop is happening, so they don’t feel like someone is being left out. And so they can also be respectful, just like the managers are. They can be respectful of the people that are inside the virtual tabletop and set the stage for how important this is for the entire organization.
I think right now, with COVID and the election coming up, with all the turmoil that’s going on this year that nobody expected to happen, we have people’s attention. And we have the opportunity to tell people within our organizations that we have an absolute need to do this. This is an important thing for our organization to sustain our employment, to sustain our business, to sustain our activities, and people will listen right now as a result. So, take that opportunity, engage it, learn how to use it and embrace it.
Topic 3: Internal Exercises, Hybrid Exercises and External (Client Paid) Exercises
I’m going to take the internal and the hybrid exercises, and I think Ronnie is our subject matter expert on the external client paid exercises, although I will mention it slightly. So, every single organization, regardless of how big or how small you are, I don’t care if you have two people or you have 2,000 or even 20,000 people, you need to conduct an internal virtual cybersecurity tabletop exercise, as well as other events. And why is that the case? Well, all we need to do is look at the last eight months and we understand why. We need to understand how to respond rather than react to a pandemic for example. We need to understand how to respond rather than react to a cybersecurity event, like a DDoS type of event that could happen against us as a result of the pandemic. And so, these internal exercises are entirely our own people on the inside. We would take people from various departments and various teams who would fill the roles that are defined within your business continuity plans or operations plans, your disaster recovery plans, or your information security contingency plans, depending on what types of plans you have or how many of those you have. You would take people from each of those teams to role play what would happen within your organization. And when you do that, you need to bring these people in. Sometimes you’re going to be bringing in rather low-level people who might be afraid to engage or might be afraid to step out for fear that they don’t know what’s going on, or that their position would prevent them from stepping out. But the very first thing that you need to do on an internal exercise is make it clear that there are no titles per se, and that there are no boundaries per se, within this internal exercise conversation. We are here to succeed at having a tabletop exercise that will result in the organization being able to move forward in the future.
So, people need to have the clarity and understanding that they can step out of their traditional titles and potentially have a junior security engineer fill the role of the Chief Information Security Officer and making decisions. So, he or she knows what that feels like and what they may have to do in the event that the CISO and other Security Engineers are not available when a real event occurs.
Hybrid exercises on the other hand are significantly an internal type of event, but that’s when you start bringing in other organizations, other parties. For example, if you have a SAS product that you utilize, that’s a critical function within your organization, that you can’t run your business without, you may ask that provider to be a part of all or a portion of your exercise. So, for example, I work at DataBank, we are a data center provider. As I identified many times, we have our customers invite us and ask us to be a part of their virtual cybersecurity tabletop exercises to ensure that they are in a smooth operational state when it comes to interacting with DataBank to restore services, or to ensure that we have an understanding of their plan in the event that something happens in their facilities. So, this hybrid exercise may cost you some money because many providers are going to ask you to pay for their time and effort for participation.
So in planning a hybrid exercise, what I recommend a lot of people is to do their internal exercise and spend two hours of a three hour segment doing the internal exercise and then shift to a one hour or a 30 minute segment that is a hybrid exercise. So, you can maximize your dollars, but at the same time, minimize the cost and time of the individuals from the outside organization that’s supporting you. So, when you bring in that outside organization you would sit down and say, okay, we’ve done all these things up to this point. Now here’s a quick brief and here’s how we would like to see the provider interacting with us during these scenarios. A quick example… Just the other day, we conducted a DDoS incident response virtual tabletop exercise. It was 30 minutes in length to prepare for what may occur over the next two months as we lead up to the election. If you’re not familiar, there is a very real threat over the next two months in the United States for cybersecurity attacks in particular DDoS type of events trying to interrupt things that are going on within the United States. So, we sat down and we prepared for that. And we brought in a couple of key customers and had that conversation with them focusing on how we would interact with them, how we would re-route their traffic, what type of protections we have in place that would prevent us from having to re-route their traffic and so on and so forth.
I want to focus more specifically on a hybrid approach including your external partners. And this is particularly important when you’re focusing on one of the top threats out there – ransomware. When it comes to ransomware attacks that old adage ounce of prevention equals a pound of cure, that can’t be stated, strongly enough here. And in particular with events such as ransomware, it’s almost inevitable. As an organization, you’re going to have to include external partners, whether that’s your third-party cyber insurance providers, or law enforcement – federal or state law enforcement, or your outside vendors. Or maybe you’re a subsidiary of a parent company and you’ll need to need to involve them at some point when you’re dealing with a significant cyber incident such as ransomware. So, it’s really important to be able to build that into your planning efforts for cybersecurity tabletop exercises. Mark brings up a great point. Often when you’re including your partners, there is an added cost associated with them. And those expense can be cost-prohibited. So maybe an area to consider is, rather than bringing in your external partners, maybe turn that portion of the tabletop exercise into a more informal workshop session where you can just simply have a dialogue with those external partners focused on understanding their capabilities. This is very important, especially if you are in an environment where there is an operational technology or industrial control systems involved. Oftentimes we have seen that folks will rely on their third-party vendors, or maybe their cyber insurance provider to bring in a third-party team to respond to an incident and that third-party team may or may not be well-versed in your infrastructure. They may not have a full understanding of the operational technology or proprietary, on-site technology. 
So it’s very important to bring them in, let them understand what your true operating environment looks like, so they are prepared to help you effectively respond.
From the consultant’s point of view if I can write memoirs, I probably would make quite a bit of money on them. The farmers insurance slogan of “We know a lot, because we’ve seen a lot” couldn’t be more applicable to my team. 95% of everything we deal with was 100% preventable when it comes to a full-blown incident or an actual breach. And that’s what the purpose of these exercises are intended to do. When we run these exercise the scenarios are in the mindset that we’re trying to flush out the risks and the gaps to the organization, and really look for those “gotchas”. Mark couldn’t have articulated it any better than he did and he made one very important point that I’d like to emphasize – an ounce of prevention is worth that pound of cure based on the number of scenarios that I’ve been a part of from an incident response perspective. And the ability to avoid the situation altogether is mind boggling, right? And these scenarios, as we conduct these exercises, are designed to help expose the key decisions. Understand where those gaps and risks are coming from. And one of the biggest challenges that I get as a consultant, especially from the technical audience; they always want to challenge the narrative. In order to have a cybersecurity incident, you have to assume a failure of a control of some kind, whether it be a process, meaning somebody forgot to enable MFA on an email account or via tactical control. Hey, the CDR that we have in place was compromised from a vendor management perspective, and then all our agents, because of a cloud service, were disabled on our end points. But the technical folks always want to challenge the narrative. They think because they’ve got firewalls, they’ve got this tool or that technical control in place that their organization is Fort Knox. It just couldn’t happen. It’s not plausible. I don’t believe it. And if and incident did happen, I have this safeguard that’s going to kick in. 
Well, the reality is that there are a lot of bigger organizations, a lot more capable and mature organizations, that are getting breached on a regular basis, and controls are failing for them all the time. The bad guys are better at working from home than we are. And the reality is that you’re going to see even more during this election season. From my conversations with the FBI, they’re expecting a 400% increase in the next two months. You guys should have conversations around the what-ifs and how I can avoid those. And then, as it pertains to tying into your third parties, when do we hit the big red button?
Is it covered under our SLA? To Ben’s point and Mark’s point, are there any additional costs associated with participation? Do we need to get approval from somebody to hit that red button? Where do they sit in our management plan? And how are they going to execute it? Which responsibilities are clearly assigned? So, I think of it from a digital forensics perspective. Can we capture those forensic copies to be able to do that analysis ahead of time, to understand how they got in and what else they took? Was there exfiltration? Do we have an obligation from a regulatory perspective for any type of disclosure? And with the identification of the gaps during these exercises, are we going to buy that kind of risk transfer or mitigation, or are we going to try to build it internally? And maybe there’s an approach in which we can leverage somebody to cover those gaps while we start conversations around building internally. But at the end of the day, we’re thinking about it. We’re talking about these scenarios ahead of time, and we’re not going to get caught with our pants down when these things happen. So, I can’t stress this enough – during your cybersecurity tabletop exercises, force the concept of not challenging the narrative or premise of the incident. A control of some kind must fail. And we don’t assume that your controls are invincible. That’s the most important point that I can make during this conversation today.
So, folks, as we transition over to talking about plan activations, we’re going to ask everyone to participate in another polling question. You should see it on your screen now, and it says, “Which best describes your cyber incident plan activation status?” And again, please select all that apply to your organization. So, A, if you have activated a plan or plans prior to shifting to working from home. B, if you’ve activated a plan since shifting to working from home. C, if you’ve not activated a cyber incident response plan at all. And D, if this doesn’t apply or you’re not sure.
Topic 4: Plan Activation – Relying on Muscle Memory and Documentation
I think what you’ll see is that Mark and I have very different approaches to this particular topic, Mark coming from the military-side perspective, and then me coming from more of the consulting perspective. I absolutely agree that the right answer is probably a blend of the two approaches, but my personal opinion is all around muscle memory. When we’re talking about incident response, we’re talking about your organization’s capability in two areas: the time to detect a threat and the time to contain it. So, these exercises are meant to build the muscle memory so we can detect and contain very, very quickly. And my reluctance to rely on documentation is from one perspective. I usually get called in when things have already gone sideways and people have missed the cues, or they didn’t follow the instructions. And if they’re pulling out a document and they’re trying to paint by numbers or follow step-by-step instructions, that becomes slow and inefficient. In a ransomware scenario, we need immediate action, right? We can’t have somebody trying to find documentation, pull it out and try to follow it verbatim like an SOP of some kind. And in terms of actually keeping track of those documents, I have just an example that we dealt with recently.
I had a ransomware incident, and it was a response call from a manufacturing organization. And often the very first thing that I ask for from our clients is a copy of their cyber insurance policy. And in this particular case, the client was a subsidiary of a parent company, and the insurance was held through the parent. We needed to know what their coverage was, and if there was anything that would prevent them from leveraging our services, or if they had to use a specific provider, or if there was a breach coach of some kind they could call on. We need to know who’s going to do containment, who’s going to do eradication and who’s going to do recovery. So, I didn’t want to engage right away, for several reasons. And it has implications on the insurance claims getting paid if they move forward with us and then their cyber insurance company says, “Hey, we always go to these IR providers.” So, we didn’t want to just engage right away, even though wasting time is an obvious problem – a ransomware outbreak can affect 10 servers in a matter of minutes. And if you wait an hour or two, you could have thousands that have been infected with ransomware. So, we asked this organization to call their parent company to find out who the insurance provider was and get the coverage, limitations and exceptions from their cyber insurance policy. About 40 minutes later they came back in the room with very pale faces and said, “Hey, I can’t give you that information.” We let them know we’re going to need that in order to move forward, or you’re going to have to make a business decision to take the risk on working with us.
We’re here. We can get started. We can help you right away, but you might have a paperwork or a claim problem down the road. They requested that we get started without the insurance information. And I said, if you don’t mind me asking, why can’t you provide this information? And they said, because the cyber insurance provider was ransomwared at the same time. They couldn’t access the information either. There was no way to get that detail over to the IR team. And then, at the end of the day, they had to move forward with a level of risk. Fortunately, it all worked out for the organization – we were already covered. But at the end of the day, it was definitely an interesting scenario highlighting the importance of protecting documentation and making sure that if there are gaps, people know where to find it.
Way back when, when I first joined the military, I had a superior tell me, “I don’t need you to memorize where everything is. All I need you to know is where the manual is and where you can pull it out to get me the answers that I need.” And at first, I thought I had to memorize everything. And the reason for them telling me that is simply because they were using standard psychology. And they said that inside of a situation, when adrenaline is pumping, when fear exists, when there are challenges in front of you, or even physical challenges in front of you, and emotional things are getting in the way, your memory will fail; that is a human piece. So, I very much rely upon documentation to guide me on who to call, when to call and so on and so forth, or on other security technology and tools that are available. So, I have printed copies of my DR/BC plans available to me in my home. I have people that have them similarly in their homes, and we have alternate copies which we secure outside of our environment, inside a cloud environment that ensures resiliency if needed. So, I think Ronnie’s right, without going into too much more detail – there’s probably a good happy medium somewhere in there. But having that documentation and knowing where to find the answers, and being familiar enough with the documentation so that you can pull up appendix D, for example, to find where a call tree is, is absolutely important. And I can go no further than looking at politics in Washington: when public affairs officers get up and do briefs, and they’re having to deal with so many topics, they bring in huge three-ring binder notebooks with tabs on the sides of them, so that they can flip to those sections and those topics as the questions are being asked and be able to smoothly and appropriately answer the question. And that’s the kind of expectation that I have for my teams with their notebooks. They know where to find the information and they can quickly go to it.
Questions and Answers:
One of the questions that came in during the discussion was about resources, specifically asking about things like templates and other documents that might be used to support cybersecurity tabletop exercises. Here at Apptega we actually have a template that we provide to anybody that would like it. We’ll get that out to all the attendees, but Ben, I know you’ve got a slide coming up here in a moment that indicates where some of your free CISA resources are found. And I’m going to jump ahead to that very quickly and put you on the spot. Can you tell us about the CISA resources that might aid people in putting together and facilitating their tabletops?
Yeah. Great question. The short answer is yes, we have a team, and their whole job and role is to conduct all sorts of cybersecurity tabletop exercises. From very large-scale exercises, national-level exercises, such as what we call the Cyber Storm series, all the way down to smaller individual tabletop exercises with individual organizations. And they also provide scenarios, playbooks and planning templates. They can also help facilitate cybersecurity tabletop exercises. They also provide templates for conducting exercises, in addition to various scenarios and so forth.
This screen shows a multitude of different resources. What I would encourage folks to do is visit us at our website. The website is www.cisa.gov. You can learn all about different resources that are available for free. And if there’s one item in particular that folks are looking for, you can certainly reach out to me directly at my email address [email protected]
Great. Ben, thank you very much for allowing me to put you on the spot. So, in the spirit of time, we’ve got a number of really good questions that have come in. I would like to see if we can squeeze in one of these. Hopefully this can be quick and give the other panelists an opportunity to weigh in. And the question is, “What recommendations do you have for determining if your virtual tabletop exercise was effective after it’s said and done?” And Mark, if you don’t mind, I’ll turn to you first.
Sure. So, a couple of ways you can determine whether it’s effective or not: unfortunately, in a real-world scenario, how smooth was it? But you really have to think about that and understand how you can determine how effective it is. Another way to determine how effective it is is using a polling tool or a security awareness tool that will test people’s knowledge. We actually give people a set of test questions and see how they respond. And then there’s always the intangible pieces. Are people talking about it around the water cooler? Are they talking about how wonderful of an opportunity it was to learn how other people inside the organization operate their pieces? Are you hearing negative responses as a result? “Oh, that was too long. It was boring. We just sat there and did nothing the whole time.” Those are the types of things you use as feedback to determine how successful or unsuccessful it was. And then, frankly, you could send out questionnaires or that type of thing to the participants, and also to their managers as well. See what the input was privately during one-on-one sessions behind those closed doors; see what the managers thought of it. Was it a good use of the individual’s time? Did the individual come back and report to their manager that there’s so much that they learned, or “I sat around, I could have gotten 15 emails done instead”? Those are indicators to determine how effective your cybersecurity tabletop exercise was.
Mark’s spot on. I couldn’t agree more with understanding the feedback perspective, running those surveys, getting the anonymous feedback from the participants, and the manager’s perspective to find out if they believe that it’s a good use of time. Here at MCPc we actually create a scorecard from the consultant’s point of view, and we’ve put our professional spin on it. Those are all great tools, but for me, there’s only one real way to determine the efficacy of a test… and that’s to run it again. So, if we run the exercise and we flush out risks and gaps, we come away with a bunch of suggestions. We go back, we incorporate all of that data and feedback into the plans and procedures. And then, within a scheduled period of time, we execute that exact same tabletop again. Maybe throw in a couple of different injects or a couple of different scenarios, but the same premise based on the same type of attack. They’re following the same run books and the same workflows. Then the final indicator of a successful cybersecurity tabletop exercise is Mark’s first suggestion – through an actual event, which I agree with completely. However, I don’t think we want to find out that way, right? It’s much better to run the test again and find out if we’re able to identify any more risks. If we’re not able to find any more gaps, then we continue to mature that by building the muscle memory we discussed earlier. I think those are some of the key indicators of whether or not the organization has truly matured their posture in a particular area.
Excellent. Thank you all very much. We’ve run over, so we’ll go ahead and wind down now and on behalf of Apptega, I would like to thank our panelists, Ronnie, Mark, and Ben. Thank you very much for taking the time to contribute to this. Great, great insights offered by everybody. And on behalf of all of us as the sponsors, I’d like to thank all the attendees for joining us today. We hope this Cyber Insights webinar has provided some valuable insights and recommendations. We also hope everyone has a great afternoon and stays safe and well-protected as we head into the election season here. Thanks again everybody.
*** This is a Security Bloggers Network syndicated blog from Apptega Blog authored by Cyber Insights Team. Read the original post at: https://www.apptega.com/blog/cybersecurity-tabletop-exercises-ensuring-tangible-success-in-a-virtual-world