Cyber security exercises have become more prevalent in recent years. Despite this, many people are not familiar with them. In today's blog on why cyber security exercises work, we'll give you three real-world examples you can learn from and possibly apply to your situation.
Exercises are used to prepare and test a person or group to respond to a specific set of circumstances, like a fire drill for a building or a monetary stress test for a bank. These types of exercises have been around for years. When we consider cyber security, there are generally two types of exercises: discussion-based or tabletop exercises, and operational or functional exercises.
What Are Tabletop Exercises?
Tabletop exercises are good for talking through the who, what, when, where, and how of a situation. Typically during these exercises, a group of people gather in a conference room and work through what might happen in a potential incident. A moderator is used to “set the stage” or describe the scenario. For example, if the primary and backup website servers were to go down, the moderator would ask specific questions about how certain people or groups within the organization would respond to the situation.
Tabletops can be used at any level (management through the individual contributor level) and test what the people know about processes and procedures. This type of exercise can also be good for reviewing documented procedures to see if they work and if there are any documentation gaps.
What Are Functional Exercises?
Functional exercises are used to see how well processes work by testing the people who are supposed to perform them. They test actions as well as equipment, hardware, and/or software. A fire drill is a good example. When the alarm is pulled, the sound should go through the speakers and the lights should blink. People should actually get up and leave the building, and the automatic fire doors should close properly. If people are supposed to gather in the parking lot away from the building, a manager can see if there is a safe area to meet in case of the real thing. A drill will show all of these things.
Functional exercises can be run at differing levels of realism. When less realism is required, certain actions can be simulated (like pulling the fire alarm). Other times, more realism is called for, and something like a small fire is lit in a controlled environment so the fire department actually puts out a fire.
Functional exercises in the cyber security realm are similar: they test people, processes, and equipment where they normally work (like at a desk or a cubicle, as opposed to a conference room). This type of exercise takes more time and effort, and is more disruptive to normal business operations. However, it is a better test of how things would actually unfold during a real crisis.
What Are Some Real World Examples?
Now that you know a little bit about cyber security exercises, let’s take a look at some examples of how they have helped actual organizations deal with real-life situations.
Example #1: Oil & Gas Company
A large oil and gas company performed a cyber security functional exercise that also tested continuity of operations during a cyber incident. In the exercise, a simulated storm destroyed the building where the security operations center (SOC) was housed. From this exercise, the international team manager learned that the personnel work schedule needed for a temporary transfer of operations to his team was not adequate, and made appropriate adjustments.
One year later, a major Category 5 hurricane forced the U.S.-based team to evacuate the primary SOC for a few days. The lessons learned from the functional exercise made it far easier and smoother to successfully transfer temporary operations to the overseas team. Practicing real-world possibilities and working out the "devil in the details" really helps an organization prepare for the worst.
Example #2: CIRT
An international Computer Incident Response Team (CIRT) rehearsed and provided cyber exercises for its customers. These organizations, a mix of government and commercial entities, increased their cyber security knowledge and abilities. They then reached out to partner organizations to spread the word about the effectiveness of cyber exercises. The group sharing of this newly-acquired information increased the overall cyber security level of all the companies and government agencies involved. As a side note, the cyber exercise was specifically designed and performed in a way that minimized ‘embarrassment’ for an Asian country where not bringing shame to your organization is a very important consideration. This shows that cyber exercises can be designed for specific audiences with particular cultural or organizational factors in mind.
Example #3: Fortune 500 Company
A Fortune 500 company performed a cyber exercise in which one of their main enterprise resource planning (ERP) systems was compromised by a malicious hacker who threatened ransomware. Part of the exercise also brought the integrity of their email system into question. During the after-exercise lessons learned session, the finance department participant stated that he was not aware of just how intertwined one particular server of the ERP system was with all of their operations. The public affairs participant also determined that they didn't really have a plan for how to send out communications when email integrity was in question. This illustrates why cyber exercises can and should include groups outside IT security: many unforeseen circumstances and unintended consequences are brought to light.
What Next Steps Should You Take?
If you think a cyber security exercise could benefit your organization, here are some next steps to take:
- Talk to your counterparts from similar companies that have done cyber exercises. Ask their opinion. Was it worth the time and effort? Would they recommend an exercise for your company?
- Ask about who created, organized, and led the cyber exercise for them. Then reach out and ask questions. How much does it cost? How much time and effort will the exercise team need from your company? Will subject matter experts be needed to explain IT and security processes and procedures? How many participants should be involved in the exercise? How long will the exercise take?
- Figure out which type of exercise is right for your company.
- Get your cyber security exercise scheduled for a time that works for you and all the relevant stakeholders at your company. Keep in mind that what works for the security team might not be a good time for other teams, and plan accordingly.
So, here's a recap of why cyber security exercises work, and why you should use them. Although there are other types of exercises, tabletop and functional exercises are the most commonly used today. Cyber security exercises take these and apply them to the cyber world. Instead of talking about the server going down because of equipment failure, the group would discuss how to respond to a hacked server or a ransomware outbreak. A functional cyber exercise might have the incident response team actually go through the process of discovering what happened by looking at fake log data with evidence of a hacker's actions.
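The "fake log data with evidence of a hacker's actions" mentioned above is usually prepared by the exercise team before the drill, and the team wants to be sure the planted evidence is actually findable before asking the responders to hunt for it. The following is an added example, not material from the blog: it builds a small constructed set of syslog-style SSH authentication lines with a planted brute-force-then-success pattern, and then runs the simple check an exercise controller might use to confirm the inject is detectable. Host names, user names, addresses and the `sshd` message format are assumptions chosen for illustration.

```python
"""Constructed exercise log data plus a controller's check that the planted
evidence can be found. Hypothetical example; not the blog's own material."""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def build_exercise_log(start=datetime(2024, 3, 1, 2, 0, 0)):
    """Return constructed auth log lines for a functional exercise.

    Three benign key-based logins are followed by the planted inject:
    twelve failed password attempts for root from one source, then one
    accepted password login from the same source. All values are invented.
    """
    lines = []
    t = start
    # Benign background noise so the inject is not the only thing in the file.
    for i in range(3):
        lines.append(
            f"{t:%b %d %H:%M:%S} bastion01 sshd[100{i}]: Accepted publickey "
            f"for deploy from 10.0.5.{20 + i} port 4{i}000 ssh2"
        )
        t += timedelta(minutes=7)
    # Planted inject: repeated failures from a single source address.
    for i in range(12):
        lines.append(
            f"{t:%b %d %H:%M:%S} bastion01 sshd[2000]: Failed password "
            f"for root from 203.0.113.77 port 51{i:03d} ssh2"
        )
        t += timedelta(seconds=9)
    # The success that turns the failures into an incident worth chasing.
    lines.append(
        f"{t:%b %d %H:%M:%S} bastion01 sshd[2000]: Accepted password "
        f"for root from 203.0.113.77 port 51999 ssh2"
    )
    return lines


# Matches the assumed sshd message shape used by build_exercise_log().
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def find_bruteforce_successes(lines, threshold=5):
    """Return (source, user, failures_before_success) for every source that
    accumulated at least `threshold` failed logins and then logged in.

    Failure counts are per source address and reset after each reported hit,
    so a second campaign from the same address is reported separately.
    """
    failures = defaultdict(int)
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated or malformed line; ignore rather than crash
        src = m["src"]
        if m["result"] == "Failed":
            failures[src] += 1
        elif failures[src] >= threshold:
            hits.append((src, m["user"], failures[src]))
            failures[src] = 0
    return hits


def inject_is_detectable(lines, threshold=5):
    """Controller's pre-exercise check: does the planted pattern show up?"""
    return bool(find_bruteforce_successes(lines, threshold))


if __name__ == "__main__":
    log = build_exercise_log()
    for hit in find_bruteforce_successes(log):
        print("inject found:", hit)
    print("detectable:", inject_is_detectable(log))
```

Run as a script it prints the single planted hit. In a real exercise the same check would be pointed at the full data set handed to the responders, so that a missed finding during the drill can be attributed to process or skills rather than to evidence that was never there.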