Thursday, July 25, 2024

What is a Tabletop Exercise (TTX)

Essence of Periodic Cyber Security Tabletop Exercises

Tabletop Exercises (TTXs) take various forms, from internal self-assessments to external, paid engagements. Done well, they are eye-opening for technical teams, managers, leaders, and board members. To be effective, a TTX needs a customized, realistic scenario tailored to your organization, plus preparation and commitment from every participant. The scenario should escalate so that it draws in both technical and non-technical parties, particularly the communications and legal teams. Common scenarios include malware that progresses to ransomware, loss of backups and credentials, failure of the primary communication channels that forces out-of-band communication, and obligations to third parties, particularly customers/consumers. Technical injects may include reviewing logs or losing a key device. Gamification, in which participants take on roles other than their own, helps them understand responsibilities outside their job descriptions.

 

Security Adversaries and Breach Problems

Threat actor groups appear, rebrand, and disappear rapidly from one breach to the next, but their motivations fall into three main categories:

  1. Hacktivists and Terrorists: Motivated by ideology and political bias, these actors generally have lower skill levels and focus on disruption and unauthorized information disclosure (leaks).
  2. Criminals: Driven by financial gains, this category includes actors with a wide range of skill levels, from low to highly skilled, engaging in ransomware and extortion.
  3. State-Sponsored Actors: Motivated by geopolitical and financial gains, these actors possess moderate to high skill levels, focusing on data theft, espionage, and disruption.

Organizations must tailor their simulation approach to their own needs: a risk-based approach that targets the key systems whose loss would drive the greatest operational impact. Insider threats must be considered; a disgruntled employee may already have access to data and environments, and the knowledge to circumvent protections. Interconnection with partners and the wider Internet also extends the attack surface, since a threat actor who compromises one connected system can pivot into another.

 

Skilling and Resource Allocation for Threat Intelligence and Vulnerability Management

The first step in awareness is receiving alerts and notifications from credible industry and government sources on threats, vulnerabilities, and other cyber events. Trusted sources include CISA (www.cisa.gov) for advisories and the FBI's Internet Crime Complaint Center (www.ic3.gov) for filing complaints. Allocating skilled resources to receive and process vulnerability notifications is crucial; a feed nobody acts on is not intelligence. Organizations with an in-house or managed Security Operations Center (SOC) have an advantage: they can triage the volume of alerts efficiently and route each vulnerability to appropriately skilled personnel for prompt remediation.
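As an added illustration of that triage step (example code, not from the original post): the script below parses a feed laid out like the CISA Known Exploited Vulnerabilities catalog, matches it against an asset inventory, and orders the hits so the SOC works the most urgent first. The field names are assumed from the public KEV JSON; the feed entries, vendors, products and inventory are constructed placeholders, not real advisories or CVEs.

```python
"""Triage a CISA KEV-style vulnerability feed against an asset inventory.

Added example, not code from the original post. The JSON shape follows
the CISA Known Exploited Vulnerabilities catalog (assumed fields: cveID,
vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse).
The feed entries and inventory below are constructed placeholders: the
CVE IDs use year 0000 and the vendors/products are fictional.
"""
import json
from datetime import date

# Constructed feed in the KEV JSON layout (placeholder entries only).
SAMPLE_FEED = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleVPN", "dateAdded": "2024-07-15",
         "dueDate": "2024-08-05", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "ExampleMail", "dateAdded": "2024-07-20",
         "dueDate": "2024-08-10", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
         "product": "OtherERP", "dateAdded": "2024-07-01",
         "dueDate": "2024-07-22", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed inventory: what we run, and whether it is exposed to the Internet.
INVENTORY = [
    {"asset": "vpn-gw-01", "vendor": "ExampleVendor",
     "product": "ExampleVPN", "internet_facing": True},
    {"asset": "mail-01", "vendor": "ExampleVendor",
     "product": "ExampleMail", "internet_facing": False},
]


def load_feed(raw_json):
    """Parse the feed text and return the list of vulnerability entries."""
    return json.loads(raw_json)["vulnerabilities"]


def triage(feed, inventory, today_iso):
    """Keep only feed entries that match a vendor/product we actually run.

    Each hit is annotated with the asset, whether the entry is tied to known
    ransomware use, whether the asset is Internet-facing, and days until the
    catalog due date (negative means overdue). Hits are ordered most urgent
    first: ransomware-linked, then Internet-facing, then soonest due.
    """
    today = date.fromisoformat(today_iso)
    by_product = {}
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        by_product.setdefault(key, []).append(asset)

    hits = []
    for entry in feed:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        for asset in by_product.get(key, []):
            due = date.fromisoformat(entry["dueDate"])
            hits.append({
                "cve": entry["cveID"],
                "asset": asset["asset"],
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "internet_facing": asset["internet_facing"],
                "days_until_due": (due - today).days,
            })
    hits.sort(key=lambda h: (not h["ransomware"],
                             not h["internet_facing"],
                             h["days_until_due"]))
    return hits


if __name__ == "__main__":
    for hit in triage(load_feed(SAMPLE_FEED), INVENTORY, "2024-07-25"):
        print(hit)
```

In practice SAMPLE_FEED is replaced by the downloaded catalog and INVENTORY by the CMDB export; the sort key is the triage policy (known ransomware use first, then Internet exposure, then due date) and is the part to adapt to your own risk appetite.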

 

Business Email Compromise

Phishing, including business email compromise (BEC), remains a primary threat and source of compromise. A phishing simulation strategy is therefore an essential component of an organization's education program. Simulations are most effective when customized to the organization's dependencies and known weaknesses, and when the lures vary in tactics over time. Providing immediate feedback and training the moment a user clicks a test link reinforces the lesson and builds resilience. Platforms and services that benchmark click rates and trends, as well as report rates, show how employees actually behave toward suspicious email; the report rate matters as much as the click rate, because a reported phish is one the SOC can act on.
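To make the benchmark concrete, here is an added example (not from the original post) that reduces raw simulation events to the numbers worth tracking: click rate, report rate, credential-submission rate, how many users reported without clicking, and how fast the first report arrived. The event layout and the events themselves are constructed assumptions.

```python
"""Phishing simulation metrics: click rate, report rate, and whether users
reported before clicking. Added example, not code from the original post.
The event layout (user, department, event kind, minutes after send) is an
assumption, and the events below are constructed.
"""
from collections import defaultdict

# Constructed campaign events. Event kinds assumed here:
# sent, clicked, reported, submitted_credentials. Every recipient has a
# "sent" event, so the number of distinct users is the number sent.
EVENTS = [
    ("alice", "finance", "sent", 0),
    ("alice", "finance", "clicked", 4),
    ("alice", "finance", "reported", 9),      # reported, but after clicking
    ("bob", "finance", "sent", 0),
    ("bob", "finance", "reported", 2),        # reported without clicking
    ("carol", "eng", "sent", 0),
    ("carol", "eng", "clicked", 30),
    ("carol", "eng", "clicked", 45),          # repeat click counts once
    ("dave", "eng", "sent", 0),               # ignored the email
    ("erin", "legal", "sent", 0),
    ("erin", "legal", "clicked", 7),
    ("erin", "legal", "submitted_credentials", 8),
]


def per_user(events):
    """Collapse raw events to one record per user with the earliest time of each kind."""
    users = {}
    for user, dept, kind, minutes in events:
        rec = users.setdefault(user, {"dept": dept, "clicked": None,
                                      "reported": None, "creds": None})
        if kind == "clicked":
            rec["clicked"] = minutes if rec["clicked"] is None else min(rec["clicked"], minutes)
        elif kind == "reported":
            rec["reported"] = minutes if rec["reported"] is None else min(rec["reported"], minutes)
        elif kind == "submitted_credentials":
            rec["creds"] = minutes if rec["creds"] is None else min(rec["creds"], minutes)
    return users


def summarize(events):
    """Per-department and overall ("ALL") counts and rates.

    A user counts as 'reported_before_click' if they reported and either never
    clicked or reported before their first click; that is the behaviour a
    simulation programme is trying to grow.
    """
    users = per_user(events)
    groups = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0,
                                  "reported_before_click": 0, "creds": 0})
    for rec in users.values():
        for key in (rec["dept"], "ALL"):
            g = groups[key]
            g["sent"] += 1
            if rec["clicked"] is not None:
                g["clicked"] += 1
            if rec["reported"] is not None:
                g["reported"] += 1
                if rec["clicked"] is None or rec["reported"] < rec["clicked"]:
                    g["reported_before_click"] += 1
            if rec["creds"] is not None:
                g["creds"] += 1
    summary = {}
    for key, g in groups.items():
        n = g["sent"]
        summary[key] = dict(g, click_rate=g["clicked"] / n,
                            report_rate=g["reported"] / n,
                            cred_rate=g["creds"] / n)
    return summary


def first_report_minutes(events):
    """Minutes from send until the first report: the SOC's earliest warning."""
    times = [m for _, _, kind, m in events if kind == "reported"]
    return min(times) if times else None


def needs_targeted_training(summary, click_threshold=0.5):
    """Departments whose click rate exceeds the threshold."""
    return sorted(d for d, s in summary.items()
                  if d != "ALL" and s["click_rate"] > click_threshold)


if __name__ == "__main__":
    s = summarize(EVENTS)
    for dept in sorted(s):
        print(dept, s[dept])
    print("first report at minute", first_report_minutes(EVENTS))
    print("targeted training:", needs_targeted_training(s))
```

The repeat-click and report-after-click cases are the ones most dashboards get wrong: a user who clicks twice is still one clicker, and a user who reports after clicking has raised the alarm but has not shown the behaviour you are measuring, so the two are kept apart.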

 

Communication During Outages

During a major outage, out-of-band communication is crucial. Offline or basic communication methods, including mobile devices and printed contact lists and procedures, must be kept updated and readily available so that operations can continue. Trust and transparency depend on pre-established communication protocols, timely and accurate updates, and multi-channel communication that reaches all organizational stakeholders. Coordinate messaging across email, social media, hotlines, and other approved channels.

Organizations should follow their cyber Incident Response Plan (IRP) so that actions stay aligned with internal procedures, communication protocols, and legal, regulatory, and contractual requirements. Unified messaging across member relations, public relations, and public affairs teams is also crucial. Risk management, insurers, Internal Audit, and forensics teams (in-house or on retainer) all play significant roles from identification through triage and recovery.

 

Threat Actor General Philosophy

Leave communication and negotiation with threat actors to experts. Each organization should have specific rules of engagement, including which external services may act on its behalf. Internal communication must keep employees informed, give additional instructions, and set clear expectations, including that information can change quickly during a security incident. Establish a communication cadence, but anticipate on-the-fly updates when something significant changes.

During triage and in the post-incident phase, it may be necessary to disconnect parts of the organization, including links to business partners and vendors. Decide when to reconnect based on assurance that the incident is resolved, restoration of the normal state, and verification by a Letter of Containment (typically issued by the forensics firm).

 

Benefits and Common Practices

Like Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) simulations, which have been in use for decades, tabletop exercises identify gaps and yield improvements and efficiencies in current processes. They familiarize participants, from technicians to executive leadership, with common challenges, reaffirm roles, and address the organization's top risks. As part of the IRP, organizations should also decide in advance whom to contact, including law enforcement and relevant authorities.
