Cyber Tabletop Exercises & Lessons Learned

1 Cyber Tabletop Exercises & Lessons Learned
David Dumas, CISSP, CISM
ISSA New England Chapter Board Member
ISSA Distinguished Fellow
February 18, 2014

2 Overview & Scope
This presentation provides a security overview
Why run a cyber tabletop exercise
How to plan, design and write a cyber tabletop exercise
Sample materials are provided
Lessons learned are woven in throughout the talk
The views expressed herein are my own and do not necessarily reflect the views of my employer.
ISSA Presentation 2/18/2014

3 Why Run Cyber Tabletops
Cyber risk falls into a hybrid category
  We know it exists and we must prepare, but we don’t fully understand its consequences to the business
Drill like you fight
It may be in your policies
It’s good for marketing and for cyber insurance annual reviews
It is a good practice in some standards; may be in regulations
  NIST SP for Federal agencies to conduct exercises or tests for their systems’ contingency plans at least annually

4 Help & Ideas to Consider
NIST SP800-84 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
Vendors that do tabletops
The exercises can be games
  Cyber Flag exercises sharpen DoD cyber operations and defense
  Connecticut ISSA Chapter holding a national game soon
My suggested process to learn how to do these exercises
  Participate in one, help write and run one, then run your own exercise

5 Pre-Planning and Design for Your Exercise
Initial guidelines based on my experience

Type of Exercise | Length of Exercise | Number of Participants | Number of Injects or Scenarios Needed | Months to Plan the Exercise
Staff meeting | 1 hour | 20 | 3-4 | 1
Mini | 2 hours | 30-50 | 6-8 | 2-3
Full | 4 hours | | 9-14 | 4-6

6 Design Your Cyber Tabletop Exercise
From NIST SP800-84
Determine the exercise topic based on the focus of the plan/issues being exercised
Determine the exercise scope based on the target audience
Identify the objectives of the exercise
Identify the individuals that should participate in the exercise and invite them to the event
Identify the writing staff for the exercise
Coordinate the logistics for the exercise event

7 Objectives for Your Cyber Tabletop Exercise
The tabletop exercise should be designed to meet the following objectives*:
Provide feedback
Clarify responsibilities
Identify roles
Enhance skills
Assess capabilities
Evaluate performance
Measure and deploy resources
Motivate employees
* Security Executive Council white paper on “The Value of Tabletop Exercises”.

8 Pre-Planning and Design for Your Exercise
Pick something that needs fixing or help in funding…not things that are already working well
Use credible scenarios - things that could really happen
Understand the politics and that groups don’t like to be singled out for findings and gaps
Determine writer subject matter experts (SME) (3/group)
  Moderator, Scribe, Attendee coordinator
  Find the best of the best in your company

9 Pre-Planning and Design for Your Exercise (2)
Research the ghosts in the closet – examples
Research good, credible ideas – continue to listen inside and outside your company for ideas…Last ISSA meeting helped with an initial infection idea
Train-the-trainer approach works well – find the best SMEs and get them onboard by asking their manager and showing career growth for them
Pick the groups to work with and focus on (developers, IT, PR/media relations, legal, privacy, security, customer infrastructure, etc.)
Write up questions for each inject that get to the heart of the issues and bring out the ghosts in the closet
Ask the tough questions and find single points of failure

10 Sample Summary of Logistics List
From NIST SP800-84
Select a date for exercise conduct
Reserve a conference room that will accommodate all participants
Determine the need for audio/visual equipment
Reserve audio/visual equipment, if applicable
Identify the writing team
Identify participants
Invite participants
Coordinate the development of the facilitator guide and participant guides
Arrange for the printing of name tents
Ensure conference room is available in sufficient time before the exercise to perform setup
Arrange for refreshments, if appropriate
Copy all files as a backup onto a CD-ROM, USB flash drive, or other removable media

11 Exercise Logistics Planning
My list
Pick a date far in advance – people are busy
Decide if this will be in person or remote or a hybrid
Determine the number of phone bridges to use, international, size, should be moderated, one for the writers as a back channel too.
Instant Messaging sessions needed for the writers as a back channel – discuss issues, pace of the exercise, Q/A and save the chat sessions to review later for feedback on the event flow
Data files, videos, etc. can be used for details and forensics
E-mail distribution lists are necessary for keeping track of the attendees and one is needed for the control group to discuss issues as an alternate back channel
Determine the participant list

12 Exercise Logistics Planning (2)
E-mail invitees to hold the calendar date in advance, ensure that the critical attendees can make that date
Location logistics need to be done in advance
  Number of rooms
  Intranet connections
  Power for laptops
  Phone lines
  Speaker phone in each room
  Projector to display the injects/scenarios
  Lunch/snacks, water, restrooms nearby
  Hotels nearby
  Travel information
  Management expense approvals to do this face-to-face
  Unique internal distribution lists and phone bridges

13 Documents to Write
Design and write the following documents per NIST SP800-84
Facilitator Guide
  The purpose for conducting the exercise
  The exercise’s scope and objectives
  The exercise’s scenario, which is a sequential, narrative account of a hypothetical incident that provides the catalyst for the exercise and is intended to introduce situations that will inspire responses and thus allow demonstration of the exercise objectives
  A list of questions regarding the scenario that address the exercise objectives
Participant Guide
  The participant guide includes the same information as the facilitator guide without the list of questions.
After Action Report
  Built from the findings and gaps and survey results

14 Exercise Planning
My list
Run the exercise by your manager to make sure it hits the mark and is not too severe. You will not be aware of all the politics so you need a sounding board
Post exercise survey – make it short and ask for any final comments and suggestions along with any findings or gaps (40% return rate is good)
Prepare an executive presentation on the top findings and gaps
Document next steps and work towards their closure with the responsible business where the findings and gaps reside.

15 Things To Do and Remember
Drill yearly on something
People and roles change a lot – continue to build contacts
The latest threats need to be analyzed for business impact – example: malware
If you don’t have a lot of time, do small tabletops
Dress rehearsal is necessary for the writers, scribes and attendee coordinators
  Turn on IM, e-mail, bridges and test one inject all the way through so that everyone knows what they will be doing
Politics can determine if people will speak up or stay quiet
  Some groups are coached to not expose bad news so that the group does not look bad
  The key to unlocking this is a good writing team that knows where the ghosts are and spins this into the injects and questions to answer

16 Things To Do and Remember (2)
Keep the exercise content secret to be effective but let everyone know that there will be an exercise during the specific date/time
Make data files for full/regular exercise to dig into the details more and engage the technical staff
Stay current on hacking trends and exploits and weave these into the exercise
  Botnets, DDoS, APT, destructive malware, Phishing, application vulnerabilities, encryption exploits, social engineering, Web servers, data breaches in the news, etc.
Also mention that this is an exercise verbally and on each e-mail sent out
Have fun so they will play again

17 Other Options to Consider
Weave in competitions to capture high-value assets in your company as an option
Recall low-tech items like the card in the wallet and car glove box for key numbers, e-mails and bridges
Use moderated bridges so unannounced attendees are kicked off and tracked
If you are in person, use the close proximity to your advantage
  Stop in as the Press and ask questions
  Determine that e-mail and phones are out and force them to walk to the other conference rooms to work together

18 Ideas To Run Tabletops On
Privacy Breach in the US and Internationally
Large malware infection
APT with loss of intellectual property
Denial of Service outage
Natural weather related disaster
Man-made disaster
Use of backup and alternate work sites
Loss of power for an extended time-frame
Loss of critical internal infrastructure
Workplace violence
BYOD data privacy incident
Loss of cloud services
Supply chain disruptions and inability to meet customer demand
Blended exercise with physical and man-made incidents

19 Tabletop Roles to Assign for Each Group
Exercise Coordinator – the leader of the exercise, they help where necessary and communicate on the timing of the next injects and resolve any issues that come up, they can act as the Press for questions too
Moderator – part of the writing team, they read the injects, and run the Q/A
Scribe/Proctor – part of the writing team, they take notes and help as new participants are brought to the remote bridges
Attendee Coordinator – part of the writing team, they record the new attendee’s name and e-mail so they can receive the future exercise injects.
Spokesperson – a volunteer from the participants to present on the findings and gaps from their group
Note: You need 3 staff from the writing team for each group that you have in the exercise.

20 Dress Rehearsal Checklist
Go through the tools
  Facilitator Guide and scripts
  Data files
  Spreadsheet of attendees
Go through the process for the exercise
  Open bridges early
  The leader sets up IM chat for the writers
  Someone needs to test the distribution lists (pre-populate the internal exercise lists)
  Join the call 10 minutes early on the main bridge
  The leader does the introduction
  Start the exercise with everyone on the full bridge
  The main distribution list can be used to send the final questions to everyone
  Closing by the leader
  Thank everyone

21 Dress Rehearsal Checklist (2)
Opening remarks:
  Roll call
  This is only an exercise! A cyber drill.
  Discuss how the bridges will be used. You may invite in others as needed to the exercise.
  Participants are free to make decisions as they see fit. As the scenario is played out, participants will be prompted with questions to help guide where the events go.
  There are no right or wrong answers or decisions. While we encourage participants to think through decisions to best remediate problems, this exercise allows for “off the wall” responses or directions to discover how it will impact the Enterprise.
  E-mails will be sent to you to read and we will discuss the questions for each inject on your team.
  We will wrap up the exercise and leave time at the end for closing questions and comments so stay around for the entire time.
  Any questions before we begin?
The leader sends out the first inject to the distribution list

22 Dress Rehearsal Checklist (3)
Closing remarks:
  The leader will provide a survey at a later date and you can add in more information at that time if we don’t have time for all of your feedback now…or if you think of something later on
  Review the objectives for the exercise
  Wrap-up questions and lessons learned documented by all on the bridge. We are trying to summarize the key things learned from this experience highlighting what worked and any gaps or things missing. We plan to roll all this up for a future security executive meeting so please be frank and open about the experience and the findings.
  The leader reads the questions and we all listen and take notes
  Wrap-up and thank everyone for their participation and the writers/planners
  The leader will send out a survey to the participants to collect their feedback on the exercise.

23 Sample Layout for Your Conference Rooms

24 Sample Amenities For Your Conference Rooms
Start End Capacity Amenities
C4001 7:00 AM 7:00 PM 10 Analog Line, Speakerphone
C4002 18 Analog Line, Speakerphone, TV, VCR, Overhead Projector, Whiteboard
C4003 6:00 PM Analog Line, Speakerphone, Whiteboard
B4002 16
B4007 20 Analog Line, Speakerphone, Overhead Projector, VGA, Whiteboard
B4008

25 Sample Attendee List
Participant Name | Address | Office Phone | Cell Phone | Org. Leadership | Biz Unit | Attended
David Dumas 781-xxx-xxxx John Doe Network Security Yes

26 Sample Participant Overview and Introduction
Divide participants among the tables representing each of the groups
Moderator will introduce themselves
Go around tables and have participants introduce themselves
Select an in-person Spokesperson for the summary/conclusions at the end of the day
Participants will read the company and situation background.
Moderators will discuss how the events of the scenario will unfold and how questions will be presented to help guide the story
The leader will send out a series of “events” via e-mail at pre-determined intervals for the participants to respond to. The e-mails will contain questions for the participants to answer within a specific amount of time.

27 Sample Inject/Scenario
This is only an exercise - Inject 8 (7 minutes to read and discuss)
Date: December 24, 4 PM
The US Government is calling to see what is going on and how they can help.
Major customers are calling for information and the help desks are overloaded.
DHS, FBI, NSA and CIA are all calling your company contacts to ask what is going on and how can they help.
Questions:
  What can we share with DHS, FBI, NSA, and CIA?
  Can we talk with all Gov’t branches, or should communication be limited?
  Should we have a spokesperson for government communications?
This is only an exercise

28 Sample Build of the Injects/Scenarios
Timeline | Story | Media Spin | Questions | Moderator Notes
13 Event 2:30 PM (Sent to all)
Date is now: March 16, 2014
The security staffs have been working 24X7 for 4 weeks with little rest and no relief in sight.
(Ask all)
  Where can you find alternative help?
  How will you deal with limited resources to get this incident under control?
  Is this OK to outsource for more staff?
  Who in the company can be cross-trained quickly to help with the incidents?
Mandatory
13-sq.txt 13-bg.txt 13-data.txt

29 Sample Final Q&A at the End of the Exercise
What did you learn from this exercise that worked well?
What did you learn from this exercise that was broken?
Is there a need to update an incident response plan from this exercise?
Did you have all the tools, procedures, contacts, etc. necessary to battle these incidents at the office and at home?
Did you assign an incident commander and find all the necessary personnel?
What tools and hardware/software are you missing?
What are you lacking for secure communications?
What security staff training is missing?
What type of training is needed for regular employees?
Any suggestions for your existing processes and procedures?
Do you have single points of failures?

30 Sample Post Exercise Survey
Was it acceptable to be remote on bridges for the exercise (Y/N)?
Was the exercise too short (Y/N)?
Did the participants figure out the correct people to call to the bridge to handle the incidents (Y/N)?
Do you feel that the exercise met the objectives:
  Test the impact of a data breach/APT/Malware on your infrastructure (Y/N)?
  To engage the appropriate teams to ensure that the existing processes, procedures and communications mechanisms for defending your internal networks and assets are sufficient (Y/N)?
  To ensure strong and successful internal coordination (Y/N)?
Do you have any suggestions for improving the exercise that you participated in (Please list)?
What do you feel were the major findings and gaps uncovered from the exercise (Please list)?

