Cybersecurity exercises have become more prevalent in recent years. Despite this, many people are not familiar with them. In this blog on why cyber exercises work, we’ll give you three real-world examples you can learn from and possibly apply to your situation.
Exercises are used to prepare and test a person or group to respond to a specific set of circumstances, like a fire drill for a building or a monetary stress test for a bank. These types of exercises have been around for years. In cybersecurity, there are generally two types of exercises: discussion-based (tabletop) exercises and operational (functional) exercises.
What Are Tabletop Exercises?
Tabletop exercises are good for talking through the who, what, when, where and how of a situation. Typically during these exercises, a group of people gather in a conference room and work through what might happen in a potential incident. A moderator is used to “set the stage” or describe the scenario. For example, if the primary and backup website servers were to go down, the moderator would ask specific questions about how certain people or groups within the organization would respond to the situation.
Tabletops can be used at any level (management through the individual contributor level) and test what people know about processes and procedures. This type of exercise can also be good for reviewing documented procedures to see if they work and if there are any documentation gaps.
What Are Functional Exercises?
Functional exercises are used to see how well processes work by testing the people who are supposed to perform them. They test actions as well as equipment, hardware, and/or software. A fire drill is a good example. When the alarm is pulled, the sound should be broadcast through the building’s speakers and the alert lights should flash. People should get up from their desks and leave the building in an orderly manner, and the automatic fire doors should close properly. If people are supposed to gather in the parking lot away from the building, a manager can see if there is a safe area to meet in case of an actual fire. A drill will show if all of these things happen as planned.
Functional exercises can be run at differing levels of realism. Certain actions can be simulated when less realism is required (like pulling the fire alarm). Other times, more realism is called for, and something like a small fire is lit in a controlled environment so that the fire department actually puts out a fire.
Functional exercises in the cybersecurity realm are similar: they test people, processes and equipment where they normally work (like at a desk or a cubicle, as opposed to a conference room). This type of exercise takes more time and effort and is more disruptive to normal business operations. However, it is a better test of how things would unfold during a real crisis.
What Are Some Real-World Examples?
Now that you know a little bit about cybersecurity exercises, let’s take a look at some examples of how they have helped actual organizations deal with real-life situations.
Example #1: U.S. County
A U.S. county performed a cybersecurity functional exercise that also tested the continuity of operations during a cyber incident. In the exercise, a simulated storm destroyed the building where the security operations center (SOC) was housed. From this exercise, the county IT security manager learned that no backup location had been identified from which personnel could continue operations during a catastrophic event.
One year later, a major category five hurricane forced the SOC team to evacuate the primary location for a few days. The lessons learned from the functional exercise made it far easier and smoother to transfer temporary operations to another location in the county. Memoranda of understanding, technology, and supplies were already pre-positioned, allowing the SOC to transition seamlessly. Practicing real-world possibilities and working out the “devil in the details” really helps an organization prepare for the worst.
Example #2: State Government
Building muscle memory across the different teams within an organization establishes the communication and tasking pathways that shorten response time during cyber remediation.
A state created a high-level tabletop exercise scenario for its 30 counties. The scenario began with credential harvesting from employees — stealing usernames and passwords via malware. The attacker used those credentials to gain access to a variety of county and state systems, including public safety systems. The counties ran the scenario concurrently with the state to practice coordination and decision making.
The participants then reported lessons learned to their county leadership and elevated key takeaways to the state level for a state-wide report.
Example #3: Fortune 500 Company
A Fortune 500 company performed a cyber exercise in which one of its main enterprise resource planning (ERP) systems was compromised by a threat actor who threatened to deploy ransomware. Part of the exercise also brought the integrity of their email system into question. During the after-exercise lessons learned session, the finance department participant stated that he had not been aware of just how intertwined one particular server of the ERP system was with all of their operations. The public affairs participant also determined that they did not really have a plan for how to send out communications when email integrity was in question.
This illustrates why cyber exercises can and should include groups outside IT security: they bring many unforeseen circumstances and unintended consequences to light.
What Next Steps Should You Take?
If you think a cybersecurity exercise could benefit your organization, here are recommended next steps:
- Talk to your counterparts from similar organizations and agencies that have completed cyber exercises to get their advice and insights. Was it worth the time and effort? What were the most useful takeaways from it? Have they made any changes to their teams or processes as a result? What surprised them the most?
- Ask about who created, organized and led the cyber exercise for them. Did the vendor have expertise in the unique needs of public safety? How much time and effort did the vendor require for preparation in advance of conducting the exercise? How many participants were involved in the exercise? Did they include representatives from all departments or just some? How long did the exercise take? Their answers can help you determine what you should consider when evaluating advisory services.
- Talk with your internal stakeholders to decide which type of exercise is right for your organization at this time, what you hope to get out of it, what should be budgeted for it and who should be involved.
- Schedule your cybersecurity exercise for a time that works for you and all the relevant stakeholders at your organization. Keep in mind that what works for the security team might not be a good time for other teams, and plan accordingly.
To recap why exercises work and why you should use them: although there are other types of exercises, tabletop and functional exercises are the most common ones. Cybersecurity exercises take these and apply them to the cyber world. Instead of talking about the server going down because of equipment failure, the group would discuss how to respond to a hacked server or a successful ransomware attack. A functional cyber exercise might include the incident response team actually going through the process of discovering what happened by looking at fake log data with evidence of a hacker’s actions.
You can get a better idea of what to expect and what you might consider for your own agency by talking to peers and solution providers with expertise in both public safety and cybersecurity, as well as experience in conducting exercises for municipalities and private organizations. Finally, by including a wide range of representatives from across your own organization in cyber exercises and applying what you learn to update or create your incident response plan, you can ensure that everyone understands their roles and responsibilities in the event of an actual cyber attack or security incident, leaving you better prepared for any scenario.
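As an added example (not from the original post), here is how a moderator might build the “fake log data” for a functional exercise around the credential-reuse scenario described in Example #2, keep an answer key of the planted events, and score what the incident response team reports in the debrief. The log format, users, hosts and IP addresses are all constructed for the exercise and do not correspond to any real product or organization.

```python
# Added example (not from the original post): build planted "fake log data"
# for a functional IR exercise and score the team's findings afterwards.
# All log lines, users, hosts and IPs are constructed; the whitespace-separated
# key=value format is invented for the exercise, not a real product's format.
from collections import defaultdict

BASELINE = [  # constructed "normal day" activity
    "2024-03-04T08:02:11 login user=jdoe src=10.1.4.22 host=fileshare result=ok",
    "2024-03-04T08:05:40 login user=asmith src=10.1.4.31 host=fileshare result=ok",
    "2024-03-04T09:15:02 login user=jdoe src=10.1.4.22 host=mail result=ok",
    "2024-03-04T11:47:19 login user=asmith src=10.1.4.31 host=hr-portal result=ok",
]

# Scenario from the state tabletop: harvested credentials reused from an
# unfamiliar address to reach a public-safety (dispatch) system.
INJECTS = [
    "2024-03-04T12:03:55 login user=jdoe src=203.0.113.9 host=dispatch-cad result=ok",
    "2024-03-04T12:04:30 login user=asmith src=203.0.113.9 host=dispatch-cad result=ok",
]

def parse(line):
    ts, action, *fields = line.split()
    rec = {"ts": ts, "action": action}
    rec.update(f.split("=", 1) for f in fields)
    return rec

def build_exercise_log(baseline, injects):
    """Merge planted events into the baseline; return the log handed to the
    team and the answer key (planted lines) the moderator keeps for the debrief."""
    log = sorted(baseline + injects)  # ISO timestamps sort lexically
    return log, set(injects)

def flag_unfamiliar_sources(log):
    """Reference detection the team is expected to arrive at: a successful
    login from a src address the user has never used earlier in the log."""
    seen = defaultdict(set)
    flagged = []
    for line in log:
        r = parse(line)
        if r["action"] == "login" and r["result"] == "ok":
            if seen[r["user"]] and r["src"] not in seen[r["user"]]:
                flagged.append(line)
            seen[r["user"]].add(r["src"])
    return flagged

def score_findings(answer_key, reported):
    """Debrief metric: planted events found, planted events missed, and
    reported lines that were not planted (false alarms)."""
    found = answer_key & set(reported)
    return {"found": len(found), "missed": len(answer_key - found),
            "false_alarms": len(set(reported) - answer_key)}
```

The same answer-key and scoring approach works for any planted scenario (phishing mail headers, file-integrity events), which lets the moderator compare detection rates across repeated exercises.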
Motorola Solutions offers a wide range of Advisory Services, including Cyber Exercises, to help organizations prepare for and prevent cyber attacks. Contact us for more information.