Organize a cyber crisis exercise in a large company

Cyberrisk Management & Strategy Ethical Hacking & Incident Response

Posted on

Evaluating the integration of Cyber in the crisis management system, improving interactions between the different units, testing the capacity of the security sector to make itself understood by top management… there are many reasons to organise a Cyber crisis exercise.

For my part, I think I’ve taken part in a at least ten simulations over the past year… but beware: we don’t always talk about the same thing! From a simple table-top process test to SOC/CERT training to a large-scale exercise involving dozens of crisis cells and months of preparation, the resources allocated are very disparate.

This article focuses on this last category: the most ambitious exercises, blockbusters of the genre, the Armageddon of the fake Cyber attack! 😉 Let’s take a closer look at how to make such an exercise a success… and make it fun and memorable!


What’s a typical crisis exercise?

If I had to give some figures on the biggest “typical” exercises organised in France, I would say: one day of exercise, 150 players mobilised, 10-12 crisis cells in several countries, 30 accomplices, 20 observers… and more than 300 stimuli sent! Clearly, making a success of such an event requires both a high level of preparation and a very solid animation team on the D-day for the final staging.

A key issue: there will only be one take. It is therefore essential that ALL the actors get into the game, that no one gets bored or feels useless, and finally that the scenario involves all the participants. Imagine the scene: no one wants to mobilize several hours of COMEX members to hear “not very credible” or “it couldn’t happen to us in real life” during the debriefing. Months of work would be wasted. Preparation and animation are the key words of an exercise.


Six months to prepare

1/ Choose the attack scenario

The first months of work are always devoted to the attack scenario. Ransomware, targeted fraud, attacking suppliers… the choice of weapons is large. In ambitious exercises, it is not rare to combine several attacks in only one crisis: smoke screen launched by the attackers, identification of a second group during the investigations… you can be creative! Whatever the scenario chosen, the key is to be as precise as possible:

  • What are the attackers’ motives?
  • What path of attack did they take?
  • When was the first intrusion?

The exercise will be long… and it is best to be prepared when 150 players start investigating an attack for several hours. Spear-phishing, waterholing, code compromise, privilege escalation… of course the vulnerabilities used by the fictitious attacker are not real, but they must be plausible and “validated” by technical accomplices throughout the preparation. Similarly for business impacts, they should be reviewed with business specialists: the amount of fraud at which the situation becomes critical, critical activities to be targeted as a priority, the most sensitive customers… The choice and involvement of accomplices are essential, and I strongly recommend that you integrate them into the coordination unit on D-day. They can be of great help to you, and it will be a pleasure for them.


2/ Build the script of the exercise

Then, the script is built, which consists in defining minute by minute the information that will be communicated to the players. The calibration of the exercise rhythm is a complex point: should a new stimuli be sent every 2 minutes? Every 10 minutes? The temptation to impose an infernal rhythm is great to “master” the scenario, but be careful to leave enough space for the cells to think. If the scenario is well constructed, there will be no room for boredom… the players’ ability to create their own problems during the exercise should never be underestimated!

The start of the exercise is another complex point: should we start directly on a crisis situation (for example, activation of a Ransomware) or on a simple alert that will test the general mobilization process? In the field, it is almost always this second option that is chosen. It makes it possible to mobilize the technical teams (CERT, SOC, IT…) for the entire duration of the exercise, as soon as the alert is given, and to include the decision-making units rather in the second part of the exercise. Try to reserve the agenda of the COMEX members for a whole day… you will quickly understand that this is the best solution!


3/ Prepare the stimuli

The attack is now scripted, the script is ready… all that remains is to produce these famous stimuli that will be sent to the players throughout the exercise. Technical reports, fake tweets, messages from worried customers… it’s all about anticipating and producing everything that can be useful for the players.

To captivate, don’t hesitate to use video. Indeed, nothing is more striking than a fake NBC report relaying the current attack (logo, board… the more realistic the better). And for even more realism, think about including in the videos people “known” in the company (message from the CEO, interview of a factory boss…). The same goes for the technical side: the duration of the exercises often does not allow the players to carry out the technical investigations themselves, but they will ask a lot of the facilitators. Malware analysis reports, application log extracts, IP address lists… everything must be ready to avoid panic.

As mentioned in the introduction, the most ambitious exercises may require the creation of 300 stimuli to get through the day and remain credible… it is a lot of work.


D-day: everybody is on stage

D-Day: 5am, meeting with all the animation team and observers for final adjustments and coffee. A few hours later, the observers go to their crisis cells and start the players’ briefing.

Starting on a good basis

Warning: for many players, this may be their first exercise. The briefing is essential to avoid, for example…

  1. Players call the police (the real police…) in the middle of the exercise;
  2. The players contact a mailing list of 400 people without specifying that it is an exercise;
  3. Real customers be called to be reassured;
  4. A production site is neutralized “by prevention”.

These are true stories. To avoid such situations, it is essential to hammer out the rules of the game during the briefing: the players must obviously communicate with each other, but to contact external stakeholders, they must go through the animation unit. The facilitators and accomplices grouped together in the cell thus find themselves throughout the day in the shoes of a client, a technical expert, a CEO or a regulator, according to the players’ requests. A rather unique experience!


Rely on an efficient animation unit

The sequence of events depends on the efficiency of the animation cell. A successful exercise includes a lot of improvisation on the day. You have to know how to readjust the stimuli according to the reactions of the players, react live when they call you, accelerate or delay the pace of the exercise according to the information transmitted by the observers… in short, the score is never fixed and the animation cell will be put to the test on the day of the exercise. The largest crisis exercises have particularly professional crisis management units, including the head of the facilitators, PMO, technical manager, business manager, call management centre, etc. Imagine: 150 players sending an email or a question every 5 minutes,  that is about 30 answers per minute…

For my part, I prefer not to take any risks on D-Day and recreate teams that are used to working together and know each other by heart. It’s the best way to gain the precious seconds that will prevent the animation unit from going into crisis itself.