
Cyber Tabletop Exercises & Lessons Learned


Presentation Transcript


  1. Cyber Tabletop Exercises & Lessons Learned
     David Dumas, CISSP, CISM
     david.dumas@verizon.com
     ISSA New England Chapter Board Member
     ISSA Distinguished Fellow
     February 18, 2014

  2. Overview & Scope
     • This presentation provides a security overview
     • Why run a cyber tabletop exercise
     • How to plan, design and write a cyber tabletop exercise
     • Sample materials are provided
     • Lessons learned are woven in throughout the talk
     The views expressed herein are my own and do not necessarily reflect the views of my employer.
     ISSA Presentation

  3. Why Run Cyber Tabletops
     • Cyber risk falls into a hybrid category
       • We know it exists and we must prepare, but we don't fully understand its consequences to the business
     • Drill like you fight
     • It may be in your policies
     • It's good for marketing and for cyber insurance annual reviews
     • It is a good practice in some standards; may be in regulations
       • NIST SP 800-53 calls for Federal agencies to conduct exercises or tests for their systems' contingency plans at least annually

  4. Help & Ideas to Consider
     • NIST SP800-84
       • Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
     • Vendors that do tabletops
       • http://www.attainium.net/index.php
       • http://www.cyberexercises.com/index.shtml
       • http://www.fema.gov
       • http://www.avalias.com/products
     • The exercises can be games
       • Cyber Flag exercises sharpen DoD cyber operations and defense
         • http://gcn.com/articles/2013/12/09/cyber-flag.aspx
       • Connecticut ISSA Chapter holding a national game soon
     • My suggested process to learn how to do these exercises
       • Participate in one, help write and run one, then run your own exercise

  5. Pre-Planning and Design for Your Exercise
     • Initial guidelines based on my experience

  6. Design Your Cyber Tabletop Exercise
     • From NIST SP800-84
       • Determine the exercise topic based on the focus of the plan/issues being exercised
       • Determine the exercise scope based on the target audience
       • Identify the objectives of the exercise
       • Identify the individuals that should participate in the exercise and invite them to the event
       • Identify the writing staff for the exercise
       • Coordinate the logistics for the exercise event

  7. Objectives for Your Cyber Tabletop Exercise
     • The tabletop exercise should be designed to meet the following objectives*:
       • Provide feedback
       • Clarify responsibilities
       • Identify roles
       • Enhance skills
       • Assess capabilities
       • Evaluate performance
       • Measure and deploy resources
       • Motivate employees
     * Security Executive Council white paper on "The Value of Tabletop Exercises".

  8. Pre-Planning and Design for Your Exercise
     • Pick something that needs fixing or help in funding, not things that are already working well
     • Use credible scenarios: things that could really happen
     • Understand the politics and that groups don't like to be singled out for findings and gaps
     • Determine writer subject matter experts (SMEs)
       • (3/group) Moderator, Scribe, Attendee Coordinator
       • Find the best of the best in your company

  9. Pre-Planning and Design for Your Exercise (2)
     • Research the ghosts in the closet for examples
     • Research good, credible ideas; continue to listen inside and outside your company for ideas. The last ISSA meeting helped with an initial infection idea
     • Train-the-trainer approach works well: find the best SMEs and get them onboard by asking their manager and showing career growth for them
     • Pick the groups to work with and focus on (developers, IT, PR/media relations, legal, privacy, security, customer infrastructure, etc.)
     • Write up questions for each inject that get to the heart of the issues and bring out the ghosts in the closet
     • Ask the tough questions and find single points of failure

  10. Sample Summary of Logistics List
     • From NIST SP800-84
       • Select a date for exercise conduct
       • Reserve a conference room that will accommodate all participants
       • Determine the need for audio/visual equipment
       • Reserve audio/visual equipment, if applicable
       • Identify the writing team
       • Identify participants
       • Invite participants
       • Coordinate the development of the facilitator guide and participant guides
       • Arrange for the printing of name tents
       • Ensure conference room is available in sufficient time before the exercise to perform setup
       • Arrange for refreshments, if appropriate
       • Copy all files as a backup onto a CD-ROM, USB flash drive, or other removable media

  11. Exercise Logistics Planning
     • My list
       • Pick a date far in advance; people are busy
       • Decide if this will be in person, remote or a hybrid
       • Determine the number of phone bridges to use (international, size, whether moderated), with one for the writers as a back channel too
       • Instant Messaging sessions are needed for the writers as a back channel to discuss issues, pace of the exercise and Q/A; save the chat sessions to review later for feedback on the event flow
       • Data files, videos, etc. can be used for details and forensics
       • Email distribution lists are necessary for keeping track of the attendees, and one is needed for the control group to discuss issues as an alternate back channel
       • Determine the participant list

  12. Exercise Logistics Planning (2)
     • Email invitees to hold the calendar date in advance; ensure that the critical attendees can make that date
     • Location logistics need to be done in advance
       • Number of rooms
       • Intranet connections
       • Power for laptops
       • Phone lines
       • Speaker phone in each room
       • Projector to display the injects/scenarios
       • Lunch/snacks, water, restrooms nearby
       • Hotels nearby
       • Travel information
       • Management expense approvals to do this face-to-face
       • Unique internal email distribution lists and phone bridges

  13. Documents to Write
     • Design and write the following documents per NIST SP800-84
     • Facilitator Guide
       • The purpose for conducting the exercise
       • The exercise's scope and objectives
       • The exercise's scenario, which is a sequential, narrative account of a hypothetical incident that provides the catalyst for the exercise and is intended to introduce situations that will inspire responses and thus allow demonstration of the exercise objectives
       • A list of questions regarding the scenario that address the exercise objectives
     • Participant Guide
       • The participant guide includes the same information as the facilitator guide without the list of questions.
     • After Action Report
       • Built from the findings and gaps and survey results

  14. Exercise Planning
     • My list
       • Run the exercise by your manager to make sure it hits the mark and is not too severe. You will not be aware of all the politics, so you need a sounding board
       • Post-exercise survey: make it short and ask for any final comments and suggestions along with any findings or gaps (a 40% return rate is good)
       • Prepare an executive presentation on the top findings and gaps
       • Document next steps and work towards their closure with the responsible business where the findings and gaps reside.

  15. Things To Do and Remember
     • Drill yearly on something
     • People and roles change a lot; continue to build contacts
     • The latest threats need to be analyzed for business impact (example: malware)
     • If you don't have a lot of time, do small tabletops
     • Dress rehearsal is necessary for the writers, scribes and attendee coordinators
       • Turn on IM, email and bridges and test one inject all the way through so that everyone knows what they will be doing
     • Politics can determine if people will speak up or stay quiet
       • Some groups are coached to not expose bad news so that the group does not look bad
       • The key to unlocking this is a good writing team that knows where the ghosts are and spins this into the injects and questions to answer

  16. Things To Do and Remember (2)
     • Keep the exercise content secret to be effective, but let everyone know that there will be an exercise during the specific date/time
     • Make data files for the full/regular exercise to dig into the details more and engage the technical staff
     • Stay current on hacking trends and exploits and weave these into the exercise
       • Botnets, DDoS, APT, destructive malware, phishing, application vulnerabilities, encryption exploits, social engineering, Web servers, data breaches in the news, etc.
     • Also mention that this is an exercise verbally and on each email sent out
     • Have fun so they will play again

  17. Other Options to Consider
     • Weave in competitions to capture high-value assets in your company as an option
     • Recall low-tech items like the card in the wallet and car glove box for key numbers, emails and bridges
     • Use moderated bridges so unannounced attendees are kicked off and tracked
     • If you are in person, use the close proximity to your advantage
       • Stop in as the Press and ask questions
       • Determine that email and phones are out and force them to walk to the other conference rooms to work together

  18. Ideas To Run Tabletops On
     • Privacy breach in the US and internationally
     • Large malware infection
     • APT with loss of intellectual property
     • Denial of Service outage
     • Natural weather-related disaster
     • Man-made disaster
     • Use of backup and alternate work sites
     • Loss of power for an extended time-frame
     • Loss of critical internal infrastructure
     • Workplace violence
     • BYOD data privacy incident
     • Loss of cloud services
     • Supply chain disruptions and inability to meet customer demand
     • Blended exercise with physical and man-made incidents

  19. Tabletop Roles to Assign for Each Group
     • Exercise Coordinator: the leader of the exercise; they help where necessary, communicate on the timing of the next injects and resolve any issues that come up; they can act as the Press for questions too
     • Moderator: part of the writing team; they read the injects and run the Q/A
     • Scribe/Proctor: part of the writing team; they take notes and help as new participants are brought to the remote bridges
     • Attendee Coordinator: part of the writing team; they record each new attendee's name and email so they can receive the future exercise injects
     • Spokesperson: a volunteer from the participants to present on the findings and gaps from their group
     Note: You need 3 staff from the writing team for each group that you have in the exercise.

  20. Dress Rehearsal Checklist
     • Go through the tools
       • Facilitator Guide and scripts
       • Data files
       • Spreadsheet of attendees
     • Go through the process for the exercise
       • Open bridges early
       • The leader sets up IM chat for the writers
       • Someone needs to test the email distribution lists (pre-populate the internal exercise lists)
       • Join the call 10 minutes early on the main bridge
       • The leader does the introduction
       • Start the exercise with everyone on the full bridge
       • The main distribution list can be used to send the final questions to everyone
       • Closing by the leader
       • Thank everyone

  21. Dress Rehearsal Checklist (2)
     • Opening remarks:
       • Roll call
       • This is only an exercise! A cyber drill.
       • Discuss how the bridges will be used.
       • You may invite in others as needed to the exercise.
       • Participants are free to make decisions as they see fit.
       • As the scenario is played out, participants will be prompted with questions to help guide where the events go.
       • There are no right or wrong answers or decisions. While we encourage participants to think through decisions to best remediate problems, this exercise allows for "off the wall" responses or directions to discover how it will impact the Enterprise.
       • Emails will be sent to you to read and we will discuss the questions for each inject on your team.
       • We will wrap up the exercise and leave time at the end for closing questions and comments, so stay around for the entire time.
       • Any questions before we begin?
     • The leader sends out the first inject to the email distribution list

  22. Dress Rehearsal Checklist (3)
     • Closing remarks:
       • The leader will provide a survey at a later date and you can add in more information at that time if we don't have time for all of your feedback now, or if you think of something later on
       • Review the objectives for the exercise
       • Wrap-up questions and lessons learned documented by all on the bridge.
       • We are trying to summarize the key things learned from this experience, highlighting what worked and any gaps or things missing.
       • We plan to roll all this up for a future security executive meeting, so please be frank and open about the experience and the findings.
       • The leader reads the questions and we all listen and take notes
       • Wrap-up and thank everyone for their participation, and the writers/planners
       • The leader will send out a survey to the participants to collect their feedback on the exercise.

  23. Sample Layout for Your Conference Rooms

  24. Sample Amenities For Your Conference Rooms

  25. Sample Attendee List

  26. Sample Participant Overview and Introduction
     • Divide participants among the tables representing each of the groups
     • Moderator will introduce themselves
     • Go around tables and have participants introduce themselves
     • Select an in-person Spokesperson for the summary/conclusions at the end of the day
     • Participants will read the company and situation background.
     • Moderators will discuss how the events of the scenario will unfold and how questions will be presented to help guide the story
     • The leader will send out a series of "events" via email at pre-determined intervals for the participants to respond to. The emails will contain questions for the participants to answer within a specific amount of time.

  27. Sample Inject/Scenario
     This is only an exercise - Inject 8 (7 minutes to read and discuss)
     Date: December 24, 4 PM
     The US Government is calling to see what is going on and how they can help. Major customers are calling for information and the help desks are overloaded. DHS, FBI, NSA and CIA are all calling your company contacts to ask what is going on and how they can help.
     Questions:
     • What can we share with DHS, FBI, NSA, and CIA?
     • Can we talk with all Gov't branches, or should communication be limited?
     • Should we have a spokesperson for government communications?
     This is only an exercise

  28. Sample Build of the Injects/Scenarios

  29. Sample Final Q&A at the End of the Exercise
     • What did you learn from this exercise that worked well?
     • What did you learn from this exercise that was broken?
     • Is there a need to update an incident response plan from this exercise?
     • Did you have all the tools, procedures, contacts, etc. necessary to battle these incidents at the office and at home?
     • Did you assign an incident commander and find all the necessary personnel?
     • What tools and hardware/software are you missing?
     • What are you lacking for secure communications?
     • What security staff training is missing?
     • What type of training is needed for regular employees?
     • Any suggestions for your existing processes and procedures?
     • Do you have single points of failure?

  30. Sample Post Exercise Survey
     • Was it acceptable to be remote on bridges for the exercise (Y/N)?
     • Was the exercise too short (Y/N)?
     • Did the participants figure out the correct people to call to the bridge to handle the incidents (Y/N)?
     • Do you feel that the exercise met the objectives:
       • Test the impact of a data breach/APT/malware on your infrastructure (Y/N)?
       • To engage the appropriate teams to ensure that the existing processes, procedures and communications mechanisms for defending your internal networks and assets are sufficient (Y/N)?
       • To ensure strong and successful internal coordination (Y/N)?
     • Do you have any suggestions for improving the exercise that you participated in (please list)?
     • What do you feel were the major findings and gaps uncovered from the exercise (please list)?
