A cybersecurity exercise helps you prepare for an incident

Anne Oikarinen

Senior Security Consultant

August 21, 2020 at 15:15

A laptop was left unattended in a cafeteria. An email was sent to the wrong recipient. An organization forgot to remove the admin credentials of an ex-employee. Signs of spyware were spotted in the network traffic. These smaller or bigger information security incidents that endanger data confidentiality, integrity, and availability are not unheard of; they are part of everyday life. Who do you call? Is it OK to shut down the infected computer? How do you get back to normal? To avoid panic in a real cyber emergency, you should prepare for information security incidents in advance with cybersecurity exercises.

Cybersecurity exercises are tailored according to the organization's needs. The possibilities range from an hour-long workshop examining process phases to a full-day functional drill where you also rehearse decision-making and communications. A more technical cybersecurity exercise can be a week-long boot camp involving attacking and defending in a realistic IT environment. Testing whether you can restore backups also counts as an exercise. Or why don't you try an escape room or a social engineering roleplay? You can read more about the variety of cybersecurity exercises on our service pages.

You can arrange a tabletop cybersecurity exercise online as well as in a meeting room.

The exercise length, content, and participants should be selected based on the organization's needs and goals. It's usually a good idea to start with shorter exercises: the longer the training and the larger the participant count, the more you will need to prepare. After you've gained some experience, you can invite your partners to practice incident handling with you.

Handle cyber incidents like a pro with these exercise scenarios

Many of the cybersecurity incidents that took place this summer could have happened to almost any organization. With the following scenarios that we created, you can easily test your processes and communications in advance.

Scenario 1: Social media takeover

An employee has reached out because odd-looking messages with shortened URLs have recently been sent from the company Twitter account. A few people have already commented on these messages and asked what's going on. The CEO also notices that someone else must have retweeted things from his account.

The scenario is based on a Bitcoin scam this summer. The Twitter accounts of several well-known people were breached using social engineering. After gaining access, the attackers tweeted messages asking for Bitcoin payments.

Who to invite in this scenario:

Representatives from the following areas of responsibility: 

  • Management
  • Communications
  • Marketing
  • Information Security

Questions to think about in this exercise:

  • What are the first actions you take after hearing about the incident?
  • Who do you need to inform about the situation? How urgent is it to contact them?
  • Does your organization have instructions on what to do after hearing about the incident?
  • Who is responsible for all decisions and actions?
  • What else do you need to do to recover from the situation?
  • Are you required to inform any authorities about the incident? Or are there recommendations to do so? For example, law enforcement, the Data Protection Ombudsman, or the national CERT? Who will inform them, and what channels should they use?

Scenario 2: Ransomware

There's a fault in your essential, customer-facing service. Several servers and workstations have stopped working, and their displays show a message demanding a Bitcoin ransom to recover the data. It looks like the ransomware has also hit the servers containing the personal data of your customers. The customer support inbox and the company's social media accounts are flooded with messages asking when you're going to fix this. Speculation about the reason for the downtime circulates on Twitter, and a reporter has attempted to call the CEO several times.

Bonus exercise: This is a so-called double extortion case, so the attacker is threatening to publish all the data unless the company pays an extra ransom. 

This exercise scenario is related to the fairly recent cyberattack against Garmin. As a result of the attack, it was impossible to use the Garmin Connect service to synchronize and analyze smartwatch measurement data. The downtime also affected aviation equipment.

Or maybe this smaller-scale incident in Finland gives your company a more fitting perspective? A car repair shop was forced to close its doors for a few days and revert to a six-month-old inventory after getting hit by ransomware. 

Who to invite in this scenario:

Representatives from the following areas of responsibility:

  • Management
  • Communications
  • Sales & Marketing
  • Information Security
  • Data Protection
  • IT

Questions to think about in this exercise:

  • What are your plans to recover from the situation?
  • Who do you need to inform about the situation (inside and outside the organization, partners, etc.)?
  • How can you get the contact information to reach out to customers and other stakeholders if the ransomware has now encrypted that data, too?
  • What are the roles and responsibilities during the incident recovery process?
  • Are your service providers and software vendors aware of the incident handling process?
  • Is customer data compromised? What does it mean from a data protection point of view?
  • Do you need to pause ad campaigns or perform any other actions related to ads or digital marketing?
  • Who will keep track of situational awareness?
  • The management wants a briefing about the situation. Make a summary in 10 minutes.

It's crucial to communicate with other stakeholders during a cybersecurity incident.

Scenario 3: "Tech support" has gained access to the organization's computers

The local IT support has returned from the summer holidays and is chatting with people from other departments over lunch. One of the employees wants to know about the new hire in the IT department. The person was pleased because a friendly IT support guy had called them directly one day after noticing a computer fault. The person who asked wasn't entirely sure whether the issue had been solved after installing a new program. Soon it turns out that many others at the same table had received similar calls.

This scenario is related to the tech support scam, where the caller pretends to be from Microsoft or the internet service provider Elisa.

Who to invite in this scenario:

Representatives from the following areas of responsibility:

  • Communications
  • Information Security
  • IT

Questions to think about in this exercise:

  • What are your plans to recover from the situation?
  • Who do you need to inform about the situation?
  • What resources are available?
  • Do you need more information or advice related to, for example, legal or compliance matters?
  • Estimate the possible impact on data confidentiality, integrity, and availability.

How to find more information about cybersecurity exercises?

You can find more ideas for exercise scenarios in the Center for Internet Security's whitepaper, Six Scenarios to Help Prepare Your Cybersecurity Team. And you can always try some evergreen exercises like crypto mining, an electricity outage, infected open-source components, or a white-hat hacker reporting a vulnerability. Do you know how to respond?

Interested in cybersecurity exercises and need help?

If you want to learn more and know what it takes from your organization to arrange a training session, download our whitepaper Cybersecurity exercises expose vulnerabilities in decision-making.