Jani had a regular day at the office – except that this wasn’t his office. Jani had infiltrated a company. Meanwhile, Tommi casually walked into a building and grabbed a bunch of confidential documents. Moments later, Markku got inside the company network with targeted malware. What on earth was going on?
A cybersecurity exercise helps you prepare for an incident
Nixu Blog
September 27, 2021 at 09:00
A laptop was left unattended in a cafeteria. An email was sent to the wrong recipient. An organization forgot to remove the admin credentials of an ex-employee. Signs of spyware were spotted in the network traffic. These smaller or bigger information security incidents that endanger data confidentiality, integrity, and availability are not unheard of and part of everyday life. Who to call? Is it OK to shut down the infected computer? How to get back to normal? To avoid panic in a real cyber emergency, you should prepare for information security incidents in advance with cybersecurity exercises.
Cybersecurity exercises are tailored according to the organization's needs. The possibilities range from an hour-long workshop examining process phases to a full-day functional drill where you also rehearse decision-making and communications. A more technical cybersecurity exercise can be a week-long boot camp involving attacking and defending in a real-like IT environment. Testing whether you can restore backups also counts as an exercise. Or why don't you try an escape room or social engineering roleplay? You can read more about the variety of cybersecurity exercises from our service pages.
The exercise length, content, and participants should be selected based on the organization's needs and goals. It's usually a good idea to start with shorter exercises – the longer the training and the larger the participant count, the more you will need to prepare. After you've gained some experience, you can invite your partners to practice incident handling with you.
Handle cyber incidents like a pro with these exercise scenarios
Many of the cybersecurity incidents that took place this summer could have happened to almost any organization. With the following scenarios that we created, you can easily test your processes and communications in advance.
Scenario 1: Social media takeover
An employee has reached out because odd-looking messages with shortened URLs have recently been sent from the company Twitter account. A few people have already commented on these messages and asked what's going on. The CEO also notices that someone else must have retweeted things from his account.
The scenario is based on a Bitcoin scam this summer. The Twitter accounts of several well-known people were breached by using social engineering. After gaining access, the attackers tweeted messages asking for Bitcoin payments.
Who to invite in this scenario:
Representatives from the following areas of responsibility:
- Management
- Communications
- Marketing
- Information Security
Questions to think about in this exercise:
- What are the first actions you take after hearing about the incident?
- Who do you need to inform about the situation? How urgent is it to contact them?
- Does your organization have instructions on what to do after hearing about the incident?
- Who is responsible for all decisions and actions?
- What else do you need to do to recover from the situation?
- Are you required to inform any authorities about the incident? Or are there recommendations to do so? For example, law enforcement, Data Protection Ombudsman, or the national CERT? Who will inform them, and what channels should they use?
Scenario 2: Ransomware
There's a fault in your essential, customer-facing service. Several servers and workstations have stopped working, and their displays show a message demanding a Bitcoin ransom to recover the data. It looks like the ransomware has also hit the servers containing the personal data of your customers. Customer support inbox and the company's social media accounts are flooded with messages asking when you're going to fix this. Speculations about the downtime reason circulate on Twitter, and a reporter has attempted to call the CEO several times.
Bonus exercise: This is a so-called double extortion case, so the attacker is threatening to publish all the data unless the company pays an extra ransom.
This exercise scenario is related to the fairly recent cyberattack against Garmin. As a result of the attack, it was impossible to use the Garmin Connect service to synchronize and analyze smartwatch measurement data. The downtime also affected aviation equipment.
Or maybe this smaller-scale incident in Finland gives your company a more fitting perspective? A car repair shop was forced to close its doors for a few days and revert to a six-month-old inventory after getting hit by ransomware.
Who to invite in this scenario:
Representatives from the following areas of responsibility:
- Management
- Communications
- Sales & Marketing
- Information Security
- Data Protection
- IT
Questions to think about in this exercise:
- What are your plans for recovering from the situation?
- Who do you need to inform about the situation (inside and outside the organization, partners, etc.?)
- How can you get the contact information to reach out to customers and other stakeholders if the ransomware has now encrypted that data, too?
- What are the roles and responsibilities during the incident recovery process?
- Are your service providers and software vendors aware of the incident handling process?
- Is customer data compromised? What does it mean from a data protection point-of-view?
- Do you need to pause ad campaigns or perform any other actions related to ads or digital marketing?
- Who will keep track of situational awareness?
- The management wants a briefing about the situation. Make a summary in 10 minutes.
Scenario 3:" Tech support" has gained access to the organization's computers
The local IT support has returned from the summer holidays and is chatting with people from other departments over lunch. One of the employees wants to know about the new hire in the IT department. The person was pleased because a friendly IT support guy had called them directly one day after noticing a computer fault. The person who asked wasn't entirely sure whether the issue had been solved after installing a new program. Soon it turns out that many others at the same table had received similar calls.
This scenario is related to the tech support scam, where the caller pretends to be from Microsoft or the internet service provider Elisa.
Who to invite in this scenario:
Representatives from the following areas of responsibility:
- Communications
- Information Security
- IT
Questions to think about in this exercise:
- What are your plans for recovering from the situation?
- Who do you need to inform about the situation?
- What resources are available?
- Do you need more information or advice related to, for example, legal or compliance matters?
- Estimate the possible impact on data confidentiality, integrity, and availability.
How to find more information about cybersecurity exercises?
You can find more ideas about exercise scenarios from the Center of Internet Security's whitepaper, Six Scenarios to Help Prepare Your Cybersecurity Team. And you can always try some evergreen exercises like crypto mining, electricity outage, infected open-source components, or white-hat hacker reporting a vulnerability. Do you know how to respond?
Interested in cybersecurity exercises and need help?
If you want to learn more and know what it takes from your organization to arrange a training session, download our whitepaper Cybersecurity exercises expose vulnerabilities in decision-making.