Executive Leadership: CEO, CRO, Sales & Marketing, Communications
WHO: Executive Leadership
WHAT: Cyber Crisis Response
Background:
Current Corporate Policies / Standards
Generating Corporate Cyber Goals / Objectives
Developing Corporate Response Policies and Standards
Roles of Key Cyber Staff
Personal Responsibility for Actions
Compromise Consequences / Business Impact
Threats / Entry Level
Detection / Mitigation – Entry Level
Challenges: Executive leaders often tend to underestimate the importance of security. Keeping them engaged and invested in security initiatives may therefore take significant effort.
Cyber Skill Level: Medium
Duration: 1-3 hours
Frequency: Once per year
Responsibilities: As the top decision makers, executive managers take an active and important role in the execution of all policies. They therefore need to be aware of and informed about the overall organizational security posture – from the tools, staffing and contingency plans to the rationale behind the security strategy. When a crisis occurs, this is the group responsible for deciding how to respond. For example, the communications leader must decide if and when to make public statements regarding a breach.
Instruction: Give executives hands-on practice responding to a full-blown cyber crisis. In this skills development and simulation module, executives get the opportunity to practice in a fully realistic simulated environment. Possible situations include ransomware scenarios in which they must decide whether or not to pay the ransom, creating and approving public statements regarding breaches, and sharing breach information with law enforcement agencies. The goal is that when incidents do arise, executive management is equipped with the skills needed to respond quickly and effectively to emergent situations.
Senior Management
WHO: Senior Management
WHAT: Cyber Incident Response Tabletop Exercise
Background:
Corporate Cyber Team / Responsibilities
Generating Corporate Policies and Standards
Current Corporate Policies / Standards
Personal Responsibility for Actions
Compromise Consequences / Business Impact
Threats / Entry level – Basic
Detection / Mitigation – Basic
Response Basics
Challenges: Senior managers need to understand the risks to strategic departmental assets and to determine and enforce cyber security procedures. During major breaches, they must be kept informed, take an active role in the response, and be part of critical decision making in real time.
Cyber Skill Level: Low
Duration: 4 hours
Frequency: Once per year
Responsibilities: While not directly involved in managing cybersecurity incidents, senior managers often play an important role in decision making during high-profile breaches and ransomware attacks. Each department manager must understand the security posture and risks of their departmental assets and quantify the cyber risk they pose to operations. For example, department managers must be aware of problems or vulnerabilities in ERP and other software platforms. Further, a business unit director must be able to judge whether paying a ransomware fee is the right move in a given situation, because the loss of service might have a far more devastating business impact than simply paying the fee. Additionally, they are responsible for setting access and authorization levels for departmental resources and enforcing procedures.
Instruction: Quarterly breach response drills coach senior managers and business owners by simulating cyber attacks that are relevant to them. Each session lasts approximately 4 hours depending on need, and sessions can be tailored to exact departmental needs. Sessions provide the tools to simulate effective breach notifications, assess business impact, make business decisions about service shutdown or continued operation during a crisis, and keep the impact on the business as small as possible. Possible scenarios range from ransomware to major data leaks, DDoS attacks, and phishing and spam attacks. All aspects are covered in a participatory way to give this group the tools they need to lead their departments successfully through a cybersecurity breach.
CISO and SOC Manager
WHO: CISO & SOC Manager
WHAT: Cyber Crisis Management & Attack Scenarios
Background:
Current Corporate Policies / Standards
Enforcing Policies and Standards
Personal Responsibility for Actions
Review Threats – Expert
Review Detection / Mitigation – Expert
Responses
Range Simulation / Interaction / Review (3 Scenarios)
Challenges: The CISO/SOC manager position involves many challenges, such as managing multi-tier response teams, ensuring preparedness and prevention, aligning security efforts with business goals, and handling cyber crises from beginning to end. The responsibility for security lies squarely on the shoulders of the CISO or SOC manager. Thus you must do all you can to ensure that in an emergency everyone knows their roles and responsibilities and performs them flawlessly.
Cyber Skill Level: High
Duration: 2 full days
Frequency: Twice per year
Responsibilities: The CISO and/or SOC Manager are, bottom line, responsible for the cyber security of the organization. In the event of a breach, the CISO/SOC Manager must stay abreast of all developing information in real time and use it to make critical decisions, all while maintaining timely, accurate communications with the organization and with outside entities such as the press, law enforcement and key allies in the cybersecurity community.
Instruction: Fully simulated cybersecurity skills development and practice prepares CISOs and SOC managers to respond flawlessly when a cyber breach begins. Having practiced for the inevitable over and over, CISOs and SOC managers are better equipped to react optimally despite the great pressure and intensity of the situation at hand. Simulation exercises also yield critical insights into organizational and procedural weaknesses and allow time to address them before a real crisis begins. The CISO and SOC manager should also run attack-scenario-specific drills for all of the most pertinent cyber attack types: ransomware, DDoS, data and privacy leaks, and more.
Tier 1 Security Analysts
WHO: Tier 1 Security Analysts
WHAT: Incident Response – Triage, Investigation & Response
Background:
Current Corporate Policies / Standards
Enforcing Policies and Standards
Personal Responsibility for Actions
Review Threats / Entry level – Expert
Review Detection / Mitigation – Expert
SIEM Review
Incident Response
Range Simulation / Interaction / Review (3 Scenarios)
Challenges: The threat landscape is constantly changing, and these relatively less-experienced analysts often lack experience in crisis and breach management. Their lack of knowledge and experience means they tend to escalate too many alerts, creating a burdensome backlog for the Tier 2 analysts. When Tier 2 analysts are overloaded with alerts, they have trouble dedicating their efforts to the most critical and difficult incidents. Tier 1 analysts also have difficulty mastering the large number of security tools they are expected to use. Additionally, Tier 1 analysts suffer from ‘alert fatigue’ resulting from the overwhelming number of alerts generated by all the SOC tools.
Cyber Skill Level: Medium to High
Duration: 2 full days
Frequency: Twice per year
Responsibilities: Your Tier 1 analysts are the first responders for all incoming security alerts. They are your organization’s first line of defense. The better they do their job, the less stress is put on everyone else. Tier 1 analysts monitor and triage alerts, identify high-risk situations, and decide when to escalate events. They also perform preliminary incident investigations.
Instruction: Simulation exercises modeled on the events Tier 1 analysts deal with daily, as well as on emergency situations, help prepare them to react more efficiently and effectively both in routine work and in emergent situations. Simulation exercises allow relatively new, inexperienced analysts to gain practical experience quickly, building confidence and advancing their skill level faster.
Tier 2 & 3 Security Analysts
WHO: Tier 2 & 3 Security Analysts
WHAT: Advanced Investigation & Response, Skill Workshops
Background:
Current Corporate Policies / Standards
Enforcing Policies and Standards
Personal Responsibility for Actions
Review Threats – Expert
Review Detection / Mitigation – Expert
Responses
Range Simulation / Interaction / Review (3 Scenarios)
Challenges: Tier 2 and 3 analysts need to keep their skills sharp and up to date so that they can deal with the complicated, ever-shifting threats that come their way. These experienced analysts must therefore focus on constantly improving the broad skill set needed to do their job, which includes using the latest advanced tools and systems. Additionally, it can be challenging to work with Tier 1 analysts in a smooth and reliable way that ensures the right group is tackling each issue.
Cyber Skill Level: High
Duration: 2 full days
Frequency: Twice per year
Responsibilities: Tier 2 and 3 analysts tackle the difficult situations that Tier 1 analysts escalate to them. This includes complicated malware scenarios such as fileless and multi-pronged malware attacks. These expert analysts are in charge of complex procedures such as deep incident analysis, root cause analysis, determining whether and which assets have been affected, forensics and reverse engineering.
Instruction: Tier 2 and 3 analysts are responsible for investigating and closing the more serious cyber incidents. These are our professional cyber heroes, always under pressure to save the day when faced with new threats. They must ensure that their actions are choreographed with perfect precision, which is nearly impossible without a system of ongoing development. Skills development focuses on simulating full-scale attacks customized to the specific organization, so that analysts experience the scenarios that pose the biggest threat to their network. Analysts learn to handle multiple systems and alerts during a crisis and improve teamwork and procedural knowledge, all of which helps them get through incidents with as little collateral damage as possible.
Skill Workshops: A series of hands-on workshops presenting real environments with dedicated scenarios to improve particular skills that are critical to withstanding attacks, for example mobile forensics and ransomware reversing.
IT Department
WHO: IT Department
WHAT: Coordinate Cyber Response Drills
Background:
Current Corporate Policies / Standards
Enforcing Policies and Standards
Personal Responsibility for Actions
Review Threats / Entry level – Journeymen
Review Detection / Mitigation – Journeymen
Cyber Skill Level: Medium
Duration: 4 hours
Frequency: Once per year
Responsibilities: The IT department works with the SOC team, ensuring that response processes are in place, enforcing security protocols in the network and supporting cyber technology in the organization.
Challenges: Coordinating its work with the SOC so that operations run smoothly may run counter to what the IT department would rather focus on.
Skills Development: Skills development sessions help IT staffers understand their role in upholding and enforcing security policies. Sessions focus on creating smooth handovers, escalation protocols, crisis management and communication channels.
General Employees
WHO: General Employees
WHAT: Cyber Security Awareness & Prevention
Background:
Current Corporate Policies / Standards
Personal Responsibility for Actions
Review Threats / Entry level
Secure User Interaction
Cyber Skill Level: Low
Duration: 2 hours
Frequency: Twice per year
Responsibilities: This group must be aware of the threats that exist. They must know that phishing emails, malicious links, fraudulent websites and rogue employees are all very real, and that if they aren’t careful, they might end up exposing their entire organization to a wide-scale attack.
Challenges: Security is often the very last thing on this group’s radar. They are not oriented towards security threats, and their performance isn’t measured by how well they keep their organization secure. Bottom line – security is not their focus, and they are at high risk of becoming victims of social engineering tactics.
Education: Your general employees need to be educated in the very basics of cyber security awareness: they must learn what phishing emails look like, how to recognize fraudulent websites, how to create strong passwords and how to spot potentially malicious insiders. Sessions focus on learning the threat landscape and its impact, and on learning to detect, avoid and report suspicious activity.
External Contractors
WHO: External Contractors
WHAT: Cyber Security Awareness & Prevention
Background:
Current Corporate Policies / Standards
Personal Responsibility for Actions
Review Threats / Entry level
Secure User Interaction
Cyber Skill Level: Low
Duration: 2 hours
Frequency: Twice per year
Responsibilities: Any external contractor you engage is responsible for following your supply-chain protocols and security procedures. Unfortunately, external contractors can easily become points of entry for cyber attacks.
Challenges: The biggest challenge here is that it’s very hard to control what your third-party vendors do, because they aren’t bound by, or even fully aware of, your organizational rules and protocols.
Education: Partner security education should focus on reviewing security protocols and common “dos and don’ts”.