Cyber Tabletop Exercises & Lessons Learned

David Dumas, CISSP, CISM
david.dumas@verizon.com
ISSA New England Chapter Board Member
ISSA Distinguished Fellow
February 18, 2014

Overview & Scope

This presentation provides a security overview:
– Why run a cyber tabletop exercise
– How to plan, design and write a cyber tabletop exercise
– Sample materials are provided
– Lessons learned are woven in throughout the talk

The views expressed herein are my own and do not necessarily reflect the views of my employer.

2/18/2014 ISSA Presentation 2

Why Run Cyber Tabletops

Cyber risk falls into a hybrid category
– We know it exists and we must prepare, but we don't fully understand its consequences to the business
Drill like you fight
It may be in your policies
It's good for marketing and for cyber insurance annual reviews
It is a good practice in some standards; may be in regulations
– NIST SP 800-53 calls for Federal agencies to conduct exercises or tests for their systems' contingency plans at least annually

Help & Ideas to Consider

NIST SP800-84 – Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
Vendors that do tabletops
– http://www.attainium.net/index.php
– http://www.cyberexercises.com/index.shtml
– http://www.fema.gov
– http://www.avalias.com/products
The exercises can be games
– Cyber Flag exercises sharpen DoD cyber operations and defense
  • http://gcn.com/articles/2013/12/09/cyber-flag.aspx
  • Connecticut ISSA Chapter holding a national game soon
My suggested process to learn how to do these exercises
– Participate in one, help write and run one, then run your own exercise

Pre-Planning and Design for Your Exercise

Initial guidelines based on my experience:

Type of Exercise   Length of Exercise   Number of Participants   Number of Injects or Scenarios Needed   Months to Plan the Exercise
Staff meeting      1 hour               20                       3-4                                     1
Mini               2 hours              30-50                    6-8                                     2-3
Full               4 hours              50-200                   9-14                                    4-6
Design Your Cyber Tabletop Exercise

From NIST SP800-84:
– Determine the exercise topic based on the focus of the plan/issues being exercised
– Determine the exercise scope based on the target audience
– Identify the objectives of the exercise
– Identify the individuals that should participate in the exercise and invite them to the event
– Identify the writing staff for the exercise
– Coordinate the logistics for the exercise event

Objectives for Your Cyber Tabletop Exercise

The tabletop exercise should be designed to meet the following objectives*:
– Provide feedback
– Clarify responsibilities
– Identify roles
– Enhance skills
– Assess capabilities
– Evaluate performance
– Measure and deploy resources
– Motivate employees

* Security Executive Council white paper on "The Value of Tabletop Exercises".

Pre-Planning and Design for Your Exercise

Pick something that needs fixing or help in funding…not things that are already working well
Use credible scenarios - things that could really happen
Understand the politics and that groups don't like to be singled out for findings and gaps
Determine writer subject matter experts (SMEs) – 3 per group: Moderator, Scribe, Attendee Coordinator
– Find the best of the best in your company

Pre-Planning and Design for Your Exercise (2)

Research the ghosts in the closet – collect examples
Research good, credible ideas – continue to listen inside and outside your company for ideas…the last ISSA meeting helped with an initial infection idea
Train-the-trainer approach works well – find the best SMEs and get them onboard by asking their manager and showing career growth for them
Pick the groups to work with and focus on (developers, IT, PR/media relations, legal, privacy, security, customer infrastructure, etc.)
Write up questions for each inject that get to the heart of the issues and bring out the ghosts in the closet
– Ask the tough questions and find single points of failure

Sample Summary of Logistics List

From NIST SP800-84:
– Select a date for exercise conduct
– Reserve a conference room that will accommodate all participants
– Determine the need for audio/visual equipment
– Reserve audio/visual equipment, if applicable
– Identify the writing team
– Identify participants
– Invite participants
– Coordinate the development of the facilitator guide and participant guides
– Arrange for the printing of name tents
– Ensure the conference room is available in sufficient time before the exercise to perform setup
– Arrange for refreshments, if appropriate
– Copy all files as a backup onto a CD-ROM, USB flash drive, or other removable media

Exercise Logistics Planning

My list:
– Pick a date far in advance – people are busy
– Decide if this will be in person, remote or a hybrid
– Determine the number of phone bridges to use: international, size, whether they should be moderated, and one for the writers as a back channel too
– Instant Messaging sessions are needed for the writers as a back channel – discuss issues, pace of the exercise, Q/A; save the chat sessions to review later for feedback on the event flow
– Data files, videos, etc.
  can be used for details and forensics
– Email distribution lists are necessary for keeping track of the attendees, and one is needed for the control group to discuss issues as an alternate back channel
– Determine the participant list

Exercise Logistics Planning (2)

Email invitees to hold the calendar date in advance; ensure that the critical attendees can make that date
Location logistics need to be done in advance:
  • Number of rooms
  • Intranet connections
  • Power for laptops
  • Phone lines
  • Speaker phone in each room
  • Projector to display the injects/scenarios
  • Lunch/snacks, water, restrooms nearby
  • Hotels nearby
  • Travel information
  • Management expense approvals to do this face-to-face
  • Unique internal email distribution lists and phone bridges

Documents to Write

Design and write the following documents per NIST SP800-84:
– Facilitator Guide
  • The purpose for conducting the exercise
  • The exercise's scope and objectives
  • The exercise's scenario, which is a sequential, narrative account of a hypothetical incident that provides the catalyst for the exercise and is intended to introduce situations that will inspire responses and thus allow demonstration of the exercise objectives
  • A list of questions regarding the scenario that address the exercise objectives
– Participant Guide
  • The participant guide includes the same information as the facilitator guide without the list of questions.
– After Action Report
  • Built from the findings and gaps and survey results

Exercise Planning

My list:
– Run the exercise by your manager to make sure it hits the mark and is not too severe.
  You will not be aware of all the politics, so you need a sounding board
– Post-exercise survey – make it short and ask for any final comments and suggestions along with any findings or gaps (a 40% return rate is good)
– Prepare an executive presentation on the top findings and gaps
– Document next steps and work towards their closure with the responsible business where the findings and gaps reside.

Things To Do and Remember

Drill yearly on something
– People and roles change a lot – continue to build contacts
– The latest threats need to be analyzed for business impact – example: malware
– If you don't have a lot of time, do small tabletops
A dress rehearsal is necessary for the writers, scribes and attendee coordinators
– Turn on IM, email and bridges and test one inject all the way through so that everyone knows what they will be doing
Politics can determine if people will speak up or stay quiet
– Some groups are coached to not expose bad news so that the group does not look bad
– The key to unlocking this is a good writing team that knows where the ghosts are and spins this into the injects and questions to answer

Things To Do and Remember (2)

Keep the exercise content secret to be effective, but let everyone know that there will be an exercise during the specific date/time
Make data files for the full/regular exercise to dig into the details more and engage the technical staff
Stay current on hacking trends and exploits and weave these into the exercise
– Botnets, DDoS, APT, destructive malware, phishing, application vulnerabilities, encryption exploits, social engineering, Web servers, data breaches in the news, etc.
Also mention that this is an exercise, verbally and on each email sent out
Have fun so they will play again

Other Options to Consider

Weave in competitions to capture high-value assets in your company as an option
Recall low-tech items like the card in the wallet and car glove box for key numbers, emails and bridges
Use moderated bridges so unannounced attendees are kicked off and tracked
If you are in person, use the close proximity to your advantage
– Stop in as the Press and ask questions
– Declare that email and phones are out and force them to walk to the other conference rooms to work together

Ideas To Run Tabletops On

Privacy breach in the US and internationally
Large malware infection
APT with loss of intellectual property
Denial of Service outage
Natural weather-related disaster
Man-made disaster
Use of backup and alternate work sites
Loss of power for an extended time-frame
Loss of critical internal infrastructure
Workplace violence
BYOD data privacy incident
Loss of cloud services
Supply chain disruptions and inability to meet customer demand
Blended exercise with physical and man-made incidents

Tabletop Roles to Assign for Each Group

Exercise Coordinator – the leader of the exercise; they help where necessary, communicate on the timing of the next injects and resolve any issues that come up; they can act as the Press for questions too
Moderator – part of the writing team; they read the injects and run the Q/A
Scribe/Proctor – part of the writing team; they take notes and help as new participants are brought to the remote bridges
Attendee Coordinator – part of the writing team; they record the new attendee's name and email so they can receive the future exercise injects
Spokesperson – a volunteer from the participants to present on the findings and gaps from their group

Note: You need 3 staff from the writing team for each group that you have in the exercise.
Dress Rehearsal Checklist

Go through the tools
– Facilitator Guide and scripts
– Data files
– Spreadsheet of attendees
Go through the process for the exercise
– Open bridges early
– The leader sets up IM chat for the writers
– Someone needs to test the email distribution lists (pre-populate the internal exercise lists)
– Join the call 10 minutes early on the main bridge
– The leader does the introduction
– Start the exercise with everyone on the full bridge
– The main distribution list can be used to send the final questions to everyone
– Closing by the leader
– Thank everyone

Dress Rehearsal Checklist (2)

Opening remarks:
– Roll call
– This is only an exercise! A cyber drill.
– Discuss how the bridges will be used.
– You may invite in others as needed to the exercise.
– Participants are free to make decisions as they see fit.
– As the scenario is played out, participants will be prompted with questions to help guide where the events go.
– There are no right or wrong answers or decisions.
– While we encourage participants to think through decisions to best remediate problems, this exercise allows for "off the wall" responses or directions to discover how they will impact the Enterprise.
– Emails will be sent to you to read and we will discuss the questions for each inject on your team.
– We will wrap up the exercise and leave time at the end for closing questions and comments, so stay around for the entire time.
– Any questions before we begin?
The leader sends out the first inject to the email distribution list

Dress Rehearsal Checklist (3)

Closing remarks:
– The leader will provide a survey at a later date and you can add in more information at that time if we don't have time for all of your feedback now…or if you think of something later on
– Review the objectives for the exercise
– Wrap-up questions and lessons learned documented by all on the bridge.
  • We are trying to summarize the key things learned from this experience, highlighting what worked and any gaps or things missing.
  • We plan to roll all this up for a future security executive meeting, so please be frank and open about the experience and the findings.
– The leader reads the questions and we all listen and take notes
– Wrap up and thank everyone for their participation, and the writers/planners
– The leader will send out a survey to the participants to collect their feedback on the exercise.

Sample Layout for Your Conference Rooms

Sample Amenities For Your Conference Rooms

Room    Start     End       Capacity   Amenities
C4001   7:00 AM   7:00 PM   10         Analog Line, Speakerphone
C4002   7:00 AM   7:00 PM   18         Analog Line, Speakerphone, TV, VCR, Overhead Projector, Whiteboard
C4003   7:00 AM   6:00 PM   10         Analog Line, Speakerphone, Whiteboard
B4002   7:00 AM   7:00 PM   16         Analog Line, Speakerphone, TV, VCR, Overhead Projector, Whiteboard
B4007   7:00 AM   7:00 PM   20         Analog Line, Speakerphone, Overhead Projector, VGA, Whiteboard
B4008   7:00 AM   7:00 PM   10         Analog Line, Speakerphone, Whiteboard

Sample Attendee List

Participant Name   Email Address             Office Phone   Cell Phone     Org. Leadership   Biz Unit           Attended
David Dumas        david.dumas@verizon.com   781-xxx-xxxx   781-xxx-xxxx   John Doe          Network Security   Yes

Sample Participant Overview and Introduction

Divide participants among the tables representing each of the groups
The Moderator will introduce themselves
Go around the tables and have participants introduce themselves
Select an in-person Spokesperson for the summary/conclusions at the end of the day
Participants will read the company and situation background.
Moderators will discuss how the events of the scenario will unfold and how questions will be presented to help guide the story
The leader will send out a series of "events" via email at predetermined intervals for the participants to respond to.
The emails will contain questions for the participants to answer within a specific amount of time.

Sample Inject/Scenario

This is only an exercise - Inject 8 (7 minutes to read and discuss)
Date: December 24, 4 PM
The US Government is calling to see what is going on and how they can help. Major customers are calling for information and the help desks are overloaded. DHS, FBI, NSA and CIA are all calling your company contacts to ask what is going on and how they can help.
Questions:
– What can we share with DHS, FBI, NSA, and CIA?
– Can we talk with all Gov't branches, or should communication be limited?
– Should we have a spokesperson for government communications?
This is only an exercise

Sample Build of the Injects/Scenarios Timeline

Timeline: 13 Event, 2:30 PM
Story (Sent to all):
  Date is now: March 16, 2014
  The security staffs have been working 24X7 for 4 weeks with little rest and no relief in sight.
Media Spin:
Questions (Ask all):
  Date is now: March 16, 2014
  – Where can you find alternative help?
  – How will you deal with limited resources to get this incident under control?
  – Is this OK to outsource for more staff?
  – Who in the company can be cross-trained quickly to help with the incidents?
Moderator Notes: Mandatory
Data files: 13-sq.txt, 13-bg.txt, 13-data.txt

Sample Final Q&A at the End of the Exercise

– What did you learn from this exercise that worked well?
– What did you learn from this exercise that was broken?
– Is there a need to update an incident response plan from this exercise?
– Did you have all the tools, procedures, contacts, etc. necessary to battle these incidents at the office and at home?
– Did you assign an incident commander and find all the necessary personnel?
– What tools and hardware/software are you missing?
– What are you lacking for secure communications?
– What security staff training is missing?
– What type of training is needed for regular employees?
– Any suggestions for your existing processes and procedures?
– Do you have single points of failure?

Sample Post Exercise Survey

1. Was it acceptable to be remote on bridges for the exercise (Y/N)?
2. Was the exercise too short (Y/N)?
3. Did the participants figure out the correct people to call to the bridge to handle the incidents (Y/N)?
4. Do you feel that the exercise met the objectives:
   – Test the impact of a data breach/APT/malware on your infrastructure (Y/N)?
   – To engage the appropriate teams to ensure that the existing processes, procedures and communications mechanisms for defending your internal networks and assets are sufficient (Y/N)?
   – To ensure strong and successful internal coordination (Y/N)?
5. Do you have any suggestions for improving the exercise that you participated in (Please list)?
6. What do you feel were the major findings and gaps uncovered from the exercise (Please list)?
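The inject delivery process from the Sample Participant Overview and Sample Build of the Injects slides (timed emails to the distribution list, each bracketed by the "This is only an exercise" banner, with questions and data files, sized against the guideline table) as an added Python example; this is not part of the presentation, and every inject, file name, time and the staff-meeting sizing check below are constructed assumptions.

```python
"""Inject scheduler for a cyber tabletop exercise (added example, not from the slides).
Renders each timed inject email with the exercise banner, computes send times from the
exercise start, and checks the plan against the sizing table. All sample data is constructed."""
from dataclasses import dataclass, field

BANNER = "This is only an exercise"
# Injects-per-exercise range from the "Pre-Planning and Design" guideline table
GUIDELINES = {"staff meeting": (3, 4), "mini": (6, 8), "full": (9, 14)}

@dataclass
class Inject:
    number: int
    offset_min: int        # minutes after exercise start when the email goes out
    discuss_min: int       # time participants get to read and discuss it
    scenario_date: str     # in-scenario date announced with the event
    story: str
    questions: list
    data_files: list = field(default_factory=list)  # e.g. 13-sq.txt, 13-bg.txt

def send_time(start_hhmm: str, inject: Inject) -> str:
    """Wall-clock send time (HH:MM) for an inject, given the exercise start time."""
    h, m = map(int, start_hhmm.split(":"))
    total = h * 60 + m + inject.offset_min
    return f"{total // 60 % 24:02d}:{total % 60:02d}"

def render_email(inject: Inject) -> str:
    """Email body with the banner at top and bottom, as the slides require."""
    lines = [f"{BANNER} - Inject {inject.number} ({inject.discuss_min} minutes to read and discuss)",
             f"Date is now: {inject.scenario_date}", "", inject.story, "", "Questions:"]
    lines += [f"  {i}. {q}" for i, q in enumerate(inject.questions, 1)]
    if inject.data_files:
        lines += ["", "Data files: " + ", ".join(inject.data_files)]
    return "\n".join(lines + ["", BANNER])

def validate_plan(kind: str, injects: list, length_hours: int) -> list:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, (lo, hi) = [], GUIDELINES[kind]
    if not lo <= len(injects) <= hi:
        problems.append(f"{len(injects)} injects; guideline for {kind} is {lo}-{hi}")
    last_end = max(i.offset_min + i.discuss_min for i in injects)
    if last_end > length_hours * 60:
        problems.append(f"last inject ends at {last_end} min; exercise is {length_hours * 60} min")
    for a, b in zip(injects, injects[1:]):  # discussion windows must not overlap
        if a.offset_min + a.discuss_min > b.offset_min:
            problems.append(f"inject {a.number} discussion overlaps inject {b.number}")
    return problems

# Constructed sample: a 1-hour staff-meeting exercise with three injects
SAMPLE = [
    Inject(1, 0, 7, "March 16, 2014", "Help desk reports a wave of phishing emails.", ["Who is notified first?"]),
    Inject(2, 15, 7, "March 16, 2014", "Security staff have worked 24x7 for 4 weeks with no relief.",
           ["Where can you find alternative help?", "Who can be cross-trained quickly?"], ["2-sq.txt", "2-bg.txt"]),
    Inject(3, 30, 10, "March 17, 2014", "DHS and FBI are calling company contacts.", ["What can we share with them?"]),
]
```

Running validate_plan before the dress rehearsal catches an inject count outside the guideline, an inject that runs past the booked time, and overlapping discussion windows, so the leader's schedule matches what the participants are told in the opening remarks.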