The technical teams might immediately rebut the possibility of this scenario because the organization has deployed advanced endpoint threat protection. Even if the facilitator asks participants to imagine the endpoint protection failing, or an asset that never had it installed, the simulation can come across as unrealistic to technical stakeholders, and every subsequent inject is met with an attitude of "that would never happen."
Remedy: To avoid this roadblock, scenarios must be built on the organization's own standards, security controls, and technology. Scenario preparation should start with a session that includes key technical and security stakeholders to identify governance procedures, IR plans, and the existing technology stack, so that the exercise can reproduce realistic environment details.
Customized scenarios might start by exploiting known gaps within the environment or technology stack. Examples include a device or network segment that has been granted a policy exception to standard security controls, or a trusted IT vendor solution that has been compromised (a supply chain attack) and gives an attacker a foothold in the environment. To resonate with technical teams, it is imperative to reinforce that security controls actually can fail, and scenario updates may deliberately escalate toward a worst case. Setting appropriate expectations, establishing the rules of engagement, and customizing the scenario all support a more successful training session.
Pitfall 2: Focusing solely on the technical response
While IT bears much of the responsibility for an organization's ransomware response, it should not be expected to respond to the incident and simultaneously lead operational continuity processes.
Remedy: Organizations should make sure tabletop simulations are conducted across two sessions, with different objectives:
Technical tabletop simulations. Technical tabletop simulations should be performed with a customized threat scenario and established expectations. Participants should be those who support the technology efforts of the organization, typically including IT, information security, the security operations center, and the help desk. The goal of a technical tabletop simulation is to identify the technical response to the incident, evaluate different containment and response strategies, identify technical gaps in the cybersecurity program, and determine which decisions must be escalated to executives.
Executive tabletop simulations. A separate exercise should be held with executive leadership, which plays a key role in the communications and business decisions that must be made during an incident. The same technical threat should be presented, augmented with the lessons learned in the technical session. Executives participate with the goal of identifying the business- and operational-level response while IT identifies, contains, and recovers from a material threat. Key questions that will need to be answered in this session include:
- At what point does the business consider paying the ransom?
- How long can the business continue operating in downtime (manual) mode?
- When should insurance providers be contacted?
- Is there a point at which the organization will turn away customers, patients, or clients?
- What kind of support do third-party organizations provide in this situation?
- How does the organization respond to media requests?
- How will the organization communicate with vendors, partners, customers, and the larger employee base?
- What are the highest priority business processes and applications that must be kept functional or restored first?
Pitfall 3: Not having the right team for the session
One of the most challenging parts of organizing an incident response simulation exercise is deciding whom to invite. Sometimes too many people are invited, and other times the right participants are not lined up.
Remedy: One rule of thumb is to limit the number of participants to 20 or fewer. Exercises with more than 20 attendees tend to end with only a handful of individuals actually participating. Facilitators should ensure that every invited individual has a role to play during the simulation. Moreover, a prebuilt list of thought-provoking questions aligned with each individual's role supports an all-encompassing session.
The following chart is a general guide on who to invite to these exercises. Keep in mind that invitations should be scaled to the size and complexity of the organization.