Ransomware, espionage, data theft… Threats and attack scenarios are manifold, as are attackers’ tactics and techniques (the MITRE ATT&CK framework, for example, can be used to map them).
To contain the impact of a security incident and foster resilience, the entire organization must be ready to react in the event of a crisis, from technical teams to external communications teams.
In a previous article, we looked at how to set up a crisis management exercise, and how to organize decision-making and operational crisis units.
Let’s now take a look at the main pitfalls identified by the ANSSI (French Cybersecurity Agency) to ensure that the exercise is as effective as possible.
The responsibilities of participants in a crisis management exercise
A project group is generally made up of:
- a project leader, either the cyber decision-maker or the security manager, who may also direct the exercise itself;
- people in charge of planning, who may also be part of the facilitation team;
- players;
- observers.
The person(s) in charge of the exercise, as well as the observers, can identify problematic situations, and the exercise leader can intervene to redirect the course of the exercise, based on the solutions proposed by ANSSI.
Crisis management exercises: main pitfalls
Cyber issues are not well understood or explained
The decision-making crisis team is generally made up of members whose day-to-day work does not involve cybersecurity. If the organization has not set up any awareness-raising or popularization sessions around cybersecurity, this lack of culture and common language can generate misunderstandings.
What can be done in this case?
- The facilitation team can organize ad hoc exchanges to reinforce the dialogue.
Decisions taken by the crisis unit do not correspond to exercise objectives
A crisis situation is exceptional, and can lead to exceptional or even drastic decisions.
But, for example, if the objective of the exercise is to maintain the IT infrastructure in operational condition in the event of an attack, and the decision-making team decides to interrupt the IT system, the objective has been missed.
What can be done in this case?
- It’s the role of the exercise team to refocus the exercise by reminding participants of the objective. This may take the form of a stimulus within the simulation, or it may be necessary to leave the exercise for a moment to bring the situation back into focus.
Decision-making and operational units don’t understand each other
Just as in the field, theory and practice can diverge. For example, the choices made by the decision-making unit may present obstacles to the operational unit, for technical, planning or resource reasons…
The crisis management exercise is also designed to surface these issues and work through them, rather than running into them unprepared in a real crisis situation.
What can be done in this case?
- The team in charge of facilitation can ask questions that draw attention to the unrealistic nature of certain decisions, or point out what is missing to put them into practice.
The decision-making crisis unit is transformed into an operational crisis unit
A decision-making unit must draw on the technical expertise of the operational unit, but is not intended to replace it.
However, it can happen that the members of the decision-making unit discuss technical subjects when this is not supposed to be their responsibility.
What can be done in this case? Here are a few options for the facilitation team:
- Intervene to raise awareness of the roles of each unit.
- Hold separate discussions with the member of the decision-making unit concerned, to clarify the scope and expertise of each crisis unit.
- Create incentives to encourage the member of the decision-making unit to contact the operational crisis unit.
Technical teams are over-solicited
Conversely to the previous case, where the decision-making unit takes ownership of technical decisions, it can also overload the operational unit with requests, to the detriment of the group’s other components.
In other words, it seeks permanent control over technical issues, at the risk of forgetting the rest of the impacts associated with the crisis: communication, organization of business teams, etc.
What can be done in this case?
- Limit communication channels to the operational unit;
- or designate a person to filter and prioritize requests.
It is also important to remind the decision-making team that investigations take time, and that technical information should be passed on only when it has been validated, and not as it comes in.
In addition to the pitfalls frequently encountered during a crisis management exercise, certain behaviors can be induced by the very specific situation represented by the exercise. These can be either over- or under-reactive.
Crisis management exercises: remedying simulation bias
For a successful exercise, the exercise team must also take into account the reactions and behavioral biases associated with the crisis situation.
These behaviors can be detected by observers, or by the exercise team, who can provide responses to keep the exercise on course.
ANSSI lists a number of possible behaviors at group or individual level, categorizes them, and suggests solutions.
Over-reaction behaviors
- Agitation and signs of stress
Solution: Reassure participants about the objectives of the exercise, in particular that the aim is not to evaluate or punish, but to identify areas for improvement.
- Monopolization of attention or actions
Solution: Involve the person whose scope is being encroached upon, so that they can give their opinion or act directly within the scope for which they are responsible.
- Excessive control or requests
Solution: Do not respond to all requests from the person concerned or postpone responses.
- Authoritarian behavior and decision-making
Solution: Temporarily steer the person concerned towards an action that does not involve exchanges with the other units (public speaking, independent thinking or a production task).
Under-reaction behaviors
- Disinterest or disengagement
Solution: Incentivize the person concerned with a stimulus that makes them return to the action.
- Discouragement or disempowerment
Solution: Invite the person concerned to regain control or make a decision, using the means or tools within their scope (following the unavailability of certain applications, the triggering of a disaster recovery plan (DRP) or business continuity plan (BCP), etc.).
- Lack of dynamism
Solution: Remind participants of the exercise’s crucial timeframe, even if it’s a simulation. Set regular deadlines to punctuate interactions (status updates, reports, etc.).
- Lack of leadership
Solution: Set deadlines requiring decisions to be made and communicated (press briefing, investors, executive committee, etc.).
Cybersecurity crisis exercise: the importance of adapting to the players
As we have seen, despite meticulous preparation, crisis simulation exercises can be punctuated by unforeseen events that require adaptations.
What’s more, although a timetable is drawn up in advance to define the pace and intensity of the simulation stages, it can always be modified during the exercise.
For example, it may be necessary to:
- guide reactions to certain stimuli, in particular, inviting players to perform an action or take a decision at a given moment (disconnect the network, contact the press…);
- draw attention to certain details that players may have missed (implications or side effects of certain actions…);
- or, on the contrary, if certain stages have been completed earlier than planned, anticipate the next stages in order to maintain the pace…
In short, the ability to react and adapt to contingencies during the exercise is an opportunity to prepare for the unforeseen events that will inevitably arise in a real crisis situation.