As Guillaume Poupard reminds us in the introduction to the ANSSI (French Cybersecurity Agency) guide to organizing cyber crisis management exercises, summarized in this article: “An attack that is stopped by good preparation makes no noise!”
Although an attack is bound to cause upheaval and stress, preparing for it is the best way to contain its effects.
Let’s take a look at how to set up cyber crisis management exercises, so that an IT security incident makes as little noise and leaves as few traces as possible. But first, what is a cybersecurity crisis?
Cybersecurity crisis: definition
A cyber-attack is an attack on IT equipment that can lead to a crisis. All organizations are concerned, whatever their size or sector of activity.
Source: ANSSI – “Organize a cyber crisis management exercise” guide
Furthermore, a crisis is “a rare event with a strong impact”:
- It can affect an organization via multiple channels and spread within the information system and beyond.
- While the impact is certain (finances, reputation, organization…), it can be difficult to estimate precisely.
- The attack may evolve, insofar as the attacker may react to the protection and remediation actions implemented by the organization, and it may be repeated over time.
Given that a cyber crisis requires advanced technical skills and exceptional organization, it is essential to ensure that all parties involved are prepared to act effectively: technical teams (CIO, CISO, etc.), as well as business teams (Legal, Communications, HR, Finance, etc.). This is one of the few types of crises that can involve all of a company’s teams in terms of impact and resolution.
Time management is also particular in a cybersecurity crisis: investigation time can be much longer than decision-making and resolution time. In fact, the decision-making unit must wait for the results of the operational unit, which implies a particularly high level of coordination between all stakeholders.
Crisis exercises at the heart of awareness-raising initiatives
To raise awareness about cybersecurity issues, reinforce knowledge and, above all, build resilience in the face of a crisis, there’s nothing like a simulation!
This initiative is central to any awareness-raising approach and helps to put stakeholders in the right situation.
“My advice […]: prioritize cybersecurity awareness at all levels of the organization: invest in effective solutions, raise staff awareness of the latest threats, and encourage a security culture where everyone feels responsible for protecting the organization’s data. This approach, involving both technical and human resources, significantly increases the company’s level of security.”
Sofiane Benou, CRO – Scalair
“Incidents and crises are effectively managed by well-trained teams who know the plans, but rarely consult them when such situations arise.
It’s unreasonable to think that team expertise alone will be enough to cope with all contingencies.
Nor is it reasonable to believe that drafting strategies and plans without training those who are supposed to apply them will be enough to apprehend all dreaded situations.
Resilience and crisis management are two themes that have strong similarities and share the characteristic of needing to be thought through upstream, integrated into teams as they go along, and above all tested.”
Rémy Dutartre, Head of Resilience and Crisis Management Consulting – Thales Cyber Solutions
Let’s get down to the details of preparing for a cyber crisis.
The benefits of cyber crisis management exercises
First and foremost, there are a number of essential principles to bear in mind when setting up crisis simulation exercises:
- The scenario must be plausible;
- The exercise must in no way impact the normal activity of the organization or its information system (with the possibility of deploying a dedicated test environment, also known as a “range”, for more experienced organizations);
- The aim is not to surprise, trick or deceive participants, but to win their support by demonstrating the benefits of the exercise itself, and of the planned crisis management system.
In addition to improving teams’ preparedness to deal with a crisis, an exercise also helps to reinforce knowledge of IT security and maintain teams’ commitment and vigilance.
It also helps to meet the legal requirements in force for certain business sectors, such as Basel 3 for finance, Solvency 2 for finance and insurance, or NIS2… In some cases, the exercise must be accompanied by legal declarations in accordance with the applicable legislation.
Planning a cybersecurity crisis management exercise
A crisis simulation exercise must be governed by a set of specifications.
These define the objectives of the exercise, the events and incidents to be tested, the participants, the scenario and the success indicators.
These specifications can be drawn up by a dedicated in-house project group, or possibly with the support of an external service provider (consultancy company).
The role of this project group is to frame the exercise, prepare the attack scenario, plan the format (tabletop exercise, simulation, etc.), lead the exercise, and prepare the feedback document.
It is made up of a person in charge of the exercise as a whole, and people in charge of planning and facilitating it.
Exercise participants can be divided into three groups: players, facilitators and observers (if an external service provider is involved, the latter two roles are performed by them).
Exercise objectives can be defined according to the threats facing the organization:
- site defacement,
- DDoS attack,
- data theft,
- ransomware…
or needs identified internally, in liaison with the various stakeholders (technical experts, communication specialists, management team, etc.) to strengthen their involvement:
- train members of the organization,
- test specific devices (technical solutions, communication devices…)…
Finally, planning must also include the logistical aspects of the test:
- location,
- duration,
- materials required,
- organization of preparatory meetings,
- organization of feedback sessions and debriefing meetings…
The exercise specifications include all information relating to the organization of the exercise: who will take part and in what role, under what conditions, the scenario, the timetable (pace and intensity of the exercise, which can be defined with the help of special software), the documentation given to participants beforehand (scenario, models of documents used during the exercise, etc.)…
A crisis management exercise needs to be prepared not only in terms of technical aspects, but also in terms of communication, in the case of crises which may have a media impact.
Feedback from a cyber crisis exercise
A crisis management exercise allows you to test your own technical solutions, organization and communication system, and to learn from them.
It helps to identify strengths and areas for improvement, so as to be ready at a moment’s notice. To do this, here are three important steps to follow at the end of an exercise.
On-the-spot feedback
Participants are still immersed in the exercise, and this is the time to gather feedback and vent any frustrations about what was tested, and about the exercise itself.
Positive feedback is just as important as points for improvement.
This on-the-spot feedback session can take the form of a round-table discussion during which participants review the organization of the exercise, the scenario, the quality of the exchanges… Note that it is preferable to let the players speak first, to avoid the influence of observers.
Several feedback sessions can be held in parallel if several crisis units were set up for the exercise.
After-the-fact feedback
It provides a further opportunity to consolidate reflection on the results of the crisis management exercise, with greater hindsight.
It can take place from a few days to a few weeks after the exercise, in addition to the on-the-spot feedback, possibly with the support of a survey.
It should bring together all participants and take around 1 hour, to address new points or revisit the on-the-spot evaluation, and it can be supplemented by individual discussions.
Written report and feedback
Finally, a written report and a feedback session enable us to capitalize on the lessons learned during the exercise. The report brings together all the written elements produced during the exercise, as well as the notes and minutes of the various feedback sessions.
It ensures that all stakeholders have the same level of information and understanding, and they can define a common action plan to optimize the crisis management system.
Good practice: complexity can increase from year to year, from single-cell to multi-cell, and progressively multi-site…
In a forthcoming article, we’ll be taking a closer look at the pitfalls and biases to be avoided to ensure an exercise under the best possible conditions. Stay tuned!