CRISIS RESPONSE EXERCISE
Service Description
CAG’s experience conducting incident response against targeted threats gives us a real-world perspective on the process. As part of our crisis response exercise program, we guide your organization – both executive and technical participants – through a crisis scenario based on a pre-determined focus area. This exercise offers the experience of a crisis response in a time-compressed manner, without the risk and time investment of full penetration testing.
Our Methodology
CAG will start with an initial scoping discussion among a small set of informed individuals to focus the exercise and brainstorm potential scenarios. The goals of this meeting are to begin developing candidate scenarios and to identify the individuals who can speak to each topic area, so that the exercise is realistic and accurate. The “informed group” that participates in these discussions should be limited in size, and its members should play a very small role in the tabletop discussion, if any, because advance knowledge of the scenario would undermine the exercise for the other participants.
Following the initial scenario brainstorming session, we will select the scenario to develop and coordinate with your assigned project lead to arrange interviews with the employees who can speak to the technical controls relevant to that scenario. As these discussions take place, CAG may suggest moving to an alternate scenario based on the information gathered and the feasibility of the original. Otherwise, CAG will gather the data points needed to build a scenario that accurately reflects your environment and its associated controls. We will also review any relevant documentation on the scenario topic to better craft the slides.
The individuals providing information on vulnerabilities, controls, and other data points for the scenario should also have a limited participation role in the tabletop exercise, as they are considered “informed.” We will travel to your site to perform these interviews. Two of our consultants will meet with each group or person for about 45 to 60 minutes. We will seek to understand how your people and tools contribute to your current incident detection and response capabilities, what those technical capabilities are, how they complement or conflict with others in your organization, and other human and technical factors.
Following the on-site and remote (as necessary) scenario development, CAG will create a slide presentation that outlines the actual scenario to be presented during the tabletop. Those individuals who are “informed” will be asked to help vet the scenario for accuracy and realism, and to suggest improvements. This will be done through a CAG-led walkthrough of the draft scenario. Once all parties agree, or at the point where it is agreed that participants must “suspend reality,” we will finalize the scenario.
Prior to the tabletop, you will identify the appropriate audience. This group should include members of your technical IT staff, as well as operations executives, business leaders, public relations, legal and other support personnel. You will be responsible for inviting these individuals to the session and for tracking attendance as necessary. Prior to the tabletop, you will provide us with a list of participants, including their functional business line, and where they may have input in the discussion.
We will present an incident scenario in tabletop form, and your attendees will discuss how they would detect, respond and react to such an occurrence. We’ll base this scenario on an attacker that our intelligence sources determine would be relevant to your organization. During the tabletop, we will proctor the conversation, but your staff will explore the experience: they will make decisions, discover gaps in their knowledge and processes, and learn more about the attackers your organization faces today.
For example, here are some elements of scenarios we have previously presented to clients:
- Responding to a distributed denial of service (DDoS) attack on public-facing infrastructure
- Conducting incident response operations while an adversary has compromised internal communications
- Responding to a nation-state style targeted attack with the objective of information theft
- Managing reputation-related effects of a security breach
- Assessing whether a critical IT service is still trustworthy
- Interacting with uncooperative external providers, such as bulletproof hosting companies
- Receiving notification of a data breach from a business partner, a third party, or a customer
- Reacting to public disclosure of insider information and managing public relations
- Determining whether a detected attack was externally targeted or a malicious insider
- Interacting with business partners and customers during a security incident
- Understanding notification responsibilities to regulating entities
- Planning for coordinated remediation events
- Notifying other victims of an attack based on an internal incident
- Investigating a crashed, compromised server to determine its role in a larger incident
Our Deliverables
In addition to the usual status updates and meetings, we will deliver the following:
- At the conclusion of the crisis response exercise, we will lead a discussion on key takeaways and action items. This discussion is intended to prompt individuals to point out areas where improvements are necessary. Many of these will have surfaced during the tabletop scenario, but others may be identified during this roundtable discussion.
- CAG will provide these takeaways, along with our own observations, to you for review. At that time, you will confirm the key takeaways (against the notes you have taken) and ensure that an owner has been assigned to each item. This may be the individual who raised the observation or someone else, based on your organizational knowledge.
- We will consider the key takeaways and develop a deliverable that defines common themes.
- We will then take those themes and help you to prioritize which items are most important to ensuring the success of your crisis response exercise program.