Event Recording

Exercising Your Cyber Crisis Plans

Name: Exercising Your Cyber Crisis Plans
Uploaded: 2022-11-10T12:00:00+01:00
Duration: 17 min 51 s
Description: This video has no description

Posted on Nov 10, 2022

Speaker

Lester Chng

Senior Advisor, Financial Crimes Unit Exercises
Bank of Montreal

Show Transcript

Thank you so much. Good afternoon everyone in Berlin. I'm calling in from Toronto, Canada. It's 6:00 PM outside and I'm glad to be able to talk about exercising your cyber crisis plants. So with German Precision, I will start right on time. So this is a little bit about me and why am I in this position talking about exercising and crisis. So my background is I, in my former life I was a nav officer in the Singapore Navy and that's where I specialize in training simulations. And I ran the neighbor simulation center for the Navy.

That's where we conducted exercises on a daily basis to train our offices and crew in warfare and decision making, communication and teamwork. And I have currently transited out of the military into the financial sector and I've also moved countries. So currently I'm based in Toronto, Canada, where I work for Bank of Montreal running and exercise program to tackle the difficult questions in various scenarios.

So for example, some of the exercises that we have run here is ransomware exercises, DDoS exercises, and we have also conducted multiple in-house purple team exercises to really test the full response of the entire bank in dealing with a cyber crisis. So that's a bit about me and I'm here to tell you more about exercising your crisis plan. So this is what I propose. I propose that exercises are the only way that your team can demonstrate that you are ready to handle a crisis. We all have cybersecurity programs that we are building out.

Millions are spent yearly, but exercises are the only way to show it. Let me explain why. So like I mentioned, there are so many ways that for you to track the progress of your program. So there are maturity skills. You can also get a third party consultant to come and measure you against your peers, measure you against the industry on how well you're doing in terms of implementing controls and implementing all the tools that you purchase. And that's everyone's favorite KPIs.

I mean, you can track your KPIs monthly, quarterly, yearly, but all of these measures will not tell you whether your team is ready to handle a crisis. So I'll go on and explain about the different types of exercises that you can start thinking about including in your overall cyber security program and really demonstrate that your team with all the new tools that have purchased with all the controls that they have in place, would then ultimately be ready to handle a crisis. Because we all know it. It's not if you get hit nowadays, it's when you get hit. How do you recover, how do you respond?

And then how do you quickly get back to business as usual? So the first type of exercise is drills. So like the well oil Mercedes, F1 pit crew, we see here drills are the best way to train a set of fixed or well-documented procedures to help your team be efficient, help your team work together, build up teamwork and synergies. So this normally take place a shorter duration, 30 minutes to an hour.

And some examples I have here for a, a cyber perspective, you can exercise or you can drill on writing up situation reports if something were to happen, you can exercise your different teams within your security operations center who is handling the the cases, how is it being escalated? If I were to call in another technology team to support, how is that done? Do they have all the contact lists in in in place? Do they know where to go to find certain artifacts?

So those types of training objectives, using a drill would enable your team to, to eventually be a well oil machine so that in times of crisis you want your teams to do this sort of administrative task as the second nature and not to spend the time and effort there. You want them to elevate their safe reserve, their mentor capacity for higher cognitive tasks such as analysis, looking at the the track starting the the IOCs rather than finding out which contact list to send. Who am I supposed to contact if this were to happen?

So drills are a good type of exercise to really make your team a well oiled machine. The next type of exercises, I I believe we are all fairly familiar. Most of us should be cyber security professionals. We should have been involved in a tabletop exercise, a TTX at one point or another. So TTX is a longer form exercise, usually one to four hours. I wouldn't recommend anything more than that because it's hard to maintain some, a team's attention for more than four hours sitting around a table discussing a scenario.

So tabletop exercises are an efficient way to bring across a scenario, a cyber scenario, and use it to socialize a potential threat, a ttp, and even socialize what the responses would be to your internal teams. So it is a good tool especially to engage your stakeholders from your security operations team to your rest of your corporate support areas such as your legal teams, your media relations teams, technology teams. So the exercise are a great way to let them know what type of support you may need in terms of a crisis.

And that's where they would, they have, they would have the opportunity to surface potentially some risk, some dependencies, how much time they would need to. For example, if your security teams are advising to segregate a network to shut down, bring down an application, the technology teams would then be able to advise that it may take a certain amount of time, it may take a certain yeah amount of scripting to be written before we shut that down. There's no one kill switch for an application.

I think tabletop exercises are also a very efficient use of time, especially with the C-suite group. The decision makers utilizing tabletop exercises would allow you the security team to bring forth difficult questions to the decision makers in times of peace, in times of without the stress and pressure of a real incident where they are forced to answer difficult questions such as, do we wanna pay the ransom? Are we even allowed to pay the ransom? Do we have a a, a storage of Bitcoin?

Maybe maybe we can afford it now given the crash the last few days, but do we have a really pool of bitcoin, our wallet really to make that transaction? So those are difficult questions that you would want to run your decision making group team through in a, in a tabletop exercise rather than the first time they're hearing it is during a real crisis. So tabletop exercise are an excellent way to bring about new topics, bring about latest threat, and give people teams involved time and space to discuss some of the difficult questions that your teams will have to answer during a crisis.

So the type of exercises, this are what we term as functional exercises. So this are the type of exercise where it's a bit more hands on keyboard and the duration wise may take from spend days to months, including preparation. It may take up to six months just to execute a functional exercise. So there are few types of functional exercises. One is the cyber range where you go, you bring your team offsite normally to a party, they have a isolated range and you can exercise your, your response there. The other type is a full skill adversion.

So that's where your internal rate team or you have an external consultant, they would emulate the TTPs of a known track actor and they would attack your production systems. So this is the the highest learning value that your team can bring, whether it's the, the learning value of your brand, nine incident response teams.

And if you do escalate it to your decision makers, you can really, it's, it's the best way without being attack and handling a real incident or crisis to show that your team is ready from a detection point of view, from a mitigation point of view, and even internal communications with your stakeholders, how your company would handle an incident. So we all know that cyber incidents do not just affect the cyber team, do not just affect the technology teams. How does it disrupt business? Who is making decisions on certain cause to bring down services, bring down applications?

It is not a cyber security teams decision and therefore running a full skill adversary, simulation, emulation exercise would really allow your teams to go through the rigor of a simulated attack. It will be drawn out for days. There will be need for external parties to come in to support as will be in a real incident.

So this really brings together how your team will respond and it builds up that confidence not only internally to your team, but also your, your csu your bot that okay, all the money spent, all the people that we have hired are really here and they're ready to handle touch with if our company gets a tech. So those are the three types of exercises that you may wanna consider running for your organization. So when should I run some, when should I run this exercises? So here I propose four, four times that you may want consider doing it.

The first one is when you have a significant change in members of makeup of your team. We all know that the turnover rate is very high in this very hot industry. So if that's you feel that there's a, your, your leadership teams have changed slightly or even your CSO has changed, I think that's a good time to run an exercise. It allows you as a leader or you as a a member of the team to understand who and how the team works. And as a leader it's also opportunity for you to clarify your expectations of how and what you want your teams to, to focus on, to prioritize in a real incident.

So it's a good time to get everyone up to speed and it gives you the platform to set your directions the next time is when you implement new tools. We all know there's a lot of tools being onboarded.

Yes, there's user acceptance for bringing tools on board to production, but that's not what I'm talking about. I'm talking about when your team has used it, this fine tuning phase has gone over and you wanna demonstrate the capability of your team to utilize the tools. That's where you can run and exercise to demonstrate that little one a change in tr level. So the military does a change in tread level. They're well, or if tread level changes, there's a whole suite of DEFCON changes, mobilization that you would have to do.

So in a corporate world when the TR level changes, run an exercise, get everyone up to speed on what's the latest potential attack vector, what's the latest TTPs have been employed by this particular threat actor in, in this level. And that's where people can quickly refresh themselves off the knowledge and as well as increase their sort of readiness to respond. And the last one here, unfortunately if you have been hit by incident, there will be a post incident, Martin post mortem. There will be lessons learned that you have to implement sometime down the road.

Run that exercise again and make sure that the lessons are indeed well learned. So this are four times to run an exercise. Okay? So this is an entire list of the value that exercises can bring to your team. So I will not go through the entire list and hopefully by now I've convinced you that exercises are really the only way to demonstrate that your team is ready to handle an incident. If it blows up to a crisis, your teams are well, well drilled. Everyone knows their roles and responsibilities and that's where exercises really help to make your team work together.

And I've come to my second last slide and I hope I've convinced you that exercise are the only way to demonstrate that your team is ready to handle a crisis. So thank you for attending. I hope you enjoy the rest of your session in Berlin or your joining on live. I I'm very active on LinkedIn, so feel free to connect with me there. If you other questions about exercises, I'll, I'll be happy to answer them. Connect with me on LinkedIn, Lester tune.

If not, I will open it up for, for questions please. Thank you. Thanks very much Lester. Do we have any questions in the room?

No, well just gimme a shout if you do. Just having a look online. Yeah.

Lester, how can cybersecurity leaders get buy-in from the management and the staff to support regular cybersecurity crisis exercises? Yeah, so I think it is a, it's a very good point. You probably need a lot of executive buy-in to execute it. But let me, let me tell you a story about how important it is. So like in the start of the year, two weeks before the current Russia, Ukraine conflict internally, we ran a destructive malware tabletop exercise with the highest decision makers in the bank.

We highlighted the potential risks, we highlighted what the environment and we also put forth if it were to escalate what type of enhanced controls that we are going to recommend to implement. Lo and behold, one week later, we, we all know what happened. It is still ongoing. We quickly managed to push through the approvals for those enhanced controls and thereafter nobody questioned why we needed to run exercises. Cause we have demonstrated that through our trade intelligence, we're able to understand what the trend is.

We're able to look forward and say, okay, if is what to happen, what we are we gonna put forth? And when it did happen, the, the approvers were almost seamless. We all know how difficult it is to push through new controls, especially ones that make people's lives a bit more inconvenient. So run that exercise, convince them that okay, the track is real, all that money spent is not for nothing and demonstrate that through a rail run exercise. And you would have that hopefully not such, not some, so much difficulty in conducting a regular cadence of exercises thereafter.

Okay, great. Thanks. That brings us nicely to time. Please show your appreciation for Lester. Thank you so much. Enjoy the rest of your summit.