Kevin Owens has more than 25 years of experience in cybersecurity, in both the commercial industry and the government sector (Department of Defense), uniquely qualifying him to examine a network from the adversary's point of view. Kevin has traveled globally responding to security incidents and performing cyber and physical security assessments. These engagements have created more defensible network postures, increasing customers' ability to detect and respond to an attack by closing vulnerabilities and significantly enhancing security. He has coordinated with several government agencies, law enforcement, national intelligence entities, the private sector, and international constituents on cybersecurity issues and events.
Creating and Performing a Cybersecurity Tabletop Exercise
Not a week goes by without hearing about the latest cybersecurity breach. Preparing for a cybersecurity incident at your company is important, and a tabletop exercise is one of the most effective ways to do it. A tabletop exercise provides an opportunity for an organization to test its contingency plans before a real event forces the issue. These plans may address a variety of challenges which face an organization; threats to business continuity may come from weather, terrorism, cyber incidents, insider threats, or natural disasters. There are multiple levels of contingency plans, including incident response plans, emergency evacuation plans, and business continuity plans. There are several phases to a successful tabletop exercise, and this paper will focus on developing and implementing a cybersecurity exercise, phase by phase.
Step 0: Understand why to perform a cyber exercise
Performing an exercise that simulates the duties, tasks, and operations carried out during a real incident will benefit your company in the following ways:
- Develop the roles and responsibilities for when an incident does occur
- Evaluate communication throughout your company
- Assess the current policies and procedures
- Develop an impact plan and identify your "Plan B"
- Evaluate the potential for cybersecurity insurance needs
- Map out the big decisions before something happens
- Educate senior leadership about potential threats and engage them in their role during a cyber exercise
- Truly understand how prepared you are for a cybersecurity incident
Step 1: Determine the type of exercise to be performed
First, determine the function or capability to be tested, such as a Disaster Recovery plan. Then determine the type of incident or scenario in which that function or capability will be tested, for example a successful ransomware attack. The scenario should exercise the specific plan you chose; a ransomware scenario is a poor test of an evacuation plan, but a good test of backup and recovery procedures.
Step 2: How to build the Exercise Design Team
How to select team members from across the organization for the Cyber Incident Response Plan exercise.
Step 3: Create the Exercise Plan
The plan will include the following information for the exercise: Type; Scope; Goal(s); Objectives; Agenda; Participant instructions; Communications; Evaluations; and Assumptions.
Step 4: What drives the story? The narrative
How to weave the business and technology narratives together into a single story that the participants can truly experience, so that technical staff and business leaders are responding to the same incident rather than two unrelated ones.
Step 5: How to develop the Exercise Injects
Exercise injects are the pieces of new information that move the story forward. Understand how to build them and identify the different methods of inject delivery.
Step 6: One more look at Injects
Go through the injects again to ensure they are "water-tight" and that participants will interpret them as intended during the exercise. An ambiguous inject derails the discussion into arguing about what the inject means rather than how to respond to it.
Step 7: Leading up to the Big Exercise Day
Step 8: Exercise Day
Step 9: Writing the After-Action Report (AAR)
The AAR is the formal report of the findings and lessons learned from the exercise, including what worked, what did not, and the gaps in plans, procedures, and communication that the exercise exposed.
Step 10: Exercise Follow-Up and Process Improvements
Present the AAR and gain consensus on the Plan of Action and Milestones (POAM). Follow up on the milestones and track progress towards improvement of the systems and processes.