15 March 2019

Table-Top Attack Simulations: Cyber Resilience's Swiss Army Knife

Michael Coden

Just as military commands play war games, organizations plan their own “fire drills” for cyberattacks. At BCG, we use table-top exercises (TTXs), which simulate cyberattacks for ourselves and our clients.

Cybersecurity can sometimes be abstract and hard to understand. Instead of stakeholders sitting down in a “death by PowerPoint” presentation where an expert explains complex topics to an audience, the audience actively participates in a TTX.

During TTXs, participants in simulated attack scenarios figure out ways they could have prevented an attack from succeeding, ways to mitigate impact and how to continue operations during an attack.

This means everyone -- from stakeholders on the board of directors and members of the C-suite down to incident response teams -- can gain a firsthand understanding of diagnostics, operational planning, strategic planning, awareness and engagement for a wide range of potential situations.

Simulations are critical to improving a team's incident response posture, and these exercises pay dividends in the real world. During a real fire, you don’t want to be trying to find the exits. A real emergency is the wrong time to practice any incident response plan.

Cyber Technology Investments

Properly designed TTXs can point to areas where organizations should prioritize technology investment. In one instance, we created a TTX for a client involving attacks on public cloud servers. The client’s IT organization initially denied that it had any public cloud servers.

However, during the TTX, the company discovered that its marketing organization had many customer-facing public cloud sites, some containing proprietary IP not known or monitored by IT. As a result, our client understood that implementing public cloud access controls and public cloud monitoring tools were urgent management priorities.

Cyber Policy Sufficiency

TTXs also show the comprehensiveness (or lack thereof) of cyber policies. Many organizations extend existing disaster policies to cyberattack issues. However, this can be a problem: TTXs can demonstrate that, unlike natural disasters with local consequences, cyberattacks can have a global impact.

Education, Awareness And Engagement

Participants in a TTX can operate as a single crisis management team or be divided into smaller teams competing to achieve the highest cyber-resiliency scores or to minimize the damages due to the cyberattack. Our internal research shows participants emerge with a much deeper understanding of what is a very complicated topic.

We have successfully used TTXs as educational experiences with groups ranging from the Community of Chairmen at the World Economic Forum to individual technical Incident Response Teams, and every level of management in between.

Making A Complex Topic Understandable

Cybersecurity is a complex field. TTXs help make clear how the manifold issues interplay in real life and how technical, procedural, process, policy and other decisions can have a significant impact on organizational profit and loss. For example, in a TTX it is easier to learn concepts like the liabilities a company incurs if it continues operations in the face of a known breach, or the requirements for notifying stakeholders.

How To Design A TTX

The first step in designing an effective TTX is defining the desired learning objectives. The scenarios can then be created to force the participants to deal with the issues they are supposed to learn about: for example, how to deal with a ransom demand, how to ensure all your cyber assets are known, and how to recover those assets if they are compromised.

The second step requires some in-depth research into your organization's cyber crown jewels, as well as its current cyber resilience and response capabilities. The scenario needs to threaten truly valuable assets (e.g., data, money, intellectual property).

The third step is to present a scenario with artifacts (e.g., multimedia, video, real-time communications, etc.) that are realistic and believable. Only when the participants believe that the scenario is possible will your TTX be effective.

Cyberattacks are an organization-wide concern. Building an effective security strategy with policies that enable an organization to prevent successful attacks -- and minimize the impact of the cyberattacks that will be successful -- might be possible with theory alone. But to quote a popular aphorism: “In theory, theory and practice are the same. In practice, they are not.”

Participation in TTXs gives leaders and others an understanding of their cybersecurity posture, and it helps create a culture of cyber resilience that benefits the entire organization.
