Last updated at Wed, 13 Dec 2017 18:54:55 GMT


In the series of articles titled “Incident Response Life Cycle in NIST and ISO standards” I reviewed incident response life cycle defined and described in NIST Special Publication (SP) 800-61 – Computer Security Incident Handling Guide.

Before I move on to discuss ISO/IEC 27035 standard, I believe it is interesting to discuss shortly how cybersecurity exercises can help prepare to handle incidents.

Cybersecurity is a battlefield. It is not enough to take actions that minimize the probability of an attack and to prepare ourselves – with tools and procedures – to react to one. The incident response team should also devote time to regularly taking part in externally organized incident handling exercises.

I had the pleasure of leading the team that came third in the Cyber Europe 2016 pan-European cybersecurity exercises.

In this two-part article I review the goals, course and benefits of these exercises. I also briefly review the DHS (Department of Homeland Security) Cyber Storm exercises.

Example Cyber Europe 2016 incident scenarios

Here are three example technical incident scenarios used during the Cyber Europe 2016 exercises:

  • A company is hit by an information leakage scandal concerning top clients. Three employees of the company's ISP are suspects. Images of two of their encrypted USB sticks are available for analysis.
  • A Linux server is taken over by the attackers. The machine is then converted into a watering hole. The player must identify the infection vector, clean the server of potential backdoors and locate the malware hosted and used in the watering-hole attacks.
  • An incident response team is notified of suspicious behaviour of Windows machines. A malicious-looking file is detected after preliminary forensic analysis. A large volume of sensitive corporate data is also found – it is encrypted. The players must identify all of the malware's capabilities.

There were also non-technical incidents; here are some examples:

  • Social media accounts of C-level staff get compromised and display false declarations related to ongoing events.
  • False statements are sent to journalists.
  • Violent defacements of the website of the target are picked up in social media and the news.

How did it look from the participating team's point of view?

It was hard 🙂 First of all, the injects (simulated incidents) in the technical part of CE 16 were not the easy ones. But we had a great technical team that was not only a sum of the competences of its members, but was even more thanks to the real-time communication tools we used and good work coordination. The two-day operational part was not a walk in the park either. We needed to act very fast, coordinate our activities on a national level (different incident solution clues were distributed to different entities, so participants did not have all the clues at hand) and also we needed to constantly monitor fake media. But we managed to control our stress and properly organize our activities and we did it – we came third in Europe. I can only say that I’m proud of the team I led.

Why you should participate in cybersecurity exercises

It should already be clear from the technical details above that cybersecurity exercises are worth the time and effort needed to participate.

But let me reiterate the benefits of cybersecurity exercises:

  • the incident response team is activated into “almost-real” action by an external entity;
  • coordination of the incident response team's internal activities can be trained;
  • the individual capabilities of incident response team members can be trained;
  • the incident response team's SOPs (Standard Operating Procedures) can be tested for their effectiveness and speed of execution, and improved if needed;
  • inter-departmental incident response cooperation can be trained;
  • gaps in incident response team capabilities can be identified;
  • the level of legal and regulatory compliance can be tested and improved.

Cybersecurity exercises can also be an excellent opportunity to test security automation software that can be used to automate incident response procedures.

DHS Cyber Storm

DHS (Department of Homeland Security) also organizes cybersecurity exercises. Their purpose is to “assess and strengthen cyber preparedness, examine incident response processes, and enhance information sharing among federal, state, international, and private sector partners”. The latest edition, Cyber Storm V, was run a year ago (in March 2016).

According to the DHS post-exercise report, participation focused on the IT, Communications, Healthcare and Retail critical infrastructure sectors. The participants exercised the response to a significant cyber incident and coordinated that response among federal, state, private sector, and international organizations. Sector coordination bodies, such as Information Sharing and Analysis Centers and Information Sharing and Analysis Organizations, tested their coordination mechanisms.

Exercising information sharing capabilities and compliance was an important part of Cyber Storm V. One of its key findings was that important challenges around information sharing still exist. I recently wrote about information sharing, both in terms of the NIST 800-61 information sharing recommendations and in terms of CISA (Cybersecurity Information Sharing Act) and Automated Cybersecurity Information Sharing with the DHS AIS system.

The exercise scenario was related to DNS and PKI. The affected systems were diverse corporate and government systems, including medical devices and payment systems. Resolution required advanced malware analysis and a coordinated government and private sector response.

Besides the information sharing challenges, other Cyber Storm V findings were:

  • a national-level incident response plan would optimize the response;
  • players displayed awareness of the government bodies' (NCCIC/DHS) role in information sharing and situational awareness;
  • the new sectors that participated in Cyber Storm for the first time observed the value of formalized information sharing, coordination and reporting.

Watch the Cyber Storm web page for the next Cyber Storm editions.

Commercial cybersecurity exercises

There are also commercial cybersecurity exercise services available on the market. They can be customized to the needs of your company. But if you are considering one, carefully examine the quality, costs and benefits of such a service. If possible, take part in a larger, non-profit cybersecurity exercise and treat the commercial one as an additional training resource.

References and further reading

ENISA Cyber Europe 2016 cybersecurity exercises
DHS Cyber Storm cybersecurity exercises
Information Sharing Recommendations of NIST SP 800-61
Automated Cybersecurity Information Sharing with DHS AIS system