Defeating Adversaries Requires a Proactive Cybersecurity Strategy


“Hope is not a strategy.”

While blunt in delivery, the message implied in Vince Lombardi’s famous saying is simple: to win any game or challenge, preparation is necessary. As a former NFL coach and executive, Lombardi understood the need to prepare game-winning strategies. Security professionals must also prepare to stop the next breach and prevent the theft of valuable, sensitive data and digital assets.

Without the proper security plan in place, no organization can successfully identify and keep intruders out of their networks and away from valuable digital assets. A tabletop exercise is an effective and efficient means to test your organization’s resources, tools, and security plan, specifically as they relate to incident response.

A tabletop exercise takes incident response planning out of the abstract and into the real world without the interruption of an actual attack. CrowdStrike Services facilitates tabletop exercises regularly for customers, and in doing so, offers the experience of a targeted attack in a time-compressed fashion.

In a tabletop exercise, CrowdStrike leads individuals from across your organization through a simulated cyber incident, while facilitating conversations about current processes and areas for improvement. This cross-functional exercise allows key individuals and groups outside of IT to better understand the cyber landscape, internal processes, and more importantly, their role during a cyber attack.

The participants interact and respond to events as they unfold in a classroom-like setting. The members of this crisis management group talk through a simulated attack, its possible impact across the organization, and the means for effectively dealing with that impact. Any gaps in people, process, knowledge and technology are also revealed through discussion and noted for later recommendations to fill those gaps.

The benefits of an incident response exercise include:

  • Testing the incident response plan before relying on it
    How do you know if your plan will work? A documented plan that has not been tested may not work properly, however good it looks on paper. Additionally, the pace of the exercise can be controlled, allowing for questions and analysis of the plan’s effectiveness.
  • Identifying process and knowledge gaps
    Testing the plan will help to find areas of improvement that are better identified before a real incident occurs.
  • Determining how well your departments can work together
    Plans can involve multiple areas of an organization, some of which may not typically work together. Testing the plan can help participants better understand their roles and how different areas interrelate during a crisis.

In essence, a tabletop exercise provides a means of identifying gaps proactively rather than during an actual cyber incident. CrowdStrike has deep experience in conducting incident response against targeted threats — this provides us with a real-world perspective that informs any tabletop exercise we develop for our clients. The following examples of tabletop exercises illustrate the value that clients across various industries have realized.



A major U.S. investment bank wanted to test its ability to respond to a sophisticated, targeted attack on its network.

Exercise summary:

Through a simulated attack on the company’s trading infrastructure, CrowdStrike challenged the company’s executive leadership to confront an existential crisis with legal, regulatory, reputational, and technological dimensions. CrowdStrike led the organization through a scenario in which a series of events involving fraudulent transactions occurred without detection, resulting in millions of dollars in losses.

Mimicking the tactics, techniques, and procedures of known threat groups, CrowdStrike challenged the company’s technical responders to identify, assess, and respond to a realistic attack scenario, while also translating the technical implications into actionable information for business leaders.

Actionable outcomes:

The exercise exposed conflicting expectations over key decision-making authorities and gaps in the company’s ability to protect and restore critical systems. Following the exercise, the company revised its incident response plans and scheduled additional exercises to evaluate its progress.



A Global 500 manufacturing company, having expanded its IT security team and overhauled its incident response plans, wanted to test its ability to respond to a realistic attack.

Exercise summary:

CrowdStrike simulated a targeted attack that compromised key executives’ email accounts, resulting in the theft of sensitive business plans that put the company at a disadvantage in M&A negotiations. The simulated attack mirrored the methods of an adversary CrowdStrike had observed targeting other companies in the sector.

Actionable outcomes:

After the exercise concluded, one participant confided that the scenario was eerily similar to an episode the company had experienced several years earlier. Participants took away a better understanding of the new incident response plan and their roles in it. They also identified a clear need to include additional stakeholders in the plan, define executive decision-making authority, and deploy additional technical controls.



An exercise at a major U.S. technology company exposed the challenges of responding to a cyber breach when only partial information was available.

Exercise summary:

Simulating real-world attacker methods, CrowdStrike tested the Security Operations Center’s ability to gather more information about an intruder who was skilled at avoiding detection and likely monitoring the company’s internal communications. When the investigation turned up inconclusive evidence suggesting attackers may have taken new product designs, corporate executives faced a set of critical business decisions against a still-uncertain backdrop.

Actionable outcomes:

The exercise highlighted areas where additional technologies could improve visibility, as well as a need to better define the roles and responsibilities of technical and executive personnel. “We failed this test,” one of the participants commented, “but we learned what we need to do to pass the next one.”



A large U.S. retailer wanted to test its capacity to handle multiple incidents at once.

Exercise summary:

CrowdStrike developed a plausible scenario in which the company’s IT staff received and had to prioritize multiple simultaneous security alerts while juggling information requests from business leaders.

When a system outage proved to be the result of a programming error, investigators pivoted to antivirus detection, discovering payment card theft. This thrust business leaders into a more active role in managing the risk to their business, addressing legal obligations, and responding to news media.

Actionable outcomes:

Most participants were unaccustomed to working with one another, and the simulation forced collaboration in a realistic, high-pressure environment. Based on the exercise, the company revised its incident response strategies and planned additional tabletops at regular intervals to foster continued team building.


By working through scenarios that revealed deficiencies in communication, collaboration and tools, these clients better understood the steps necessary to improve their incident response plans. To prevent intrusions, prepare for them by identifying the actionable gaps that must be closed to augment current security infrastructure and methods. Combining insights produced by these exercises with a true next-generation endpoint protection solution, such as the CrowdStrike Falcon platform, provides your organization with the best defense — one that even Vince Lombardi might be proud of.

To learn how CrowdStrike Services can help you prepare to stop the next breach, download our Tabletop Exercise data sheet.
