When Tabletop Exercises Become Real-World Events

Newspaper With Cyber Attack Headline

It happened again a couple months ago; an eerie sense of déjà vu as I read reports about suspected malware-enabled ATM jackpotting in Latin America. I had seen this attack before — not in the headlines, but in a tabletop exercise that CrowdStrike® Services had developed and delivered for another bank months earlier.

I got that same feeling last year reading about the Banco de Chile attack. In that case, it was not just the targeting of the SWIFT network that seemed familiar —that had happened plenty of times before. There were other details, like the use of destructive malware to create a diversion for the security team and even the specific threat actor (if public attribution is to be believed).

In all, this feeling of having already experienced a new type of attack scenario has happened about a half-dozen times. I see reports of a new or novel breach and immediately recognize it as something almost identical to an incident I or my colleagues previously simulated in an exercise.

Scenarios That Became Breaches — Coincidence?

We’re hardly clairvoyant; nor are we like the characters in Sphere whose imaginings of destruction are manifest by some supernatural force. (At least I hope not.) This is really just a matter of coincidence. But unlike a stopped clock that is right twice a day, these coincidences are more than dumb luck. They are the result of a deliberate effort to make our tabletop exercises as realistic as possible.

Of course, it all depends on what our clients are looking for. We are frequently asked to recreate breaches that have already made headlines: NotPetya and the Sony breach are common requests, though some clients focus on more industry-specific episodes.

Others ask us to be more creative; to develop a plausible future scenario that will force their responders to confront something unknown. To do this, we have to think both like an attacker and a defender. What assets does the target organization have that an attacker would value? How would different attackers go after those assets? How would the organization’s defenses hold up against different methods of attack? Where are the opportunities for detection and containment?

Developing Realistic Exercises Is Key

CrowdStrike has some unique resources to help us answer these questions. CrowdStrike Falcon™ Intelligence provides a rich resource to understand threat actors’ motives and methods, allowing us to emulate their targeting behavior, as well as the tactics, techniques and procedures of an organization’s likeliest adversaries. If an organization has particularly robust defenses, our Red Team can help identify the weakest points. Our experience responding to so many breaches gives us a nuanced understanding of how responders are likely to act – and, when relevant, how advanced adversaries will adjust their approach when they know they’ve been spotted.

We also spend time getting to know our clients’ environments. Having a detailed understanding of a likely attack scenario is one thing, gaming out how that scenario would unfold in a specific environment is another. Our goal is to hear someone in every exercise utter the same five words: “This could absolutely happen here.”

Be Prepared for Life Imitating Art

Sometimes we get really close. A couple weeks after simulating an extortion attempt against a bank whose customer data was stolen after their data-handling vendor was compromised, we read about a similar attack affecting a pair of Canadian banks. On another occasion, the night before we were set to simulate the outbreak of a WannaCry variant in a manufacturing company’s shop floor due to an unscrupulous third-party, they called to report just such an outbreak.

Thankfully, the vast majority of the exercise scenarios we have dreamed up – including all of the most sinister ones – have not materialized in this way. But those few occasions, where reality has mimicked make-believe, validate our approach and reinforce our belief that there is value in training not just for the last fight, but for the next one.

Additional Resources

CrowdStrike Falcon Free Trial

Try CrowdStrike Free for 15 Days Get Started with A Free Trial