Scammers Already Taking Advantage of Hurricane Harvey, Registering Domains

The physical damage from Tropical Storm Harvey is expected to spread further in the coming week as the storm continues to move along the Gulf Coast. At least 10 people in Texas have been killed related to the storm, local officials said, and the continuing rainfall could total as much as 50 inches in some areas by the end of the week. On Monday, a day after Louisiana Gov. John Bel Edwards called on the federal government for assistance, President Donald Trump declared a state of emergency in Louisiana. Texas Gov. Greg Abbot described the storm as “one of the largest disasters America has ever faced,” and FEMA administrator Brock Long said the agency is gearing up for the years-long recovery process that will follow.

Naturally, people want to help the victims with that recovery process, and scammers are already capitalizing on that goodwill to defraud individuals and carry out other malicious activity, several agencies have warned.

The Better Business Bureau said it has already seen sketchy crowdfunding efforts and expects the coming months to see the usual flood of “storm chasers” — ranging from legitimate contractors looking for business to scammers attempting to take advantage of those who’ve already been victimized by the storm. In addition, US-CERT is warning users “to remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey.”

SurfWatch Labs also noted in a recent customer alert that it has observed hundreds of new domains being registered containing “harvey,” many of which will likely be used for scams related to the storm.

SurfWatch Labs alert on Hurricane Harvey scams.
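The alert above describes watching newly registered domains for the storm's name. The script below is an added example (not SurfWatch Labs code) of how a defender might triage such a feed: it scores each name on the keyword, on the fund-raising lure words that usually accompany relief scams, and on cheap bulk-registration tells, and it skips domains already on an allowlist. The domain list, the lure-word list, the allowlist and the scoring weights are all constructed assumptions for illustration; it also handles digit-for-letter substitutions (such as "h4rvey"), which goes beyond the plain keyword match the alert mentions.

```python
from dataclasses import dataclass, field
from typing import List

KEYWORD = "harvey"
# Lure words that commonly accompany disaster-relief scams (assumed list, not from the alert)
LURE_TERMS = ("relief", "donate", "donation", "fund", "help", "victim", "aid", "charity")
# Domains the defender already trusts (constructed allowlist)
ALLOWLIST = {"redcross.org", "salvationarmyusa.org"}
# Undo common digit-for-letter substitutions before matching: 0->o 1->l 3->e 4->a 5->s 7->t
LEET = str.maketrans("013457", "oleast")

# Constructed sample of "newly registered" names; not real registrations
SAMPLE_DOMAINS = [
    "harveyreliefdonations.com",
    "h4rvey-victims-fund.net",
    "redcross.org",
    "harveyweinsteinfans.org",
    "news-harvey-updates.com",
    "example.com",
]


@dataclass
class Finding:
    domain: str
    score: int
    reasons: List[str] = field(default_factory=list)


def registrable_part(domain: str) -> str:
    """Return the label left of the suffix (naive: treats the last label as the TLD)."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def score_domain(domain: str) -> Finding:
    """Score one domain; higher means more likely to be a disaster-themed lure."""
    d = domain.lower().strip(".")
    finding = Finding(domain=d, score=0)
    if d in ALLOWLIST:
        finding.reasons.append("allowlisted")
        return finding
    label = registrable_part(d)
    normalized = label.translate(LEET)
    if KEYWORD in normalized:
        finding.score += 2
        finding.reasons.append("keyword" if KEYWORD in label else "keyword (digit substitution)")
    for term in LURE_TERMS:
        if term in normalized:
            finding.score += 1
            finding.reasons.append(f"lure:{term}")
    if "-" in label:  # hyphen-chained phrases are typical of bulk-registered lure names
        finding.score += 1
        finding.reasons.append("hyphenated label")
    return finding


def triage(domains, threshold: int = 3) -> List[Finding]:
    """Return the domains at or above the threshold, most suspicious first."""
    flagged = [f for f in (score_domain(d) for d in domains) if f.score >= threshold]
    return sorted(flagged, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_DOMAINS):
        print(f"{f.score:2d}  {f.domain:32s} {', '.join(f.reasons)}")
```

The threshold is the tuning knob: the keyword alone scores 2 and stays below it, so an unrelated "harvey" name is not flagged, while a hyphenated keyword name does cross it, which is a reminder that this list is a queue for a human to review (and to confirm against the charity registries in the tips further down), not a blocklist.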

Scams following national disasters like Harvey have come to be the norm, as malicious actors will attempt to exploit any event or news story that grabs the collective consciousness of a large group of people. For example, researchers recently discovered that the Chinese group APT 17 was leveraging the popularity of Game of Thrones in spear phishing emails designed to infect their targets with malware by teasing potential victims with the headline, “Wanna see the Game of Thrones in advance?”

Similar attack vectors leveraging users’ natural curiosity tend to follow nearly every major news story; however, with natural disasters people are more willing to hand over their payment information and make a donation, so there is more profit — and more incentive — for fraudsters to capitalize on such events. These attack vectors include:

  • email phishing designed to steal personal and financial information;
  • fake websites and crowdfunding pages impersonating legitimate charities;
  • in-person and phone scammers, such as fake contractors or government officials that offer services or aid with no intention of following through;
  • social media posts designed to entice users to either visit a malicious site, download malware, provide personal information, or perform acts that will earn the fraudster money.

Fake videos like this one observed by Malwarebytes following the disappearance of a Malaysian Airlines flight are often spread via social media and lead to surveys that harvest personal information or earn affiliate cash for the scammers.

With the National Weather Service describing Harvey as “unprecedented” and “beyond anything experienced,” it is likely that relief efforts will continue for years into the future. As SurfWatch Labs noted after Hurricane Matthew, those who wish to help or are seeking aid should be cautious about who they provide information to in order to avoid falling victim to these social engineering scams. Some tips include:

  • Never click on links or open attachments unless you know who sent it and what it is. Malicious email attachments and links are among the most common ways for cybercriminals to spread malware and steal information.
  • Never reply to emails, text messages, or pop-ups that ask for personal information.
  • Cybercriminals may use a combination of fraudulent emails and phone numbers to increase their appearance of authority. Always verify that communication is valid by contacting the organization directly before providing any sensitive information.
  • If donating to a charity, make sure it is one you know and trust. The FTC recommends checking out charities via the Better Business Bureau’s (BBB) Wise Giving Alliance, Charity Navigator, Charity Watch, or GuideStar.

Preparedness & Cyber Risk Reduction Part Six: Evaluate & Improve

With the goal of reducing cyber risk by supporting effective incident response, our series on Preparedness has so far explored the different components of the Preparedness Cycle — the continuous cycle of planning, organizing, training, equipping, and exercising. In this second-to-last post in the series, we’ll briefly look at the last two parts: evaluating and taking corrective actions. For common understanding, let’s start with two exercise-specific definitions via the FEMA Preparedness Toolkit:

  • Evaluation: “Exercise evaluation is the cornerstone of an exercise and maintains the functional link between exercise and improvement planning. Through exercise evaluation, organizations assess the capabilities needed to accomplish a mission, function, or objective. Effective exercise evaluation involves planning for exercise evaluation, observing and collecting data during exercise conduct, analyzing data, and reporting exercise outcomes.”
  • Improvement Planning: “Exercises afford organizations the opportunity to evaluate capabilities and assess progress toward meeting capability targets in a controlled, low-risk setting. An effective corrective action program develops improvement plans that are dynamic documents, with corrective actions continually monitored and implemented as part of improving preparedness.”

For those desiring a “deep dive” into exercise evaluation and improvement planning, review the guidance in the 2013 Homeland Security Exercise and Evaluation Program (HSEEP). That will provide details on the process of developing and conducting evaluation and improvement planning and documentation, addressing ideas such as Exercise Evaluation Guides (EEGs), data collection, after action reporting, and developing an improvement plan and corrective action program. Below, I’d like to share a few ideas for additional consideration.

Do What Works

The HSEEP guidance above provides specific approaches that work. Using well-established standards like Core Capabilities and EEGs provides common terms and references, and helps promote consistency in evaluations and documentation. All good! However, not every exercise is resourced for (nor really requires) the complete HSEEP approach. HSEEP is guidance and should be treated as exactly that. If you want to irritate an exercise pro, tell them you want an “HSEEP-compliant exercise” and watch their eyes roll into the deepest parts of their skull … What is critical is that you plan for evaluations hand-in-hand with training and exercises and that you have a deliberate approach. Your organization may have some specific ways you like to capture and report information, or you may need to be mindful of certain sensitivities. More often, you have to contend with being under-resourced and need to manage the best evaluation you can with what you have available in both people and time. What is most important is that you know what you have available, deliberately plan as part of the training and exercise development process, and ensure evaluation does occur and is documented. If you do that, however exactly you have to do it, you’re doing pretty well!

Get Buy-In

As noted in our mini-series on exercises, exercises tend to get the most attention. Exercises are fun! — evaluations are much more boring, and can be contentious, and frustrating… Getting buy-in early and from the right people can save planners (particularly junior personnel) a lot of grief and greatly help support an effective and value-added evaluation. We want to gain buy-in into our approach to the evaluation, as well as to the activities supporting the evaluation and improvement planning. So, who do we need buy-in from? Well, ideally, everyone. But given we can’t court every leader and participant, it is good to try and ensure that your exercise sponsor is on-board, as well as those that will help conduct the evaluation.  For events like After Action Meetings (AAM; again, refer to HSEEP guidance for details), know who some of the key players and influencers are and work with them to help them understand what you’re doing, where it’s going, and to get their support for the process and your efforts. And know who you’re going to be putting some focus on and get ahead of potential tensions and flare-ups — but engage them privately before doing so publicly. If you’re about to go into an AAM and know that a certain organization or department is about to hear some things they won’t like, talk to them ahead of time (which hopefully you’ve done in developing the evaluation) and agree to how you may approach some of the more difficult areas. They may still not like your approach, but by engaging them, you may get more support, or at least less objection (and sometimes you won’t, and it might get ugly…). In both developing the evaluation process and in conducting the evaluation and after action activities, building support and getting others to invest in what you’re doing can grease the process and make it a lot more successful.

Seek Continuous Improvement

One of my favorite books is the classic Animal Farm and like Boxer, the hardworking but rather dim horse in that story, my typical approach to things is to put my head down, block out the noise and tell myself, “I will work harder.” After many years of ugly running and punishing my Achilles, I started cycling about a year ago. Applying my usual approach, I try to muscle through every challenge, which has some utility. But, when I take the time to look at my stats, assess parts of the ride and how I tackled them, compare with previous workouts, and otherwise assess and evaluate my performance, I’m able to better understand how I did and how I can improve. My goal is to keep getting better. In Animal Farm, Boxer’s valiant efforts end in the care of the “Horse Slaughterer and Glue Boiler,” and I’d prefer a smarter, more positive outcome. By properly planning and preparing for my ride evaluation, taking the appropriate amount of time to review, assess, and evaluate my performance, I am able to work towards continuous improvement and hopefully reaching the desired level of physical fitness. Hopefully… The same approach should be applied towards exercises and preparedness broadly. Develop a multi-year plan (as discussed in previous posts in this series), establish goals and milestones, plan but be flexible, and seek to continuously improve the readiness and resilience of your organization through effective evaluation, corrections, and improvement planning.

With this post, we’ve worked our way through the Preparedness Cycle! In the concluding segment to this series, I’ll talk with Jeff Peters about the Preparedness Cycle as a whole, some common issues, best practices, and more.

Weekly Cyber Risk Roundup: Another Ethereum Heist and FBI Warns Against Kaspersky Lab

Cryptocurrency theft was the week’s top trending cybercrime story as malicious actors were able to capitalize yet again on an upcoming Ethereum initial coin offering (ICO) to steal approximately $500,000 worth of Ether — this time from investors in the cryptocurrency platform Enigma.


Enigma said that malicious actors managed to compromise the domain, its Slack channel, and certain email lists. The actors then posted messages via the compromised channels claiming that the platform was offering a “pre-sale” of tokens ahead of next month’s official ICO.

Enigma CEO Guy Zyskind said the attack “joins a long list of other similar attacks plaguing the crypto-community.” For example, just last month there were three different multi-million dollar Ethereum heists: $34 million was stolen due to a bug in the code of the Parity Ethereum client and $10 million and $8.4 million were stolen during the ICOs of Coindash and Veritaseum.

“We want to make sure that no one in our community that was a victim to this well-coordinated phishing attack is financially hurt,” Zyskind said in a blog post. “We will restore funds to everyone that lost money in this recent scam attempt after our token sale concludes.”

With four large Ethereum thefts over just the past month, it is clear that malicious actors have found a new — and relatively simple — way to capitalize on the excitement of Ethereum investors. Similar attacks will likely occur in the future as malicious actors play copycat and attempt to capitalize on other ICOs for a quick payday.


Other trending cybercrime events from the week include:

  • Hacktivist and political leaks: Web hosting provider DreamHost had its services disrupted by a DDoS attack on Wednesday. It’s unclear who orchestrated the attack, but DreamHost was recently involved in several politically-charged news stories. The Anonymous-affiliated group AnonOps leaked the private cell phone numbers and email addresses of 22 Republican congressmen in an effort to get individuals to urge their members of Congress to condemn President Trump’s recent statements surrounding Charlottesville and push for his impeachment. The hacking group known as “Fancy Bear” released information related to doping in FIFA, including email exchanges between FIFA and representatives of anti-doping agencies, files showing the number of players using illegal substances, and therapeutic use exemption data, which gives athletes medical permission to take banned substances.
  • Healthcare-related breaches: A hacker claiming to represent Anonymous said he gained access to a database of NHS patient data managed by SwiftQueue and downloaded over 11 million records, but SwiftQueue said that its database only contains records for 1.2 million individuals and that its initial investigation suggests only 32,501 “lines of administrative data” have been accessed. MJHS Home Care is notifying patients that an employee email account was compromised due to a phishing incident and that patient information may have been exposed. The Institute for Women’s Health in Texas is notifying patients of the discovery of a keylogger on its network. Salina Family Healthcare Center is notifying patients that their personal information may have been compromised due to a June 18 ransomware infection. St. Mark’s Surgical Center is notifying patients of an April 13 ransomware infection that may have compromised their personal information.
  • Carbon Black says bug affected 10 customers: Cybersecurity company Carbon Black said that 10 of its customers were potentially impacted by a corner-case bug that may have resulted in some miscategorized files being uploaded to a third-party, cloud-based scanner. The bug was introduced in Cb Response sensor versions 5.2.7+ and 6.0.4+ from April 2017 or later, the company said, and required a series of other conditions in order to be triggered.
  • Other notable incidents: A database that appears to be associated with the online group hotel room booking service Groupize was found exposed on the Internet. The researchers who discovered the exposed database said it contained many hotel documents, including service agreements, earnings, and details about commissions, which allowed them to see “exactly how the discount hotel business model works in detail.” The City of Oceanside, California, has suspended its online utility bill payment system over concerns that the system may have been breached after multiple users reported that they received unauthorized charges on their payment cards. The hacking group OurMine hijacked the Twitter and Facebook accounts of Sony’s PlayStation Network (PSN) and claims to have a stolen PSN database; however, media outlets reported that there does not appear to be any evidence as of yet supporting the claims of a breached PSN database.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

In July, the U.S. government removed the Russia-based Kaspersky Lab from two lists of approved government vendors, and recently it was revealed that the FBI has been warning private organizations to stop using Kaspersky products as well.

The FBI has been briefing private companies on the threat since the beginning of the year, citing intelligence that claims to show the company is an unacceptable threat to national security, officials told CyberScoop. The FBI has prioritized briefing organizations in the energy sector and those that use ICS and SCADA systems, as well as large tech companies.

The officials claim that Kaspersky has deep and active relationships with Russian intelligence and have highlighted multiple specific accusations of wrongdoing, sources told CyberScoop.

Kaspersky denied the allegations, with a representative saying that the company is “caught in the middle of a geopolitical fight” and “has never helped, nor will help, any government in the world with its cyber-espionage or offensive cyber efforts.”

CyberScoop reported that organizations using ICS and SCADA systems have been relatively cooperative and that some have already moved forward and signed deals with Kaspersky competitors. However, those in the tech space don’t have the same sense of urgency and have been less receptive to the FBI’s recommendations.

In addition, Reuters reported that a defense spending policy bill from the Senate Armed Services Committee was recently amended to prohibit the U.S. Defense Department from using Kaspersky software platforms because the company “might be vulnerable to Russian government influence.”

Weekly Cyber Risk Roundup: Charlottesville Sparks Hacktivism and Controversy

The politics surrounding the “Unite the Right” rally and its counter-protests in Charlottesville spilled over into the cyber world this week as hacktivists took action against websites and a debate emerged around the ethics of hosting white nationalist websites as well as doxing individuals who attended the rally.


Under the hashtag #OpDomesticTerrorism, hacktivists have urged DDoS attacks against white nationalist websites and posted leaks of some of those websites’ alleged members. In addition, the hacking group known as “New World Hackers” said it carried out a DDoS attack against the Charlottesville city website to “deliver our own version of justice to the KKK and government.”

Other individuals began to search through the many images of the “Unite the Right” rally in order to publicly identify those who attended the event. The man behind the Twitter account “Yes, You’re Racist” called on users to help identify the “nazis marching in #Charlottesville” so he could “make them famous.” However, not all the doxing attempts were accurate. For example, an assistant professor at the University of Arkansas was wrongly identified and said he eventually had to call the police due to numerous threats being made against him and his wife as well as their home addresses being posted online. The man behind the Twitter account said he’s received death threats over the doxing as well.

Technology companies were also brought into the debate. GoDaddy, Google, Cloudflare, Zoho, Sendgrid, and Discord all cut services to the Neo-Nazi website The Daily Stormer, USA Today reported. However, those actions led to a rebuke from the Electronic Frontier Foundation for private companies “decid[ing] who gets to speak and who doesn’t.”


Other trending cybercrime events from the week include:

  • HBO troubles continue: The hacking group OurMine temporarily hijacked several HBO social media accounts. In addition, the group of hackers that breached HBO in late July has continued to leak stolen episodes and other documents. Authorities also said that four current and former employees at Prime Focus Technologies, which handles Star India’s data, have been arrested on suspicion of leaking a Star India copy of the August 7 episode of Game of Thrones. Finally, a third-party vendor accidentally posted the August 20 episode of Game of Thrones on the HBO Nordic and HBO España platforms, and that episode was quickly pirated.
  • DDoS attacks make headlines: DDoS attacks against Blizzard disrupted services for several popular games, including Overwatch and World of Warcraft. The website of Ukraine’s national postal service Ukrposhta was the target of a two-day long DDoS attack that caused slowdowns and interruptions for the website and its services.
  • More ransomware infections: LG Electronics said that the self-service kiosks at some of its service centers were infected with ransomware, causing some access problems. The ransomware appears to have been identical to the WannaCry ransomware that made headlines in May, officials from the Korea Internet & Security Agency said. Pacific Alliance Medical Center said that a June 14 ransomware infection may have compromised the protected health information of patients.
  • Data inadvertently exposed: Voting machine supplier Election Systems & Software exposed the personal information of more than 1.8 million Illinois residents due to an insecure Amazon Web Services device. ES&S said the exposed server did not include “any ballot information or vote totals and were not in any way connected to Chicago’s voting or tabulation systems.” The Texas Association of School Boards notified some school district employees that a server containing their names and Social Security numbers “inadvertently became visible on the Internet.”
  • Other notable incidents: Surgical Dermatology Group in Alabama is notifying patients that their personal and healthcare information may have been compromised due to a breach at its cloud hosting and server management provider, TekLinks, Inc. City of Hope said that it is notifying patients that their medical information may have been compromised following an email phishing incident that led to four employee email accounts being compromised. OSHA has suspended access to its new Injury Tracking Application (ITA) after it was notified by the Department of Homeland Security of a potential breach of user information. The Scottish Parliament said it was the target of a brute force cyber-attack and members of parliament and staff with parliamentary email addresses were warned to make sure their passwords were as secure as possible. A former Columbia Sportswear information technology manager was charged with one count of computer fraud for allegedly accessing the company’s computer systems for more than two years after leaving the company.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

One of the week’s most notable advisories involved the software vendor NetSarang and a backdoor dubbed “ShadowPad” that was shipped out with a July version of the company’s products.

“Regretfully, the Build release of our full line of products on July 18, 2017 was unknowingly shipped with a backdoor, which had the potential to be exploited by its creator,” NetSarang said in a statement. “The fact that malicious groups and entities are utilizing commercial and legitimate software for illicit gain is an ever-growing concern and one that NetSarang, as well as others in the computer software industry, is taking very seriously.”

The issue was first discovered by a financial institution partner of Kaspersky Lab — which described the backdoor as “one of the largest known supply-chain attacks” — after discovering suspicious DNS requests originating on a system involved in the processing of financial transactions. Those requests were later discovered to be the result of a malicious module hidden inside a recent version of NetSarang software.

“If the attackers considered the system to be ‘interesting,’ the command server would reply and activate a fully-fledged backdoor platform that would silently deploy itself inside the attacked computer,” Kaspersky wrote. “After that, on command from the attackers, the backdoor platform would be able to download and execute further malicious code.”

That malicious module has been activated at least once in Hong Kong, but it is possible that other organizations have been infected, the researchers said. NetSarang said that the affected builds are Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220. Organizations using those builds should cease using the software until an update can be applied.
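The ShadowPad discovery started with someone noticing odd DNS requests from a transaction-processing host. The script below is an added example, not Kaspersky's or NetSarang's code, of two cheap checks a defender can run over DNS logs from sensitive hosts: queries to a registrable domain that is not in that environment's baseline, and queries whose leftmost label is long and high-entropy (a shape typical of encoded beacons rather than hostnames). The log lines, the baseline set, the thresholds and the log format are all constructed assumptions; nothing here encodes the actual ShadowPad domains or traffic.

```python
import math
from collections import Counter
from typing import Dict, List

# Constructed DNS log: timestamp, client host, query type, queried name (not real traffic)
DNS_LOG = """\
2017-07-20T10:15:03Z payproc-01 A updates.vendor-example.com
2017-07-20T10:15:04Z payproc-01 A time.example-ntp.org
2017-07-20T10:16:10Z payproc-01 A updates.vendor-example.com
2017-07-20T10:17:41Z payproc-01 A 3fa9c2e71b8d4e0a.beacon-example.net
2017-07-20T10:17:42Z payproc-01 A k9x2q7w4m1z8v5b3.beacon-example.net
2017-07-20T10:18:00Z workstation-07 A mail.example-corp.com
"""

# Registrable domains this environment has legitimately queried before (constructed baseline)
BASELINE_DOMAINS = {"vendor-example.com", "example-ntp.org", "example-corp.com"}


def shannon_entropy(text: str) -> float:
    """Bits per character of the string; random-looking labels score near log2(alphabet)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str) -> Dict[str, str]:
    """Split one whitespace-separated log line into its fields."""
    ts, host, qtype, name = line.split()
    return {"ts": ts, "host": host, "qtype": qtype, "name": name.lower().rstrip(".")}


def registrable(name: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix list here)."""
    return ".".join(name.split(".")[-2:])


def analyze(log_text: str, baseline=BASELINE_DOMAINS,
            entropy_threshold: float = 3.2, min_label_len: int = 12) -> List[dict]:
    """Return one finding per query that trips either check, with the reasons attached."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = []
        domain = registrable(rec["name"])
        if domain not in baseline:
            reasons.append(f"unbaselined domain {domain}")
        first_label = rec["name"].split(".")[0]
        if len(first_label) >= min_label_len:
            h = shannon_entropy(first_label)
            if h >= entropy_threshold:
                reasons.append(f"high-entropy label ({h:.2f} bits)")
        if reasons:
            findings.append({"host": rec["host"], "name": rec["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(DNS_LOG):
        print(f"{f['host']:15s} {f['name']:45s} {'; '.join(f['reasons'])}")
```

A baseline miss on its own is noisy (any new SaaS vendor trips it), and entropy on its own misses short beacons, so the value is in a query that trips both from a host that should have a very small set of legitimate destinations. For a payment-processing box, that list is short enough that the baseline can be maintained by hand.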

Preparedness & Cyber Risk Reduction Part Five C: Operations-Based Exercises

Continuing our series on Preparedness, and concluding this mini-series on exercises, in the section that follows we’ll look at different types of operations-based exercises as we continue to explore some of the ways our fictional character, Johnny, and his colleagues at Acme Innovations can take a progressively challenging approach to exercise design as they strive to better prepare for and decrease the risks associated with the threat of ransomware.

As with the previous post, the quotes below are taken from the Homeland Security Exercise and Evaluation Program (HSEEP). In our last post, we addressed some of the discussion-based exercises Johnny and the Acme team would be conducting. Moving on to more complex and realistic operations-based exercises, Johnny is ready to try some simple drills.


“A drill is a coordinated, supervised activity usually employed to validate a specific function or capability in a single agency or organization. Drills are commonly used to provide training on new equipment, validate procedures, or practice and maintain current skills. For example, drills may be appropriate for establishing a community-designated disaster receiving center or shelter. Drills can also be used to determine if plans can be executed as designed, to assess whether more training is required, or to reinforce best practices. A drill is useful as a stand-alone tool, but a series of drills can be used to prepare several organizations to collaborate in an FSE. For every drill, clearly defined plans, procedures, and protocols need to be in place. Personnel need to be familiar with those plans and trained in the processes and procedures to be drilled.”

Using the newly validated Annex as reference, and based on the same scenario that was previously exercised, Johnny conducts several short drills to validate that personnel understand and are able to execute the roles, responsibilities, and procedures detailed in the Annex. With leadership approval, Johnny leads three unannounced drills over the course of a two-week period. One drill involves several individuals reporting a suspected ransomware infection on their device to different parts of Acme in order to test recipients’ ability to properly receive and understand the messages, as well as communicate the suspicious incident to the proper POCs within the time frame determined in the Annex. A second drill exercises the leadership decision-making process upon notification of a suspected ransomware incident. The third drill gives participants the opportunity to practice restoring files from backups following a notional ransomware infection.

Functional Exercises

“FEs are designed to validate and evaluate capabilities, multiple functions and/or sub-functions, or interdependent groups of functions. FEs are typically focused on exercising plans, policies, procedures, and staff members involved in management, direction, command, and control functions. In FEs, events are projected through an exercise scenario with event updates that drive activity typically at the management level. An FE is conducted in a realistic, real-time environment; however, movement of personnel and equipment is usually simulated. FE controllers typically use a Master Scenario Events List (MSEL) to ensure participant activity remains within predefined boundaries and ensure exercise objectives are accomplished. Simulators in a Simulation Cell (SimCell) can inject scenario elements to simulate real events.”

Following the drills, and with opportunities to make some minor refinements to the Annex and some retraining on key tasks, Johnny is approved to plan a three-hour FE that implements the procedures detailed in the Annex from initial identification of a suspected ransomware incident in real time. In a scheduled and announced exercise that includes all appropriate personnel, the Acme team wants to assess what they are successfully able to accomplish in a finite period of time and to gauge if they are able to properly follow procedures under the stress of an expanding outbreak.

Full-Scale Exercises

“FSEs are typically the most complex and resource-intensive type of exercise. They involve multiple agencies, organizations, and jurisdictions and validate many facets of preparedness. FSEs often include many players operating under cooperative systems such as the Incident Command System (ICS) or Unified Command. In an FSE, events are projected through an exercise scenario with event updates that drive activity at the operational level. FSEs are usually conducted in a real-time, stressful environment that is intended to mirror a real incident. Personnel and resources may be mobilized and deployed to the scene, where actions are performed as if a real incident had occurred. The FSE simulates reality by presenting complex and realistic problems that require critical thinking, rapid problem solving, and effective responses by trained personnel. The level of support needed to conduct an FSE is greater than that needed for other types of exercises.”

Here, Gary adds that ideally, “A full-scale cybersecurity exercise could include using a simulated cyber range environment to replicate an organization’s network, allowing for testing of response activities to simulated attacks or incidents.” It is important to try and make exercises — particularly operational exercises — as realistic as possible, and following Gary’s advice here can help challenge participants in as realistic a manner as possible.

For this year Acme has determined they are going to keep the exercise internal, and not include external subject-matter expertise that would be employed in the event of an incident beyond their team’s ability to internally manage. Following the FE, and some other exercise events that are already planned for this year, Johnny is tasked with integrating a ransomware attack into a more complicated FSE for next year that will include an additional scenario variable and the inclusion of external personnel in several areas.

Parting Thoughts

Whatever your organization’s cyber risk focus, taking the time to plan and resource an effective, progressive exercise program can go a long way in supporting effective preparedness, and ensuring timely and successful response to incidents. The ability to properly respond to an incident can save an organization a lot of time and money — minimizing downtime and helping to minimize impacts, while supporting a quick return to normal operations.

While exercises are critical and provide an awesome opportunity to rehearse for real incidents, the greatest value of an exercise actually comes not during, but after the event. As with Organizing and Equipping, another too-often neglected part of preparedness follows the conduct of the exercise: the Evaluation and Improvement process, which will be Part Six in our ongoing series on Preparedness & Cyber Risk Reduction!

Weekly Cyber Risk Roundup: More HBO Leaks and UK Talks New Data Protections

HBO was once again the week’s top trending target as the actors behind the company’s breach continued to leak data stolen from the company, including emails that showed HBO attempted to negotiate a $250,000 “bounty payment” in response to the theft.


A source told Reuters that the negotiation email was sent as a stall tactic and that HBO never intended to pay the attackers, who reportedly demanded $6 million in ransom.

“You have the advantage of having surprised us,” HBO’s email read, according to Variety. “In the spirit of professional cooperation, we are asking you to extend your deadline for one week.”

The actors behind the attack claim to have stolen 1.5 terabytes worth of data. In late July, the group leaked several episodes of unaired HBO shows as well as leaked a script for an unaired episode of Game of Thrones. Last Tuesday the group leaked an additional 3.4 GB of data.

As The Guardian reported, that leak included more Game of Thrones scripts, internal HBO documents, and a month’s worth of emails from HBO’s vice president for film programming. Among the documents were technical data detailing HBO’s internal network and administrator passwords, a spreadsheet of legal claims against the TV network, job offer letters to several top executives, slides discussing future technology plans, and a document that appears to list the contact information of Game of Thrones actors.

The group also claimed that HBO was its seventeenth target and that HBO was only the third company to have not paid the ransom demanded by the group. An HBO spokesperson previously said that the company’s ongoing investigation “has not given us a reason to believe that our e-mail system as a whole has been compromised.”


Other trending cybercrime events from the week include:

  • Actors target Ireland’s grid: Ireland’s EirGrid said that the country’s electric grid was targeted by state-sponsored actors that managed to gain access to a Vodafone network used by the company and then compromised routers used by EirGrid in Wales and Northern Ireland. The breach of the Vodafone network allowed the hackers to create a type of wiretap, using Generic Routing Encapsulation (GRE), to tunnel into EirGrid’s Vodafone router, the Independent reported.
  • Millions of Venezuelans lose cell service: Venezuelan government websites were the target of a massive cyber-attack allegedly carried out by a group known as “The Binary Guardians,” and as a result seven million mobile phone users were left without service, government officials said. The attacks affected Movilnet’s GSM platform, officials said, leaving seven million of the thirteen million mobile phone users without service.
  • New data breaches: Parkbytext is notifying its users that their information may have been compromised due to malware during a service outage. The personal information of 100,000 Dutch drivers was leaked due to a flaw in the LeaseWise software created by software company CarWise ICT and used by 52 Dutch car leasing companies. UCLA officials said that a Summer Sessions and International Education Office server was potentially breached in a May 18 cyber-attack and that the personal information of 32,000 students may have been compromised.
  • Agencies warn of phishing scams: A new phishing scam is impersonating tax software providers in an attempt to steal credentials from tax professionals, the IRS warned. Scammers are impersonating officials from the National Institutes of Health and telling consumers that they’ve been selected to receive a $14,000 grant in an attempt to get victims to pay a fee via gift cards or their bank account numbers, the FTC warned.
  • Arrests and sentences: Two Israeli men were arrested and indicted in Israel on charges believed to be related to operating the DDoS-for-hire service known as vDOS. A former employee of Allen & Hoshall has been sentenced to 18 months in prison for repeatedly accessing the company’s servers over a two-year period in order to obtain proprietary information. An Australian man has been sentenced to an 18-month suspended sentence for his role in operating an illegal network that allowed the selling of unauthorized access to Foxtel service to more than 8,000 people.
  • Other notable incidents: Pernod Ricard SA, producer of Absolut vodka and Chivas Regal Scotch whisky, was the target of a cyber-attack, and some employees at the company’s London office had to turn in their computers to be inspected for infections, sources told Bloomberg. Four different anonymous Bloomberg chat rooms were shut down after a user from the investment firm Janus Henderson sent an unmasked list of all the previous day’s 866 participants in the metal and mining chat room to people in the chat room.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

The UK Department for Digital, Culture, Media & Sport (DCMS) released a statement of intent on a new data protection bill last week.

The goal of future data protection acts is to “ensure that we help to prepare the UK for the future after we have left the EU,” wrote DCMS Minister for Digital Matt Hancock.

“The EU General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive (DPLED) have been developed to allow people to be sure they are in control of their personal information while continuing to allow businesses to develop innovative digital services without the chilling effect of over-regulation,” Hancock wrote. “Implementation will be done in a way that as far as possible preserves the concepts of the Data Protection Act to ensure that the transition for all is as smooth as possible, while complying with the GDPR and DPLED in full.”

In short, any changes to UK law will be designed around existing international frameworks such as GDPR, which already includes provisions such as individuals being able to exercise their “right to be forgotten” and request that their personal information be deleted, as well as the potential for much larger penalties for organizations that suffer data breaches. As the BBC reported, the current maximum fine for breaking existing data breach protection laws is £500,000, and that will be increased up to £17 million or 4% of global turnover.

As Daradjeet Jagpal noted, the UK government intends to apply for some exemptions from the GDPR, such as allowing organizations other than police to process personal data on criminal convictions and offences, as well as allowing automated data processing — with the caveat that individuals will have the right to challenge any resulting decisions and request human intervention.

Numerous surveys this year have noted that a significant percentage of organizations remain unprepared for the upcoming implementation of GDPR, which is set to go into effect on May 25, 2018. For example, Veritas reported that only nine percent of UK organizations that believe they are prepared for the GDPR are likely in actual compliance. Organizations should remain aware of any potential changes in data protection laws such as GDPR and work to ensure that they will be in compliance with those changes before they become the law of the land.

TheShadowBrokers Continue to Leak Exploits and Generate Profits

A few weeks ago, our team at SurfWatch Labs released its mid-year threat intelligence report, which largely focused on how leaked exploits have helped to fuel cybercrime over the first half of the year. While the leak of exploits and hacking tools is not new — 2016’s surge of IoT-powered DDoS attacks was propelled by the release of the Mirai source code, for example — several high-profile global attacks leveraging leaked exploits in 2017 have helped to once again push the conversation to the forefront.

At the heart of that conversation is a group known as TheShadowBrokers. TheShadowBrokers is best known for its April 2017 release of stolen NSA exploits such as EternalBlue, an exploit that was leveraged, along with other leaked exploits, into May’s outbreak of WannaCry and June’s outbreak of NotPetya.

However, TheShadowBrokers first made headlines nearly a year ago when it announced that it was auctioning off a cache of tools stolen from the NSA’s Equation Group:

How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. …

At this point, it remains unclear exactly how the sensitive hacking tools and exploits were stolen from the NSA, although investigators are pursuing several theories. What is clear is that multiple individuals were in possession of that data — including NSA contractor Harold T. Martin III, who was arrested two weeks after TheShadowBrokers announced its auction of NSA tools.

Timeline of NSA breach.

Although officials have not linked TheShadowBrokers and Martin, both of them were in possession of stolen NSA tools. Martin’s lawyer said that Martin’s intention was to use the data to get better at his job, not to ever release it. That is not true of TheShadowBrokers, who appear to enjoy toying with the media and have used the publicity around the WannaCry and NotPetya attacks to promote their new monthly exploit service.

What’s in TheShadowBrokers’ Monthly Exploit Service?

TheShadowBrokers claim to have released two sets of data dumps related to its monthly service so far — one for June and one for July — and each month they have continued to jack up the price of the data.

  • The June dump sold for 100 ZEC (Zcash) or 500 XMR (Monero).
  • The July dump sold for 200 ZEC or 1000 XMR.
  • The upcoming August dump is selling for 500 ZEC or 2000 XMR.

At today’s prices, that equates to more than $121,000 worth of Zcash or $101,000 worth of Monero for the August dump. Naturally, security researchers and organizations would like to know whether the exploits and other data being released by the group are on par with EternalBlue, something less worrisome, or an elaborate troll job — but that’s a hefty price to pay a malicious actor just to find out.

There was a brief crowdfunding effort by security researchers to purchase the exploits, but it was pulled shortly after it was announced due to “legal reasons.”

However, at least one alleged purchaser of the June data dump was not satisfied with the 500 XMR purchase, writing under the name “fsyourmoms” on Steemit:

TheShadowBrokers ripped me off. I paid 500 XMR for their “Wine of the Month Club” and they only sent me a single tool that already requires me to have a box exploited. A tool, not even an exploit! The tool also looks to be old, and not close to what theShadowBrokers said could be in their subscription service.

An anonymous researcher who has been attempting to track Monero transactions associated with TheShadowBrokers, and who posts on Steemit under the name “wh1sks,” later verified that “fsyourmoms” did, in fact, send 500 XMR to TheShadowBrokers’ June monthly dump address.

Image from “wh1sks” on Steemit.

The same researcher has confirmed that TheShadowBrokers likely received three Monero payments for its June data dump (including “fsyourmoms”) and two Monero payments for its July data dump.

“We know that TSB received no more than 2000 XMR [for its July dump],” the researcher wrote last week, although it is possible the group sent itself transactions to make it appear as though sales were occurring.

Like TheDarkOverlord, TheShadowBrokers appears to be trying to project an image of great success — perhaps to entice more people to purchase its services. As the group wrote in its August monthly dump announcement:

July is being good month for TheShadowBrokers Monthly Data Dump Service, make great benefit to theshadowbrokers. … Due to popular demand theshadowbrokers is raising prices for August to 500 ZEC or 2000 XMR.

TheShadowBrokers is also accepting Zcash, which cannot be tracked using the same methods as Monero. Therefore, it’s unclear how many transactions have been made using Zcash, and it’s possible that a larger number of users have purchased the group’s data dumps.

If we take “fsyourmoms” at his or her word (as far as I can tell, the only individual to have publicly confirmed a purchase from TheShadowBrokers), we know that the June dump contained only one tool, but we don’t know what that tool was. Was it worth more than $20,000 worth of cryptocurrency? At least one buyer says no. It remains unclear what was in the July dump and what will be included in the upcoming August dump.

A lot remains unanswered when it comes to TheShadowBrokers, but it appears likely that other users have purchased or will purchase TheShadowBrokers’ data dumps. That means more dangerous tools and exploits could make their way into the hands of malicious actors in the near future, which is bad news for organizations. As we noted in our mid-year report, the impact of these leaked tools and exploits is often more dangerous and has a longer-lasting effect than perhaps any other type of cyber incident.

Preparedness & Cyber Risk Reduction Part Five B: Discussion-Based Exercises

Continuing our series on Preparedness and this mini-series on exercises (see the previous post for the introduction), this installment and the next build on that introduction. In the sections that follow we look at the different types of discussion-based exercises and consider some of the ways our fictional character Johnny (introduced in our previous post on training) and his colleagues at Acme Innovations can approach progressive exercise design as they work to reduce the risks associated with ransomware.

The quotes below are taken from the Homeland Security Exercise and Evaluation Program (HSEEP). To start, we break exercises up into two categories – Discussion-Based and Operations-Based Exercises – and we typically progress from one to the other as we build capabilities and increase complexity, although there is certainly room for some back and forth.

  • “Discussion-based exercises include seminars, workshops, tabletop exercises (TTXs), and games. These types of exercises can be used to familiarize players with, or develop new, plans, policies, agreements, and procedures. Discussion-based exercises focus on strategic, policy-oriented issues. Facilitators and/or presenters usually lead the discussion, keeping participants on track towards meeting exercise objectives.”
  • “Operations-based exercises include drills, functional exercises (FEs), and full-scale exercises (FSEs). These exercises can be used to validate plans, policies, agreements, and procedures; clarify roles and responsibilities; and identify resource gaps. Operations-based exercises are characterized by actual reaction to an exercise scenario, such as initiating communications or mobilizing personnel and resources.”

Seminars

“Seminars generally orient participants to, or provide an overview of, authorities, strategies, plans, policies, procedures, protocols, resources, concepts, and ideas. As a discussion-based exercise, seminars can be valuable for entities that are developing or making major changes to existing plans or procedures. Seminars can be similarly helpful when attempting to assess or gain awareness of the capabilities of interagency or inter-jurisdictional operations.”

Johnny wants to ensure his colleagues understand ransomware, along with example incidents and best practices that he can share. After talking with coworkers, contacts at other companies, and local government partners through the state fusion center, he develops a half-day seminar. The Ransomware Seminar includes a mix of panels and presentations. The agenda covers what ransomware is and includes a short presentation by the Acme security team on other types of cyber extortion. Two guest speakers discuss case studies from real ransomware attacks they endured, and government partners (coordinated via the fusion center) and the Acme security team share government and industry best practices. In closing, the Acme CISO offers final thoughts to help encourage ideas in preparation for the next exercise event.

Workshops

“Although similar to seminars, workshops differ in two important aspects: participant interaction is increased, and the focus is placed on achieving or building a product. Effective workshops entail the broadest attendance by relevant stakeholders. Products produced from a workshop can include new standard operating procedures (SOPs), emergency operations plans, continuity of operations plans, or mutual aid agreements. To be effective, workshops should have clearly defined objectives, products, or goals, and should focus on a specific issue.”

Shortly after the Ransomware Seminar, Johnny conducts an Acme Ransomware Response Planning Workshop. The event includes selected members from Acme’s security team, several executives and line managers, legal representatives, members from IT support, business continuity, incident response teams, and other selected personnel.

“During the planning of any type of cyber-focused exercise, an organization should strive for inclusion of a wide variety of personnel from various departments such as these to properly develop a realistic, focused exercise that addresses cross-cutting organizational issues.” – Gary Benedict, Section Chief of the DHS National Cyber Exercise & Planning Program

The group reviews highlights from the seminar with the purpose of establishing clear planning guidance and an outline of how Acme wants to respond to a ransomware incident. The actual procedures will be developed after the workshop, informed by decisions made at the exercise.

Tabletop Exercises

“A TTX is intended to generate discussion of various issues regarding a hypothetical, simulated emergency. TTXs can be used to enhance general awareness, validate plans and procedures, rehearse concepts, and/or assess the types of systems needed to guide the prevention of, protection from, mitigation of, response to, and recovery from a defined incident. Generally, TTXs are aimed at facilitating conceptual understanding, identifying strengths and areas for improvement, and/or achieving changes in perceptions.”

“Whether it’s conducted with external partners or just with internal staff, a TTX environment encourages open discussion and often networking of key personnel, ensuring understanding of roles and responsibilities and preventing the notion of ‘exchanging business cards during a disaster.’” – Gary Benedict, Section Chief of the DHS National Cyber Exercise & Planning Program

After completing the “Acme Ransomware Response Annex” to the Acme Incident Response Plan, Johnny develops a TTX based on a real-world ransomware outbreak and a fictional incident at Acme. The TTX includes many of the same personnel involved in the workshop, with a few additional players. This time, rather than exploring how they may want to respond, the participants exercise the Annex to gain familiarity with now-defined expected roles and responsibilities, and to validate that the Annex properly and effectively addresses the incident. Following the TTX, Johnny develops an After Action Report and… wait (!), we’ll cover that in the next installment of this series!

Games

“A game is a simulation of operations that often involves two or more teams, usually in a competitive environment, using rules, data, and procedures… Games explore the consequences of player decisions and actions. They are useful tools for validating plans and procedures or evaluating resource requirements. During game play, decision-making may be either slow and deliberate or rapid and more stressful, depending on the exercise design and objectives. The open, decision-based format of a game can incorporate ‘what if’ questions that expand exercise benefits. Depending on the game’s design, the consequences of player actions can be either pre-scripted or decided dynamically. Identifying critical decision-making points is a major factor in the success of evaluating a game.”

Based on time and resources, and his assessment of utility for this threat, Johnny will not conduct a ransomware game. While he’d like to see the entire exercise series progression, he determines that after the TTX, Acme will move into some short, focused drills. Drills, and other operations-based exercises, will be addressed in our next installment, as we continue our discussion on exercise types and wrap up this mini-series on exercises.

Weekly Cyber Risk Roundup: HBO Hackers Promise More Leaks and Dark Web Vendors Reuse Passwords

HBO was among the week’s top trending cybercrime targets as malicious actors claimed to have stolen 1.5 terabytes of company data and subsequently leaked upcoming episodes of “Ballers,” “Room 104,” “Insecure,” and the unaired comedy “Barry,” which is scheduled to air in 2018. The hackers also leaked the script for Sunday night’s episode of Game of Thrones before it aired, as well as the apparent personal information and account details of a senior HBO executive.


In a separate incident, Sunday night’s episode of Game of Thrones was leaked several days early and spread via torrent sites due to an incident at distribution partner Star India, which published the episode early on its official website before removing it shortly thereafter.

The actors behind the HBO breach initially teased that more leaks were “coming soon.” Later, someone claiming to represent the group told The Hollywood Reporter that additional leaks would occur on Sunday; however, the contact then said the leaks would be delayed “because of some new buyers.”

“Some of HBO’s top competitors are negotiating with us for buying the dump,” the contact wrote in an email. “The deal are near to close. Poor HBO never rise again.”

As THR pointed out, it’s unlikely HBO’s direct rivals would purchase the stolen data. Variety reported that the hackers appeared to have accessed thousands of internal documents, employee data, and possibly internal corporate email. CEO Richard Plepler notified employees that the incident “resulted in some stolen proprietary information, including some of our programming.” However, CNN reported that HBO does not believe the company’s email system as a whole was compromised, despite THR’s contact alleging that they still have “full access to their webmails.”


Other trending cybercrime events from the week include:

  • Airlines issue warnings: Virgin America notified employees and contractors that their information may have been compromised due to a network intrusion first detected on March 13, 2017. The unauthorized access may have compromised the login credentials of approximately 3,120 employees and contractors, as well as the personal information of 110 employees. Malicious actors have leaked data allegedly tied to Spirit Airlines Free Spirit accounts after a failed extortion attempt against the airline. Spirit said that the actor attempted to extort the company using previously compromised email addresses and passwords from other data breaches. Canadian airline WestJet announced that the profile data of some WestJet Rewards members has been disclosed online by an unauthorized third party. WestJet did not indicate what data was leaked or how many customers were affected.
  • #LeakTheAnalyst operation targeting researchers: A hacking group going by the name “31337 Hackers” leaked data belonging to a security researcher working for FireEye’s breach investigation unit Mandiant, and the group also may have gained access to the researcher’s Hotmail, OneDrive, and LinkedIn accounts. The data appears to be stolen from the researcher’s personal computer, and there is “no evidence that FireEye or Mandiant systems were compromised,” FireEye said. The group said the leak is part of a larger operation that is targeting security researchers, dubbed “#LeakTheAnalyst.”
  • New data breaches: Health insurer Anthem said that 18,500 customers’ personal and medical information may have been compromised by an employee at LaunchPoint. The Daniel Drake Center for Post-Acute Care is notifying 4,721 patients that their information may have been compromised due to an employee accessing their medical records without authorization. Kaleida Health is notifying patients that their information may have been compromised due to a phishing incident that allowed an unauthorized third party to gain access to a small number of Kaleida Health email accounts. Kids Pass said that the personal information of users could have been compromised by changing the URL of the activation code sent to new users in order to view other account holders’ data. An attacker managed to trick an employee at A9t9 into handing over the company’s Google developer account credentials and then pushed out a malicious version of the Copyfish Chrome extension.
  • More ransomware: An unnamed Canadian company paid $425,000 after a ransomware attack encrypted its production databases and backups. The intruders gained access due to spear phishing messages that were sent to six senior company officials. Northwest Rheumatology of Tucson is notifying patients that their information may have been compromised following a ransomware attack that occurred on April 10, 2017.
  • Arrests and sentences: The security researcher known as “Malwaretech,” who is best known for helping to stop the spread of the WannaCry malware, was arrested for allegedly creating and distributing the Kronos banking Trojan. A Seattle man has been arrested on charges of extorting multiple media companies with threats of DDoS attacks. A Russian citizen was sentenced to 46 months in prison for his role in infecting tens of thousands of computers with the Ebury malware.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Law enforcement continues to target activity on the dark web following the recent takedown of AlphaBay and Hansa Market, two of the three largest cybercriminal marketplaces on the dark web.

Those takedowns left Dream Market as the new king of the dark web; however, there has been speculation by its users that Dream Market may have been compromised by law enforcement as well — or at least that 16 vendor accounts on the site may have been compromised.

One of those 16 alleged vendors said that Dutch law enforcement had seized his or her vendor account and changed all of its information on the same night that Hansa Market was taken offline.

“I can clearly say that (at least) my account was seized by dutch LE,” the user wrote. “I think they came on it through my sillyness using same password on hansamarket. … I don’t think dreammarket itself is compromised, I only think the LE is trying to fuck the rest out of this community by using log-in informations from other markets.”

As Naked Security reported, there has been no confirmation from the Dutch police about the alleged takeover of Dream Market accounts, but it makes sense that authorities would exploit password reuse and lack of two-factor authentication by cybercriminals in order to further their reach into active dark web markets.

A recent survey (PDF) found that 81% of those in the U.S. reuse passwords across multiple online accounts — and this now includes dark web vendors too, if the Dream Market news is any indication. This reuse occurs despite the fact that password reuse and credential-stuffing attacks lead to numerous cases of account takeovers, data breaches, and other cybersecurity incidents each week.

It may be impossible to stop users from reusing passwords, but, as Troy Hunt noted, NIST recommends that organizations become proactive and block passwords that have been previously tied to data breaches in order to improve security. That’s why he’s released a list of 320 million previously compromised passwords for organizations to download for free and use to protect their systems.

“Use this data to do good things,” Hunt wrote. “Take it as an opportunity to not just reduce the risk to the service you’re involved in running, but also to help make people aware of the broader risks they face due to their password management practices.”
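The following is an added example of how an organization could put the NIST recommendation above into practice; it is not code from SurfWatch Labs or from Troy Hunt. It assumes the downloaded list is a text file of upper-case SHA-1 hex digests, one per line (optionally followed by a colon and a count), and it uses a small constructed set of weak passwords in place of the real multi-hundred-million-line download so that it runs offline. The prefix-based range lookup goes slightly beyond the post: it shows how a client can screen a password against a remote or shared corpus while revealing only the first five hex characters of the hash, rather than the full digest.

```python
"""Screening new passwords against a breached-password corpus.

Added example (not SurfWatch Labs' or Troy Hunt's code). Assumes the corpus is a
text file of upper-case SHA-1 hex digests, one per line; a small constructed set
of weak passwords stands in for the real download so the script runs offline.
"""
import hashlib
from typing import Iterable, Set, Tuple


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the key format of the breached list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample corpus: digests of a few passwords that show up in every breach dump.
BREACHED_HASHES: Set[str] = {
    sha1_hex(p) for p in ("password", "123456", "qwerty", "letmein", "Summer2017")
}


def load_corpus(lines: Iterable[str]) -> Set[str]:
    """Build the lookup set from file lines; tolerates 'HASH:count' lines and blanks."""
    corpus: Set[str] = set()
    for line in lines:
        digest = line.strip().split(":", 1)[0].upper()
        if len(digest) == 40:  # a well-formed SHA-1 hex digest
            corpus.add(digest)
    return corpus


def is_breached(password: str, corpus: Set[str] = BREACHED_HASHES) -> bool:
    """Direct membership test: the full digest against a locally held corpus."""
    return sha1_hex(password) in corpus


def range_query(prefix: str, corpus: Set[str] = BREACHED_HASHES) -> Set[str]:
    """Simulates a prefix-based (k-anonymity) lookup: the caller reveals only the
    first five hex characters and receives every matching 35-character suffix."""
    prefix = prefix.upper()
    return {h[5:] for h in corpus if h.startswith(prefix)}


def is_breached_by_range(password: str, corpus: Set[str] = BREACHED_HASHES) -> bool:
    """Same answer as is_breached(), but the full hash never leaves the client."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5], corpus)


def check_new_password(password: str, corpus: Set[str] = BREACHED_HASHES,
                       min_length: int = 8) -> Tuple[bool, str]:
    """Policy in the spirit of NIST SP 800-63B (assumption: length floor plus breach
    screening, no composition rules). Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if is_breached_by_range(password, corpus):
        return False, "appears in breached-password corpus"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("password", "Summer2017", "short", "correct horse battery staple"):
        print(f"{candidate!r}: {check_new_password(candidate)}")
```

In production, `load_corpus()` would be fed the downloaded file (or the hashes loaded into a database keyed by the five-character prefix) and `check_new_password()` would run at registration and password-change time; rejecting a breached password with a clear reason is what turns the list into a control rather than just a statistic.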

Preparedness & Cyber Risk Reduction Part Five A: Intro to Exercises

Returning to our ongoing series on Preparedness, this post addresses what is probably the most fun part of preparedness — exercises! A championship football team needs to be complete — with great linemen to fight in the trenches, defensive players to dominate their side of the ball, skills players and special teams to razzle and dazzle and put up points, and then there’s the quarterback — the attention getting centerpiece of nearly every team. Champions in preparedness also need to have success through every part of the Preparedness Cycle — the continuous cycle of planning, organizing, training, equipping, exercising, evaluating, and taking corrective actions to support effective incident response — but exercises, like quarterbacks, seem to always garner a lot of attention and can be seen to make or break the rest of the program.

To help highlight some areas with expert insight, I’ve asked a colleague to share some wisdom as well. Several areas below include comments from my colleague, Gary Benedict, who serves as the Section Chief of the Department of Homeland Security’s National Cyber Exercise & Planning Program.

What Are Exercises?

As we have noted in previous parts of this series, our focus on preparedness is to effectively support our efforts to reduce organizational risks — the “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.” Exercises play a critical role to that end. The Homeland Security Exercise and Evaluation Program (HSEEP) defines exercises as instruments “to train for, assess, practice, and improve performance in prevention, protection, mitigation, response, and recovery capabilities in a risk-free environment. Exercises can be used for testing and validating policies, plans, procedures, training, equipment, and interagency agreements; clarifying and training personnel in roles and responsibilities; improving interagency coordination and communications; improving individual performance; identifying gaps in resources; and identifying opportunities for improvement.”

HSEEP “provides a set of guiding principles for exercise programs, as well as a common approach to exercise program management, design and development, conduct, evaluation, and improvement planning. … Through the use of HSEEP, exercise program managers can develop, execute, and evaluate exercises that address the priorities established by an organization’s leaders. … These priorities guide the overall direction of a progressive exercise program, where individual exercises are anchored to a common set of priorities or objectives and build toward an increasing level of complexity over time. Accordingly, these priorities guide the design and development of individual exercises. … Through improvement planning, organizations take the corrective actions needed to improve plans, build and sustain capabilities, and maintain readiness. … HSEEP exercise and evaluation doctrine is flexible, scalable, and adaptable, and is for use by stakeholders across the whole community.”

I really appreciate the HSEEP methodology because it is logical, repeatable, helps us all use common terms, and is flexible. FEMA has written, “Exercise practitioners are encouraged to apply and adapt HSEEP doctrine to meet their specific needs.” We won’t get into all the weeds of exercises here, but the current version of HSEEP can be accessed here and I encourage anyone involved in the planning of exercises to take time to get familiar with this document.

Types of Exercises

When we look at the Preparedness Cycle, exercises are usually placed in the sequence noted above — planning, organizing, training, equipping, exercising, evaluating, and taking corrective actions. That is the right place for them to be; however, they may also be used to help inform planning and can be very effective for that purpose. One important idea to understand is that an effective exercise program should progress through a series of successive and increasingly complex exercises leading up to the desired level of proficiency and preparedness. “This progressive approach, with exercises that build upon each other and are supported at each step with training resources, will ensure that organizations do not rush into a full-scale exercise too quickly. Effective planning of exercises and integration of the necessary training will reduce the waste of limited exercise resources and serve to address known shortfalls prior to the conduct of the exercise” (HSEEP).

In planning the progressive schedule of exercises, it is important that exercises are conducted at a cadence that allows organizations to learn from previous exercises and make appropriate procedural refinements before engaging in more challenging exercises. This can be a particular challenge for large organizations with broad regulatory accountability, especially ones that are also trying to support external exercises, such as those run by government or by their information sharing communities. Exercise planners often know where some of the likely trouble areas for an organization may be — capabilities such as communications and planning repeatedly come up in many exercises, for example — and should work with their organization to provide enough time to learn and improve before progressing to more complex activities, so that the same mistakes are not repeated.

From his years of experience in cyber and physical security exercises, Gary adds that the progressive, “building block approach should be documented into a multi-year Training and Exercise strategy (which we referred to in part two of this series under Preparedness Planning). A critical component to the success of this approach is also having senior leadership approval and buy-in. Exercise strategy can be influenced by organizational ongoing risk analysis, so exercise planners should allow some flexibility in the strategy to be adjusted as the risk landscape evolves.”

What follows are brief descriptions of the different exercise types, and some ideas on how they may fit into a cybersecurity exercise program. To do that, we’ll continue the adventures of our Preparedness Champion, Johnny, and his company Acme Innovations (see previous blogs for reference).

If you recall from our previous post on training, Johnny and his colleagues at Acme Innovations had identified the threat of ransomware as a very concerning risk for Acme. In the next installment of this series we’ll be looking at the different exercise types as we consider some of the ways Johnny may develop a progressive exercise program to build preparedness and be ready for a potential ransomware incident.