Continuing our series on Preparedness, and this mini-series — exercises (see previous post for the intro to exercises) — this installment and the next build on our introduction, and in the section that follows we’ll look at different types of discussion-based exercises as we consider some of the ways our fictional character, Johnny, (introduced in our previous post on training) and his colleagues at Acme Innovations can approach progressive exercise design as they look to decrease the risks associated with the threat of ransomware.
The quotes below are taken from the Homeland Security Exercise and Evaluation Program (HSEEP). To start, we break exercises up into two categories – Discussion-Based and Operations-Based Exercises – and we typically progress from one to the other as we build capabilities and increase complexity, although there is certainly room for some back and forth.
- “Discussion-based exercises include seminars, workshops, tabletop exercises (TTXs), and games. These types of exercises can be used to familiarize players with, or develop new, plans, policies, agreements, and procedures. Discussion-based exercises focus on strategic, policy-oriented issues. Facilitators and/or presenters usually lead the discussion, keeping participants on track towards meeting exercise objectives.”
- “Operations-based exercises include drills, functional exercises (FEs), and full-scale exercises (FSEs). These exercises can be used to validate plans, policies, agreements, and procedures; clarify roles and responsibilities; and identify resource gaps. Operations-based exercises are characterized by actual reaction to an exercise scenario, such as initiating communications or mobilizing personnel and resources.”
“Seminars generally orient participants to, or provide an overview of, authorities, strategies, plans, policies, procedures, protocols, resources, concepts, and ideas. As a discussion-based exercise, seminars can be valuable for entities that are developing or making major changes to existing plans or procedures. Seminars can be similarly helpful when attempting to assess or gain awareness of the capabilities of interagency or inter-jurisdictional operations.”
Johnny wants to ensure his colleagues understand ransomware and some of the examples of incidents and best practices that he can share. After talking with some of his coworkers, contacts at other companies, and local government partners through the state fusion center, he develops a half-day seminar event. The Ransomware Seminar includes a mix of panels and presentations. The agenda covers what ransomware is, and a short presentation by the Acme security team on other types of cyber extortion. Two guest speakers discussed case studies from real ransomware attacks they endured. Government partners (coordinated via the fusion center) and the Acme security team shared government and industry best practices. In closing, the Acme CISO shared final thoughts to help encourage ideas in preparation of the next exercise event.
“Although similar to seminars, workshops differ in two important aspects: participant interaction is increased, and the focus is placed on achieving or building a product. Effective workshops entail the broadest attendance by relevant stakeholders. Products produced from a workshop can include new standard operating procedures (SOPs), emergency operations plans, continuity of operations plans, or mutual aid agreements. To be effective, workshops should have clearly defined objectives, products, or goals, and should focus on a specific issue.”
Shortly after the Ransomware Seminar, Johnny conducts an Acme Ransomware Response Planning Workshop. The event includes selected members from Acme’s security team, several executives and line managers, legal representatives, members from IT support, business continuity, incident response teams, and other selected personnel.
“During the planning of any type of cyber-focused exercise, an organization should strive for inclusion of a wide variety of personnel from various departments such as these to properly develop a realistic, focused exercise that addresses cross-cutting organizational issues.” – Gary Benedict, Section Chief of the DHS National Cyber Exercise & Planning Program
The group reviews highlights from the seminar with the purposes of establishing clear planning guidance and an outline of how Acme wants to respond to a ransomware incident. The actual procedures will be developed after the workshop, but informed by decisions made at the exercise.
“A TTX is intended to generate discussion of various issues regarding a hypothetical, simulated emergency. TTXs can be used to enhance general awareness, validate plans and procedures, rehearse concepts, and/or assess the types of systems needed to guide the prevention of, protection from, mitigation of, response to, and recovery from a defined incident. Generally, TTXs are aimed at facilitating conceptual understanding, identifying strengths and areas for improvement, and/or achieving changes in perceptions.”
“Whether its conducted with external partners or just with internal staff, a TTX environment encourages open discussion and often networking of key personnel, ensuring understanding of roles and responsibilities and preventing the notion of ‘exchanging business cards during a disaster.’” – Gary Benedict, Section Chief of the DHS National Cyber Exercise & Planning Program
After completing the “Acme Ransomware Response Annex” to the Acme Incident Response Plan, Johnny develops a TTX based on a real-world ransomware outbreak and a fictional incident at Acme. The TTX includes many of the same personnel involved in the workshop, with a few additional players. This time, rather than exploring how they may want to respond, the participants exercise the Annex to gain familiarity with now-defined expected roles and responsibilities, and to validate that the Annex properly and effectively addresses the incident. Following the TTX, Johnny develops and After Action Report and… wait (!), we’ll cover that in the next installment of this series!
“A game is a simulation of operations that often involves two or more teams, usually in a competitive environment, using rules, data, and procedures… Games explore the consequences of player decisions and actions. They are useful tools for validating plans and procedures or evaluating resource requirements. During game play, decision-making may be either slow and deliberate or rapid and more stressful, depending on the exercise design and objectives. The open, decision-based format of a game can incorporate ‘what if’ questions that expand exercise benefits. Depending on the game’s design, the consequences of player actions can be either pre-scripted or decided dynamically. Identifying critical decision-making points is a major factor in the success of evaluating a game.”
Based on time and resources, and his assessment of utility for this threat, Johnny will not conduct a ransomware game. While he’d like to see the entire exercise series progression, he determines that after the TTX, Acme will move into some short, focused drills. Drills, and other operations-based exercises, will be addressed in our next installment, as we continue our discussion on exercise types and wrap-up this mini-series on exercises.