As we continue in our series on Preparedness, and concluding this mini-series on exercises, in the section that follows, we’ll look at different types of operations-based exercises as we continue to explore some of the ways our fictional character, Johnny, and his colleagues at Acme Innovations can take a progressively challenging approach to exercise design as they strive to better prepare for and decrease the risks associated with the threat of ransomware.
As with the previous post, the quotes below are taken from the Homeland Security Exercise and Evaluation Program (HSEEP). In our last post, we addressed some of the discussion-based exercises Johnny and the Acme team would be conducting. Moving on to more complex and realistic operation-based exercises, Johnny is ready to try some simple drills.
“A drill is a coordinated, supervised activity usually employed to validate a specific function or capability in a single agency or organization. Drills are commonly used to provide training on new equipment, validate procedures, or practice and maintain current skills. For example, drills may be appropriate for establishing a community-designated disaster receiving center or shelter. Drills can also be used to determine if plans can be executed as designed, to assess whether more training is required, or to reinforce best practices. A drill is useful as a stand-alone tool, but a series of drills can be used to prepare several organizations to collaborate in an FSE. For every drill, clearly defined plans, procedures, and protocols need to be in place. Personnel need to be familiar with those plans and trained in the processes and procedures to be drilled.”
Using the newly validated Annex as reference, and based on the same scenario that was previously exercised, Johnny conducts several short drills to validate that personnel understand and are able to execute roles, responsibilities, and procedures detailed in the Annex. With leadership approval, Johnny leads three unannounced drills over the course of a two-week period. One drill involves several individuals reporting a suspected ransomware infection on their device to different parts of Acme in order to test recipients’ ability to properly receive and understand the messages, as well as communicate the suspicious incident to the proper POCs within the time frame determined in the Annex. A second drill exercises the leadership decision making processes upon notification of a suspected ransomware incident. The third drill allowed participants the opportunity to practice reestablishing files from back-ups following a notional ransomware infection.
“FEs are designed to validate and evaluate capabilities, multiple functions and/or sub-functions, or interdependent groups of functions. FEs are typically focused on exercising plans, policies, procedures, and staff members involved in management, direction, command, and control functions. In FEs, events are projected through an exercise scenario with event updates that drive activity typically at the management level. An FE is conducted in a realistic, real-time environment; however, movement of personnel and equipment is usually simulated. FE controllers typically use a Master Scenario Events List (MSEL) to ensure participant activity remains within predefined boundaries and ensure exercise objectives are accomplished. Simulators in a Simulation Cell (SimCell) can inject scenario elements to simulate real events.”
Following the drills, and with opportunities to make some minor refinements to the Annex and some retraining on key tasks, Johnny is approved to plan a three-hour FE that implements the procedures detailed in the Annex from initial identification of a suspected ransomware incident in real time. In a scheduled and announced exercise that includes all appropriate personnel, the Acme team wants to assess what they are successfully able to accomplish in a finite period of time and to gauge if they are able to properly follow procedures under the stress of an expanding outbreak.
“FSEs are typically the most complex and resource-intensive type of exercise. They involve multiple agencies, organizations, and jurisdictions and validate many facets of preparedness. FSEs often include many players operating under cooperative systems such as the Incident Command System (ICS) or Unified Command. In an FSE, events are projected through an exercise scenario with event updates that drive activity at the operational level. FSEs are usually conducted in a real-time, stressful environment that is intended to mirror a real incident. Personnel and resources may be mobilized and deployed to the scene, where actions are performed as if a real incident had occurred. The FSE simulates reality by presenting complex and realistic problems that require critical thinking, rapid problem solving, and effective responses by trained personnel. The level of support needed to conduct an FSE is greater than that needed for other types of exercises.”
Here, Gary adds that ideally, “A full-scale cybersecurity exercise could include using a simulated cyber range environment to replicate an organization’s network, allowing for testing of response activities to simulated attacks or incidents.” It is important to try and make exercises — particularly operational exercises — as realistic as possible, and following Gary’s advice here can help challenge participants in as realistic a manner as possible.
For this year Acme has determined they are going to keep the exercise internal, and not include external subject-matter expertise that would be employed in the event of an incident beyond their team’s ability to internally manage. Following the FE, and some other exercise events that are already planned for this year, Johnny is tasked with integrating a ransomware attack into a more complicated FSE for next year that will include an additional scenario variable and the inclusion of external personnel in several areas.
Whatever your organizations’ cyber risk focus, taking the time to plan and resource an effective, progressive exercise program can go a long way in supporting effective preparedness, and ensuring timely and successful response to incidents. The ability to properly respond to an incident can save an organization a lot of time and money — minimizing downtime and helping to minimize impacts, while supporting a quick return to normal operations.
While exercises are critical and provide an awesome opportunity for rehearsals to real incidents, the greatest value of an exercise actually comes not during, but after the event. As with Organizing and Equipping, another too-often neglected part of preparedness, follows the conduct of the exercise — the Evaluation and Improvement process, which will be Part Six in our ongoing series on Preparedness & Cyber Risk Reduction!