Cyber response is about asking the right questions and making key decisions about the recovery stage based on an understanding of the incident. Simulating a cyber emergency scenario is a critical part of building cyber resilience into your organisation. This interactive exercise will challenge the participants to make decisions that influence the outcome of the cyber incident story. At the end of the training there will be time to reflect on the outcome of each group’s decisions, providing insights into the impact of the decisions made.
Each group will be assigned a specific cyber security challenge and a leader to guide them through the scenario response process. Once the damage has been assessed (i.e. what is the attacker's goal, what type of incident is it, how serious is the incident, has the system been compromised?), the group will need to agree on the following: how do you isolate the breach, who has been affected and should they be informed, how can business be resumed quickly and securely, what are the priorities, who should lead on business continuity, what are the next steps, who needs to be informed, and have stakeholders, staff or the press already found out?
In terms of the recovery steps: what can you do to prevent the attack from happening again, are your monitoring tools and processes sufficient, which of your pieces of equipment or devices are the most vulnerable, are your critical data and systems backed up, what is the “cyber kill chain” (i.e. the sequence of stages an attacker must complete to successfully infiltrate a network and exfiltrate data from it), and how can your monitoring and response plan be improved?
SCENARIO 1: One of your employees has opened a spam email which contained malware that has enabled a hacker to gain access to the network
SCENARIO 2: Following a data security breach a reporter has gotten wind of details about the attack and has been in contact with you
SCENARIO 3: The CEO is angry about how the response is going and is creating more problems than they are solving
SCENARIO 4: Your system has been compromised and there is a blackout at the power station affecting thousands of customers and putting increasing pressure on the rest of the network
SCENARIO 5: At the airport, the customer management system has been hacked and there is no data available at this stage
SCENARIO 6: One of the team has accidentally provided the password for a database of customer information and several unauthorized access attempts have been made
SCENARIO 7: The CFO's laptop has been stolen from the organisation; despite being password-encrypted, the security settings are not that high and it contains very sensitive business data
SCENARIO 8: One of your executive team members has been threatened and has provided a team of unknown hackers with detailed information of your cyber security
SCENARIO 9: A few of your PCs have been infected by a ransomware attack; how can you prevent it from spreading?
SCENARIO 10: Reports of multiple, seemingly unrelated, cyber incidents are occurring at the same time, including phishing attempts and a Distributed Denial of Service (DDoS) attack; how do you respond?