How to Organize and Facilitate a Large-Scale Cyber Crisis Exercise

Organizing a cyber crisis exercise is not an easy task. From preparation to D-Day, a lot of unforeseen events can occur, and the organizing team needs to remain a step ahead of the players. This article breaks down the steps to a successful cyber crisis exercise in a large company.

There are many reasons to organize a cyber crisis exercise: evaluating the integration of cybersecurity in the crisis management system; improving interactions between the different teams; and testing the capacity of the security division to make itself understood by top management.

From a simple table-top process test to SOC/CERT training to a large-scale exercise involving dozens of crisis teams and months of preparation, the resources allocated to a crisis simulation vary greatly. This article focuses on the latter.

What’s a typical crisis exercise?

Depending on the size of your organization, large-scale crisis exercises can take one day of activity, mobilize over 150 people, involve 10 to 12 crisis teams in several countries, 30 facilitators, 20 observers, and more than 300 stimuli. Being able to make a success of such an event requires both a high level of preparation and a very solid hosting team on D-Day.

One of the key issues in these types of exercises is that there’s only one take. It is therefore essential that all the actors take part in the game, and that the scenario involves all the participants. Preparation and facilitation are key to make sure the time spent on the simulation is worthwhile.

In the six months leading up

Select the attack scenario

The first months of work should be devoted to the attack scenario. Ransomware, targeted fraud, attacking suppliers… the choice of weapons is large. In ambitious exercises, it is not unusual to combine several attacks in one crisis: smoke screen launched by the attackers, identification of a second group during the investigation, etc.

Whatever the scenario chosen, the key is to be as precise as possible. Consider the following:

• What are the attackers’ motives?
• What path of attack did they take?
• When was the first intrusion?

The exercise is long. Thorough preparation beforehand is needed, especially when 150 players investigate an attack for several hours. Spear-phishing, water holing, code compromise, privilege escalation: the vulnerabilities used by the fictitious attacker are not real, but they must be plausible and “validated” by technical accomplices throughout the preparation.

Similarly, for business impacts, they should be reviewed with business specialists – the level of fraud at which the situation becomes critical, critical activities to be targeted as a priority, most sensitive customers, etc. The choice and involvement of accomplices are essential, and they should be integrated into the coordination team on D-Day.

Build the exercise script

The script should define minute-by-minute the information that will be communicated to the players. The calibration of the exercise rhythm is a complex point. There will be a strong temptation to impose a strict rhythm to “master” the scenario, but attention needs to be given to leave enough space for reflection.

The start of the exercise is another complex point: should the scenario start directly in a crisis situation or on an alert that will test the general mobilization process? More often than not, the second option is favored. That way, the technical teams (e.g. CERT, SOC, IT) can be mobilized for the entire duration of the exercise. ExCom members should have their diary freed up during that day as well.

Prepare the stimuli

Technical reports, fake tweets, messages from worried customers: these are all useful stimuli for the players.

Videos can be used to captivate. Indeed, nothing is more striking than a fake news report relaying the current attack (logo, board, etc. the more realistic the better). For more realism, videos of people “known” in the company (message from the CEO, interview of a factory boss, etc.) can be used.

The same goes for the technical side – the duration of the exercises often does not allow the players to carry out the technical investigations themselves, but they will ask a lot of the facilitators. Everything must be ready to avoid panic: malware analysis reports, application log extracts, IP address lists, etc.

As mentioned in the introduction, the most ambitious exercises may require the creation of 300 stimuli to get through the day and remain credible – it represents a lot of work.

What should you do on D-Day?

On D-Day, early morning, a meeting should be organized with the facilitation team and all observers for the final adjustments. A few hours later, the observers will go to their crisis cells and start the players’ briefing.

Lay the foundations for a good start

For many players, this may be their first exercise. The briefing is therefore essential to avoid confusion between fictional and real-life events and reduce the chances of the following scenarios:

To avoid such situations, it is essential to iron out the rules of the game during the briefing: the players must communicate with each other, but they must go through the facilitation unit to contact external stakeholders. Throughout the day, the facilitators and accomplices in each team will play the roles of a client, a technical expert, a CEO, or a regulator, according to the players’ requests.

Rely on an efficient facilitation team

The sequence of events depends on the efficiency of the facilitation cell. A successful exercise includes a lot of improvisation on the day. Stimuli may have to be readjusted according to the reactions of the players, the score is never fixed, and the facilitation cell will be put to the test on the day of the exercise. The largest crisis exercises have particularly professional crisis management teams, including the head of the facilitators, PMO, technical manager, business manager, call management center, etc.

We suggest not to take any risks on D-Day and to recreate teams that are used to working together and know each other. Doing so is the best way to gain time that will prevent the organization team from going into crisis itself.