Synopsis

In the series of articles titled “Incident Response Life Cycle in NIST and ISO standards” I reviewed the incident response life cycle defined and described in NIST Special Publication (SP) 800-61 – Computer Security Incident Handling Guide.

Before I move on to discuss the ISO/IEC 27035 standard, I believe it is interesting to briefly discuss how cybersecurity exercises can help prepare for handling incidents.

Cybersecurity is a battlefield. It is not enough to take actions that minimize the probability of an attack and to prepare ourselves, with tools and procedures, to react to one. The incident response team should also devote time to regularly taking part in externally organized incident handling exercises.

I had the pleasure of leading the team that came third in the Cyber Europe 2016 pan-European cybersecurity exercises. In this two-part article I will review the goals, course and benefits of these exercises. I will also briefly review the DHS (Department of Homeland Security) Cyber Storm exercises.

Cyber Europe – pan-European cybersecurity exercises

Cyber Europe exercises are bi-annual pan-European cybersecurity exercises. Cyber Europe 2016 (CE 16) ran from April 2016 until October 2016. These were complex, multi-event, very large exercises. They involved around 700 professionals from 30 countries and 300 public and private organizations.

The exercises had two phases: a so-called technical phase and a so-called operational phase.

The first phase lasted for around six months. Teams were given access to information on incidents (more on that below) and their task was to solve the incidents, i.e. provide answers to questions in incident questionnaires. There was no time limit on specific incidents, so the incident analysis was less stressful and could take longer than in real-life conditions.

These incidents were preparation for the operational phase of the Cyber Europe 2016 exercises. This phase lasted for two days and simulated real-life incidents that had to be solved in real time.

The goals

The goals of the Cyber Europe 2016 exercises were:

  • to test the national (local) incident response cooperation;
  • to test international incident response cooperation;
  • to improve cybersecurity skills and business continuity processes;
  • to improve cooperation between public and private entities.

The scenario

The Cyber Europe 2016 exercises were planned and maintained by ENISA (European Network and Information Security Agency – European Commission entity).

At the national level, they were coordinated by national bodies (e.g. ministries) responsible for cybersecurity incident management in the civilian sector.

The exercise had a complex scenario. It simulated a 6-month-long crisis caused by multiple actors attacking various parts of European infrastructure. The “bad guys” performed multiple preparatory attacks, and their ultimate goal was to release a newly developed Trojan horse that was designed to be extremely hard to detect and combat. Its purpose was to take down major elements of European technical infrastructure.

The scenario was designed, among other things, to test how well European member states are prepared to comply with the European NIS Directive.

From a technical standpoint, besides “classic” malicious code for personal computers and mobile devices, the exercises also featured IoT attacks, drone usage and other trending technological advances.

Media activity simulation

It is hard to keep a secret from the media these days. Information on any major incident will quickly leak to the media and will be broadcast on TV or published in electronic media. For real-life incidents this adds a layer of complication, because the entities affected by such an incident also have to deal with the media: answer journalists' calls, prepare information and generally take care of incident public relations. Bad PR during and after the incident means additional losses.

The operational phase of the Cyber Europe 2016 exercises also simulated this aspect of incident management. It was organized in two ways:

Firstly, a whole simulated media environment was built and maintained for the purpose of the exercises: a fake TV station, fake social media sites (named Fakebook and Clickedin, by the way), a fake video-sharing website etc. Whenever injects were made available to exercise participants, all these media outlets published incident-relevant information at the same time. This information needed to be followed, because clues for solving incidents were distributed among different places, including the (fake) news.

Secondly, the PR teams of exercise participants were called by (fake) journalists with requests for information and comments. This forced PR departments to work on preparing statements on the incidents. They had to coordinate their work with the technical and legal departments, which was an excellent simulation of what it would look like in real life during an incident.

In my opinion the media part of Cyber Europe 2016 was a great idea, because no entity (no matter whether public or private) currently operates without an external media environment. So testing cybersecurity incident management capabilities without testing PR handling at the same time does not really simulate a real-life incident.

Incidents and injects choice by national coordinating bodies

ENISA allowed national coordinating bodies to choose the incidents and injects that were later submitted to exercise participants in that member state.

This approach allowed for additional, more granular local planning of the exercises. It made sure that, for example, injects intended for telecom operators were not sent to electric power operators.

Events, incidents and injects

The Cyber Europe 2016 exercises had three levels: events, incidents and injects.

The event level was the highest logical level of the exercises. There were seven events:

  • Mass infection campaign;
  • Reconnaissance and exfiltration;
  • Gaining foothold in essential infrastructures and services;
  • Attacks against reputation;
  • Attacks on key customers;
  • Attacks on core infrastructures and services;
  • EU Cooperation.

Each of the events consisted of several incidents. They had some nice names, like: “Ads gone wrong”, “Three unusual suspects”, “Out of the cage”, “Business is business”, “Hit the bull’s eye”.

Each of the incidents consisted of injects that contained the information needed to solve the incident. This information might have been made available in diverse forms: files, web pages, images, even scans of an employee’s paper notebook.

The following are examples of the technical skills needed to solve the incidents: network forensics, digital forensics, malware analysis, mobile malware analysis.

Besides these skills, an open mind was very helpful 🙂 Sometimes the clues to an incident's solution were hidden completely outside of, e.g., the malware source code.

In the next part of this article, I will review example incidents of Cyber Europe 2016 and briefly review the DHS Cyber Storm exercises.
