Informed Cyber Security Exercises

In another blog post, we shared insights from the cyber security exercises we've delivered. The findings we commonly see - the need to better understand roles and responsibilities, have effective incident response plans and playbooks, and maintain clear communication - are all critical in improving overall incident response readiness (a topic we focus a lot of our research on). However, the process of how these exercises are conceived in the first place deserves attention.

Organisations, regardless of their maturity level, are sometimes swayed by unrelated events, discussions, or suggestions on the scenarios they should exercise against. This can lead to exercises that may not align with their specific situation or the risks they actually face. While we truly believe exercising is crucial, it's important to distinguish between exercising for the sake of it and exercising with clear objectives in mind.

Late last year, we partnered with Mandiant (part of Google Cloud) to deliver a series of cyber security exercise-based workshops. For the exercises in which current or aspiring Cyber Team Leads participated, we asked the question:
The Cyber Defence Centre (CDC) will likely take the lead on the Tabletop Exercises (TTXs) when it comes to determining scenarios. How should scenarios be selected or determined, and what considerations does the team lead have when deciding which ones are appropriate?

Here's a summary of their responses:

  • Risk Assessment: Focus on the most likely and most dangerous scenarios. This should be driven by both a Crown Jewels Assessment and the organisation's vulnerable attack surfaces.
  • Intelligence-Led: Scenarios should be based on likely threat actors, current trends, and CVEs currently being exploited.
  • Known Vulnerabilities: Select scenarios based on the organisation's already known and recently discovered vulnerabilities.
  • Range of Scenarios: Selection should range from most likely to least likely, and should involve responses from various teams.
  • Business Requirements: The team lead should consider the requirements of the business and determine which scenarios are most suitable.
  • Risk Assessment Matrix: Prioritise what is most likely and has the most impact, then what is most likely, and finally what is most dangerous.
  • Previous Real Incidents: Scenarios should be taken from previous real incidents that have impacted the organisation.
  • High Priority Events: Cover most of the daily high priority events.
  • Current Trends: Ask the Cyber Threat Intel team about current trends and behaviours that may influence what we target.

It’s clear that a successful approach requires a combination of risk assessment, intelligence gathering, consideration of known vulnerabilities, and an understanding of business requirements. Additionally, learning from previous incidents and staying informed about current trends can also guide the selection process.

This is the premise of informed cyber security exercising - taking into account YOUR situation, YOUR maturity, and the threat environment YOU operate in.

Through a defined exercise framework, we are helping organisations build their incident management and response capability in an informed manner. We will have more to share on exercise frameworks and on how Gauntlet, our cyber security exercise platform, will be a driving force in planning and delivering worthwhile, meaningful, and informed cyber security exercises.