Instructions for Cyber Incident Response Tabletop Exercises


A tabletop exercise is a discussion-based simulation of a cyber attack, used to test the organization’s incident response framework, identify process gaps, and improve the team’s capability to handle a live cybersecurity incident. Here are the steps to set up and perform a tabletop exercise:

1. Define Objectives:

  • Describe explicitly what the tabletop exercise will accomplish. Set goals such as testing incident response processes, communication processes, or decision-making effectiveness.

2. Establish Scenario:

  • Set a realistic and challenging scenario consistent with the organization’s threat environment. Consider the type of incident, the systems involved, and the impact on operations.

3. Assemble Participants:

  • Invite key stakeholders such as incident response team members, IT employees, communications professionals, lawyers, and department heads.
  • Include participants from different levels of the organization.

4. Provide Background Information:

  • Brief the participants on the situation and background beforehand. This could include the nature of the event, the affected systems, and other context.

5. Conduct the Tabletop Exercise:

  • Facilitate the exercise by presenting the situation and leading participants through the mock incident. Encourage transparency, collaboration, and decision-making. Walk participants through a simulated timeline covering the different stages of the event.

6. Explore Response Procedures:

  • Evaluate the effectiveness of incident response policies. Pay attention to how the participants detect, contain, eradicate, and recover from the simulated event. Go over decisions and evaluate the coordination between teams.

7. Assess Communication Protocols:

  • Review communication within the organization and with external stakeholders: test communication mechanisms, including incident notifications, and confirm that information flows clearly.

8. Review Lessons and Needs for Change:

  • Encourage participants to point out problems, barriers, and opportunities. Record the lessons learned and suggestions for improving the incident response strategy.

9. Debriefing Session:

  • Hold a debriefing immediately after the exercise: report observations, solicit feedback from participants, and document learnings. Identify strengths and weaknesses.

10. Document Lessons Learned:

  • Write a full report that describes the tabletop exercise, the scenario, the responses of the participants, the shortcomings, and recommendations. Use this information to improve incident response.
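The ten steps above amount to a scenario with timed injects, a record of what participants actually did, and an after-action report comparing the two. The following is an added example, not code from the original post: a small Python facilitator aid in which a ransomware scenario (the injects, phases and expected actions are constructed for illustration) is scored against a constructed action log, producing per-phase gaps and the delay between each inject and the first planned action taken in response.

```python
"""Tabletop exercise scoring aid (added example; scenario and action log are
constructed, not taken from any real exercise)."""
from dataclasses import dataclass


@dataclass
class Inject:
    minute: int        # minutes into the exercise when the facilitator delivers it
    phase: str         # detect / contain / eradicate / recover
    message: str       # what the facilitator reads to the participants
    expected: set      # actions the incident response plan says should follow


@dataclass
class Action:
    minute: int        # when the action was recorded by the note-taker
    actor: str         # role of the participant who took it
    action: str        # short tag matching the plan's expected actions


def build_ransomware_scenario():
    """A constructed ransomware timeline covering the four response phases."""
    return [
        Inject(0, "detect",
               "Helpdesk reports several file shares showing a .locked extension.",
               {"open_incident", "notify_irt"}),
        Inject(15, "contain",
               "EDR shows an encryption process spreading from one workstation.",
               {"isolate_host", "disable_account", "notify_legal"}),
        Inject(45, "eradicate",
               "Forensics identifies initial access via a phishing attachment.",
               {"block_sender", "reset_credentials"}),
        Inject(90, "recover",
               "Backups from last night are confirmed intact.",
               {"restore_from_backup", "notify_executives", "external_comms"}),
    ]


# Constructed log of what the participants decided during the walk-through.
SAMPLE_ACTIONS = [
    Action(5, "SOC analyst", "open_incident"),
    Action(8, "IR lead", "notify_irt"),
    Action(20, "IR lead", "isolate_host"),
    Action(50, "IT operations", "block_sender"),
    Action(55, "IT operations", "reset_credentials"),
    Action(100, "IR lead", "restore_from_backup"),
    Action(110, "CISO", "notify_executives"),
]


def evaluate(injects, actions):
    """Compare recorded actions against each inject's expected actions.

    Returns, per phase, the expected actions nobody took after the inject
    and the minutes elapsed before the first expected action was taken.
    """
    report = {}
    for inj in injects:
        # Only actions taken at or after the inject count as a response to it.
        responses = [a for a in actions
                     if a.minute >= inj.minute and a.action in inj.expected]
        taken = {a.action for a in responses}
        first = min((a.minute for a in responses), default=None)
        report[inj.phase] = {
            "missed": sorted(inj.expected - taken),
            "response_minutes": None if first is None else first - inj.minute,
        }
    return report


def after_action_lines(report):
    """Render the report as lines for the lessons-learned write-up."""
    lines = []
    for phase, result in report.items():
        gaps = ", ".join(result["missed"]) or "none"
        delay = result["response_minutes"]
        delay_text = "no expected action taken" if delay is None else f"{delay} min to first action"
        lines.append(f"{phase:<10} gaps: {gaps:<35} {delay_text}")
    return lines


if __name__ == "__main__":
    for line in after_action_lines(evaluate(build_ransomware_scenario(), SAMPLE_ACTIONS)):
        print(line)
```

Recording actions with timestamps during the exercise is what makes the report useful: the gaps list feeds step 8 (lessons and needs for change), and the per-phase delays give the debrief in step 9 a concrete figure for how long detection, containment and recovery took rather than a general impression.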

Possible Incident Response Topics for Tabletop Activities:

Ransomware Attack:

Simulate a ransomware attack and determine whether the organization can detect, react, and recover.

Data Breach:

Find out how the organization handles data breaches, from notification procedures to legal issues to PR.

Insider Threat:

Simulate an insider threat to test how the organization detects and prevents risk from within.

Distributed Denial of Service (DDoS) Attack:

Measure how well the business can handle a DDoS attack and preserve essential services during the disruption.

Supply Chain Compromise:

Analyze the organization’s response to a supply chain compromise, including third-party vendor relations and dependencies.

Credential Compromise:

Simulate an attack in which users’ credentials are stolen and see how the organization detects and recovers from it.

Phishing Campaign:

Assess the organization’s reaction to a phishing attack, from employee awareness to incident reporting and response.

Critical Infrastructure Failure:

Walk through what would happen in a major infrastructure failure, including power, water or communication systems.

Cloud Service Outage:

Suppose a critical cloud service goes down — test your company’s emergency preparedness and communications strategy.

Malicious Insider Activity:

Review the company’s reaction to insider-level malicious activity, such as data breach or sabotage.


Personalize the tabletop exercise scenario to your organization’s requirements and risk tolerance. Conduct such exercises regularly to keep the incident response team well-equipped for changing cybersecurity threats.

Navigating Container Security: Protecting the Maritime and Shipping Industries

The maritime and shipping sector has become increasingly digitized in recent years by using cutting-edge technologies to cut costs and improve efficiency. Yet, this digital transformation has also left these industries open to cybercrime and attacks. Since they form an integral part of world trade and transport, any disruption in maritime life can have immense implications for the global economy. Therefore, identifying the current cyber-attack risks, predicting them, and adopting strong mitigation measures are essential for companies in this area.

Cyber attacks on the shipping sector encompass a variety of strategies, such as ransomware, phishing, data breaches, and supply chain attacks, to name a few. These attacks can interrupt the functioning of the ships, leak private information, and even threaten maritime safety and security.

Perhaps the most alarming threat involves cyber-enabled tampering with vessel navigation systems. In 2017, the NotPetya malware outbreak showed how weak shipping companies’ IT infrastructure can be, causing havoc in global maritime trade. In addition, the rising interconnectivity of onboard equipment and the growth of IoT devices have broadened the attack surface, giving attackers even more avenues to exploit.

The maritime industry’s reliance on legacy systems and crew members’ lack of cybersecurity awareness compound the situation. Third-party vendor and supplier weaknesses also come into play, such as the 2018 hack of a major shipping line’s booking system, which led to business disruptions and losses.

With the advancement of technology, cyber threats aimed at the maritime industry are set to grow ever more sophisticated and ubiquitous. As autonomous and unmanned vessels and maritime systems become available, threats to physical and environmental harm via cyber-attacks become more serious. Moreover, applying Artificial Intelligence (AI) and Machine Learning (ML) to maritime operations opens up new attack tools like AI-powered social engineering and adversarial ML.

Furthermore, geopolitics and state-sponsored cyber-warfare pose new risks for the marine industry. In cyber-espionage or sabotage operations, nation-state actors can interfere with supply chains and achieve strategic advantage by utilizing critical infrastructure (ports, shipping channels).

Firms must take a proactive, layered approach to cybersecurity to effectively mitigate cyber threats in the maritime sector. Some key mitigation strategies include:

  1. Risk Assessment and Management: Evaluate risk in detail to uncover threats and prioritize cybersecurity investments according to the assets involved and the business impact.
  2. Cybersecurity Awareness Training: Conduct periodic training and awareness activities for crew members and shore-based staff on commonly encountered cyber threats and measures for risk reduction.
  3. Implementing Security Controls: Enforce effective cybersecurity controls, including firewalls, intrusion prevention systems, and encryption, to guard onboard devices and networks from intruders and malware.
  4. Vendor Risk Management: Assess the cybersecurity readiness of third-party vendors and suppliers and establish contractual requirements for security controls and incident response capabilities.
  5. Incident Response Planning: Establish and continuously validate incident response plans so that containment, mitigation, and recovery from a cyber incident are coordinated and effective.
  6. Regulatory Compliance: Stay current with cybersecurity rules and standards, such as the IMO maritime cyber risk management guidance, and maintain compliance with industry standards.

In conclusion, cyber-attacks pose significant risks to the maritime and shipping industries, threatening the safety, security, and reliability of global supply chains. To mitigate these risks effectively, companies must adopt a proactive and holistic approach to cybersecurity, encompassing risk assessment, employee training, technical controls, vendor management, incident response, and regulatory compliance. By investing in cybersecurity measures now, maritime organizations can strengthen their resilience to cyber threats and safeguard their operations in an increasingly digitalized and interconnected world.


The Nexus of Cybercrime and Artificial Intelligence: Current Trends and Future Projections

The intersection of cybercrime and artificial intelligence (AI) has been increasingly discussed by scholars, policymakers, and industry leaders in recent years, and this is unsurprising. As AI technologies develop more rapidly, cybercriminals are using them to plan sophisticated attacks on organizations across the globe. Here, I want to look at the state of play in cybercriminals’ use of AI for malicious purposes today and share a few perspectives on where this threat landscape might head.

Today, criminals use AI to be more efficient, effective, and better at espionage. The most visible example is AI-driven malware that can change autonomously and respond to shifting defenses. For example, generative adversarial networks (GANs) can be used to build rogue code that circumvents traditional security by imitating benign files or exploiting vulnerabilities in real time.

AI-based phishing campaigns have also advanced to using natural language processing (NLP) to generate highly persuasive messages that evade email filters and fool unsuspecting recipients. These are usually social engineering attacks that use AI to mine open data, such as social media, to tailor phishing emails and make them more effective.

In addition, AI is being used to automate and scale different phases of the cyberattack cycle, such as reconnaissance, infiltration, exfiltration, and evasion. Machine learning algorithms can scan enormous quantities of data to find flaws in the targeted systems, select targets by value, and tailor attack plans for the most impact and the least chance of detection.

Future prospects see AI’s interaction with other emerging technologies – the Internet of Things (IoT), 5G, and quantum computing – increasing the power of cybercriminals and creating new avenues of attack. For instance, the proliferation of IoT appliances opens a vast attack surface for AI-powered botnets to carry out large-scale DDoS attacks or penetrate critical networks.

In addition, connecting driverless vehicles, smart cities, and critical infrastructure networks to AI-enabled systems creates never-before-seen possibilities for cyber-physical attacks. Complex AI algorithms might then be employed to ‘game’ sensor data, destabilize automation, or cause physical harm through self-driving cars or industrial control systems.

And then there are AI-powered deepfakes, which are already becoming an issue for disinformation, identity theft, and fraud. Cybercriminals might use AI to create convincing fake audio or video recordings of an individual, public figure, or company leader to spread false news, destabilize financial markets, or coerce someone into providing valuable information.

To summarise, cybercriminals’ use of AI is a constantly changing threat to organizations in every industry. As AI develops, so will the sophistication and frequency of AI-powered cyberattacks. This dynamic threat environment must be addressed through technology development, regulatory frameworks, and industry partnerships. With proper vigilance and proactive security, organizations can avoid becoming victims of AI-based cybercrime and protect their digital resources and platforms from upcoming risks.


The Journey Begins

Thanks for joining me!

Good company in a journey makes the way seem shorter. — Izaak Walton

Welcome to my blog. It was not my brainchild, to be clear. I am not really a writer, but I have a story or two to share, and I have always enjoyed sharing stories and cybersecurity conversations with people I have met over the years. This website and its name started as a joke with a handful of people who attended EC-Council’s Certified CISO training in Virginia some years back. During lunch one day, someone said, “If only there was a nice CISO the company could go to that would just grab them by the hand and tell them everything would be alright.”

Cybersecurity is hard. As practitioners, we have fewer people, smaller budgets, and less technology. What is hoped for is that with those few resources, we will construct a walled garden of invincibility, like a castle’s walls, that will never fall. The truth is, just like the old castles, there is a lot of traffic moving in and out while the company does the business it needs to run daily.

The most frequent attacks against a company are not the brute-force slams firewalls are built to ward off. Attackers use social engineering, watering-hole sites, and a myriad of other techniques to lure users to a malicious site and bring the attacker’s code back into the company. Most initial payloads these days are not overtly malicious; once in the organization, they do reconnaissance (spying) and report back what they see, how strong your defenses are, and whether there is a valuable target. These benign-looking droppers have hundreds of external IP addresses they can try to reach out to, be updated from, or receive further instructions from, such as downloading ransomware or remote access tools.

This attacker has time, and your organization presents a massive pool of people to target. An attacker might need to be right only once to break into your systems, while the defender cannot be right 100% of the time if the goal is to block every attacker.

Within our organizations we are all islands, standing at our defensive posts with our countermeasures. We use everything we can from the external world, including ISACs, threat intelligence, and even the eyes of our firewalls and honeypots, to get advance notice. If attackers get into the organization, we want to be able to catch them before they do anything damaging and get them out of our systems.

Unfortunately, there is no magic pill. Cybersecurity is just security evolving. Banks still have vaults and safes filled with physical wealth, but we now hold just as much wealth on the internet, with far less chance of the hacker being spotted, caught, and eventually jailed. It’s up to us, the stewards of that digital treasure, to preserve it.

I am looking forward to this dialogue and journey with you.