Overview
In this milestone, you will prepare facilitation instructions for an incident management simulation tabletop training exercise based on security issues arising from either the development of the Callego intelligent virtual assistant (IVA) or compliance and privacy protection under the General Data Protection Regulation (GDPR).
To complete this assignment, you must play both sides of the chessboard, white and black, by projecting both the attack and the defense. Throughout the Cybersecurity Graduate Program, you have worked with scenarios and cases that others have created or provided. Now it is your turn to design a scenario that reads as authentic, as if drawn from real life, and that is also written logically and clearly enough for others to understand it easily. You will also have to imagine the responses to this incident, including key decisions and their consequences. Additionally, you will need to consider how a threat could evolve to resist or evade mitigation and how a team could contain such a resilient adversary. You will find that this work requires an intriguing mix of analysis and creativity as you imagine a future state and an incident that may not have occurred at an organization but is within the realm of the possible.
Consulting Problem Three: Building Incident Management Capability With a Tabletop Simulation Exercise
The Cybersecurity team at Callego has been instrumental in helping the company to prepare for these new developments, but most employees at Callego have little awareness of the security implications or possible changes to policy or procedure related to the IVA or the GDPR. Even members of the Cybersecurity team and others in IT are not sure that they recognize all the security risks related to these new developments. Team members are also wondering if policies and procedures updated in recent months will be practical in an incident.
This uncertainty worries the Chief Information Officer (CIO), whose favorite quotation comes from the scientist Louis Pasteur: “Chance favors only the prepared mind.” At your last team meeting, she frowned and said, “Chance does not favor us. We are not prepared.” It’s time to change that. In particular, she wants a reconstituted multidisciplinary response team to be ready to manage and mitigate any incident that is likely to arise and to be poised to adapt to unanticipated adversarial tactics.
To help the organization prepare for an incident, rehearse management strategies, and test relevant procedures, you have been charged with developing an incident management simulation tabletop training exercise for an incident response team. Tabletop simulation exercises help organizations identify deficiencies in response procedures and diagnose impacts or consequences that may not have been anticipated. These exercises constitute an abstraction based on the real world, but with a stepwise structure that allows participants to focus on key points in a progression. This allows participants to research their roles while building collective capability by working together. Such exercises allow the group to reflect together on key questions, including: “What have we not thought of?”
Your task is to develop a tabletop simulation exercise that will allow participants at Callego to manage an evolving incident involving one of the two recent developments, either the IVA or the GDPR.
This attack simulation will be presented in stages defined by the incident management team’s decisions and actions, as well as by “injects” that change the business context or present new attack vectors or adversarial tactics.
It is your responsibility to design the adversarial objectives, strategy, and tactics, as well as the defensive measures or protocols you would like to test. Here are some helpful tips:
- Start with the underlying security issues involving your choice of the IVA or GDPR, and design an attack to exploit these issues.
- Emulate a known, categorized attack vector or vectors, adapted to security issues of the IVA or GDPR, in your attack. The “Mitre PRE-ATT&CK Matrix,” located in the Module Six Reading and Resources, is recommended for identifying vectors.
- Recall that while an adversary may be outside the organization, insiders may also present threats through adversarial actions or negligence. An attack may involve multiple parties acting in concert or insiders who are made parties to an attack through means such as social engineering.
- Regarding defense, imagine a future state of security that can meet this attack. What would this entail in procedures or control measures? Now consider the operations of a company such as Callego that has a multitude of customer contacts and handles vast quantities of personal data every day at its core operation. What is a minimally viable defensive posture for the company regarding the IVA or GDPR? In your exercise, put this minimum viability to the test and look for gaps.
- Keep the attack and defense simple, but build in more complexity through a chain of injects and response team actions. Keep in mind, however, that you are not required to simulate all possible attack vectors. This exercise is only a start.
Directions
Develop facilitation instructions for an incident management simulation tabletop exercise for Callego, involving either the IVA or GDPR. These instructions should include sufficient information for a facilitator to lead the simulation and should give any informed reader at Callego a clear awareness of the exercise objectives, rationale, and progression.
You have been allotted five hours: four hours for the exercise and, after a break, about 50 minutes for a group discussion of the exercise and lessons learned. The exercise will occur in a conference room. All participants will have laptop computers or tablets and smartphones equipped with the Callego internal app and the Callego first alert message system, either of which can be used for the exercise. The room is equipped with whiteboards and a projection system, and you have sufficient easel paper, sticky notes and dots, and other office supplies.
Specifically, you must address the following rubric criteria:
1. Introduction: Introduce the exercise and the security issues the exercise will address. Be sure to connect this discussion to your learning about risk and security in the IVA or GDPR.
2. Objectives: Establish practical, clear objectives for the exercise.
   A. What do you hope to discover?
   B. While objectives are presented near the beginning of the instructions, they may be written near the end of the process of creating the exercise, as you align and refine the elements.
3. Team Roles and Responsibilities: Define the key incident management roles and responsibilities for exercise participants.
   A. What roles will participate in the exercise as members of the incident management team?
   B. List the core incident management responsibilities for each role. Limit this team to no more than seven roles.
4. Elements to Be Tested: Identify appropriate elements to be tested, including the following:
   A. A security principle such as layering, least astonishment, modularity, least privilege, or another principle, as implemented at Callego
   B. A security policy or procedure, such as a particular provision in a larger policy or procedure
   C. A technical control measure
   D. Another incident response tactic or countermeasure
5. Exercise Timeline: Provide a clear, complete, and logical timeline that includes the following information:
   A. Initial attack vector
   B. Response frames and measures
      i. How will procedures, principles, or controls be tested?
      ii. What will participants need to decide? For instance, should the facilitator prompt a group discussion or decision on alerts, notifications, or countermeasures?
   C. Branching scenarios based on the initial response
      i. What are the consequences of choices that the team may make?
      ii. How can decisions and consequences prompt further decisions?
   D. Up to three injects that shift the attack vector or introduce new information regarding the adversary or the business
      i. For instance, an attack that at first seems aimed at collecting customer information may become an attempt to shut down systems.
6. Visual Representation: Provide a useful visual representation of the exercise that captures its logic or flow, such as a countermeasure table or a tree diagram illustrating the branches.
7. Projection of Lessons Learned: Project realistic lessons learned that relate to the exercise objectives, the tested elements, and the exercise outline.
   A. Imagine that the exercise has been completed. What did it reveal? What lessons can be taken from it?
   B. Refer back to the exercise objectives and the elements selected for testing. Consider discussing the following points:
      i. Assessment of technical measures and needs for improvement
      ii. Communication procedure recommendations
      iii. Areas that should be covered in other training and user awareness campaigns
      iv. Regulatory and legal compliance concerns
      v. Documenting risk or exposure for upper management
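As an added illustration, not part of the assignment text or of any Callego material, the following Python models the exercise timeline of rubric item 5 as a tree of response frames, team decisions and facilitator injects, enumerates every branch, and checks the design against the rubric's limits (no more than seven roles, at most three injects on any path, a projected lesson at every terminal frame). The scenario content, frame identifiers, role names and tested elements are constructed and hypothetical; the inject that shifts from data collection to disabling systems follows the example given in item 5D.

```python
"""Constructed model of a branching tabletop-exercise timeline (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_ROLES = 7     # rubric item 3B: no more than seven roles
MAX_INJECTS = 3   # rubric item 5D: up to three injects

Path = List[Tuple[str, Optional[str]]]   # sequence of (frame id, decision taken)


@dataclass
class Frame:
    """One step of the timeline: a situation the response team must act on."""
    situation: str
    tested: Optional[str] = None                 # principle, policy or control under test
    inject: bool = False                         # facilitator inject that shifts the context
    choices: Dict[str, str] = field(default_factory=dict)   # team decision -> next frame id
    lesson: Optional[str] = None                 # projected lesson for a terminal frame


@dataclass
class Exercise:
    roles: List[str]
    frames: Dict[str, Frame]
    start: str

    def paths(self) -> List[Path]:
        """Enumerate every (frame id, decision) path from the start to a terminal frame."""
        found: List[Path] = []

        def walk(fid: str, trail: Path, seen: frozenset) -> None:
            if fid in seen:
                raise ValueError(f"cycle through frame {fid!r}")
            frame = self.frames[fid]
            if not frame.choices:                # terminal frame: record the completed path
                found.append(trail + [(fid, None)])
                return
            for decision, nxt in frame.choices.items():
                walk(nxt, trail + [(fid, decision)], seen | {fid})

        walk(self.start, [], frozenset())
        return found

    def validate(self) -> List[str]:
        """Return rubric and consistency problems; an empty list means the design is sound."""
        problems: List[str] = []
        if len(self.roles) > MAX_ROLES:
            problems.append(f"{len(self.roles)} roles exceeds the limit of {MAX_ROLES}")
        for fid, frame in self.frames.items():
            for decision, nxt in frame.choices.items():
                if nxt not in self.frames:
                    problems.append(f"{fid}: decision {decision!r} points at unknown frame {nxt!r}")
            if not frame.choices and frame.lesson is None:
                problems.append(f"{fid}: terminal frame has no projected lesson")
        if problems:
            return problems                      # path enumeration needs a consistent graph
        all_paths = self.paths()
        reached = {fid for path in all_paths for fid, _ in path}
        for fid in self.frames:
            if fid not in reached:
                problems.append(f"{fid}: frame is unreachable from {self.start!r}")
        for path in all_paths:
            injects = sum(self.frames[fid].inject for fid, _ in path)
            if injects > MAX_INJECTS:
                ids = [fid for fid, _ in path]
                problems.append(f"path {ids} has {injects} injects (max {MAX_INJECTS})")
        return problems


def build_sample_exercise() -> Exercise:
    """Constructed IVA scenario (hypothetical content, not drawn from Callego materials)."""
    frames = {
        "F1": Frame("Monitoring flags an unusual volume of IVA transcript exports overnight.",
                    tested="Alert escalation procedure",
                    choices={"escalate": "F2", "dismiss as false positive": "I1"}),
        "F2": Frame("Incident lead convenes the team; who holds export rights is reviewed.",
                    tested="Least privilege on IVA administrative roles",
                    choices={"suspend export rights pending review": "F3",
                             "leave rights in place, monitor only": "I1"}),
        "I1": Frame("Inject: customers report the IVA reading back another caller's details.",
                    inject=True, tested="Customer and regulator notification procedure",
                    choices={"notify privacy officer and start breach assessment": "F3",
                             "handle as ordinary support tickets": "I2"}),
        "I2": Frame("Inject: the activity shifts from collecting data to disabling IVA services.",
                    inject=True, tested="Continuity fallback to human agents",
                    choices={"activate fallback and contain": "F3"}),
        "F3": Frame("Scope contained; evidence preserved; management briefed.",
                    lesson="Escalation delay widened exposure; rehearse the notification path."),
    }
    roles = ["Incident lead", "IVA engineering", "Privacy officer", "Communications",
             "IT operations", "Legal", "Customer support lead"]
    return Exercise(roles=roles, frames=frames, start="F1")


def max_injects_on_any_path(ex: Exercise) -> int:
    """Largest number of injects a single run of the exercise can present."""
    return max(sum(ex.frames[fid].inject for fid, _ in path) for path in ex.paths())


if __name__ == "__main__":
    ex = build_sample_exercise()
    print("design problems:", ex.validate() or "none")
    for path in ex.paths():                      # one line per branch, usable for the tree diagram
        print(" -> ".join(f"{fid}[{d}]" if d else fid for fid, d in path))
```

The enumerated paths double as the skeleton for the tree diagram required in rubric item 6, and the per-frame `tested` field makes it easy to confirm that every element chosen in item 4 is actually exercised on at least one branch.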
What to Submit
Your submission should be a single Microsoft Word document 5 to 7 pages in length (plus a cover page and references). Use double spacing, 12-point Times New Roman font, and one-inch margins. Any references should be cited according to APA style. You must include a visual representation of the flow or logic of the exercise within the document. Use a file name that includes the course code, the assignment title, and your name—for example: ISE_690_Milestone_Three_Firstname_Lastname.docx.