Cybersecurity Tabletop Exercise 2015 Overview
This 2015 tabletop exercise template lets stakeholders explore cybersecurity challenges, increase awareness, assess how cybersecurity is integrated into all-hazards preparedness, examine incident management structures and incident information sharing, and identify the cascading impacts of a cyber-attack on critical systems. Participant roles are Players (respond), Observers (support), Facilitators (moderate), and Evaluators (observe and document).
Presentation Transcript
Host/Sponsor
Exercise Name: 2015 Tabletop Exercise
Host Logo / Seal
Month DD, YYYY

Welcome and Opening Remarks
Host/Sponsor POC Name, Position, Organization

Exercise Overview and Facilitator
Facilitator Name, Organization / Department / Office, Division, Sub Office

Exercise Structure
This exercise will be a multimedia, facilitated tabletop exercise.
Players will participate in the following three modules:
<Module, Phase, or Other> <1>: <Insert Name>
<Module, Phase, or Other> <2>: <Insert Name>
<Module, Phase, or Other> <3>: <Insert Name>
Scenario updates will be provided at the beginning of each module.
The exercise will conclude with a brief Hot Wash.

Exercise Schedule (ADJUST TIMES AS NEEDED)
Time Allotted            Event
8:00 a.m. - 8:30 a.m.    Registration / Sign-In
8:30 a.m. - 8:45 a.m.    Introductions / Exercise Overview
8:45 a.m. - 9:20 a.m.    Module 1: <Name>
9:20 a.m. - 9:30 a.m.    Break
9:30 a.m. - 10:30 a.m.   Module 2: <Name>
10:30 a.m. - 11:30 a.m.  Module 3: <Name>
11:30 a.m. - 12:00 p.m.  Hot Wash
12:00 p.m.               Closing Remarks / Closing Comments
Exercise Objectives
Create an opportunity for stakeholders to explore and address cybersecurity challenges and increase cybersecurity awareness.
Assess the integration of cybersecurity into <Organization's> all-hazards preparedness.
Examine cybersecurity management structures, incident information sharing, escalation criteria, and related courses of action.
Identify cascading impacts of a cyber-attack on critical systems.
<Insert additional/other organization-specific objectives>

Participant Roles and Responsibilities
Players: Respond to the situation presented based on current plans, policies, and procedures.
Observers: Support players in developing responses, but do not directly participate.
Facilitators: Provide situation updates and moderate discussions; also provide additional information or resolve questions as required.
Evaluators: Observe and document key findings during the exercise.

Exercise Guidelines
This is an open, low-stress environment. Varying viewpoints, even disagreements, are expected.
Respond to the scenario using your knowledge of current plans and capabilities (i.e., you may use only existing assets) and insights derived from your experience and training.
Decisions are not precedent setting and may not reflect your organization's final position on a given issue. This exercise is an opportunity to discuss and present multiple options and possible solutions.
Be an active participant!

Assumptions and Artificialities
The exercise is conducted in a no-fault learning environment in which capabilities, plans, systems, and processes will not be evaluated.
There is no hidden agenda, nor are there any trick questions.
The exercise scenario is plausible, and events occur as they are presented.
All players receive information at the same time.
The scenario is not derived from current intelligence.
Module 1: <Name>

T - 2 Years: Initiation
According to an autopsy report, the sudden death of a 15-year-old girl who was treated at [hospital name] was ruled to be the result of a severe type of pneumonia.
The patient's family suspects improper care as the true cause of death and blames [hospital name].
Soon after the release of the autopsy report, the family begins to demand that the medical center be held accountable and files a wrongful death lawsuit against [hospital name].

T - 6 Months: Motivation
Upon presentation and litigation of the wrongful death lawsuit, the court rules in favor of [hospital name].
The family remains unconvinced, distraught, and angry over the verdict.

T - 5 Months: Advisory
The Multi-State Information Sharing and Analysis Center (MS-ISAC), in partnership with the National Health Information Sharing and Analysis Center (NH-ISAC), releases a joint advisory.
The advisory highlights several recent attacks against state health information exchanges.

T - 10 Days: Indication
[hospital name] begins to notice an increase in scans and phishing campaigns, similar to those reported at other medical providers throughout the country, including a 25% increase in attempted attacks against its networks.

T - 2 Days: Slow Motion
Employees begin to report internal network latency.
Members of the public report that they cannot access [hospital name]'s website.

T - 1 Day: Degradation
[hospital name] system performance continues to degrade, exacerbated by suspected data loss.
Several nurses begin to report that records which were available only a short time earlier are now completely unavailable.

Module 1 Discussion

Consider the following during discussion:
Information sharing by various constituents, including government sources of indicators and warnings.
Information sharing mechanism limitations and challenges within [hospital name].
Internal cyber threat information requirements and thresholds for reporting credible threats and incidents to organizational executive leadership.
What types of security-related industry alerts does [hospital name] receive? Those from NH-ISAC? US-CERT? Others?
Module 2: <Name>

T-Day: Investigation
In response to the extreme latency and unavailable medical records, [hospital name] begins to field an increase in help desk calls related to the EMR problems.
During this period, technicians confirm that records are actually missing and notice unusual patterns in access logs, including unauthorized access to the EMR system.

T-Day: Escalation
The News and Info section of [hospital name]'s public website, including one of its social media platforms, is defaced.
The defacement contains threats and a warning to the public about [hospital name]'s level of care:
"THIS HOSPITAL WILL DECEIVE YOU. THEY CANNOT BE TRUSTED WITH YOUR INFORMATION, OR YOUR LIFE!!!"

T + 1 Day: Communication
A local media affiliate of Global Network News and other local media outlets start reporting on the defacement of the [hospital name] homepage.

T + 1 Day: Elevated
MS-ISAC and NH-ISAC issue an update to their recent joint advisory.
The updated advisory indicates an increase in attacks on both public and private medical facilities, with significant impacts to ICS and SCADA systems.
Both MS-ISAC and NH-ISAC raise their threat alert level to ELEVATED.

Module 2 Discussion

Consider the following during discussion:
Initial response measures and triggers for external incident response coordination.
Existing incident response coordination, investigation, and mitigation efforts, and identification of impediments to timely response.
Cyber incident escalation criteria and planned notifications.
What is your planned cyber incident management structure?
How would external resources be requested and integrated?
Would legal department(s) be involved to address potential liability issues? How are they brought in appropriately?
Module 3: <Name>

T + 1 Day: Explanation
Further investigation indicates that malware infected [hospital name] via a spearphishing e-mail opened several weeks ago by a [hospital name] employee with privileged access / administrator rights.
This malware was used to alter supply inventory records and to exfiltrate more than 50,000 personally identifiable information (PII) and electronic protected health information (ePHI) records.

T + 1 Day: Intensification
Patients and staff report an extreme change in temperature in the medical facility, complaining that it is too hot.
As a result of the complaints, [hospital name] suspects a potential malfunction of SCADA-enabled devices within the HVAC and building management systems.

T + 1 Day: Expansion
Building Operations reports that a facilities technician tasked with inspecting the HVAC and BMS is unable to log in to the server that controls the HVAC system.
The technician entered his credentials as usual but received an "access denied" message.

T + 1 Day: Exhaustion
[hospital name] has quickly exhausted all available resources to investigate the extent of the problem and restore affected systems, resulting in significant impacts to patient care and life safety concerns.

T + 2 Days: Attention
National media outlets begin reporting on the situation at [hospital name].
In particular, the media outlets are covering the messages posted on the [hospital name] website and social media platform.

T + 4 Days: Ramifications
During an in-depth log review, [hospital name] discovers that 65 days ago [insert exercise malware name] was implanted on the medical facility's network, resulting in the creation of a super user with admin rights.
Investigators strongly suspect that the infection vector is linked to the spearphishing and network scanning, which eventually exploited a vulnerability in [hospital name]'s network.
Both [hospital name] and the investigation team continue the systematic process of malware remediation, removal, and patch updates.
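The log review that players are asked to reason about at T-Day (technicians spotting unauthorized EMR access in access logs) and at T + 4 Days (the in-depth review that finds the super user created 65 days earlier) is the one technical step the scenario leaves implicit. The following is an added example, not part of the exercise template and not any hospital's tooling: a small review over constructed audit lines that flags chart access by accounts without a clinical role, bulk chart reads, and the pairing of a newly created account with a privileged group membership, reporting how many days before the review the account was created. The log format, the hostnames dc01 and emr01, the account and group names, the role table and the bulk thresholds are all assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines for this example: "<ISO timestamp> <host> key=value ...".
# Hosts (dc01 = directory server, emr01 = EMR application), accounts and events
# are hypothetical; the 65-day gap mirrors the exercise timeline.
SAMPLE_LOG = """\
2015-03-01T02:14:07 dc01 event=user_created account=svc_backup2 by=jsmith
2015-03-01T02:14:09 dc01 event=group_add account=svc_backup2 group=Domain Admins by=jsmith
2015-05-04T09:12:00 emr01 event=record_read account=nurse_lee role=nurse patient=P1001
2015-05-04T09:15:31 emr01 event=record_read account=nurse_lee role=nurse patient=P1002
2015-05-04T23:41:02 emr01 event=record_read account=svc_backup2 role=service patient=P1003
2015-05-04T23:41:03 emr01 event=record_read account=svc_backup2 role=service patient=P1004
2015-05-04T23:41:04 emr01 event=record_read account=svc_backup2 role=service patient=P1005
2015-05-04T23:41:05 emr01 event=record_delete account=svc_backup2 role=service patient=P1004
2015-05-05T08:02:11 emr01 event=record_read account=dr_patel role=physician patient=P1006
"""

REVIEW_TIME = datetime(2015, 5, 5, 10, 0, 0)            # when the in-depth review is run
CLINICAL_ROLES = {"nurse", "physician", "pharmacist"}   # assumed roles allowed to touch charts
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
BULK_THRESHOLD = 3                    # this many chart reads by one account ...
BULK_WINDOW = timedelta(minutes=5)    # ... inside this window is treated as bulk pulling

# key=value pairs; values may contain spaces ("Domain Admins"), so stop before the next " key="
_KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_log(text):
    """Turn each audit line into a dict of its key=value fields plus parsed ts and host."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, host, rest = line.split(" ", 2)
        fields = dict(_KV.findall(rest))
        fields["ts"] = datetime.fromisoformat(stamp)
        fields["host"] = host
        events.append(fields)
    return events


def find_unauthorized_emr_access(events):
    """Flag chart access by accounts lacking a clinical role, and bulk chart reads."""
    findings = []
    reads = defaultdict(list)
    for e in events:
        if e["host"] != "emr01" or not e["event"].startswith("record_"):
            continue
        if e.get("role") not in CLINICAL_ROLES:
            findings.append((e["ts"], e["account"],
                             f"{e['event']} of {e['patient']} by non-clinical role '{e.get('role')}'"))
        if e["event"] == "record_read":
            reads[e["account"]].append(e["ts"])
    # Sliding window: BULK_THRESHOLD reads whose first and last fall within BULK_WINDOW
    for account, stamps in reads.items():
        stamps.sort()
        for i in range(len(stamps) - BULK_THRESHOLD + 1):
            if stamps[i + BULK_THRESHOLD - 1] - stamps[i] <= BULK_WINDOW:
                findings.append((stamps[i], account,
                                 f"{BULK_THRESHOLD} or more chart reads within {BULK_WINDOW}"))
                break
    return sorted(findings)


def find_privileged_account_creation(events, review_time):
    """Pair account creations with later additions to a privileged group."""
    created = {}
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] == "user_created":
            created[e["account"]] = e["ts"]
        elif e["event"] == "group_add" and e.get("group") in PRIVILEGED_GROUPS:
            findings.append({
                "account": e["account"],
                "group": e["group"],
                "added_by": e.get("by"),
                "created": created.get(e["account"]),   # None if creation predates retained logs
                "days_before_review": (review_time - e["ts"]).days,
            })
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ts, account, why in find_unauthorized_emr_access(evs):
        print(f"{ts}  {account:<12} {why}")
    for f in find_privileged_account_creation(evs, REVIEW_TIME):
        print(f"{f['account']} added to {f['group']} by {f['added_by']} "
              f"{f['days_before_review']} days before review (created {f['created']})")
```

Two design points matter for the discussion that follows. The privileged-group check keys on the group-add event, not on the creation event, because an attacker who escalates an existing account never generates a creation record; the creation timestamp is reported when present but its absence is itself a finding. And the bulk-read window is deliberately low here; on a real EMR it would be tuned against a baseline per role, since a triage nurse legitimately opens many charts in a few minutes.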
Module 3 Discussion

Consider the following during discussion:
Identification of available response, investigation, and mitigation resources and capabilities.
Identification of resource request coordination pathways.
Cyber incident management structure.
Role of public information during a cyber incident.
Challenges when coordinating public communications.
Public affairs playbook or pre-scripted statements.
Processes or protocols when contacting and/or working with law enforcement.
Processes and resources in place for evidence preservation and collection.

Exercise Hot Wash

Hot Wash
Strengths
Areas for Improvement

Points of Contact
For questions about this exercise or recommendations for improvement, contact:
Name of Facilitator, Dept / Div / Office, email