
Introduction
Financial institutions are facing a new reality. Cyber resilience has moved from a best practice to a business necessity to a prescriptive regulatory requirement.
Crisis management and tabletop exercises have long been relatively rare in the cybersecurity context, but they have become mandatory as a series of regulations have introduced this requirement for FSI organizations in several regions: the EU’s DORA (Digital Operational Resilience Act), Australia’s CPS230/CORIE (Cyber Operational Resilience Intelligence-led Exercise), MAS TRM (Monetary Authority of Singapore Technology Risk Management Guidelines), FCA/PRA operational resilience in the UK, the FFIEC IT Handbook in the US, and the SAMA Cybersecurity Framework in Saudi Arabia.
Compliance with these requirements is further complicated by the need for cross-functional collaboration between technical and non-technical teams. For example, simulating the technical aspects of a cyber incident, i.e. red teaming, should always be done within the same resilience program, in the same context, and using many of the same inputs and outputs, even if not at exactly the same time. This expectation is strongest in regulations based on the TIBER-EU framework, especially CORIE and DORA.
Excel will always be there
As requirements become more prescriptive and best practices become more established, what was once a tabletop exercise with a simple Excel file containing a series of short events, timestamps, personas, and comments has grown into a set of scenarios, scripts, threat landscape analyses, threat actor profiles, TTPs and IOCs, folders of threat reports, hacking tools, injects, and reports. All of this must be reviewed, prepared, rehearsed, played, analyzed, and reported on, at least once a year, if not quarterly, if not continuously.
Excel is powerful in the cyber, financial, and GRC realms, but it has its limitations at this level of complexity.
Blending tabletop and red team simulation
Over the past few years, Filigran has evolved OpenAEV to design and execute end-to-end scenarios that blend human communications and technical events. OpenAEV was originally launched as a crisis simulation management platform; breach and attack simulation was integrated later, and the platform is now part of holistic management of adversarial exposures, offering unique capabilities to assess both technical and human responses.
Simulations become more realistic if ransomware encryption alerts are followed by emails from confused users
There are many benefits to combining these two capabilities in one tool. First, it greatly simplifies scenario preparation. Following investigation of the threat landscape in OpenCTI (Threat Intelligence Platform), relevant intelligence reports can be used to generate technical injects based on attacker TTPs, as well as content such as attacker communications, third-party security operations center and managed detection and response communications, and internal leadership communications, all built on intelligence and timing from the same reports.
Track your team
Using a single tool also eliminates duplication of logistics before, during, and after the exercise. The “participants” within the exercise’s teams and organizational units can be synchronized with enterprise identity and access management sources, so that the recipients of alerts from technical events during the exercise are the same people who receive simulated crisis emails from the tabletop component. The same goes for those who receive an automated feedback survey for a “hot wash” review immediately after the exercise, and for those listed in the final report for auditor review.
OpenAEV can synchronize current team participant and analyst details from multiple identity sources
Similarly, if the same exercise is repeated after the lessons learned have been implemented, as part of the demonstrable continuous improvement required under DORA and CORIE, this synchronization keeps the contact lists for individuals in these roles up to date. The same applies to alternative phone trees and out-of-band crisis communication channels, and to contact lists for third parties such as MSSPs, MDRs, and upstream supply chain providers.
Similar efficiencies exist for threat landscape tracking, threat report mapping, and other features. As with all business processes, streamlining logistics increases efficiency, reduces preparation time, and allows for more frequent simulations.
Timing selection
Because CORIE and DORA are relatively recent regulations, most organizations are only just beginning to implement tabletop and red team scenarios, and the process will improve considerably over time. For these organizations, running a fully blended simulation may feel like too large a first step.
This is fine. OpenAEV allows you to run scenarios in a more staged, less intrusive manner. Most commonly, this means running red team simulations on day one to test detective and preventive technical controls and SOC response processes. The tabletop exercise is then conducted on the second day and can be adjusted to reflect the findings and timing from the technical exercise.
Simulations can be scheduled to repeat over days, weeks, or months.
What’s even more interesting is that simulations can be scheduled to run over much longer periods of time (months). This enables the automation and management of tricky but very real-world scenarios, such as proactively leaving a sign of compromise on a host, or having SOC, IR, and CTI teams demonstrate their ability to retrieve logs from archives to find Patient 0, the first system to be compromised. Although this is difficult to model realistically in a one-day simulation, it is a very common requirement in real life.
Practice makes perfect
Apart from regulatory requirements, insurance terms, risk management, and other external factors, streamlining attack simulations and tabletop exercises against currently relevant threats, with all the technology integration, scheduling, and automation that makes this possible, means that security, leadership, and crisis management teams develop the muscle memory and flow that create confidence in the organization’s ability to handle a real crisis when the next one occurs.
Access to a tool like OpenAEV, which is freely available to the community and offers a library of common ransomware and threat scenarios, technical integration with SIEM and EDR, and an extensible open source integration ecosystem, is one of the many ways you can improve your cyber defense and resilience. And we must not forget compliance.
And if your team is well-rehearsed and confident enough to handle a crisis situation, it’s no longer a crisis.
Are you ready to take the next step?
To dive deeper into how organizations can turn regulatory obligations into actionable resilience strategies, join Filigran’s upcoming expert-led sessions.
Operationalizing Incident Response: A Tabletop Exercise for Compliance Using the AEV Platform
