What should an incident response exercise look like?

    This is an extract from a scenario walk-through I conducted (pre COVID-19 of course). I’ve redacted any sensitive information, but thought that this could be useful for others looking to take their first journey down this route.

    Comments / criticisms welcomed!

    Scenario One - Terrorist Attack
    Category - Incident Response
    Severity - CRITICAL
    Classification - An immediate personal safety risk to employees
    

    Verbiage

    “At approximately 11:30am this morning, various news agencies have reported gunfire in the city, and a vehicle mounting the footpath colliding with pedestrians. Breaking news on Twitter details witness accounts of casualties with a variety of injuries - some life threatening. Early information indicates that this is being treated as a terrorist attack, and armed police are presently securing the affected areas and assessing the current situation. The chief of police, the mayor, and government leaders are scheduled to make an announcement live on TV within the hour, although as yet, there is little information in terms of scope and impact. Early intelligence would suggest that up to 10 heavily armed assailants are attacking random targets within the city, with the last reported incident taking place within 2 minutes walking distance of the office. At present, no known terrorist group has claimed responsibility.”

    Assessment Questions

    • How are employees within the affected areas accounted for?
    • How are employees currently travelling into the city notified of this incident?
    • How are notifications validated? For example, how do you know that the employee has received the message?
    • Are key stakeholders defined in the plan fully aware of their responsibilities and requirements?
    • How readily available is essential information pertaining to any imminent threats for both stakeholders and employees?
    • Is it necessary to notify counterparties, custodians, or administrators in this instance?
    • Does the firm have in its possession relevant, up to the minute information about areas in the city that should be avoided?
    • Should the firm make arrangements for employees to leave the office securely?
    • How long should the firm monitor the situation for before providing the “all clear” to employees?

    Noted Observations

    Remediation Suggestions

    Scenario Two - Building Accessibility
    Category - Business Continuity
    Severity - MEDIUM
    Classification - Risk to employee safety, and inability to access office
    

    Verbiage

    “Owing to a recent spate of bad weather, and “Storm Higgins”, the London office is currently inaccessible due to falling debris from the roof, which was ripped open during the storm (lightning strike). The 6th floor is currently flooded - including the main electrical riser, and one of the 4 muses located on the roof of the building has been reported as “moving in the high wind”, which could cause injury to passers-by and pedestrians should it suddenly fall. The area is in the process of being secured, and employees arriving for work will likely be turned away until the area is certified as safe. Currently hazardous weather conditions are causing additional issues and delays on the roads into and out of London.”

    Assessment Questions

    • How are employees within the affected areas accounted for?
    • How are employees currently travelling into the city notified of this incident?
    • How are notifications validated? For example, how do you know that the employee has received the message?
    • Are key stakeholders defined in the plan fully aware of their responsibilities and requirements?
    • How readily available is essential information pertaining to any imminent threats for both stakeholders and employees?
    • Is it necessary to notify counterparties, custodians, or administrators in this instance?
    • Does the firm have in its possession relevant, up to the minute information about potential weather warnings?
    • Should the firm make arrangements for employees to leave the office safely?
    • How long should the firm monitor the situation for before providing the “all clear” to employees?

    Noted Observations

    Remediation Suggestions

    Scenario Three - Building State - Fire Damage
    Category - Disaster Recovery
    Severity - CRITICAL
    Classification - Structural damage to firm office area rendering access impossible
    

    Verbiage

    “At 2am this morning, the CEO from an adjacent business occupying the same building as the firm received a call from building security alerting them to a fire within their domiciled area. The fire has spread quickly through open areas of the building - including the designated floors belonging to the firm, who were also notified. The fire crew have been on scene for the last 45 minutes and have managed to get the blaze under control, but have immediately certified the building as unsafe for entry owing to significant structural damage to the lobby area, lifts, and stairwells. Most of the fire damage has been contained by the firewall concrete between floors, although thick black smoke has permeated throughout the entire building, and significant fire damage to the electrical landlord and tenant supplies has rendered the building inoperable. The sprinkler system has been activated within the firm’s floor area and destroyed the PCs and monitors on the desks. There is also significant damage to the comms room and networking infrastructure.”

    Assessment Questions

    • How are employees within the affected areas accounted for?
    • How are employees currently travelling into the city notified of this incident?
    • How are notifications validated? For example, how do you know that the employee has received the message?
    • Are key stakeholders defined in the plan fully aware of their responsibilities and requirements?
    • Are all affected employees sufficiently versed in accessing the network remotely?
    • What changes will IT need to make? Diversion of critical phone lines?
    • Is it necessary to notify counterparties, custodians, or administrators in this instance?
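The "how are employees accounted for" and "how are notifications validated" questions recur in Scenarios One to Three, and the distinction they point at is easy to get wrong in a plan: a delivery receipt from an SMS gateway or mail server proves the message left the firm, not that the person read it. The script below is an added example, not part of the original post, that models the roll-call a crisis team actually needs: everyone is either acknowledged safe, acknowledged as needing help, or unaccounted for, and for the unaccounted it reports which contact channels are still untried and whether the silence has lasted long enough to escalate. The roster, messages, acknowledgements and the 15-minute escalation window are all constructed sample values.

```python
"""Incident roll-call: validate notifications by acknowledgement, not delivery.

Added example (not from the original post). Roster, messages, acks and the
escalation window are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Employee:
    name: str
    in_affected_area: bool      # in the office or travelling through the affected area
    channels: List[str]         # contact channels the firm holds for this person


@dataclass
class Notification:
    employee: str
    channel: str
    sent_at: datetime
    delivered: bool             # receipt from the channel; NOT an acknowledgement


@dataclass
class Ack:
    employee: str
    at: datetime
    status: str                 # "safe" or "needs_help"


# Assumption: silence beyond this after the first message triggers a phone call / escalation.
ESCALATION_AFTER = timedelta(minutes=15)


def account_for(roster: List[Employee], sent: List[Notification],
                acks: List[Ack], now: datetime) -> Dict[str, list]:
    """Bucket every employee as safe, needs_help or unaccounted.

    Only an explicit acknowledgement moves someone out of "unaccounted"; a
    delivered-but-silent message is flagged so the team knows the channel
    worked and the next step is a different channel or a direct call.
    """
    result: Dict[str, list] = {"safe": [], "needs_help": [], "unaccounted": []}
    for emp in roster:
        my_acks = sorted((a for a in acks if a.employee == emp.name), key=lambda a: a.at)
        if my_acks:
            # Unknown status values are treated conservatively as needing help.
            status = my_acks[-1].status if my_acks[-1].status in ("safe", "needs_help") else "needs_help"
            result[status].append(emp.name)
            continue
        my_sent = [n for n in sent if n.employee == emp.name]
        tried = {n.channel for n in my_sent}
        first_sent = min((n.sent_at for n in my_sent), default=None)
        result["unaccounted"].append({
            "name": emp.name,
            "in_affected_area": emp.in_affected_area,
            "delivered_but_silent": any(n.delivered for n in my_sent),
            "untried_channels": [c for c in emp.channels if c not in tried],
            "escalate": first_sent is not None and now - first_sent >= ESCALATION_AFTER,
        })
    # People inside the affected area are worked first.
    result["unaccounted"].sort(key=lambda u: (not u["in_affected_area"], u["name"]))
    return result


# Constructed sample data: the alert went out at T0.
T0 = datetime(2024, 3, 1, 11, 30)
ROSTER = [
    Employee("alice", True, ["app", "sms"]),
    Employee("bob", True, ["sms", "email", "phone"]),
    Employee("carol", False, ["email"]),
    Employee("dave", True, ["app", "sms"]),
]
SENT = [
    Notification("alice", "app", T0, True),
    Notification("bob", "sms", T0, True),            # delivered, never acknowledged
    Notification("carol", "email", T0, True),
    Notification("dave", "app", T0 + timedelta(minutes=15), False),  # push not even delivered
]
ACKS = [
    Ack("alice", T0 + timedelta(minutes=2), "safe"),
    Ack("carol", T0 + timedelta(minutes=4), "needs_help"),
]


def demo(now: datetime = T0 + timedelta(minutes=20)) -> Dict[str, list]:
    """Run the roll-call against the constructed data 20 minutes after the alert."""
    return account_for(ROSTER, SENT, ACKS, now)


if __name__ == "__main__":
    for bucket, people in demo().items():
        print(bucket, people)
```

Twenty minutes in, bob is the case the plan has to handle: his SMS was delivered, he has not answered, two channels are untried and the escalation window has passed. dave's push notification failed outright but is only five minutes old, so he is listed without the escalation flag. A plan that counted delivery receipts as "notified" would have reported both as done.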

    Noted Observations

    Remediation Suggestions

    Scenario Four - Data Leakage - Blackmail
    Category - Incident Response
    Severity - CRITICAL
    Classification - Significant damage to firm reputation and integrity / security of client information
    

    Verbiage

    "An employee of the firm receives a call from a news agency who informs the employee that the cyber criminal gang known as “Nefarious-X” have alerted them to a substantial leak of client confidential information from the firm - either directly, or via one of its administrators or data custodians. Nefarious-X are threatening to dump all of the information they have obtained (which they claim includes names, addresses, passwords, date of birth, email addresses, and various other fund information that can identify the firm’s clients directly) onto the dark web for sale to the highest bidder (in addition, they claim they already have numerous offers) unless the firm immediately pays USD 500,000 in Bitcoin. The time limit for payment has been set at 48 hours, effective immediately. Failure to meet the payment demand will be considered non-compliance, and the implications will be severe.

    The employee who took the call immediately notifies their local Compliance Officer, who then notifies Legal, and the Chief Information Security Officer. The firm’s CISO immediately launches a forensic discovery process to determine the source (if any) of the proposed leak, and attempts to determine what information has been stolen from where. During the search, another user reports that her machine is acting strangely, so she is going to turn it off, and back on again…"

    Assessment Questions

    • Why is the last line of the story a critical factor?
    • How does the firm determine the authenticity of such a claim?
    • Who does the firm nominate as the spokesperson in a PR capacity?
    • How does the firm handle inevitable media interest?
    • How does the firm identify what data has been stolen?
    • What intelligence is the firm able to leverage about the hacking group?
    • How does the firm deduce if the information “stolen” is subject to GDPR?
    • How long does the firm have to notify the SEC and ICO of any potential breach?
    • Can the firm report the incident to the SEC and ICO immediately?
    • How soon should the firm begin the process of notifying impacted individuals (provided they can validate the claim)?
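Three of the Scenario Four questions (authenticity of the claim, what was taken, and which of the firm, its administrators or its custodians it came from) can be worked with the same piece of evidence: the sample an extortionist typically offers to prove the claim. The script below is an added example, not part of the original post or anything the firm in the scenario used. It matches sample rows against internal records by a keyed hash of the normalised e-mail address, so a small response team can check the sample without circulating the client list; it then ranks each data holder by how well the leaked field set fits what that holder actually stores, and lists which of the leaked fields fall into the categories treated here as personal data. The client records, the leaked sample, the per-holder field sets, the personal-data field list and the HMAC key are all constructed assumptions; which fields are personal data in a real case is a legal determination.

```python
"""Triage of a data-leak extortion claim from the offered sample.

Added example (not from the original post). Records, holder field sets,
personal-data categories and the key are constructed assumptions.
"""
import hashlib
import hmac
from typing import Dict, List, Set, Tuple

# Assumption: which client fields each party holds. The scenario says the leak
# may have come from the firm directly or via an administrator or custodian.
HOLDERS: Dict[str, Set[str]] = {
    "firm":          {"name", "email", "address", "dob", "password_hash"},
    "administrator": {"name", "email", "dob", "fund", "units"},
    "custodian":     {"name", "account", "fund", "units"},
}

# Assumption: fields treated as personal data for the GDPR question.
PERSONAL_DATA_FIELDS = {"name", "email", "address", "dob", "password_hash", "account"}

# Assumption: a key held only by the responders, so fingerprints are useless elsewhere.
KEY = b"responder-only-key-constructed-for-this-example"


def _norm(value) -> str:
    return str(value).strip().lower()


def fingerprint(email: str, key: bytes = KEY) -> str:
    """Keyed hash of the normalised e-mail; the join key between sample and records."""
    return hmac.new(key, _norm(email).encode(), hashlib.sha256).hexdigest()


def build_index(clients: List[dict], key: bytes = KEY) -> Dict[str, dict]:
    """Index internal records by fingerprint once; the raw list need not leave the data owner."""
    return {fingerprint(c["email"], key): c for c in clients}


def verify_sample(sample: List[dict], index: Dict[str, dict], key: bytes = KEY) -> dict:
    """How many sample rows exist in our data, and per field, how many values agree."""
    matched, field_agreement = 0, {}
    for row in sample:
        rec = index.get(fingerprint(row["email"], key))
        if rec is None:
            continue                      # fabricated or from somewhere else entirely
        matched += 1
        for f, v in row.items():
            if f != "email" and f in rec:
                field_agreement[f] = field_agreement.get(f, 0) + int(_norm(rec[f]) == _norm(v))
    return {"matched": matched, "total": len(sample), "field_agreement": field_agreement}


def rank_sources(leaked_fields: Set[str]) -> List[Tuple[str, float]]:
    """Share of the leaked field set that each holder could have supplied, best first."""
    scores = {h: len(leaked_fields & held) / len(leaked_fields) for h, held in HOLDERS.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def gdpr_fields(leaked_fields: Set[str]) -> List[str]:
    return sorted(leaked_fields & PERSONAL_DATA_FIELDS)


# Constructed internal records and a constructed sample "offered" by the gang.
CLIENTS = [
    {"name": "Alice Example", "email": "Alice@Example.com", "dob": "1980-01-02",
     "fund": "Fund A", "units": 100, "address": "1 High St"},
    {"name": "Bob Example", "email": "bob@example.com", "dob": "1975-06-30",
     "fund": "Fund B", "units": 250, "address": "2 Low St"},
    {"name": "Carol Example", "email": "carol@example.com", "dob": "1990-12-12",
     "fund": "Fund A", "units": 50, "address": "3 Mid St"},
]
LEAKED_SAMPLE = [
    {"name": "alice example", "email": "alice@example.com", "dob": "1980-01-02", "fund": "Fund A"},
    {"name": "Bob Example", "email": "BOB@example.com ", "dob": "1975-07-01", "fund": "fund b"},
    {"name": "Eve Nobody", "email": "eve@example.net", "dob": "2000-01-01", "fund": "Fund C"},
]


def triage(sample: List[dict] = LEAKED_SAMPLE, clients: List[dict] = CLIENTS) -> dict:
    """Run the three checks the assessment questions ask for and return them together."""
    leaked_fields = set().union(*(row.keys() for row in sample))
    return {
        "verification": verify_sample(sample, build_index(clients)),
        "likely_source": rank_sources(leaked_fields),
        "gdpr_fields": gdpr_fields(leaked_fields),
    }


if __name__ == "__main__":
    for k, v in triage().items():
        print(k, v)
```

On the constructed data two of three sample rows are real clients, the fund field agrees for both while one date of birth does not, and the field set (name, e-mail, date of birth, fund) is fully covered only by the administrator's holdings. That is a lead, not a conclusion: a handful of matching rows can be assembled from older breaches or public sources, so the match rate and the field-by-field agreement are what the CISO's forensic discovery then has to corroborate against access logs at the candidate holder.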

    Noted Observations

    Remediation Suggestions
