Cyber War Games: Top 3 Lessons Learned About Incident Response

Deloitte Cyber Risk Service stages executive war games to show what might happen in the C-Suite after a breach.

NEW YORK -- During a crisis, collaboration may have to give way to command: one key takeaway from a cyber incident response "war gaming" simulation staged here today by Deloitte Cyber Risk Services.

Deloitte leads client organizations in war game exercises like these to "stress test" their incident response plans, and identify the strengths and weaknesses of their communications, protocols, and cyber disaster preparedness.


War Game Scenario

For the purposes of today's exercise, Deloitte cast six real corporate executives in the roles of a fictional incident response team: the CISO, CIO, CEO, CFO, COO, CMO, and General Counsel of YouLiving (YLV), a fictional publicly traded, global retail company planning further global expansion.

According to the simulation: an attacker obtained a 12-month purchase history for millions of US consumers, including names, addresses, and what they bought. This morning at 6 a.m., an unknown entity in another country created a searchable website with all of that data.

By noon, the site had gone viral and news reports were saying that a breach at YLV, and/or at its application developer Mobile Analytics Solutions (MAS), was to blame.

The execs were given a data breach scenario, and were periodically hit with new situations and information -- news reports, public statements by competitors, responses from the public via social media, messages from law enforcement investigators and forensics investigators, requests from the chairman of the board, etc.

The pace was quick. The information was insufficient and difficult to verify. At first it appeared the breach was at MAS. Then MAS flatly denied it in the media. Then it looked like a zero-day attack on a variety of companies. Then they discovered that YLV admin credentials were used to steal data from MAS systems.

Later, a report surfaced that the YLV computer systems may have contained data from a competing company, prompting the competitor to publicly insinuate corporate espionage. 

Ultimately, a cyber terror group accepted responsibility for the attack, saying it was in protest of one of YLV's planned acquisitions. 


Designate a Crisis Officer

In the war game simulation, the CEO ended up taking the role of de facto "crisis officer," directing the response decisions. While those involved in today's exercise agreed that someone has to fill that role, they did not necessarily think the CEO is the right one for the job. 

At Deloitte, there is a full-time Crisis Officer designated to this exclusive purpose. Chuck Saia, Chief Risk, Reputation and Regulatory Officer -- who also played the CMO role in the war game simulation -- said they call the Crisis Officer "the cicada," because he shows up once in a while, makes a lot of noise, and then disappears again.

This crisis officer, who reports into the risk office, is vested with all the authority necessary to "run the crisis," and thereby avoids much of the usual corporate politics.

Of course, not all companies can afford to have someone on staff for that exclusive purpose. In other situations, the appointed crisis leader may vary from company to company, or from incident to incident. But whoever they are, they have to be given the authority, and it has to be clear.

After the war game, Deloitte & Touche LLP director and retired Navy Captain John Gelinne explained the value of "clear, concise, unambiguous control" in military conflict situations; Gelinne retired from the Navy in June as Chief of Staff for Vice Adm. Mike Rogers, who is now director of the National Security Agency.

"How do you adjudicate friction?" said Gelinne, in an interview. "That was not a problem in the Navy. Everyone knows the plan."

He explained that in the Navy, they create task forces -- usually the most senior official who is closest to the conflict is declared the "supported commander," with everyone else providing supporting roles. However, Gelinne also offered the example of the 2013 breach of the Navy Marine Corps Intranet, when Admiral Rogers was made "supported commander" of the incident, with four-star admirals who technically outranked him providing supporting roles.

A CEO may not be the right person to "run the crisis," so to speak, because someone needs to run the business. The CEO might appoint someone to run the crisis, and make sure everyone follows their instructions -- even if those instructions are "stay out of it."

Mary Galligan, director of Deloitte & Touche LLP Cyber Risk Services, explained how the collaborative, innovative culture that's so productive in day-to-day operations is the instinct that organizations must fight against in a crisis.

"It's human nature for someone to want to get involved," says Galligan. She says that in most situations people will be "like 5-year-olds playing soccer" -- you might try to give them their own specific position to play, but they'll all just chase the ball anyway. The war game exercise, she says, "gives them an appreciation of why they have to be disciplined." 

Without that discipline, there might be no business to return to once the crisis has passed.


Be Skeptical About The Information You're Receiving

During the simulation, the information and intelligence the team had to base their decisions upon changed constantly -- putting them always on the defensive.  

If they had come out too strongly against their app provider, before learning that their own user credentials had been stolen, it certainly would have made them look bad. The CIO in the simulation expressed that the report that a competing company's data was found on YLV's system might have been a fabrication.

Throughout the simulation, questions arose: was the breach at a partner company or at theirs? Did the attacker come from them or just through them? Could it be a nation-state? A competitor? A disgruntled insider? 

"[The private sector doesn't] have the exquisite intelligence" the military enjoys, says Gelinne. The benefit of that intel is that "it allows you to minimize the fog of war."

Complicating matters, said Christopher Novak, managing principal of Verizon Global Investigative Response, in a panel discussion after the war game, is that "a lot of times we find people within the organization will leak information," to the media or elsewhere. And that information is not always accurate.

"There needs to be more skepticism about the information you're getting," says Galligan.


Resist Finger Pointing In Any Direction

Overall, the people in this war game simulation were very careful to not point fingers -- not at one another or at anyone outside the organization. A real-life incident might not be quite as fair-minded and cordial.

However, there were some moments when the blame impulses kicked in.

The CISO's first impulse was to state that the breach was at the app developer. But the CEO noted that the relationship with the vendor was important -- not just the relationship with the customers -- and pointing the finger at them early in the process might not be the right move. He recommended they "rather approach it with them in partnership, as opposed to adversarial."

However, the CEO was less gracious later. When a competitor essentially accused them of corporate espionage, the CEO wanted to respond, saying "if he can allege it, why can't we deny it."

The other members of the team cautioned against a vocal denial, particularly because they couldn't be sure that the attack did not derive from within YLV. The CMO warned that denying responsibility, then later having to retract that denial, could cause even worse reputational damage. The CISO concurred, saying that it's impossible to provide attribution with 100 percent certainty, even in the best circumstances.

The CEO also cautioned the CIO and CISO against finger pointing, saying that their teams are particularly prone to it, and asking them to "please set the right example."

Novak says that, if it is a fair assessment, it could be because CIOs and CISOs are feeling defensive, worried about losing their jobs. He also says that cyber incident response has historically been a lot like a Ouija board -- everybody puts their hands on and just waits to see where it lands. 


Other Lessons

Those were the big takeaways, but there are a few other lessons from the war gaming experience:

You'll never have enough time. Galligan says that even top executives with lots of experience with managing emergencies aren't always equipped to handle cyber incidents. "It's not that they can't handle crisis," she says. "They've just never seen anything at this pace with such little information."

Bring in help. The CFO and CMO wanted to hire a crisis communications specialist. The CISO wanted to hire a forensics expert and invest in new network monitoring and behavioral analytics tools. The CEO said to ignore the usual procurement procedures to obtain whatever they needed in the crisis circumstance.

Don't forget about your employees. While the media, the regulators, and the customers are usually top of mind, many companies tend to forget about how they need to communicate about a security incident to their own employees. In the simulation, the chief operating officer was the one who brought it up first.

Don't just do this once. Staff come and go, plans change, practice makes perfect. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
User Rank: Apprentice
4/15/2015 | 9:50:15 AM
Realism and Cyber Range
Great article and all of the points are very valid. There is a term we use called FoW (fog of war), where the focus gets very narrow. I teach classes where we use realistic application and security traffic to put the attendees through these events where they can practice their incident response skills.

Marilyn Cohodas,
User Rank: Strategist
4/8/2015 | 9:27:55 AM
How close to reality?
Fascinating post, Sara. I suspect that a simulation never can truly capture the real world experience. But what did the participants say was the biggest gotcha moment they left with?