
What should an incident response exercise look like?

    This is an extract from a scenario walk-through I conducted (pre-COVID-19, of course). I’ve redacted any sensitive information, but thought that this could be useful for others looking to take their first journey down this route.

    Comments / criticisms welcomed!

    Scenario One - Terrorist Attack
    Category - Incident Response
    Severity - CRITICAL
    Classification - An immediate personal safety risk to employees
    

    Verbiage

    “At approximately 11:30am this morning, various news agencies have reported gunfire in the city, and a vehicle mounting the footpath and colliding with pedestrians. Breaking news on Twitter details witness accounts of casualties with a variety of injuries, some life threatening. Early information indicates that this is being treated as a terrorist attack, and armed police are presently securing the affected areas and assessing the current situation. The chief of police, the mayor, and government leaders are scheduled to make an announcement live on TV within the hour, although as yet there is little information in terms of scope and impact. Early intelligence would suggest that up to 10 heavily armed assailants are attacking random targets within the city, with the last reported incident taking place within 2 minutes’ walk of the office. At present, no known terrorist group has claimed responsibility.”

    Assessment Questions

    • How are employees within the affected areas accounted for?
    • How are employees currently travelling into the city notified of this incident?
    • How are notifications validated? For example, how do you know that the employee has received the message?
    • Are key stakeholders defined in the plan fully aware of their responsibilities and requirements?
    • How readily available is essential information pertaining to any imminent threats for both stakeholders and employees?
    • Is it necessary to notify counterparties, custodians, or administrators in this instance?
    • Does the firm have in its possession relevant, up-to-the-minute information about areas in the city that should be avoided?
    • Should the firm make arrangements for employees to leave the office securely?
    • How long should the firm monitor the situation for before providing the “all clear” to employees?

    Noted Observations

    Remediation Suggestions

    Scenario Two - Building Accessibility
    Category - Business Continuity
    Severity - MEDIUM
    Classification - Risk to employee safety, and inability to access office
    

    Verbiage

    “Owing to a recent spate of bad weather and “Storm Higgins”, the London office is currently inaccessible due to falling debris from the roof, which was ripped open during the storm (lightning strike). The 6th floor is currently flooded, including the main electrical riser, and one of the 4 muses located on the roof of the building has been reported as “moving in the high wind”, which could cause injury to passers-by and pedestrians should it suddenly fall. The area is in the process of being secured, and employees arriving for work will likely be turned away until the area is certified as safe. Current hazardous weather conditions are causing additional issues and delays on the roads into and out of London.”

    Assessment Questions

    • How are employees within the affected areas accounted for?
    • How are employees currently travelling into the city notified of this incident?
    • How are notifications validated? For example, how do you know that the employee has received the message?
    • Are key stakeholders defined in the plan fully aware of their responsibilities and requirements?
    • How readily available is essential information pertaining to any imminent threats for both stakeholders and employees?
    • Is it necessary to notify counterparties, custodians, or administrators in this instance?
    • Does the firm have in its possession relevant, up-to-the-minute information about potential weather warnings?
    • Should the firm make arrangements for employees to leave the office safely?
    • How long should the firm monitor the situation for before providing the “all clear” to employees?

    Noted Observations

    Remediation Suggestions

    Scenario Three - Building State - Fire Damage
    Category - Disaster Recovery
    Severity - CRITICAL
    Classification - Structural damage to firm office area rendering access impossible
    

    Verbiage

    “At 2am this morning, the CEO of an adjacent business occupying the same building as the firm received a call from building security alerting them to a fire within their domiciled area. The fire has spread quickly through open areas of the building, including the designated floors belonging to the firm, who were also notified. The fire crew have been on scene for the last 45 minutes and have managed to get the blaze under control, but have immediately certified the building as unsafe for entry owing to significant structural damage to the lobby area, lifts, and stairwells. Most of the fire damage has been contained by the concrete fire barriers between floors, although thick black smoke has permeated throughout the entire building, and significant fire damage to the electrical landlord and tenant supplies has rendered the building inoperable. The sprinkler system has been activated within the firm’s floor area and destroyed the PCs and monitors on the desks. There is also significant damage to the comms room and networking infrastructure.”

    Assessment Questions

    • How are employees within the affected areas accounted for?
    • How are employees currently travelling into the city notified of this incident?
    • How are notifications validated? For example, how do you know that the employee has received the message?
    • Are key stakeholders defined in the plan fully aware of their responsibilities and requirements?
    • Are all affected employees sufficiently versed in accessing the network remotely?
    • What changes will IT need to make? Diversion of critical phone lines?
    • Is it necessary to notify counterparties, custodians, or administrators in this instance?

    Noted Observations

    Remediation Suggestions

    Scenario Four - Data Leakage - Blackmail
    Category - Incident Response
    Severity - CRITICAL
    Classification - Significant damage to firm reputation and integrity / security of client information
    

    Verbiage

    "An employee of the firm receives a call from a news agency, who informs the employee that the cyber criminal gang known as “Nefarious-X” have alerted them to a substantial leak of client confidential information from the firm, either directly or via one of its administrators or data custodians. Nefarious-X are threatening to dump all of the information they have obtained (which they claim includes names, addresses, passwords, dates of birth, email addresses, and various other fund information that can identify the firm’s clients directly) onto the dark web for sale to the highest bidder (in addition, they claim they already have numerous offers) unless the firm immediately pays USD 500,000 in Bitcoin. The time limit for payment has been set at 48 hours, effective immediately. Failure to meet the payment demand will be considered non-compliance, and the implications will be severe.

    The employee who took the call immediately notifies their local Compliance Officer, who then notifies Legal and the Chief Information Security Officer. The firm’s CISO immediately launches a forensic discovery process to determine the source (if any) of the alleged leak, and attempts to determine what information has been stolen, and from where. During the search, another user reports that her machine is acting strangely, so she is going to turn it off, and back on again…"

    Assessment Questions

    • Why is the last line of the story a critical factor?
    • How does the firm determine the authenticity of such a claim?
    • Who does the firm nominate as the spokesperson in a PR capacity?
    • How does the firm handle the inevitable media interest?
    • How does the firm identify what data has been stolen?
    • What intelligence is the firm able to leverage about the hacking group?
    • How does the firm determine whether the information “stolen” is subject to GDPR?
    • How long does the firm have to notify the SEC and ICO of any potential breach?
    • Can the firm report the incident to the SEC and ICO immediately?
    • How soon should the firm begin the process of notifying impacted individuals (provided they can validate the claim)?
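    The last line of the scenario matters because powering a suspect machine off (or rebooting it) destroys the most volatile evidence: memory contents, live network connections, running processes and anything the intruder left resident but never wrote to disk. A first responder captures that state before touching the power, in order of volatility, and hashes what was captured so it can be relied upon later. The following is an added example written for this page, not code from the original post or the firm it describes; it assumes a Linux host with the usual /proc layout (the user’s desktop in the scenario would more likely be Windows, where the same principle holds but the tooling differs), uses only the standard library, and sees every process only when run with sufficient privilege. The /proc/net/tcp sample used in the test is constructed, not captured from a real host.

```python
"""Minimal live-response collector for a suspect Linux host (added example)."""
import hashlib
import json
import os
import socket
import tempfile
import time
from pathlib import Path

PROC = Path("/proc")
PROC_AVAILABLE = PROC.is_dir()          # False on non-Linux systems; collection degrades gracefully

# Kernel TCP state codes as printed in the "st" column of /proc/net/tcp and tcp6.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

# Constructed sample of /proc/net/tcp (not captured from a real host): a listener on
# 127.0.0.1:8080 and an established session from 10.0.2.15 to 93.184.216.34:443.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:D3A8 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""


def _read(path):
    """Read a /proc file, returning '' where the kernel, a vanished PID or permissions refuse."""
    try:
        return Path(path).read_text(errors="replace")
    except OSError:
        return ""


def _hex_addr(hex_ip, hex_port, family):
    """Decode the hex address:port pairs in /proc/net/tcp* (little-endian words on x86)."""
    raw = bytes.fromhex(hex_ip)
    if family == socket.AF_INET:
        raw = raw[::-1]                                              # one 32-bit word
    else:
        raw = b"".join(raw[i:i + 4][::-1] for i in range(0, 16, 4))  # four 32-bit words
    return socket.inet_ntop(family, raw), int(hex_port, 16)


def parse_proc_net_tcp(text, family=socket.AF_INET):
    """Turn the text of /proc/net/tcp or /proc/net/tcp6 into connection records."""
    conns = []
    for line in text.splitlines()[1:]:                  # first line is the column header
        parts = line.split()
        if len(parts) < 10:
            continue
        conns.append({"local": _hex_addr(*parts[1].split(":"), family),
                      "remote": _hex_addr(*parts[2].split(":"), family),
                      "state": TCP_STATES.get(parts[3], parts[3]),
                      "uid": int(parts[7]), "inode": int(parts[9])})
    return conns


def list_processes():
    """Running processes with the fields an analyst wants before anything is touched."""
    procs = []
    for entry in (PROC.iterdir() if PROC_AVAILABLE else []):
        if not entry.name.isdigit():
            continue
        status = dict(l.split(":", 1) for l in _read(entry / "status").splitlines() if ":" in l)
        try:
            exe = os.readlink(entry / "exe")            # a deleted binary shows up as "... (deleted)"
        except OSError:
            exe = None                                  # kernel thread, or not our privilege level
        procs.append({"pid": int(entry.name),
                      "ppid": int(status.get("PPid", "0").strip() or 0),
                      "uid": (status.get("Uid", "").split() or [None])[0],
                      "name": status.get("Name", "").strip(),
                      "cmdline": _read(entry / "cmdline").replace("\0", " ").strip(),
                      "exe": exe})
    return procs


def snapshot(outdir=None):
    """Collect volatile state most-volatile first, write it as JSON and hash it."""
    outdir = Path(outdir or tempfile.mkdtemp(prefix="triage-"))
    data = {
        "collected_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "hostname": socket.gethostname(),
        "self_pid": os.getpid(),                        # the collector must appear in its own listing
        "uptime": _read(PROC / "uptime").strip(),
        "tcp": parse_proc_net_tcp(_read(PROC / "net/tcp"), socket.AF_INET)
        + parse_proc_net_tcp(_read(PROC / "net/tcp6"), socket.AF_INET6),
        "processes": list_processes(),
        "modules": [l.split()[0] for l in _read(PROC / "modules").splitlines()],
        "mounts": _read(PROC / "mounts").splitlines(),
    }
    body = json.dumps(data, indent=1, sort_keys=True).encode()
    (outdir / "volatile.json").write_bytes(body)
    (outdir / "MANIFEST.sha256").write_text(hashlib.sha256(body).hexdigest() + "  volatile.json\n")
    return data, outdir


def verify_manifest(outdir):
    """Recompute the hash of volatile.json and compare it with the recorded manifest."""
    outdir = Path(outdir)
    expected = (outdir / "MANIFEST.sha256").read_text().split()[0]
    return hashlib.sha256((outdir / "volatile.json").read_bytes()).hexdigest() == expected


if __name__ == "__main__":
    snap, where = snapshot()
    print(f"{len(snap['processes'])} processes, {len(snap['tcp'])} TCP sockets written to {where}")
```

    Run it as root from removable or network storage and write the output off-host; the manifest lets whoever inherits the case confirm the file has not changed since collection. A full memory image (and, on the Windows desktop the scenario implies, the equivalent process, connection and session listings) would normally be taken at the same point, before any shutdown is considered.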

    Noted Observations

    Remediation Suggestions