War gaming - Digital media company

Background

We were tasked with helping a media company train it’s organization to respond to security incidents. The organization had recently built out it’s security team as well as implementing a crisis response committee. The organization was rapidly expanding  and increasing the areas it operated in, leading to an increasing risk exposure.

"“OK now this has happened…what do you do?” …………..” Fire the CISO?”…………..”Ok that’s not the answer we are looking for”"
Conversation between training team and crisis committee member.

The Challenge

The “business” saw security as a hindrance to the expansion of the organization and saw incident response training as a time suck. Crisis response was only marginally viewed as being more useful, and the overall assumption was that the business would just “deal with it” and really, how bad could a cyber incident be?

The Solution

The OccamSec team constructed an initial profile of the organization which was then supplemented with additional information once the team was onsite. Critical business processes, technical system data, personnel information, and a variety of other data points were collected. The team then constructed a variety of scenarios, including developing some supporting technical “props”. 

Day 1 of the actual training began with the security team, a number of simulations were worked on, with an increasing level of complexity.  Much of this utilized information gained in our other areas of operations, enabling us to include the latest tools, techniques, and practices (TTP’s) in the simulations.

Day 2 saw the larger simulations kicking off. The simulation expanded from the technical arena to now include major business operations being impacted. External parties were also impacted, leading to broader implications. Several groups were operating simultaneously during the simulation and information was being shared as required.

While initially reluctant to the exercise, the business personnel involved became active participants as they saw how events unfolded and how their organization could be impacted. 

Following the simulations OccamSec prepared a report on the simulations. This report included opportunities for improvement, primarily where gaps existed in the process. Recommendations for further business involvement in the process were also made.

Subsequent simulations conducted with the client have further refined the process and where these were being conducted quarterly they have now become annual event. In the interim the client runs their own simulations.