The “business” saw security as a hindrance to the expansion of the organization and saw incident response training as a time suck. Crisis response was only marginally viewed as being more useful, and the overall assumption was that the business would just “deal with it” and really, how bad could a cyber incident be?
The OccamSec team constructed an initial profile of the organization which was then supplemented with additional information once the team was onsite. Critical business processes, technical system data, personnel information, and a variety of other data points were collected. The team then constructed a variety of scenarios, including developing some supporting technical “props”.
Day 1 of the actual training began with the security team. A number of simulations were worked on, with an increasing level of complexity. Much of this utilized information gained in our other areas of operations, enabling us to include the latest tools, techniques, and practices (TTPs) in the simulations.
Day 2 saw the larger simulations kicking off. The simulation expanded from the technical arena to now include major business operations being impacted. External parties were also impacted, leading to broader implications. Several groups were operating simultaneously during the simulation and information was being shared as required.
While initially reluctant to take part in the exercise, the business personnel involved became active participants as they saw how events unfolded and how their organization could be impacted.
Following the simulations, OccamSec prepared a report on them. This report included opportunities for improvement, primarily where gaps existed in the process. Recommendations for further business involvement in the process were also made.
Subsequent simulations conducted with the client have further refined the process. Where these were being conducted quarterly, they have now become an annual event. In the interim, the client runs their own simulations.