Last week, I was an observer at a hands-on cyberattack simulation workshop organized by disaster recovery vendor SunGard at its facility just outside of Chicago. Taking part in the exercise were representatives from the local community, including workers or officials from retail, health care and government organizations. Each participant was assigned to one of five teams -- IT, operations, information security, sales and executive management -- within a fictitious $1.2 billion gourmet food manufacturing company. The idea was that a cyberattack would unfold, requiring participants to respond to it in the most effective manner.
As far as I could tell, there appeared to be no clearly defined lines of command, nor any predefined incident-response plans that participants could use. So their responses were pretty ad hoc and no doubt very different from what they would have done in a real-life situation.
Having said that, there still were a few interesting takeaways:
Even in a mock exercise, the security team appeared to be having a hard time explaining what exactly was going on in terms that management executives could understand. Right off the bat, the very first thing the security team suggested the company do in response to a still-unfolding crisis was to spend money on new technology for dealing with zero-day threats -- even though it wasn't clear, even to them, how the company was being attacked.
The teams almost entirely worked within their own little silos, even though the simulated cyberattack was clearly having a companywide effect. There was little direct communication between the sales and operations teams that were facing the brunt of the crisis and the IT and security groups that were struggling to deal with it. Most of the interaction between the groups was via e-mail. Several times, the executive team members summoned the participants acting as the CIO and the security manager in order to get an update on the situation. But unless I missed it, not once did the CIO and CISO have a face-to-face meeting themselves. And not once did either of them appear to take the initiative to meet the executive team on their own. All of this was probably why, at one point in the exercise, the IT team was informing everybody that all systems had been fixed and restored, even as the attacks apparently were continuing and the sales teams were reporting continuing problems with online operations.
The operations team appeared largely out of the loop and was almost never asked for input or feedback during the entire exercise.
There was across-the-board unanimity that the company would not acquiesce to the $75,000 ransom demand made by the fictitious perpetrator of the simulated attack. Not one participant felt it was a good idea to pay off the perpetrator to get him/her to stop attacking the company.
No one appeared quite sure how to respond to an inquiry from a fictitious reporter who contacted corporate communications to find out what was going on after running into problems on the company's main Web site. In the end, the executive team decided the best approach would be to respond by saying that the company was aware of the problem and would hold a press conference at some point to discuss the issue as more details became known.
There appeared to be similar uncertainty on when, or even whether, to involve law enforcement. The biggest concern appeared to be that doing so would mean a loss of direct control over the situation and would result in unwanted and premature publicity.