Introduction
Financial institutions are facing a new reality: cyber-resilience has moved from being a best practice to an operational requirement, and increasingly a prescriptive regulatory one.
Crisis management and tabletop exercises, long relatively rare in the cybersecurity context, have become essential as a series of regulations have introduced this requirement for FSI organizations in a number of jurisdictions, including DORA (Digital Operational Resilience Act) in the EU; CPS 230 and CORIE (Cyber Operational Resilience Intelligence-led Exercises) in Australia; MAS TRM (Monetary Authority of Singapore Technology Risk Management Guidelines); FCA/PRA Operational Resilience in the UK; the FFIEC IT Handbook in the US; and the SAMA Cyber Security Framework in Saudi Arabia.
Meeting these regulatory requirements is complicated by the cross-functional collaboration they demand between technical and non-technical teams. For example, simulating the technical aspects of a cyber incident (in other words, red teaming) is necessary, if not at exactly the same time as the tabletop exercise, then certainly within the same resilience program, in the same context, and with many of the same inputs and outputs. This is most explicit in the regulations built on the TIBER-EU framework, especially CORIE and DORA.
There’s always Excel
As requirements become more prescriptive and best practices become more established, what used to be a tabletop exercise driven by a simple Excel file with a short series of events, timestamps, personas, and comments has evolved into a collection of scenarios, scripts, threat scenario analyses, threat actor profiles, TTPs and IOCs, folders of threat reports, hacking tools, injects, and reports, all of which have to be reviewed, prepared, rehearsed, run, analyzed and reported on at least once a year, if not every quarter, if not continuously.
Although Excel is a stalwart in each of the cyber, financial, and GRC domains, at this level of complexity it reaches its limits.
Blending tabletop and red team simulation
Over the past several years, Filigran has advanced OpenAEV to the point where you can design and execute end-to-end scenarios that blend human communication with technical events. Initially launched as a crisis simulation management platform, it later expanded to include breach and attack simulation for holistic adversarial risk management, providing a unique capability to assess both technical and human readiness.
| Simulations are more realistic when emails from confused users arrive after a ransomware encryption alert |
There are many benefits to combining these two capabilities in one platform. For starters, it greatly simplifies the preparation work for a scenario. Following threat scenario research in OpenCTI (a threat intelligence platform), a contextual intelligence report can be used to generate technical injects based on the attacker’s TTPs, alongside content such as attacker communications, communications from third-party security operations centers and managed investigation and response providers, and internal leadership communications, all built from the intelligence and timeline in the same report.
Keep track of the team
Using the same platform also reduces logistics before, during, and after the exercise. The “players” in the exercise, in their teams and organizational units, can be synchronized with enterprise identity and access management sources, so that those who receive alerts from technical incidents during the exercise are the same people who receive simulated crisis emails from the tabletop components; the same people who receive an automated feedback questionnaire for the ‘hot wash’ review immediately after the exercise; and the same people who appear in the final report for auditor review.
| OpenAEV can synchronize current team participant and analyst details from multiple identity sources |
Similarly, if the same exercise is run again after implementing lessons learned, as part of the continuous improvement required under DORA and CORIE, this synchronization keeps the contact list for individuals in these roles current. The same applies to alternative phone trees and out-of-band crisis communication channels, which are also kept up to date, and to third parties such as MSSPs, MDRs, and upstream supply chain providers.
Similar capabilities exist for threat landscape tracking, threat report mapping, and other features. As with any business process, streamlining the logistics brings greater efficiency, less preparation time and more frequent simulations.
Choose your time
With the relatively recent introduction of the CORIE and DORA regulations, most organizations are at the start of their journey in running tabletop and red team scenarios, and much of their process remains to be refined. For such organizations, running hybrid simulations may seem like a huge first step.
That is fine. Scenarios can be run in more discrete steps in OpenAEV. Typically, this might mean running a red team simulation on day one to test detective and preventive technical controls and SOC response procedures. The tabletop exercise is then run on a second day, and can be modified to reflect the findings and timings from the technical exercise.
| The simulation can be scheduled to repeat over days, weeks, or months |
More interestingly, simulations can be scheduled and run over very long periods of time, even months. This allows tricky but very real scenarios to be automated and managed, such as planting intrusion indicators on hosts in advance and then challenging the SOC, IR and CTI teams to show that they can retrieve logs from the archive to discover patient zero, the point at which the system was first compromised. This is difficult to model realistically in a one-day simulation, but in reality it is a very common requirement.
Practice makes perfect
The ability to streamline attack simulations and tabletop exercises for current, relevant threats, with all the technical integration, scheduling and automation that entails, and to do so in response to regulatory requirements, insurance conditions, risk management and other external drivers, means your security, leadership and crisis management teams will develop the muscle memory and fluency that builds confidence in your organization’s ability to handle a real crisis when the next one comes.
Having access to a tool like OpenAEV, which is free for community use, with a library of common ransomware and threat scenarios, technical integrations for SIEM and EDR, and an extensible and open source integration ecosystem, is one of the many ways in which we can help improve our cybersecurity and cyber resiliency. And, let’s not forget, our compliance.
And when your team is fully trained and confident to handle crisis situations, it is no longer a crisis.
Ready to take the next step?
For a deeper dive into how organizations can turn regulatory mandates into actionable resilience strategies, join one of Filigran’s upcoming expert-led sessions:
Operationalizing Incident Response: Compliance-Ready Tabletop Practices with the AEV Platform