By Izzatul Hazirah binti Ishak, Shuaib bin Chantando, Nur Sarah binti Jamaludin, Fathi Kamil bin Mohad Zainuddin & Nur Qurratu 'Aini binti Rohizan
Introduction
Cybersecurity incidents can occur in any organization. It is therefore necessary to prepare a computer security incident handling response early, alongside the preventive controls that defend the organization. It goes without saying that cyber drill exercises are the best way to improve computer security incident handling response. A cyber drill exercise is a simulation of incidents or attacks on a targeted infrastructure, followed by an analysis of how the simulated responses resolve the incidents according to the appropriate Standard Operating Procedure (SOP).
MyCERT has previously conducted several cyber drill exercises for government agencies, international CERTs and the private sector. The focus of such exercises is mainly on critical sectors, for example finance, public health and transportation. Exercises are structured around the most common types of attacks. Participants need to identify the type of threat and produce possible solutions to mitigate and rectify the issue accordingly. Since all events are simulated, no live system in the organization's infrastructure is affected.
Cyber Drill Objectives
The main objective of a cyber drill exercise is to confirm the readiness of an organization and the feasibility of its response. By evaluating the existing SOP at the same time, an organization becomes able to detect and respond rapidly to real incidents.
Planning and Preparation
Initially, MyCERT arranges a kick-off discussion with the organization to plan the cyber drill exercise, with the main emphasis on the planning and development of the drill exercise platform and infrastructure. Training sessions are provided for the participants to enhance their knowledge of incident handling and the hands-on skills they will apply on drill day.
Meanwhile, the backend team develops the simulated scenario and infrastructure to ensure every major component of the drill exercise is set up accordingly. Multiple infrastructure components are set up so that the cyber drill exercise runs steadily on drill day, including the e-mail server, ticketing server, chat server, Domain Name System (DNS) server and Exercise Conductor (Excon) helper server. Scenario preparation is arranged at the same time, whereby each scenario is selected based on a current and common threat that fits the cyber drill exercise. Before drill day, multiple tests and dry runs are done to ensure the selected scenarios are suitable for the current infrastructure.
To prepare the participants and preserve their readiness for drill day, MyCERT provides Incident Handling and Network Security (IHNS) training. Every player and observer from the participating organization is required to attend the training. The focus is not only on incident handling but also on malware analysis and web security, so that the players and observers are well prepared before experiencing the drill exercise.
On the day of the drill, a player executes the incident handling process, analyses the threats and mitigates the simulated attacks. At the same time, the observers take the communication role and assist the players in mitigating the simulated attacks on the provided platform. Lastly, a post-mortem session takes place to discuss the organization's findings and performance and to come up with specific plans of action to strengthen its cybersecurity incident response.
Types of Drill
Two categories of cyber drill exercise have previously been used: technical assessment and policy adherence. The policy adherence category verifies each organization's SOP for responding to critical incidents. The aims of this activity are to familiarize the participants with the process and to prepare them, based on their SOP, for handling real, critical cybersecurity incidents in the future. The organization is encouraged to review and update its SOP after the cyber drill exercise for a better cybersecurity incident handling response.
The technical assessment category appraises the participants' performance and technical capability in handling the drill incidents. Rome was not built in a day; thus, technical competence should be applied not only in the cyber drill exercise but also in daily tasks, so that the organization builds competence in incident response. Upon first identification of an incident, the incident responder needs to verify and validate its root cause. Once the cause is found, the incident responder applies a solution, such as patching or updating configurations, to prevent the same cybersecurity incident from hitting the organization again.
Benefits
Cyber drill exercises are indispensable for becoming prepared and for knowing which techniques and tactics to apply when handling real cybersecurity incidents. Carrying out periodic cyber drill exercises within organizations or particular regions will ensure that cybersecurity incidents are better addressed and remediated. Cyber exercises are also significant because they establish the requirement for proper contingency plans, thus improving familiarity with the SOP, tools and other related software. Once a need for skilled personnel has been identified, it is important to have adequately trained personnel in place to handle cyber threats.
Conclusion
Based on previous cyber drills, such exercises can successfully expose participants to realistic cybersecurity incidents. Ultimately, each organization reviews its own performance in handling cybersecurity incidents based on the scenarios selected. Moving forward, in line with the identified performance, an organization is advised to improve its computer security incident handling response by strengthening both policy adherence and technical capability. Reviewing the SOP is recommended so that it remains relevant and suitable as a reference when handling cybersecurity incidents. Organizations also benefit from intensifying the technical capability of their employees by encouraging them to attend suitable workshops and training.