Cyber Incident Exercises - Part 3: Scenario Design
This article is the third in a series on cyber incident exercises. It explores one of the key questions that should be addressed early in the planning of any exercise: the design of the scenario, and the three respects in which that scenario must be realistic.
Key points:
The design of the scenario that forms the basis of a cyber incident exercise is a key stage in the planning process.
The scenario needs to accurately reflect the threat environment and the organisation’s context, and it must be technically credible.
Achieving the understanding of the external and internal environment needed to meet these requirements is easier when organisations work with external partners.
Introduction - ensuring a credible and realistic scenario
In the previous article in this series we explored different formats and levels of exercise that an organisation could conduct, based on the objective underlying the exercise. In this article we will look at the design of the scenario for the exercise, emphasising key requirements for organisers.
Broadly, an exercise scenario needs to be realistic in three respects. It must realistically reflect the organisation’s threat environment, it must accurately portray the organisation itself, and it must remain technically credible throughout. As this piece will argue, achieving these three goals is easier when an organisation works with external partners who can provide required capabilities and critical challenge.
Threat environment
A cyber security incident is adversarial - there is an attacker behind the organisation’s woes. The design of the exercise scenario will therefore involve choices about the adversary or adversaries behind the incident.
A key requirement for the design of the exercise is to ensure that the choice of threat is a realistic one for the organisation and that the chosen threat is realistically modelled in the exercise. Ideally the choice of threat will be intelligence-led, reflecting the actual adversaries assessed to be targeting the organisation and reflecting their known modus operandi.
This understanding of the threat environment will be derived from multiple sources. More mature organisations may have their own sources of threat intelligence based on collection from their own environment or external collection. Other organisations may procure this information from external providers.
Smaller or less mature organisations are likely to be reliant on an external partner to develop an exercise scenario that reflects an informed understanding of the threat environment. This is one of the areas where organisations can derive the most benefit from working with an external cyber incident exercise provider.
An often neglected aspect of the threat environment will be an understanding of insider and physical threats. Even in a cyber incident exercise, more mature organisations or those likely to be targeted in hybrid operations may need to consider the integration of cyber-physical threats. Here again organisations may need to work with specialist external partners to ensure an appropriately tailored and realistic depiction of these threats in the exercise.
Organisational context
The understanding of the threat must also be accompanied by a deep understanding of the organisation itself. This internal understanding covers the ‘who, what, why, and where’ of the organisation, ensuring that the simulated environment of the exercise reflects the reality of the organisation’s people, processes, and technology. A remote-first start-up is going to experience a cyber incident very differently to a retail or manufacturing organisation, for example. This requirement also involves understanding an organisation’s regulatory environment and reporting requirements.
The NCSC identifies sources including “previous lessons identified, incident response plans and system design documents”. In addition to these documentary sources, understanding the organisation’s context will require engagement with stakeholders at different levels across the organisation.
This is an area where an ‘insider-outsider’ approach can be helpful. On one hand, an organisation is best placed to understand its own structure and processes and to engage with its own personnel. Yet as anyone who has worked in an organisation of any size knows, it can often take an outsider’s perspective to illuminate how the organisation really functions. Similarly, personnel will often engage more easily with a third party than with other parts of their own organisation.
However this understanding is achieved, it is important not to underestimate the amount of work involved in this aspect of scenario design. Developing a realistic understanding of how an organisation actually functions and engaging effectively with the whole range of stakeholders are critical requirements for the development of an effective exercise scenario.
Technical credibility
Technical credibility is particularly important in cyber incident exercises. One of the key risks with an exercise focused on the operation of complex digital technologies and systems is that it becomes ungrounded from technical reality. This risk is most apparent in board- and managerial-level exercises or table-top exercises, where the technical details are abstracted. This is where inaccuracies and ‘magical thinking’ can easily creep in: an attacker who exfiltrates data from a system nobody has shown them reaching, or a recovery that completes faster than the backups could be restored.
For the exercise to be realistic, the situation that the participants encounter, the actions available to them, and the outcomes of those actions must reflect a deep technical understanding of the systems and processes involved. This technical fidelity is crucial to ensuring that the exercise achieves its objective. Most seriously, a lack of technical fidelity risks giving an inaccurate impression of the organisation’s ability to respond to cyber incidents.
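One way to catch ‘magical thinking’ before the exercise runs is to model the inject timeline explicitly and check it mechanically. The following is an added example, not part of the original article and not a tool of the article’s author: each inject is tagged with the attacker capabilities it requires and the ones it grants, so an inject that assumes a foothold no earlier inject established is flagged; a second check tests a claimed exfiltration volume against the link speed and time window. The scenario, the capability names, the 100 Mbps link and the ATT&CK technique IDs used as labels are all constructed for illustration.

```python
"""Plausibility checks for a cyber incident exercise scenario timeline.

Added example, not from the article. Injects are modelled as granting and
requiring abstract attacker capabilities; an inject whose requirements were
not established by an earlier inject is a plausibility gap the designer must
close. A second check tests whether a claimed exfiltration volume fits the
link speed and time window. ATT&CK IDs are illustrative labels only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Inject:
    time: str                 # exercise clock "T+HH:MM", zero-padded so it sorts
    technique: str            # MITRE ATT&CK technique ID used as a label
    description: str
    requires: frozenset = frozenset()   # capabilities the attacker must already hold
    grants: frozenset = frozenset()     # capabilities this inject gives the attacker


def check_capabilities(injects):
    """Return [(inject, [missing capability, ...])] for injects that assume an
    attacker capability no earlier inject established."""
    held = set()
    gaps = []
    for inj in sorted(injects, key=lambda i: i.time):
        missing = sorted(inj.requires - held)
        if missing:
            gaps.append((inj, missing))
        held |= inj.grants
    return gaps


def max_exfil_gb(link_mbps, minutes):
    """Upper bound on data that can leave over a link in the window (decimal GB,
    ignoring protocol overhead, so a generous bound)."""
    return link_mbps * 1e6 * minutes * 60 / 8 / 1e9


# Constructed scenario (hypothetical): a plausible chain ending in an
# implausible inject that relies on a C2 channel nobody established.
SCENARIO = [
    Inject("T+00:00", "T1566", "Finance user opens phishing attachment",
           grants=frozenset({"initial_access"})),
    Inject("T+01:30", "T1003", "Credentials dumped from the compromised laptop",
           requires=frozenset({"initial_access"}),
           grants=frozenset({"domain_credentials"})),
    Inject("T+03:00", "T1021", "Attacker moves laterally to the file server",
           requires=frozenset({"domain_credentials"}),
           grants=frozenset({"file_server_access"})),
    Inject("T+04:00", "T1041", "200 GB of customer data exfiltrated in 30 minutes",
           requires=frozenset({"file_server_access", "c2_channel"})),
]


def review(injects=SCENARIO, link_mbps=100, exfil_gb=200, window_minutes=30):
    """Produce the findings a scenario designer needs before the exercise runs."""
    findings = []
    for inj, missing in check_capabilities(injects):
        findings.append(f"{inj.time} {inj.technique}: assumes {', '.join(missing)} "
                        "that no earlier inject established")
    bound = max_exfil_gb(link_mbps, window_minutes)
    if exfil_gb > bound:
        findings.append(f"exfiltration of {exfil_gb} GB in {window_minutes} min exceeds "
                        f"the {bound:.1f} GB possible on a {link_mbps} Mbps link")
    return findings


if __name__ == "__main__":
    for finding in review():
        print("finding:", finding)
```

Run against the constructed scenario, the review reports two findings: the exfiltration inject assumes a command-and-control channel that no earlier inject created, and 200 GB cannot leave a 100 Mbps link in 30 minutes (the bound is 22.5 GB). Both are exactly the kind of defect that survives unnoticed in a table-top narrative and that a technically literate reviewer would challenge.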
Putting it all together
A scenario that aligns with the exercise objectives, is technically credible, reflects the organisation’s state, and describes a realistic threat environment is on track to provide an effective exercise for the organisation.
Crucially, bringing together these different requirements will involve different forms of research and different skill sets. The ability to engage effectively across an organisation to understand its social and technical context will differ from the technical skills needed to effectively model complex IT systems. In turn this will differ from the kinds of threat intelligence and assessment capability needed to produce a realistic, intelligence-led picture of the threat environment facing an organisation.
This picture gives a sense of the work involved in organising a genuinely effective exercise. Moreover, as it is unlikely that any one organisation will be expert in all these capabilities, it underlines the importance of working with partners to deliver effective exercises.
Learning points:
The design of the threat in a cyber incident exercise will ideally be intelligence-led, reflecting actual threats to the organisation.
Achieving this requirement will almost certainly involve the production or use of cyber threat intelligence.
Ensuring that the scenario accurately reflects an organisation’s context will require an understanding of internal structures and processes, policy, and past exercises, as well as engagement with stakeholders across the organisation.
The exercise scenario must be technically credible throughout - otherwise the exercise risks providing inaccurate or actively harmful outcomes.
Developing a credible and realistic scenario involves a wide range of skills and capabilities; most organisations will benefit from working with an external provider.
Tyburn St Raphael is experienced at delivering cyber incident exercises. Whatever your goals, Tyburn St Raphael’s seasoned cyber incident exercisers will work with you to deliver the right exercise for your organisation. You can learn more about our cyber incident exercising offering here [executive TTX] or get in touch with us at info@tyburn-str.com.