Just as response plans for dealing with physical threats against transit services must be rehearsed periodically, cyber threat response plans should also be tested to ensure that all the responsible parties know the plan and are capable of carrying out their roles.
A Tabletop Exercise (TTX) is an important crisis response planning activity that should be performed at least once a year for each type of major threat that an organization faces, including ransomware and other cybersecurity events.
This TTX is a supplement to the feature, "New Ransomware Attacks Pose Costly Threat to Transit Agencies." Here are a few guidelines for organizing a ransomware TTX:
• Any cybersecurity TTX should be managed by the appropriate technical lead. This could be an internal resource, like the agency’s Chief Information Security Officer (CISO) or Chief Security Officer (CSO), or it could be an outside consultant – like an Incident Response (IR) firm your agency has on retainer. If you do not have an IR firm, ask your cyber insurance provider whether they have a preferred IR provider that could organize this type of exercise.
• The purpose of a TTX is to reveal gaps in the written response plans for handling crises, so it’s important to develop those plans and distribute them to everyone involved before attempting an exercise.
• Each person who has a stated responsibility in the response plan needs to participate in the TTX. For cybersecurity exercises, this usually includes the executive in charge, the public affairs officer, the head of IT, the head of physical security, the head of logistics/scheduling and possibly a representative of law enforcement.
• It is also helpful to hire an outside expert with direct experience in the type of crisis that you wish to prepare for. This person’s experience will add important real-world elements to the exercise and help to test the thoroughness of the plan by bringing up unexpected but realistic events. Incident Response firms have this expertise when it comes to ransomware and other cyber attacks.
• A typical exercise takes between four and eight hours to complete. Ideally, it should be held on a weekend or outside of normal business hours to properly simulate how easy or difficult it would be to deal with the crisis during off-hours. Ransomware criminals often launch their attacks on Friday night or over the weekend to take the victim by surprise and maximize the damage.
• These events can be stressful, so it is nice to plan for catering lunch or another way to show everyone involved that they are valued.
Consider the following realistic scenario as a basis for your planning:
• Starting late on a Friday night, transit customers complain that ticket machines aren’t working across the system.
• IT personnel report that they are unable to remotely log in to perform maintenance on any computer system and have to send someone to the server room to investigate.
• All computers are inoperable and display a ransom demand message asking for $15 million USD in bitcoin with a deadline of 48 hours, after which the ransom demand will double.
• An emergency conference call is initiated early Saturday morning and invitations are sent via email. Halfway through the conference call, someone realizes that there is an unauthorized person listening to the call. It turns out to be the attacker, who was monitoring all internal email and received the conference call details.
• All personnel move communications to an alternate system using mobile phones and all computers and servers are shut down to prevent further damage from the attackers, who still have remote control of systems.
• IT personnel report that it will take 15 working days to wipe all computer systems and restore from backups and that the most recent backup was from one week ago. Any data created in the last week will be lost. If the ransom is paid, the systems might be restored in two or three days and the last week of data will likely be intact.
• News reporters call constantly for interviews and some begin to ask about whether it was a cyber attack. The attacker begins to post information naming your transit agency as a victim on their website and threatens to publicly release all internal email and details about all customers if the ransom is not paid.
• Transit authorities must decide whether it is legal to pay the ransom and whether it is advisable to do so, how to communicate information to the public, when to call law enforcement, and how to carry on essential services while waiting for the systems to be restored.
• If a ransom is to be paid, who will negotiate the amount and who will obtain the bitcoin cryptocurrency to make the payment? If no ransom will be paid, who will inform the customers whose personal data will be released by the attacker, and what compensation will the transit agency provide to those customers who are harmed?
• Once the systems are restored to operation, decide how to investigate the root cause of the incident so that the attackers cannot come back in the same way. Consider how to supplement the IT personnel resources, since they will be exhausted after working so many long hours.
Randy Pargman | senior director of Threat Hunting and Counterintelligence
Randy Pargman is the senior director of Threat Hunting and Counterintelligence at Binary Defense. In this role, Pargman leads the threat hunting team in reverse engineering malware and developing new techniques for detecting signs of emerging threats and attacker behavior that evade or defeat traditional security solutions. He also leads the counterintelligence and intelligence operations teams in researching threat actors, finding threat information on Darknet hidden websites, criminal forums, dump sites and social media platforms. Pargman previously spent 15 years at the FBI as a senior computer scientist with the Cyber Task Force based in Seattle, Wash., as well as the global Cyber Action Team. Pargman has earned the FBI Director’s Award for Excellence in Technical Advancement as well as the FBI Medal of Excellence.