Are you ready for Cyber Threats with Tabletop Exercises?

Cybersecurity is an ever-evolving field where new threats emerge daily, requiring constant vigilance and preparedness. Security leaders often live by the axiom that it is not a matter of if but when they will fall victim to a cybersecurity incident. This inevitability underscores the importance of robust incident response and business continuity plans. However, without running tabletop exercises — dry-run scenarios simulating specific security incidents — organizations can never truly gauge how their plans and teams will hold up against real-world threats.

Tabletop exercises provide a controlled environment for security teams to practice their response to cyber incidents. The US Cybersecurity and Infrastructure Security Agency (CISA) offers detailed Tabletop Exercise Packages (CTEP) that can give security leaders a head start. Here, we will analyze three of CISA’s CTEPs that offer significant value due to their comprehensive and flexible templates: compromised open-source software packages, ransomware attacks, and insider threats.

Compromised Open-Source Software Packages

Software supply chain attacks have become increasingly prevalent as attackers realize they can compromise widely used open-source software (OSS) packages and have a massive downstream impact. These attacks are particularly insidious because they target the very foundations of software development, affecting numerous organizations simultaneously.

Organizations often lack visibility into their full inventory of OSS components, which are integral to modern codebases. According to Synopsys, 70% to 90% of modern codebases contain OSS components, and these components constitute 70% or more of the overall codebase. While OSS offers benefits like cost savings, speed, and efficiency, it also comes with risks such as inadequate maintenance, with 25% of OSS projects having a single maintainer and 94% having fewer than 10 maintainers.

This lack of oversight has led to a dramatic increase in malicious OSS packages. Sonatype reported finding 245,000 malicious packages in the past year, twice the number found in all previous years combined.

CISA’s OSS CTEP: Structure and Objectives

CISA’s OSS CTEP is a 180-minute exercise that involves various activities capped off by a hotwash (a review session). The exercise is structured around the NIST Cybersecurity Framework (CSF) phases of govern, identify, protect, detect, respond, and recover. Key objectives include:

  • Discussing organizational resilience and response to threats targeting open-source projects.
  • Familiarizing stakeholders with reporting processes and respective roles during a cyber incident stemming from a critical OSS project.
  • Identifying areas for improvement in incident reporting processes, policies, and procedures.
  • Examining response coordination efforts between public, private, and community stakeholders during a cyber incident.

The CTEP includes scenarios involving the introduction of vulnerabilities into OSS community toolchains, leading to widespread system compromises and delays in patching.

Key Questions Around OSS Risks

The exercise encourages organizations to consider critical questions such as:

  • Do we understand what OSS components we are consuming and their locations within our systems?
  • How would we follow the incident management lifecycle to respond to and recover from an OSS package compromise?
  • What actions can we take to mitigate risks associated with impacted systems and products?
  • How can we make more informed decisions about the OSS projects and components we use?
  • How do we respond to our vendors to ensure transparency around the components in their products that may introduce risks?

These thought-provoking questions help organizations codify their policies and processes, enhancing their resilience against OSS supply chain attacks.
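The first two questions above, knowing which OSS components you consume and where, and scoping a package compromise during response, come down to walking your SBOM. The following is an added example, not CISA's CTEP material: it assumes a CycloneDX-style JSON SBOM with `components` and `dependencies` sections, and every package name, version and service in it is a constructed placeholder.

```python
# Added example (not from CISA's CTEP): scope a compromised package against a
# CycloneDX-style SBOM. All package names, versions and services are constructed.
import json

# Constructed SBOM: two deployable services sharing one transitive dependency.
SBOM_JSON = json.dumps({
    "components": [
        {"bom-ref": "pkg:npm/billing-api@2.0.0", "name": "billing-api", "version": "2.0.0"},
        {"bom-ref": "pkg:npm/web-portal@5.1.0", "name": "web-portal", "version": "5.1.0"},
        {"bom-ref": "pkg:npm/http-client@3.2.0", "name": "http-client", "version": "3.2.0"},
        {"bom-ref": "pkg:npm/color-utils@1.4.2", "name": "color-utils", "version": "1.4.2"},
        {"bom-ref": "pkg:npm/color-utils@1.3.0", "name": "color-utils", "version": "1.3.0"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/billing-api@2.0.0", "dependsOn": ["pkg:npm/http-client@3.2.0"]},
        {"ref": "pkg:npm/web-portal@5.1.0", "dependsOn": ["pkg:npm/color-utils@1.3.0"]},
        {"ref": "pkg:npm/http-client@3.2.0", "dependsOn": ["pkg:npm/color-utils@1.4.2"]},
    ],
})
# Constructed advisory: the hypothetical "color-utils" had two malicious releases.
ADVISORY = {"name": "color-utils", "bad_versions": {"1.4.2", "1.4.3"}}


def scope_compromise(sbom_json, advisory):
    """Map each compromised bom-ref to the sorted deployable roots that pull it in.
    A root is a component nothing else depends on, i.e. a shippable service."""
    sbom = json.loads(sbom_json)
    parents = {}  # child ref -> refs that depend on it (reverse dependency graph)
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, set()).add(dep["ref"])
    hits = [c["bom-ref"] for c in sbom["components"]
            if c["name"] == advisory["name"] and c["version"] in advisory["bad_versions"]]
    result = {}
    for ref in hits:
        roots, seen, stack = set(), set(), [ref]
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            if cur in parents:
                stack.extend(parents[cur])  # keep walking toward the services
            else:
                roots.add(cur)  # nothing depends on it: a deployable root
        result[ref] = sorted(roots)
    return result
```

Only the service that transitively pulls in a malicious version is reported; the unaffected 1.3.0 copy in `web-portal` is ignored, which is exactly the distinction a responder needs before deciding what to contain and rebuild.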

The Growing Menace of Ransomware

Ransomware has become one of the most notorious and pervasive cyber threats. In 2023, ransomware attackers are projected to bring in double the 2022 total of $567 million in cryptocurrency payments. These attackers encrypt data or systems and demand payment for their release. High-profile incidents like the 2021 Colonial Pipeline attack highlight the severe societal and financial impacts of ransomware.

The ransomware landscape has evolved to include ransomware-as-a-service (RaaS) models, where ransomware groups sell their code or access to other attackers. Estimates indicate that the average ransomware demand in 2021 was around $6 million.

CISA’s Ransomware CTEP: Building Resilience

CISA’s CTEP for ransomware is also a 180-minute exercise involving various stakeholders and activities based on the NIST CSF. Key objectives include:

  • Examining an organization’s response capabilities during a ransomware incident.
  • Enhancing the ability to coordinate information sharing.
  • Identifying areas for improvement in incident response plans and organizational resilience.
  • Exploring and improving plans to recover from incidents and restore mission-critical assets.

The exercise includes scenarios such as an employee being targeted by a phishing email, leading to network compromise and ransomware deployment.

Understanding Threats and Preparedness

The ransomware CTEP prompts organizations to explore aspects of operational resilience, asking questions like:

  • How accurate are our inventories of critical assets and data?
  • Do we have resources dedicated to mitigating known exploited vulnerabilities on internet-facing systems?
  • What is our backup retention period, and how long would it take to restore from backups if necessary?
  • How well have we implemented zero-trust architecture to limit attack spread?
  • How effective is our cybersecurity awareness training for employees?

The exercise also addresses legal aspects, including compliance with security breach notification laws and the need for communication plans to handle disclosures to regulatory authorities and the public.

The scenario progresses to involve unusual network traffic, ransom messages appearing on screens, and hackers posting about the attack on the dark web. The organization must consider questions around sustaining operations, prioritizing IT restoration, and distinguishing between normal and abnormal traffic. A well-practiced incident response plan (IRP) is crucial.

The Insider Threat Challenge

Insider threats, particularly from disgruntled former employees, pose significant risks. These threats are complicated by third-party access and the integration of various systems via network connections and APIs. The scenario involves a former employee exploiting system vulnerabilities through a third-party vendor.

CISA’s Insider Threat CTEP: Key Questions

The insider threat CTEP scenario begins with an alert about a microprocessor vulnerability and a terminated employee making threats. It prompts organizations to consider:

  • How do we handle contentious terminations to mitigate risks?
  • What steps do we take to ensure former employees cannot access organizational systems?
  • How do we respond to unauthorized administrative activity and identify the extent of the damage?
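The second and third questions above have a concrete technical counterpart: reconciling the HR termination feed against the account inventory so that lingering or recently used accounts of former employees, and accounts with no HR owner at all (such as third-party vendor access), surface before the exercise rather than during an incident. The check below is an added example, not part of CISA's CTEP; the HR records, accounts and dates are constructed, and the severity scheme is an assumption.

```python
# Added example (not from CISA's CTEP): reconcile HR terminations against an
# account inventory to catch lingering access. All records are constructed.
from datetime import date, datetime

# Constructed HR feed: employee id -> termination date (None if still employed).
HR = {"e100": None, "e101": date(2024, 3, 1), "e102": date(2024, 3, 15)}

# Constructed account export: owner id, enabled flag, last login (ISO 8601), admin flag.
ACCOUNTS = [
    {"account": "alice", "owner": "e100", "enabled": True, "last_login": "2024-03-20T09:00:00", "admin": False},
    {"account": "bob", "owner": "e101", "enabled": True, "last_login": "2024-03-05T02:13:00", "admin": True},
    {"account": "bob-svc", "owner": "e101", "enabled": True, "last_login": None, "admin": False},
    {"account": "carol", "owner": "e102", "enabled": False, "last_login": "2024-03-14T17:00:00", "admin": False},
    {"account": "vendor-adm", "owner": "x900", "enabled": True, "last_login": "2024-03-21T03:00:00", "admin": True},
]


def offboarding_findings(hr, accounts):
    """Return (account, severity, reason) for every account whose owner is terminated
    or unknown to HR. Severity (assumed scheme): 'high' when the account is enabled and
    was used after termination or holds admin rights, 'medium' if merely still enabled."""
    findings = []
    for acct in accounts:
        if acct["owner"] not in hr:
            findings.append((acct["account"], "high", "no HR owner record"))
            continue
        term = hr[acct["owner"]]
        if term is None:
            continue  # owner still employed
        login = acct["last_login"] and datetime.fromisoformat(acct["last_login"]).date()
        used_after = bool(login and login > term)
        if not acct["enabled"]:
            findings.append((acct["account"], "info", "disabled; confirm tokens/keys revoked"))
            continue
        reasons = ["still enabled"]
        if used_after:
            reasons.append("used after termination")
        if acct["admin"]:
            reasons.append("admin rights")
        sev = "high" if len(reasons) > 1 else "medium"
        findings.append((acct["account"], sev, ", ".join(reasons)))
    return findings
```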

Mitigating Insider Threats

The exercise forces security teams to think about resource allocation for incident response, necessary processes to mitigate insider threats, and the need to contact law enforcement. It emphasizes the importance of comprehensive plans and processes to halt malicious activities, recover from incidents, and hold insiders accountable.

Conclusion

Tabletop exercises are essential for preparing organizations to handle cyber incidents effectively. CISA’s CTEPs offer valuable frameworks for simulating and responding to real-world threats, enhancing organizational resilience. By addressing compromised open-source software packages, ransomware attacks, and insider threats, organizations can better understand their vulnerabilities, improve their incident response capabilities, and ensure they are prepared for the inevitable cybersecurity incidents that lie ahead.
