Introduction
Financial institutions are facing a new reality: cyber-resilience has passed from being a best practice, to an operational necessity, to a prescriptive regulatory requirement.
Crisis management or Tabletop exercises, for a long time relatively rare in the context of cybersecurity, have become required as a series of regulations has introduced this requirement to FSI organizations in several regions, including DORA (Digital Operational Resilience Act) in the EU; CPS230 / CORIE (Cyber Operational Resilience Intelligence-led Exercises) in Australia; MAS TRM (Monetary Authority of Singapore Technology Risk Management guidelines); FCA/PRA Operational Resilience in the UK; the FFIEC IT Handbook in the US, and the SAMA Cybersecurity Framework in Saudi Arabia.
What makes complying with these regulatory requirements complex is the cross-functional collaboration between technical and non-technical teams. For example, simulation of the technical aspects of the cyber incident – in other words, red-teaming – is required, if not precisely at the same time, then certainly within the same resilience program, in the same context, and with many of the same inputs and outputs. This is strongest in the regulations based on the TIBER-EU framework, particularly CORIE and DORA.
There’s Always Excel
As requirements become more prescriptive, and best practices become more established, what used to be a tabletop exercise driven by a simple Excel file with a short series of events, timestamps, personas and comments, has grown into a series of scenarios, scripts, threat landscape analyses, threat actor profiles, TTPs and IOCs, folders of threat reports, hacking tools, injects and reports – all of which must be reviewed, prepared, rehearsed, played, analyzed, and reported, at least once per year, if not per quarter, if not continuously.
While Excel is a stalwart in each of the cyber, financial, and GRC domains, even it has its limits at these levels of complexity.
Blending Tabletop and Red Team Simulation
Over the past several years, Filigran has advanced OpenAEV to the point where you can design and execute end-to-end scenarios that blend human communications with technical events. Initially launched as a crisis simulation management platform, it later incorporated breach & attack simulation to now holistic adversarial exposure management, providing a unique capability to assess both technical and human readiness.
 |
| Simulations are more realistic when ransomware encryption alerts are followed by emails from confused users |
There are many advantages to blending these two capabilities into one tool. For a start, it greatly simplifies the preparation work for the scenario. Following threat landscape research in OpenCTI (a threat intelligence platform), a relevant intelligence report can be used to both generate the technical injects based on the Attacker TTPs, but also have content such as attacker communications, third party Security Operations Centre and Managed Detection and Response communications, and internal leadership communications, built off intelligence and timing from the same report.
Keeping Track of the Team
Using a single tool also deduplicates logistics, before, during, and after the exercise. “Players” in the exercise, in their teams and organizational units, can be synchronized with enterprise Identity and Access Management sources, so that recipients of alerts from technical events during the exercise, are the same as those receiving simulated crisis emails from the tabletop components; and the same who receive the automated feedback questionnaires for the ‘hot wash’ review immediately after the exercise; and the same who appear in the final reports for auditor review.
 |
| OpenAEV can synchronise current team participant and analyst details from multiple identity sources |
Similarly, if the same exercise is run again after lessons learnt have been put into place, as part of the demonstrable continual improvement required under DORA and CORIE, then this synchronization will maintain a current contact list for the individuals in these roles, or, indeed, for the alternate phone tree and out-of-band crisis communications channels that are also kept up to date, and for third parties such as MSSP, MDR, and upstream supply chain providers.
Similar efficiencies exist in threat landscape tracking, threat report mapping, and other features. As with all business processes, streamlining logistics makes for greater efficiency, enabling shorter preparation times, and more frequent simulations.
Choosing your timing
With CORIE and DORA being relatively recently enforced regulations, most organizations will be just starting their journey in running tabletop and red team scenarios, with much refinement in the process still to come. For such organizations, running blended simulations may feel too large a first step.
This is fine. Scenarios can be run in OpenAEV in more discreet ways. Most typically, this might involve running a red team simulation on the first day, to test detective and preventative technical controls, and SOC response processes. The tabletop exercise would then be run on the second day, and can potentially be tweaked to reflect findings and timings from the technical exercise.
 |
| Simulations can be scheduled to repeat over days, weeks, or months |
More interestingly, simulations can be scheduled and run over much longer periods of time – even months. This permits automation and management of trickier, but very real scenarios, such as leaving signs of intrusion on hosts in advance, and challenging the SOC, IR and CTI teams to show their ability to retrieve logs from archive in order to search for patient zero, the first system compromised. This can be hard to realistically model in a day’s simulation, but all too common a requirement in reality.
Practice makes Perfect
Aside from the regulatory requirements, insurance conditions, risk management, and other external drivers, the ability to streamline attack simulations and tabletop exercises for current, relevant threats, with all the technical integrations, scheduling, and automation that enable this means that your security, leadership, and crisis management teams, will develop a muscle memory and flow that will engender confidence in your organization’s ability to handle a real crisis, when the next one occurs.
Having access to a tool like OpenAEV, which is free for community use, with a library of common ransomware and threat scenarios, technical integrations to SIEMs and EDRs, and an extensible and open source integration ecosystem, is one of many ways in which we can help improve our cyber defenses and cyber resilience. And, not to forget, our compliance.
And when your team is fully rehearsed and confident at handling crisis situations, then it’s no longer a crisis.
Ready to Take the Next Step?
To dive deeper into how organizations can turn regulatory mandates into actionable resilience strategies, join one of Filigran’s upcoming expert-led sessions:
Operationalizing Incident Response: Compliance-Ready Tabletop Exercises with an AEV Platform