A few weeks ago I ended up getting involved with the Open Security Summit 2020, initially with the idea of just running a threat modelling session. Things progressed a bit, and the idea evolved as time went on. We ended up with an interesting approach to an incident response scenario, which I want to document and carry further.
You may have had experience of incident response tabletops, or scenarios, before, where there are various injects such as newspaper headlines and similar to help set the scene and get effective responses. If not, the idea is to run through some sort of incident scenario to test internal response processes. Usually this involves senior members of an organisation sitting around a table to run through a scripted scenario.
With #OSS2020 we put a slightly different spin on it. Rather than just having one team, we had several, covering different perspectives of an incident – including the attacker team. Red team exercises are familiar to many, and really all we did was bring that concept to a tabletop exercise so that the scenario could shift and alter as events progressed.
The ‘script’ was a basic description of a company and their product, plus initial briefing cards for each of the teams; the rest was done by moderators talking across back channels (a private Slack channel) to coordinate between breakout rooms. The experience was entirely different from any similar scenario I’ve run through, with a sense of pressure that’s often missing, and decisions having more dramatic consequences than they might (revoking root certificates to customer environments did stymie the attackers for a while, but also held back the blue team from remediation actions – whether it was the right call or not is something we’ll be discussing in the post-mortem).
It’s an exercise I’d definitely repeat and encourage others to try. The one big conclusion we came to after the session was that a central point of coordination would be extremely useful to adjudicate on actions taken by teams, rather than relying on discussion between the team moderators. If anyone would like help performing such an exercise, tailored to their organisation, get in touch – the prep work needed is minimal, and the output in terms of not only testing responses but increasing awareness and understanding is hard to overstate.
In the spirit of #OSS2020, the videos will be uploaded to YouTube and made available – including the conversations in the different breakout rooms as they occurred – and while they’ll be a long watch I would recommend taking a look when they go up.