
How to Wage Cyber-Battle on Multiple Fronts?

This report is one amongst many that convey the same general idea, as consensus about the rising level of cyber-threat is spreading across all cyber-related industries.

Author: TrustPeers team| 10 minutes read | September 09, 2021

Following the 2020 massive rise in cyber-attack numbers and their increased complexity, CDN Network states in its annual report that “the time has come to fundamentally rethink strategy and embrace a layered defense to gain a tactical edge and achieve superiority on the battlefield in both conventional conflicts and asymmetric cyber-warfare.”

Tactically, this means:

  • If your activity is in any way dependent on a connection to the Internet, you will be hacked.
  • Current Incident Response plans and cyber-defenses need to be able to withstand both simultaneous and multi-pronged attacks from a single attacker.

To further complicate matters, cyber-attacks affect all targeted organizations’ aspects, not only the IT department. This means every attack response needs to be coordinated across all departments from IT to operations, legal, finance, PR, marketing, and so forth.

In other words, when talking about cyberwar, the enemy is everywhere, the front lines are civilian organizations, and battles are waged on both the technical and the operational fronts.

The concept of a secure perimeter became obsolete with the advent of cloud and hybrid architectures and was replaced by the zero-trust approach. Yet, with the growing availability of advanced APT offensive tools and the growing reliance on AI and ML to develop ever more complex offensive tools, the zero-trust approach needs to be complemented with a robust incident-response playbook framework capable of responding on many fronts and of bringing the cyber-battle to the enemy’s territory.

Even organizations fully implementing a zero-trust approach and a software-defined perimeter are at risk. What these defensive measures do is reduce the attack surface, segment the environment to prevent escalation, and strengthen user and device authentication, among other things.

Those are all valid and indispensable measures which can indeed minimize or slow the spread of the damage in case of a breach, but they are all defensive measures that fail to provide offensive tools when an attacker successfully penetrates the perimeter.

Julius Caesar is reported to have said that “there is no fate worse than being continuously under guard, for it means you are always afraid.”

The opposite of being afraid is being prepared

So this is where having instant access to multiple war rooms comes into play.

What are “war rooms” in a cyberwar and in cyber tabletop exercises context?

Like in every other context, war rooms are spaces where key people get together to solve a complex problem requiring immediate attention.

Advanced cyber war rooms are virtual, which enables them to benefit from additional attributes:

  1. They are entirely virtual to enable instant communication between stakeholders located anywhere on the planet. That requires secured, encrypted communication channels and verified access only.
  2. Due to their virtual nature, they can accommodate numerous virtual resources, from cyber tools to databases, including actual crisis management tools and much more. The easiest way to understand what a well-designed cyber war room should provide is to draw a parallel with the Oval Office situation room often featured in the news and in movies. Like the situation room, a virtual cyber war room provides stakeholders with:
    • Instant access to all the relevant material, centralized in a single hub and easily accessible.
    • Priority and secure communication channels with all personnel required to tackle the active crisis. Ideally, all potential participants will be members of specific teams defined beforehand and whitelisted, so calling them in is swift, and each team member will have a defined, specific role in the team.
    • Connection with external intelligence gathering sources.
    • Recording facilities for all interactions between participants.
  3. They include a library of up-to-date offensive strategies tailored to respond to an exhaustive range of attack scenarios.
    • Ideally, these tactics and strategies will be organized in interactive playbook formats to facilitate response management, ensure no critical step is overlooked and provide the response management leader with an instant appreciation of the progress of the response team.
  4. They can automatically generate reports, complete with required documentation.
  5. They are not dependent on a physical location, so multiple war rooms can be activated simultaneously.

Why are multi war-rooms necessary in Incident Response and in tabletop exercises?

There are several situations where having access to multiple cyber war rooms simultaneously offers a distinct advantage:

When a large organization is under a single attack:

Large organizations suffer from two potential weaknesses:

  • Their size might make them particularly attractive to attackers with access to advanced tools.
  • Their response time might be impeded by the number of people involved in all aspects of the response.

If, for example, a large organization is facing a ransomware attack, it will need to tackle numerous aspects rapidly:

  • Identify the attack vector
  • Isolate endpoints and resources that are not yet infected
  • Isolate and verify the latest clean backups
  • Check whether data has been exfiltrated during the attack
  • Attempt to identify and locate the attacker

The finance department needs to:

  • Evaluate the economic rationality of paying the ransom
  • Establish how to secure the required amount
  • Assemble the funds
  • Convert the funds into the required cryptocurrency

The legal department needs to:

  • Evaluate the legal implications of the potential data loss
  • Liaise with compliance officers
  • Collect data and activity records

The operations department needs to:

  • Evaluate the impact on operations
  • Take steps to reduce the interruption of services

The PR department needs to:

  • Evaluate the need to issue a statement
  • Liaise with all communication channels
  • Devise a message to limit brand reputation damage
  • Communicate with media outlets
  • Monitor media and respond to negative press and messages

And the list goes on.

For large organizations where each of these departments includes numerous people, having a dedicated war room for each department and a single representative reporting to the GHQ war room which centralizes the overall response strategy makes the difference between chaos and efficiency.

When an organization is facing simultaneous attacks

In today’s cyber reality, any organization can face more than one attack at the same time, whether from a single attacker or from multiple ones. Managing the response to multiple attacks from a single war room is bound to generate confusion and negatively impact the response efficacy. On the other hand, opening a dedicated war room for each separate attack ensures that the response team or teams optimally tackle each attack.

A centralized war room can be added to manage tasks that need to be performed only once and to update the corresponding tasks in all other war rooms, accelerating each room’s resolution time.

To accelerate resolution

When an attack is particularly egregious, it can pay to open multiple war rooms and try a range of strategies simultaneously. Assigning different response teams to the same incident, each with a different tactic, has multiple benefits:
  • It accelerates the incident’s resolution as for each attack scenario, some tactics will be more efficient than others
  • It improves future response time by identifying the best performing tactic for a given attack type in that organization
  • It provides real-time training to all teams
  • It enables evaluating each team member's performance under fire

However, running multiple cyber war rooms concurrently requires access to a technology that enables rapid war room creation in minimal time.

How do TrustPeers war rooms measure up?

Let’s examine the structure of TrustPeers war rooms from different angles:

Communication

The first function of a war room is to enable secure communication between all people involved in an incident response.

TrustPeers war rooms provide a 3FA secure communication hub, complete with encrypted channels including email, chat, audio, and video, all in a single unified interface.

All communication can be recorded as required and replayed as needed. Activating recording or replay requires a single action that covers all communication channels.

Customizable automatically generated reports facilitate communication between war rooms and with external authorities and other relevant bodies.

Onboarding

Often the forgotten element is the time it takes to onboard the people who will have to respond to the incident. On TrustPeers, teams are created during the planning stage, each member assigned a role and approved for duty. When the incident occurs, summoning an entire team is done at a single click. Adding or removing individual team members is always possible, but the bulk of the onboarding is already done before the onset of an incident, gaining precious time.

As each team member is granted access to specific resources during the planning stage, no time is lost by team members needing to access those resources during the incident response.

As all information is centralized in a single pane of glass interface, onboarding newcomers and additional team members is considerably facilitated.

Strategizing

TrustPeers incident-specific playbooks are updated in real-time with data collected both from external sources such as Mitre ATT&CK, NIST, SANS, MISP, etc., and from internal data collected and processed by TrustPeers’ ML.

TrustPeers ML integrates the latest information collected from all responses taking place on the platform as well as intelligence collected on the surface and dark web. Armed with this information, it updates the playbooks with the latest and most efficient tactics applicable to each attack type.

Centralizing Information & Resources

At the planning stage, an organization already sets up the environment, integrating with its SaaS and apps, inventorying log auditing and repositories, and selecting applicable compliance regulations.

This means that access to each resource is already pre-authorized for the relevant team members who can access it directly from the war room without any waste of time.

Modularity

Each war room is built with the same core functionalities and can be customized to organizations’ needs or to the room’s function.

For example, a Management Room will have dedicated access to some operational function that might be unnecessary for a war room designed for the IT or the PR department.

This user-friendly customization enables TrustPeers users to create dedicated war rooms at will, with the exact specification required.

Duplicability

Any TrustPeers war room can be duplicated at a click and then customized to fit the war room’s target use. This eliminates the need to repeat the setting-up stage and invest time in integrating the organization environments, data sources, etc.

Every element of the source war room, including team and team member role definition and access whitelisting, is duplicated, and each element can either be left as is, deleted or modified as needed.

The TrustPeers Cyber Crisis Management platform is designed to accommodate and manage multiple war rooms simultaneously with maximum ease and optimal MTTR across attack types.

Contact us for a demo or to run a practice in a war room with no obligation.
