Author: TrustPeers team | 10 minutes read | September 09, 2021
Following the 2020 massive rise in cyber-attack numbers and their increased complexity, CDN Network states in its annual report that “the time has come to fundamentally rethink strategy and embrace a layered defense to gain a tactical edge and achieve superiority on the battlefield in both conventional conflicts and asymmetric cyber-warfare.”
This report is one amongst many that convey the same general idea, as consensus about the rising level of cyber-threat is spreading across all cyber-related industries.
Tactically, this means:
To further complicate matters, cyber-attacks affect all targeted organizations’ aspects, not only the IT department. This means every attack response needs to be coordinated across all departments from IT to operations, legal, finance, PR, marketing, and so forth.
In other words, when talking about cyberwar, the enemy is everywhere, frontlines are civilians’ organizations, and battles are waged both on the tech and on the operational fronts.
The concept of a secure perimeter became obsolete with the advent of cloud and hybrid architectures and was replaced by the zero-trust approach. Yet, with the growing availability of advanced APT offensive tools and the growing reliance on AI and ML to develop ever more complex offensive tools, the zero-trust approach needs to be complemented with a robust incident response playbook framework capable of responding on many fronts and of bringing the cyber-battle to the enemy’s territory.
Even organizations fully implementing a zero-trust approach and a software-defined perimeter are at risk. All these measures do is reduce the attack surface, segment the environment to prevent escalation, and strengthen user and device authentication, among other defensive steps.
Those are all valid and indispensable measures which can indeed minimize or slow the spread of the damage in case of a breach, but they are all defensive measures that fail to provide offensive tools when an attacker successfully penetrates the perimeter.
Julius Caesar is reported to have said that “there is no fate worse than being continuously under guard, for it means you are always afraid.”
So this is where having instant access to multiple war rooms comes into play.
Like in every other context, war rooms are spaces where key people get together to solve a complex problem requiring immediate attention.
Advanced cyber war rooms are virtual, which enables them to benefit from additional attributes:
For large organizations where each of these departments includes numerous people, having a dedicated war room for each department and a single representative reporting to the GHQ war room which centralizes the overall response strategy makes the difference between chaos and efficiency.
In today’s cyber reality, any organization can face more than one attack at the same time, whether from a single attacker or from multiple ones. Managing the response to multiple attacks from a single war room is bound to generate confusion and negatively impact the response efficacy. On the other hand, opening a dedicated war room for each separate attack ensures that the response team or teams optimally tackle each attack.
A centralized war room can be added to manage tasks that need to be performed only once and to update the corresponding tasks in all other war rooms, accelerating each room’s resolution time.
However, running multiple cyber war rooms concurrently requires technology that enables rapid war room creation.
The first function of a war room is to enable secure communication between all people involved in an incident response.
TrustPeers war rooms provide a 3FA secure communication hub, complete with encrypted channels including email, chat, audio, and video, all in a single unified interface.
All communication can be recorded as required and replayed as needed. Activating recording or replay requires a single action for all communication channels.
Customizable automatically generated reports facilitate communication between war rooms and with external authorities and other relevant bodies.
An often forgotten element is the time it takes to onboard the people who will have to respond to the incident. On TrustPeers, teams are created during the planning stage, with each member assigned a role and approved for duty. When an incident occurs, an entire team is summoned with a single click. Adding or removing individual team members is always possible, but the bulk of the onboarding is already done before the onset of an incident, saving precious time.
As each team member is granted access to specific resources during the planning stage, no time is lost by team members needing to access those resources during the incident response.
As all information is centralized in a single-pane-of-glass interface, onboarding newcomers and additional team members is made considerably easier.
TrustPeers incident-specific playbooks are updated in real time with data collected both from external sources such as MITRE ATT&CK, NIST, SANS, MISP, etc., and from internal data collected and processed by TrustPeers’ ML.
TrustPeers ML integrates the latest information collected from all responses taking place on the platform as well as intelligence collected on the surface and dark web. Armed with this information, it updates the playbooks with the latest and most efficient tactics applicable to each attack type.
At the planning stage, an organization already sets up the environment, integrating with its SaaS and apps, inventorying log auditing and repositories, and selecting applicable compliance regulations.
This means that access to each resource is already pre-authorized for the relevant team members who can access it directly from the war room without any waste of time.
Each war room is built with the same core functionalities and can be customized to organizations’ needs or to the room’s function.
For example, a Management Room will have dedicated access to some operational function that might be unnecessary for a war room designed for the IT or the PR department.
This user-friendly customization enables TrustPeers users to create dedicated war rooms at will, with the exact specification required.
Any TrustPeers war room can be duplicated at a click and then customized to fit the war room’s target use. This eliminates the need to repeat the setting-up stage and invest time in integrating the organization environments, data sources, etc.
Every element of the source war room, including team and team member role definition and access whitelisting, is duplicated, and each element can either be left as is, deleted or modified as needed.
TrustPeers Cyber Crisis Management platform is designed to accommodate and manage multiple war rooms simultaneously with maximum ease and optimal MTTR across attack types.
Contact us for a demo or to run a practice in a war room with no obligation.
TrustPeers is an Incident Response technology company. It develops an innovative Cyber Crisis Management platform that saves organizations in real time, by allowing them to prepare for attacks and take control over cyber emergencies.
Our proprietary crisis management SaaS platform is based on a unique PPRP (Planning, Practice, Response, Post) methodology that revolutionizes existing Incident Response (IR) solutions by handling the entire incident lifecycle. For more information contact us.