Chapter 10
The Tabletop Exercise

Dylan, Brent, and Harmony were in the ZTC basement conference room standing in front of the projection screen. The lights in the room were actually working for the first time. The conference table in the center of the room had been replaced with two large desks in an L shape. Shelves of old equipment lined the walls behind the desks. A green couch and three pieces of furniture formed a U shape. An old rug had been placed in the middle of the U shape, with the projection screen at the open end. The desks were covered with stickers. And Dylan noticed a red door on the other side of the room for the first time.

“What's behind that red door?” Dylan asked.

Harmony almost spit out the drink she was taking. “Oh, nothing. It's just a boring old storeroom where we keep our snibbets.”

“What's a snibbet?” Dylan asked.

“It's a kind of plange,” Harmony explained.

“Are you making an IT Crowd reference?” Dylan laughed as he recalled the dialogue from the BBC TV comedy from the 2000s. Brent hadn't gotten the reference.

“Maybe,” Harmony said with just the faintest hint of a smile. “Oh, look, Chris and Peter are joining the call.” Their Zoom video feed popped up and the three of them turned to the screen and began talking.

“I've done a tabletop exercise before, and it seems like a good idea to do one, but is that really a Zero Trust project?” Brent asked the group without looking up from his laptop.

“Part of the monitor and maintain phase means that we need to be regularly evaluating whether our controls are good enough or whether we have any blind spots,” Dylan answered. “A tabletop exercise is a great way of doing that.”

“Isn't this just a clever way of playing Dungeons and Dragons at work?” Harmony asked.

Brent stopped typing the email he was working on and closed his laptop. “Right. Just talking through a scenario might be fun, but will that really change anything?” Brent asked.

“There are several different kinds of tabletop exercise,” Chris explained. “The most basic is pretty similar to a Dungeons and Dragons campaign. You've got a moderator that functions just like a Dungeon Master. The moderator will have developed a guide for how the scenario will evolve.”

“You sound like you've got some experience as a DM,” Harmony observed.

“But we're not just doing a regular campaign. I mean tabletop,” Chris said. “What we're planning is more like a live-fire training exercise. Some people might call it a purple teaming exercise.”

“What's a purple team?” Brent asked.

“In cybersecurity circles, a red team is a group that tries to break into things. A blue team is the group that plays defense. Sometimes we will do exercises that simulate a real-world event, and the red and blue teams don't communicate. A purple team is more of a collaborative approach to a simulation where both sides work together.”

“So, that means the penetration tester and the SOC will be on the call with us and will respond just like they would in real life?” Brent asked.

“Yes, they'll be monitoring in real time. They might actually alert on a real alert or two since they won't know what Peter is doing versus what is real. But we'll also script much of the work that the penetration tester will perform in advance to create the most realistic scenario. He'll be doing some scanning in advance to make sure there are real findings.”

“With all the work with Zero Trust, won't this tabletop scenario be pretty simple? We won't really be able to find anything, right?” Brent asked.

“Trust me—there are always more trusts that you can remove.” Chris laughed for a second, but then he became serious. “I don't know this for sure, but I get the impression that some people think of a penetration test as a kind of CYA. They hope that the tests will show that they don't have any issues or to show off how good the security team is. One of the reasons that I started my company was that I didn't feel like I was getting our money's worth doing a penetration test unless we found something to help make us better. The goal is to always be getting better.”

“Every step matters,” Dylan said.

“Every step matters,” Chris agreed.

“So how do we build this Dungeon Master guide?” Harmony asked.

Chris laughed. “In tabletop exercises, we call it an MSEL, or Master Scenario Events List. The MSEL comes from the NIST standard for developing and running tabletop exercises. It's NIST 800-84 if you want to look it up. But first we need to start with defining our objectives. Those might change based on the audience, but in our case I think we should go with a mix of technical and procedural objectives.”

“One of the most important things that I've heard from Vic and Noor from the last incident is that we can't have another incident shut us down,” Dylan said. “If we were to lose that much revenue again, it might mean going out of business.”

“That's a perfect objective for a live-fire exercise,” Chris said. “The penetration tester will stop before they do anything that could impact operations, of course. The way that I would write that as an objective for the MSEL would be ‘Can the team keep the organization operational during an incident?’”

“Definitely,” Peter said.

“One of the things that I'm concerned about is false positives,” Harmony said. “We're always getting notifications from the SOC that sound really scary. Sometimes we have to drop everything to investigate, and it turns out to be a server we didn't know about talking to a new service no one ever heard of. But both are legit.”

“That's definitely something we love testing in a tabletop,” Chris said. “We always want to include red herrings in the scenario to simulate the confusion that can happen in a real incident. We will include some red herrings in the scenario, but for the MSEL, we'll ask whether the team can tell the difference between a real issue and a false positive.”

“I've been working with our business partners in our different departments and I'm a little concerned that they don't know our procedures well enough,” Brent said. “How do we test that?”

“That will definitely come out during the assessment,” Chris said. “We don't just want the IT guys to answer questions. We'll be asking different department heads what they would do in different situations. The objective here will be to identify specific gaps, not just in technology controls but also incident response procedures, resources, or training that could impact the organization if this were a real incident.”

“Holy cow,” Harmony said. “This is really happening!”

Several days later, Dylan felt a little like James Bond dressed in a new black suit. He looked at his watch. Again. Everyone on the Project Zero Trust team was gathered at the bottom of the stairs except for Brent. He had sent a message to the group to all meet at the briefing center early, then walk in as a team. Rose was wearing a vintage black and white dress with a new pair of glasses. Harmony had ditched her usual hoodie for a pair of black slacks and a white shirt and white blazer. Isabelle was in a black suit and crisp white shirt, jacket draped over her shoulder. Even Nigel had donned a white shirt in place of his usual red Arsenal jersey.

Noor walked up behind Dylan. “You all wore matching outfits?” she asked.

“We were hoping to coordinate with you,” Rose said. Noor was wearing her traditional black pantsuit, a white shirt, and her trademark black tie.

“Well, now I guess we can all walk in like that scene from Reservoir Dogs,” Noor said. Without waiting to see the stunned looks on their faces, Noor began walking up the stairs. Rose, Harmony, Nigel, and Isabelle took their places alongside Noor. Dylan didn't want to be late, so he followed the group up the stairs, giving one last look to see if Brent was coming.

Brent was already in the briefing center, also wearing a black suit. He was making cappuccinos for the attendees as they trickled in. “Where were you guys?” Brent asked. “I thought we were all meeting here early?”

“We were waiting for you downstairs!” Harmony laughed.

Most of the attendees had already arrived. The executive briefing center tables had been configured in a U shape, with Chris standing at the open end of the U. Each place setting at the table had a binder with a label that read “Situation Manual” and a glass of water. Vic was leaning over discussing something with Kofi and Kim. Boris was laughing loudly at something Agent Smecker had just said. Peter and Luis were both remote, their faces displayed on the video wall along with several members of the IT staff that were watching remotely so they didn't have too many people in the conference room.

Chris cleared his throat and began the meeting. “Good morning! For those of you who don't know me, I'm Chris Grey. I'm the founder of one of your security services partners and I'll be your moderator for this exercise. We've carefully built this scenario in partnership with Dylan and the Project Zero Trust team over the last several months. It was a little challenging coming up with a new scenario for a tabletop exercise, given how much MarchFit has been through over the last six months. What you have in front of you is the situation manual that will provide the background on this exercise and will set the stage for the events that are about to take place. But first, I'd like to ask for a round of applause for all the work that the Project Zero Trust team has put into this exercise and the effort that has gone into making MarchFit's security that much better.”

Everyone in the room began clapping. Vic stood up, and the rest of the room followed suit. Brent leaned over and patted Dylan on the back.

Chris continued. “For this tabletop, we'll be running on scenario time. We'll be going a little faster than real life so that we can focus on specific stages of the incident. The response could take days or weeks, so keep that in mind. Luis is on the line. He's with our SOC. Say hello, Luis.”

“Hello, Luis,” Luis said. The group chuckled at this.

“Peter Liu is MarchFit's penetration tester, and he'll be playing the role of a cybercriminal. Peter will be performing some scripted testing that we've agreed to in advance. If Luis is able to detect Peter's activity, he'll chime in and let us know. Any questions before we start?” Chris paused and looked around the room. “Hearing none. It's 8:35 a.m.,” Chris began. “The manager of the customer support hotline emails Noor that several customers report that their TreadMarch units appear to start but are only displaying a blue screen and will not connect to the network. What do you do?”

Everyone in the room turned to Noor. “It's probably too soon to panic,” she said, which got a huge laugh from the room. “I'd ask the manager for more information about the devices. Is there a common denominator like the locations, firmware, or age of the devices? I'd also want to look at our change control to see if we had made any recent changes.”

“Is there someone we can dispatch to physically go out to see one of the treadmills?” Vic asked.

“Yes, we can dispatch a local third-party technician. They are probably already working on other support tickets, so we'd need to pull them off a job and reroute.”

“How long would it take to dispatch a technician?” Chris asked.

“Probably thirty minutes, best case,” Noor answered. “Maybe forty-five with traffic.”

“Noted,” Chris said. “The technician will provide a report at 9:30. What other information will you need?” He typed several notes into the MSEL guide for the debrief after the tabletop.

“Boris, have you ever seen an error like this before?” Dylan asked.

Boris was seated at the end of the U, nearest to Chris. “No,” Boris answered, turning to talk to the group. “We don't have an error page that displays a blue screen that I know of.”

“Don't we have a monitoring center where we can see the status of all our treadmills?” Vic asked.

“We don't have a real-time view,” Boris said, scratching his head. “We run daily reports on activity and usage, but we've never put together a dashboard where we could do this live. We could probably pull something together in about a week.”

“It's now 8:45,” Luis interrupted. “Hi, Harmony. I'm from the SOC and one of our team members has detected suspicious activity on several user accounts.”

“What do you mean by suspicious?” Harmony asked.

“Our behavior-based detections indicate that the activities were out of the ordinary for those users,” Luis explained into the camera, his face lit by his computer monitors. “We can provide you the ID numbers of those users, but I don't have any further information at this time.”

“Okay, I'll start looking at the activity for those users,” Harmony said.

Noor was about to speak, but Chris interrupted. “At this point, I should point out that Noor and customer support are aware of the issues with the treadmills, but the team hasn't sent any further communications inside the organization about the issue. So, Harmony, you're not aware that the treadmills are having issues.”

“When do we send notices that something is going wrong?” Vic asked, looking around the room.

“We're almost always troubleshooting an issue,” Noor said, adjusting her tie so that it was straight. “The challenge is knowing when something is systemic. For a single device, that's low priority and our help desk will resolve it. Our incident response plan says that if we reach a threshold of 1 percent of our devices, we raise the issue to a medium-level category, and we'll respond by forming the incident response team. If it's more than 10 percent of devices, that's a high-level event. In practice, all events start out as a low-level notice, and as we investigate the event will go up in priority.”

“It's now 9 a.m.,” Chris said, looking down at his computer for the next inject. “Noor gets another report from the call center. It's nothing urgent, but they're letting her know that the call volume seems higher than normal for a weekday and are asking if it's okay to increase staffing to meet the demand.”

“How much higher is the call volume?” Kim asked, leaning forward.

“It's about fifteen percent higher,” Chris replied.

“Does that make this a high-level incident?” Vic asked.

“This is the Tuesday before Thanksgiving,” Noor said. “It could be that more people are off work and are around to call for support during the day. But in practice, when something like this happens, I will usually send an email to the IT leadership team giving them a heads-up just in case.”

“It's now 9:30 scenario time,” Chris said. “The technician dispatched to look at one of the malfunctioning treadmills has gotten it functional again. He had to reinstall the firmware, but the device is back online. He did note that one of his repairmen reported that the security dongle they use to securely access the treadmills had gotten lost several days ago.”

“Why are we only just now learning about this?” Kim asked, crossing her arms and leaning back in her chair.

“The technician indicates the repairman thought it was only misplaced, and they had been looking for it during their day off. So this was the first day that the technician knew about it.”

“What could someone do with a security dongle?” Kim asked.

“It can give them full access to a treadmill,” Boris answered. “But they can only use it on one treadmill at a time.”

“Is there a way to duplicate the device? Or make it work virtually so they could manipulate multiple treadmills?” Kim asked.

“It's possible. We'd have to look into that,” Boris answered.

“It's now 10:07,” Chris said. “After reviewing the logs, Harmony called one of the users that she happened to know personally. It turns out that the employee is currently on vacation and does not have access to a computer.”

“I think we can definitely bump this up to a medium-level incident now,” Noor said, adjusting the papers in her stack.

Chris cleared his throat. “It's now 10:15. April, your PR department reports that there have been several tweets complaining about working conditions in one of MarchFit's factories overseas. After several reshares of the tweets, people have begun commenting that they are planning a protest outside the MarchFit headquarters later today.”

“How many protesters are we expecting?” Kim asked.

“Unknown at this time,” Chris said.

“I'll put in a call to our security contractor,” Kim said, pretending to pick up her cell phone to make a call. “We may want to bring in some extra personnel in case there's a large group.”

“It's now 10:29,” Chris said. “I'm sorry to report that Noor has gotten a call from her child's school. Her child is sick and since her spouse is out of town, she needs to leave to take her sick child to the doctor. Noor will no longer be available for the scenario.”

“I had expected something like this might happen,” Noor said smiling. “If you guys need anything while I am away, Dylan should be able to help you.” She ceremoniously stood up and walked toward the door, then sat down at one of the chairs at the back of the room.

“It's 11:01,” Chris said.

“Ugh, not the time again,” Boris moaned.

“After reviewing logs, Harmony sees successful two-factor authentications for several of the users who had suspicious activity. It turns out that the user's child had their phone and clicked Accept on the two-factor request.”

“Brent, can we please initiate our compromised user workflow and lock those accounts?” Dylan said.

“You got it, boss,” Brent said, nodding.

“Hi, Harmony, it's Luis again. It's 11:12 and we've detected some port-scanning activity originating from the treadmill firmware update server. We believe this started around 10:30.”

“Do we think that the update server could have been used to compromise the treadmills having issues?” Kim asked, looking between Noor and Boris.

“That's a possibility,” Boris admitted.

“How do we find out?” Kim asked.

“We don't have a dashboard or anything like we talked about. We'd have to run a report manually to see when the last firmware change was made.”

“Should we take the server down, boss?” Harmony asked.

“Let's take it off the network,” Dylan said, nodding. “But let's keep it running so we can preserve any evidence that the attacker might have left behind.”

“It's now 11:45 and it appears that protesters have begun to arrive and are gathering near the front gate of the building,” Chris said, turning the page in his notebook and scrolling down the page on his computer.

“How many protesters?” Kim asked.

“Currently there are about twenty-five people gathered, but they are starting to interfere with employees coming to and from lunch,” Chris said.

“Should we call the police?” Vic asked. “Don't they need a permit or something?”

“We can call, but I don't think it will look good if the police start arresting protesters,” April said, leaning forward.

“We've gotten an update,” Chris said. “It appears that the media is now onsite setting up satellite trucks outside the building to cover the protest.”

“April, let's prepare a statement for the press,” Vic said, standing up to grab a pitcher of water. He poured another glass of water for himself. “We can invite them inside and tell them we take these allegations seriously and that we will investigate and resolve any issues we find.”

“Yes, I can do that,” April said.

“I'll have some more security staff positioned outside the gate to direct traffic to keep the protesters from blocking traffic,” Kim said.

“It's now 12:25,” Chris said. “In reviewing traffic logs, the network team sees successful connections from the update server to another server … the network vulnerability scanning server.”

“Oh, crud,” Harmony said.

“Let's take the server off the network asap,” Dylan said. “I think we're officially in a high-severity incident. We should send notifications to all IT staff to be on alert. They should review their logs and log off any remote users they can identify. We should bring in our incident response partner.”

“I'll contact them and bring them up to speed,” Rose said.

“We need a list of any network traffic that the vulnerability server has made in the last twenty-four hours.”

“I'll work on that,” Harmony said.

“It's now 12:45,” Chris said. “After receiving the notification to be on high alert, several IT staff reported noticing a drone flying around outside the building. It has now been hovering for several minutes outside the northwest corner of the second floor of the building.

“It is 1 p.m.,” Chris continued. “After Vic gave a briefing to the press, the crowd of about twenty-five people began to disperse. The drone also is seen moving away from the building as the crowd leaves, but it isn't possible to see which person retrieved the drone as they left.”

“I don't understand,” Vic said, folding his arms. “What could the drone have done? Just gotten video from inside the building?”

“It's possible someone had written things on a whiteboard. The drone could have seen passwords or product specifications.” Rose shrugged. The group broke into several smaller conversations as people speculated what data could have been observed by a drone looking into the building.

“It's now 1:05,” Chris said, looking around the room to get everyone's attention. The group quieted down, focusing back on him. “Harmony reports that the scanning server was able to connect to nearly every server and client in the organization during the last three hours. It downloaded some unique malware to one client in particular.”

“Let's get that client off the network, please, Harmony,” Dylan said.

“Already on it,” Harmony reported, tapping the keyboard on her laptop to pretend she was making a change.

“After investigating,” Chris said, “Harmony identifies the specific computer. It is located in the northwest corner of the building on the second floor.”

Dylan was the first to speak up. “Let's get the computer into the hands of our incident response firm to see if they can identify what that ‘unique’ malware actually was and how it got past our EDR tool.”

“It's now the next day,” Chris said. “Your incident response firm reports that the malware was a data exfiltration tool. It used the LED on the computer to flash rapidly. They've only ever seen this used by sophisticated nation-state attackers. They report that it is possible that data could have been transmitted to the drone.” The group gasped at this announcement. Several of the department heads around the table seemed skeptical of this.

“How do we know what data could have been stolen?” Kim asked.

Kofi spoke up for the first time. “We definitely need to know what data was stolen to decide what to do next. We might need to do victim notifications or file a report with the SEC depending on what the answer to that is. How do we tell?”

“Our incident response firm would have made a forensically secure copy of the client drive and can review what data is being stored in memory,” Dylan said. “We can scan the device, but that may take several days.”

“We'll need to notify our cyber insurance carrier to let them know we've had an incident,” Kim said.

“No,” Kofi interrupted. “We don't have enough evidence yet to know that there has been a breach. We aren't required to notify unless there is a breach. And the legal definition of a breach is when data is lost. We aren't required to notify anyone yet.”

“We know there's been an incident,” Dylan said.

“We don't know if anything was stolen,” Kofi countered. This was true, but it still bothered Dylan.

“We'll examine the PC that was in view of the drone,” Dylan said. “If there was any data exfiltrated, it would have had to pass through there. If there was any data on that device, I think we'd have to assume that it was compromised. Same with any other system. We have to assume accounts on those devices were compromised as well.”

“How long do we wait?” Kim asked. “What if that analysis takes a month? Or more?”

“That would be a nightmare,” April said.

“Every step matters,” said a voice from the back of the room. It was Olivia. She had somehow managed to walk in when Dylan wasn't looking. She was standing up now. “Kofi, our response should take that into account. We do right by our customers because it matters.” Kofi sat back in his chair and nodded. He might not have liked it, but Olivia did still have a large ownership stake in the company.

“If we had an incident and we didn't notify our carrier,” Kim calmly explained, “then that could be grounds enough for them to deny a claim against our cyber insurance. Especially if it looks like we didn't have adequate controls in place.”

The group continued to discuss the incident response process for several more hours until they reached the end of the scenario. Vic was the first to speak. “Thank you, Chris, Dylan, Noor, and the Project Zero Trust team. This was certainly eye-opening and I think we all learned a tremendous amount today. Now I totally expect that you'll make sure this scenario never plays out again in real life.” Nigel hooted at this, and the group broke into applause. Harmony and Rose high-fived as the meeting started to break up and the attendees started to leave.

Dylan stood up and announced, “For the folks invited to the hotwash, let's regroup in five. For the folks going to the afterparty, don't start without us!”

Agent Smecker walked to Dylan and firmly shook his hand. “I just wanted to say, that was a real firefight.” Dylan stared as the FBI agent then slipped out the door and made his way down the stairs.

Kofi patted Dylan on the back and took his hand. “Dylan, we've got an opening for our monthly poker tournament. You play?”

“Um, yeah. Yes, I've played a hand or two.”

“Good. We play Texas hold 'em.”

Dylan walked with Kofi to the door. As he came back, Kim was walking back in with a cup of coffee. Noor had taken her jacket off and was discussing something quietly with Rose and Boris. Chris was sitting on the desk scrolling through his phone. Peter was still on the video wall looking offscreen as though he were looking at a second monitor.

“So why do we call this thing a hotwash?” Boris asked.

“It comes from the military,” Kim said. “When I was in the Army, we'd sometimes use really hot water to rinse our weapons to remove the grit and larger particles. This made it easier to clean up later. A lot of folks from the military end up in emergency management and security, so the term stuck. It's just a debrief meeting, but we want to hang on to all the important lessons learned while they're still fresh in our memory.”

“Thanks for staying a bit late today,” Dylan said. “Our goal will be to capture any action items and prioritize issues. We should track and report the issues we found. We still need to report on value back to the business.”

“We also should debrief what went right so we can duplicate our successes,” Noor added.

“I'm going to get PTSD every time I hear someone announce what time it is from now on,” Boris said.

“You all did a terrific job,” Peter said. “You might not have gotten a sense of how challenging it was to move through the network because you only saw when I successfully got into a system, but I'm not kidding when I say it was a real challenge to get around inside the network.”

“You made it look easy,” Boris said.

“Keep in mind that this exercise took months of planning,” Chris said. “Peter had full access to find weaknesses and knew your environment from the ransomware incident. Also, the SOC was able to detect a lot of his activity very quickly after it happened.”

“What are some things that we could have done better?” Noor asked.

“I recommend that you consider using a memory-safe IoT programming language like Rust,” Peter said. “IoT devices typically don't have a lot of horsepower, so they're very susceptible to buffer overflows, for example. From the other penetration testers that I've talked to, this has had a huge impact for their other clients. It's almost eliminated all the most common ways we exploit IoT devices.”

“Excellent suggestion,” Boris said. “We've already programmed the new 360Tread in Rust, but we will definitely prioritize migrating the TreadMarch platform to Rust.”

“I also noticed that a lot of the IoT devices were all open to one another. I didn't have time to pursue it, but I saw there were some printers that were reachable,” Peter said.

“Why is that a big deal?” Kim asked, taking another drink from her coffee.

“Some printers have hard drives built in and store all the files that were printed or scanned by those devices,” Peter explained. “Those should be locked down. It was out of scope for this engagement, but you should also look at your equipment recycling program to make sure you're wiping devices before they leave your control.”

“Zero Trust computer recycling. I like it,” Dylan said.

“I also noticed that after I owned the update server, there were several servers that I could have forced to downgrade their security to a vulnerable protocol,” Peter said. “This is common where organizations are concerned about backward compatibility, but I'd recommend not allowing downgrade.”

“How do we do that?” Kim asked.

“I'd recommend disabling support for SSL 3.0,” Peter said. “Also, don't allow anything prior to TLS 1.2.”

“That sounds easy,” Kim said.

“We had a project to get rid of TLS 1.1 a couple years ago, but it keeps popping back up as an issue,” Noor said. “We'll get on top of that; that seems like a pretty high priority.”

“I also noticed that there were some vulnerable libraries on the servers I was able to connect to,” Peter said. “I decided not to go that direction in the interest of time since the vulnerability scanner being open was a more surefire route. But you should definitely be able to quickly identify open source software dependencies in your environment.”

“What do we do about the vulnerability scanning server?” Dylan asked.

“Segmentation isn't really a great option for scanners since they need to be able to talk to everything,” Peter said. “When you're using credentialed scans, you don't need all those ports open, so you can just lock them down. But if you're doing uncredentialed scans, only keep those firewall rules open when you're running the scan and remove them when you're done. Or set those rules to only apply during a specific schedule during the week.”

“What's a credentialed scan?” Kim asked.

“There are two ways of scanning,” Chris explained. “You can scan for open ports from the outside, like looking for open windows or doors to a house. This can help simulate what a cybercriminal would see, but there can be a lot of false positives. A credentialed scan means we have the keys to the house and can go inside to make sure the house is locked up tight.”

“What about the request to build a treadmill dashboard from Vic in the beginning?” Dylan asked.

“I think that's an interesting idea,” Boris said. “We will add it to our roadmap, but as far as priorities go it's lower on our list than some of the code improvements we've talked about.”

“Was the drone thing at the end real?” Kim asked.

“Yes. We have seen some clever exfiltration techniques over the years,” Peter said. “Just taking over the flashing LED on a computer can be used to download data at about 4Kbps. The drone needs to be less than one hundred feet from the LED.”

“So we need to install curtains?” Dylan asked.

Peter laughed. “We included the drone to get you thinking about all the alternative ways that data can leave. I saw a demo once where a researcher used the memory bus of a computer as an antenna by amplifying the transmission of data between the motherboard and memory. This was effective at about 1Kbps at over one hundred feet. But a threat actor can always just plant a burner cell phone inside the building to exfiltrate data.”

Dylan and Rose walked down the stairs to the basement. They walked under the banner that read “Abandon All Trusts, Ye Who Enter.” Harmony, Rose, Isabelle, Noor, and Olivia were all seated around the table in front of the projector. Olivia and Harmony were sitting together on the green couch. Brent was in the corner making popcorn in a real live popcorn maker. Nigel bagged the popcorn and began handing it out.

Harmony had placed several additional large monitors around the center projection screen. They were all paused on different news videos from different networks. They were all covering the arrest of 3nc0r3.

As Dylan and Noor entered, Harmony pressed play and all of the streams started playing simultaneously, but only the audio from the main projection screen played.

A man in a suit came on the screen holding a microphone outside the café where Rose had been the day before. He held his finger to his earpiece and nodded before he began speaking. “This is Brian Fantana coming to you live from the scene where authorities have arrested twenty-nine-year-old Richard Greyson, who they believe to be the cybercriminal Encore.”

The screen shifted from the live view of the reporter to some recorded footage as the reporter continued narrating. They showed a man with a jacket over his head being led into the back of a police car. “The FBI had set up a sting for the self-described hacker and were able to trace payments made during the sting to Greyson's bitcoin wallet. Greyson faces felony cybercrime charges in at least three countries.”

The screen shifted to the exterior of the MarchFit headquarters building, focusing on the logo of the building as the reporter continued. “MarchFit confirms that Richard Greyson had actually applied to work for the company several years ago but was turned down for the job. The company declined to comment further.”

The video shifted back to a view of the reporter outside the café where Agent Smecker was standing behind an impromptu lectern where several microphones had been put in place. Just at the very edge of the screen, Rose was standing, arms folded, still looking at where Greyson was locked in the police cruiser. “The FBI would like to thank all of the agencies that came together to make this arrest possible,” Smecker said. “But most of all, we'd like to thank MarchFit for their cooperation. The Bureau relies on information from the community to help stop cybercriminals wherever they are.”

The video changed again to the exterior of the police cruiser as it was pulling away from the café with Greyson inside. The jacket covering his face had fallen away, revealing a thin man with a thick mop of curly hair. The window to the cruiser was down, and as he was being led away, Mr. Greyson could be heard saying, “I can't believe I trusted her.” He said it in perfect English.

“Wait,” Harmony said. “When he Zoom-bombed us, he was faking a European accent to throw us off?”

The news anchor came back on the screen and wondered aloud, “Who is this mysterious woman? We may never know.”

The Project Zero Trust team knew. They cheered, “Rose! Rose! Rose!”

Key Takeaways

Like most things in cybersecurity, the model for how to conduct a successful tabletop exercise can be found in a NIST Standard. For tabletop exercises, the NIST Special Publication is 800-84. This standard defines a number of key considerations when building your own tabletop exercises. To start, you'll need to define the objectives of the exercise before you start building the scenario. You'll also want to take into account the audience for the exercise to ensure that the right people are in the room to accomplish your goals. The Master Scenario Events List (MSEL) will be the guide the moderator uses to keep the tabletop exercise on track. A sample MSEL is included as Appendix C.

Tabletop exercises are critical to any good security program. Just like every commercial building in the country is required to conduct a fire drill, businesses should regularly test their incident response plans in a simulated fashion. This helps every team member who may be involved in a real incident to understand what their role is on the team and gives them a safe way to practice. Conducting a tabletop also helps improve the incident response plan by evaluating whether the plan would be effective in different scenarios and whether employees will be able to follow the plan.

There are a number of different ways to conduct a tabletop exercise. In its most basic form, team members from across the organization can be in the room to discuss an organization's response to a breach scenario. Usually a moderator walks the team through a timeline of events, and the group will discuss their collective responses to various moves and injects. In this case, MarchFit decided to perform a more complex type of tabletop, known as a live-fire drill. A live-fire exercise will involve penetration testers performing their own activity in coordination with the moderator.

Typically, tabletop exercises will involve leaders from throughout the business alongside technology professionals. This can help business leaders understand some of the challenges that the organization faces and will help build connections between different departments. Communication during an event is critical, so having trust relationships already created during these exercises is very helpful. Some more technical exercises can include only IT staff. A more technical exercise can help break down barriers inside the IT team by helping everyone see the big picture of what happens during an incident response, the different roles people need to play, and what the proper procedures are.

Tabletop exercises are a big part of the Zero Trust design methodology step: monitor and maintain. A tabletop exercise can help make IT teams more efficient during a real event. Sometimes teams will discover that they aren't receiving the right logs or that the technology environment has changed. Tabletop exercises can help test your controls as well, and can help identify when the SOC isn't getting the data they need to be able to respond effectively. The more effective an IT team is, the faster a breach is contained and the less time recovery takes.

Even though MarchFit had nearly completed the initial phase of their Zero Trust journey when they conducted their tabletop exercise, there were still ways for a threat actor to get access to their systems. The first method that the penetration tester used to get into the MarchFit network was to exploit the trust relationship that the company had with their own treadmills. The treadmills are an example of an Internet of Things (IoT) device, and cybercriminals will commonly compromise these types of devices because they don't have all of the protections that other devices may have. Once the tester took over a treadmill, they got access to an internal update server in the MarchFit network and were able to move laterally from there.

The other trust relationship that the penetration tester chose to exploit was in the security team's tools. Many organizations use vulnerability scanners to identify devices that are vulnerable to attack. There are two types of scans that these devices will run. The first is a port scan for each target that is used to probe what applications might be installed on a device, to fingerprint what operating system is running, and to determine if those match any known vulnerabilities. The other type of scan, a credentialed scan, uses real usernames and passwords to log in to a device to directly check what software is running. The credentialed scan yields much more accurate results, but many organizations will open holes in firewalls for these scanners to talk to everything in the network no matter what kind of scan is being run. In effect, this means that a vulnerability scanning server is highly trusted, which makes it an attractive target for attack.
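To make the scanner trust problem concrete, here is an added nftables fragment (constructed for this chapter, not from the book or from any vendor's documentation) that places the "allow the scanner everywhere" rule beside the narrower alternatives Peter describes: credentialed scans get only the login ports they actually use, and the broad rule for uncredentialed port scans applies only during a scheduled window. The scanner address 10.0.5.10, the ports 22/445/5985, and the weekend maintenance window are all assumptions.

```nftables
# Constructed example: 10.0.5.10 is an assumed vulnerability scanner address.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept

        # Weak setting: the scanner is trusted on every port, all the time.
        # Whoever controls the scanner can reach everything behind this rule.
        # ip saddr 10.0.5.10 accept

        # Credentialed scans only need the ports the scanner logs in on
        # (assumed here: SSH, SMB, WinRM). Nothing else is opened for it.
        ip saddr 10.0.5.10 tcp dport { 22, 445, 5985 } accept

        # Uncredentialed port scans need broad access, so grant it only
        # inside the scheduled scan window (assumed: weekend early hours).
        ip saddr 10.0.5.10 meta day { "Saturday", "Sunday" } meta hour "02:00"-"06:00" accept
    }
}
```

Because the schedule lives in the firewall policy itself, a scanner that is compromised outside its window has no more reach than any other host on the network.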

In the exercise, there were also a number of events that didn't have anything to do with the attack that the penetration tester was performing. We called these injects into the scenario red herrings. The term red herring comes from a story where a man distracted dogs chasing a rabbit with some strong-smelling fish. We often find ourselves receiving conflicting information during an incident. Experts call this phenomenon the fog of war. Our brains will naturally start to connect the dots to draw conclusions, but often we don't have all the information we need to create a clear picture. The best way to combat the fog of war is to communicate, ask questions, and be transparent, but most of all, don't stick with your conclusions when you receive new information.

This exercise reinforced the trust the business leaders put in the team. By practicing, we understand better what our roles should be and how we can best help. Conducting this exercise after their ransomware event gives the team a chance to show how much more prepared they are. This can also help leaders be better advocates for security initiatives since they'll have seen firsthand what it takes to respond to an event. And because these exercises are done in a safe environment, it's okay for people to make mistakes. We want to be able to learn from those mistakes in a controlled environment where there aren't any consequences rather than during a real event.

But don't just do tabletop exercises for executives or IT teams. Many additional departments in an organization can benefit from practicing what might happen for common events like ransomware, business email compromise, or phishing. These conversations can lead to potential improvements when they are combined with a Zero Trust implementation because we can look for potential opportunities to remove trust from digital systems.
