• United States



by David Geer

Real-life examples test whether you are prepared for a cyberattack

Aug 26, 20167 mins
CybercrimeData and Information SecurityIT Skills

These tabletop exercises will update your response plan for live action.

checkmate chess
Credit: Thinkstock

Are you ready?

While 83 percent of respondents say cyberattacks are among the top three threats facing organizations, only 38 percent say they are prepared to experience one, according to ISACA’s 2015 Global Cybersecurity Status Report.

Incident response is still largely a human response. Multiply an outdated response plan by the many human errors that can innocently occur during response and you have a recipe for potentially cataclysmic results in the threat event aftermath.

Use the following tabletop exercises based on today’s most disconcerting threats to update your response plan for live action.

Scenario one: blockchain hack

Segment one: With the oversight of an internal blockchain security expert (Scott), the enterprise releases a technology product-service that relies on the use of blockchains and bitcoin. Early one Monday, in the midst of a heavy volume of activity and change including application maintenance, software innovations, and bug fixes on the service, news flies up the chain of command to the CEO that $300,000 in bitcoin has vanished.

Segment two: Log analysis shows that Scott’s secure shell keys accessed the affected server just before the transaction and that the user exited the server a few minutes after the theft was complete.

“This is not necessarily a nefarious act on the part of Scott, as he was part of the triage team and explains that he normally and frequently makes sure the server is functioning properly,” says Gopal Padinjaruveetil, Global Security Thought Leader at Capgemini.

Segment three: Someone soon deletes the same SSH keys. Scott says it wasn’t him, suggesting that the criminal hacker who stole the Bitcoins did it. Shortly thereafter Scott becomes unreachable, last stating that he had to leave due to a familial crisis. Going with the hacker theory, the enterprise rebuilds the server in the cloud with the help of a cloud provider. Just before the new server goes live, more Bitcoins go missing from this new infrastructure.

Segment four: The enterprise follows the bitcoin trail to an email account based in China. Meanwhile, the company finds malware on the new server almost immediately. The company tries again with another cloud provider, and more Bitcoins exit the company’s coffers.


Exercise participants could determine that the mock company should better vet an employee such as the blockchain security expert during the hiring process, especially when the company plans to give him so much responsibility, freedom and authority in an environment where security risks are heightened. They might wonder whether the company could have performed a more thorough risk analysis before entering this kind of business as a startup. Given the possibility of the expert’s criminal involvement, the mock company might have more precisely limited the priviledges of the expert while still enabling him to do his job. Perhaps monitoring and logging the blockchain expert’s activites more closely would have shown everything he did. Maybe the mock company should have immediately detained the expert.

–With suggestions from Gopal Padinjaruveetil, Global Security Thought Leader, Capgemini.

Scenario two: Spear phishing

Segment one: At a company with U.S., EU and Asian locations, the controller opens an email and link in an especially well-crafted spear phishing attack. Seemingly nothing happens. Cybersecurity detects nothing.

Segment two: One year later, the controller follows her semimonthly routine, wiring payroll sums in the millions across each of the global locations to allocate money for paychecks. Her medium is an encrypted spreadsheet containing routing numbers and transfer instructions. Later, one of the foreign offices calls into the U.S. headquarters alarmed that their funds never arrived. Nevertheless, the company’s U.S. account has debited the amounts.

Segment three: The wire went out with the routing numbers, account data, and confirmation contact information from the bank altered. Analysis proves fruitful in determining that upon compromising the controller’s computer, attackers then infected other machines, ultimately substituting genuine payroll documents with infected forgeries. Attackers leveraged complete control of payroll to monitor transfers and change the payroll spreadsheet data.

Segment four: Before the company can act further, ransomware encrypts the company’s most precious intellectual property data. Attorney, insurance, forensic and other investigation fees add to the company’s incurred costs. Due to the compounding distractions and heightened employee stress, company performance suffers.

“The post-mortem exercises should map out the business processes, the points of manual intervention, the use of encryption, and the multiple layers and steps of approvals involved,” says Yong-Gon Chon, board member at Sunera.


No matter who you are in the company, if in doubt, don’t open unproven emails and links no matter how tempting it may be. Check directly with the party the email appears to be coming from. This company needs better cybersecurity tools to detect phishing attacks and ransomware attacks when they happen so that it can stop these much sooner.

–With suggestions from Yong-Gon Chon, Board Member, Sunera.

Scenario three: extortion

Segment one: just before a large holiday sales event, an employee of an e-commerce company receives an email from a known insidious hacker collective stating that if they do not pay 1,000 Bitcoins, the hacker group will stage a coordinated attack on its e-commerce systems, bringing the site down just before the sale and keeping it down throughout. They also warn that the longer the organization delays payment, the higher the price will go, based on a preset schedule.

Segment two: since the employee received the email the night before and did not make the C-levels at the organization aware until 10 a.m. the next morning when he came into work, the company has already lost 14 hours. The leadership pulls up the company extortion policy. Based on the policy, they determine to not pay the money. Based on an investigation into the email and the organization apparently claiming credit, the firm concludes that the extortion and threat are probably real and not a scam.

Segment three: the company purchases anti-DDoS protection from an upstream provider and puts it in effect before the holiday sale weekend. This involves changing the Domain Name System records. The company puts information technology and security on alert.

Segment four: the hacker group launches a three-pronged DDoS attack empowered by a massive botnet of zombie machines including home PCs and various IoT devices. Simultaneous performance issues ensue with the company’s e-commerce site, the site’s popular mobile shopping app, and the enterprise’s third-party payment service provider, which have all come under fire from the hacker collective.

The upstream provider does not have the resources to fully scrub the data for both the site and app that it is protecting. Customers gather that something is amiss and begin jamming customer support with calls and emails. Since the company did not forewarn the third-party payment service, it did not have any additional protections and went down, leaving millions of customers hung up in online shopping carts that never completed their purchases.


Policies should state that emails conveying threats to the company should be immediately forwarded to the appropriate party. The company might have counted the costs of not having more anti-DDoS protection, even if they had to hire it from a second provider. The mock company should have notified its third-party payments provider and worked out plans for it to have anti-DDoS protection as well.

–With suggestions from Bryan Fite, Account CISO, BT Global Services.

MORE REAL-LIFE SITUATIONS: Verizon provides a behind the scenes look at data breaches