Appendix C
Sample Zero Trust Master Scenario Events List

The Master Scenario Events List (MSEL) comes from the NIST Special Publication 800-84 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. This standard details all of the aspects of creating, running, and debriefing after a tabletop exercise. The most important part of a tabletop will be the planning—identifying the audience, defining the objectives, and creating a realistic scenario will all help maximize the organization's cybersecurity potential by improving their security incident response plans, identifying potential weaknesses or gaps in controls, and preparing individuals for playing their respective roles during an incident.

  • The Master Scenario Events List is a timeline of the scripted events to be injected into exercise play by a moderator to generate participant activity based on the objectives identified by the organizers. This script ensures that necessary events happen to generate discussion of policies, procedures, and plans and to help identify weaknesses based on real-world conditions. The MSEL should be used to track participant responses to injects and deviations from expected behaviors and to help reinforce the learning points associated with those actions.
  • Objective 1—Can the team avoid a disruption to operations during an incident?
  • Objective 2—Can the team tell the difference between a real issue and a false positive?
  • Objective 3—Identify any gaps in technology controls, incident response procedures, resources, or training that could impact the organization if this were a real incident.

The list below is laid out as a table with four columns:
  • Inject: “Injects” are events within the scenario that prompt participants to implement the plans, policies, and/or procedures to be tested during the exercise. Each inject should be considered its own “event” within the timeline of the scenario.
  • Expected Outcome: Expected outcomes represent management/administration's desired responses or actions to the questions or messages proposed during the delivery of injects.
  • Learning Points: Learning points are the specific takeaways that participants will learn from the inject and discuss afterward.
  • Maximum (Minutes) for Each Message: It is necessary to limit the time for the discussion of each inject so that all injects can be addressed during the given exercise time frame.

Inject (8:35 a.m.): Several customers report to support services that their TreadMarch units appear to start, but only display a blue screen and will not connect to the network.
  Expected outcome:
    1. Follow/Initiate the incident response process with appropriate escalation.
    2. Investigate for further information.
  Learning points: Not all incidents are related to hacking.
  Maximum: 15 minutes

Inject (8:45 a.m.): Security operations center reports suspicious activity on several user accounts. Nothing outside what their accounts are allowed to do.
  Expected outcome:
    1. How is suspicious activity detected?
    2. How do you define suspicious activity?
    3. Review account permissions and recent activity.
  Learning points: Are staff trained to detect suspicious behavior? Is there enough information to correlate events?
  Maximum: 15 minutes

Inject (9:00 a.m.): Call center reports that call volume is higher than normal for a weekday.
  Expected outcome:
    1. Will the team be distracted by the lack of information and jump to the conclusion that a problem is more widespread than it actually is?
  Learning points: Does the organization have operational monitoring of treadmills, operational status, firmware versions, etc. to evaluate trends?
  Maximum: 10 minutes

Inject (9:30 a.m.): Technician reinstalls firmware on the malfunctioning treadmill. Reports that a security dongle has been missing for several days.
  Expected outcome:
    1. What is the appropriate reporting process for lost or stolen equipment?
    2. Does identity management allow for fast decommissioning of hardware tokens?
  Learning points: How will the incident response team receive communications from impacted teams in real time?
  Maximum: 10 minutes

Inject (10:07 a.m.): After reviewing account activity, a security team member who personally knew one of the users texted to see what they were doing. The user is on vacation.
  Expected outcome:
    1. Can the team communicate with impacted users?
    2. Does the organization have adequate monitoring to review activity logs?
  Learning points: Can the organization detect suspicious or anomalous user activity?
  Maximum: 15 minutes

Inject (10:15 a.m.): PR department indicates social media sources show there may be a protest about labor conditions outside headquarters.
  Expected outcome:
    1. Is there a public information plan in place, and has the team been trained?
  Learning points: Public messaging is an important part of major exercises, and PR personnel need to be in the communication path early on.
  Maximum: 10 minutes

Inject (10:29 a.m.): CIO is removed from the scenario due to unexpected circumstances.
  Expected outcome:
    1. Does the incident response plan account for personnel changes during the response phase?
  Learning points: A streamlined process should include a communications “warm handoff” for incident response leaders.
  Maximum: 10 minutes

Inject (11:01 a.m.): Logs show successful two-factor authentications for the user with suspicious activity. The user mistakenly clicked Approve.
  Expected outcome:
    1. Are users trained to report mistaken MFA approvals?
    2. When does an incident begin to impact business operations?
  Learning points: Mistakes should be something that you prepare for and learn from, not something that you avoid.
  Maximum: 15 minutes

Inject (11:12 a.m.): SOC detects port scanning activity originating from the treadmill firmware update server.
  Expected outcome:
    1. Are IoT networks trusted to talk to anything in the environment?
  Learning points: Many sophisticated attacks begin with or target IoT or OT networks.
  Maximum: 10 minutes

Inject (11:45 a.m.): Protesters gather outside the building to complain about the working conditions in one of the factories where the treadmills are being produced. Media is now onsite.
  Expected outcome:
    1. Is the organization prepared to publicly acknowledge a cyberattack? At what point in the incident response plan is this required?
    2. When is the organization required to notify customers or other partners?
  Learning points: Acknowledging and being transparent about an incident to protect the community is a better PR strategy than concealment.
  Maximum: 10 minutes

Inject (12:25 p.m.): In reviewing traffic logs, the network team sees successful connections from the update server to another server … the network vulnerability scanning server.
  Expected outcome:
    1. Are the necessary network logs available to capture lateral movement from server to server?
    2. How long are these logs maintained? Do they contain only metadata, or are they full packet captures that allow payloads to be viewed?
  Learning points: Would it have been possible to correlate suspicious activity in real time and proactively prevent this scenario from escalating?
  Maximum: 15 minutes

Inject (12:45 p.m.): Several staff members report seeing a drone flying close to the building.
  Expected outcome:
    1. Are sensitive areas visible from outside the building?
    2. What protective controls might be available for these areas?
  Learning points: Has the organization performed a physical security audit?
  Maximum: 10 minutes

Inject (1:05 p.m.): Logs show that the scanning server has been sending unknown traffic to nearly every server and client in the organization over the last several hours.
  Expected outcome:
    1. What trust relationships are created to facilitate known security activities?
    2. How can these permissions be limited?
  Learning points: Do security controls and policy apply equally to all departments in the organization? Or have exceptions been made, and are they well known and understood?
  Maximum: 15 minutes

Inject (Overnight): The incident response firm worked overnight and determined that malware carrying a data exfiltration tool had been installed.
  Expected outcome:
    1. How would the organization determine what data may have been stolen?
    2. Does the organization have a retainer with an incident response firm?
    3. When is the appropriate time to notify cyber risk insurers?
  Learning points: How does the organization define a breach, and when does data exfiltration necessitate victim notifications?
  Maximum: 15 minutes
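As an added example (not part of the book's appendix or of any exercise material), the following Python pass shows what "correlating suspicious activity in real time" looks like for the three network injects at 11:12 a.m., 12:25 p.m. and 1:05 p.m. Host names, host roles, the expected-peer policy and the flow records are all constructed assumptions for the fictional TreadMarch environment. The point it demonstrates is the one behind the 12:25 and 1:05 learning points: the vulnerability scanner reaching every host is expected behaviour for its role, so on its own it is an Objective 2 false positive, but it becomes a high-severity alert once the scanner has itself been contacted by a host already seen port scanning.

```python
"""Chain the network injects (port scan from the update server, update server
to scanner, scanner to every host) into one lateral-movement timeline.
Constructed example; hosts, roles, policy and flow records are assumptions."""
from collections import defaultdict
from datetime import datetime

# Assumed host roles for the exercise's fictional environment.
HOST_ROLES = {
    "fw-update-01": "firmware_update_server",
    "vuln-scan-01": "vulnerability_scanner",
    "treadmill-gw-01": "treadmill_gateway",
    "fileserver-01": "general_server",
    "ws-0142": "workstation",
    "ws-0143": "workstation",
}

# Roles each role is expected to initiate connections to. The scanner's "*"
# is the blanket exception the 1:05 p.m. learning point asks about.
EXPECTED_PEERS = {
    "firmware_update_server": {"treadmill_gateway"},
    "vulnerability_scanner": {"*"},
    "treadmill_gateway": {"firmware_update_server"},
    "general_server": set(),
    "workstation": {"general_server", "treadmill_gateway"},
}

# Constructed flow records: (timestamp, source host, destination host, port).
SAMPLE_FLOWS = [
    ("2024-05-06 09:00:05", "vuln-scan-01", "fileserver-01", 445),   # routine scan
    ("2024-05-06 09:00:06", "vuln-scan-01", "ws-0142", 445),
    ("2024-05-06 09:00:07", "vuln-scan-01", "ws-0143", 445),
    ("2024-05-06 11:00:12", "fw-update-01", "treadmill-gw-01", 443),  # normal traffic
    ("2024-05-06 11:12:03", "fw-update-01", "fileserver-01", 22),     # 11:12 inject
    ("2024-05-06 11:12:03", "fw-update-01", "fileserver-01", 80),
    ("2024-05-06 11:12:04", "fw-update-01", "fileserver-01", 445),
    ("2024-05-06 11:12:04", "fw-update-01", "fileserver-01", 3389),
    ("2024-05-06 11:12:05", "fw-update-01", "fileserver-01", 8080),
    ("2024-05-06 12:25:41", "fw-update-01", "vuln-scan-01", 22),      # 12:25 inject
    ("2024-05-06 13:05:10", "vuln-scan-01", "fileserver-01", 445),    # 1:05 inject
    ("2024-05-06 13:05:11", "vuln-scan-01", "ws-0142", 445),
    ("2024-05-06 13:05:12", "vuln-scan-01", "ws-0143", 445),
    ("2024-05-06 13:05:13", "vuln-scan-01", "treadmill-gw-01", 445),
]


def parse(record):
    ts, src, dst, port = record
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, port


def find_port_scans(flows, min_ports=5):
    """One source touching >= min_ports distinct ports on one host within a minute."""
    ports = defaultdict(set)
    for ts, src, dst, port in flows:
        ports[(src, dst, ts.replace(second=0))].add(port)
    return [{"kind": "port_scan", "time": minute, "host": src, "peer": dst,
             "detail": f"{len(p)} ports on {dst}"}
            for (src, dst, minute), p in ports.items() if len(p) >= min_ports]


def find_fan_out(flows, min_dests=3):
    """One source reaching >= min_dests distinct hosts within a minute."""
    dests = defaultdict(set)
    for ts, src, dst, _ in flows:
        dests[(src, ts.replace(second=0))].add(dst)
    return [{"kind": "fan_out", "time": minute, "host": src, "peer": None,
             "detail": f"{len(d)} destinations"}
            for (src, minute), d in dests.items() if len(d) >= min_dests]


def find_unexpected_peers(flows):
    """Connections a source's role is not expected to initiate (one per pair per minute)."""
    seen, findings = set(), []
    for ts, src, dst, port in flows:
        allowed = EXPECTED_PEERS[HOST_ROLES[src]]
        key = (src, dst, ts.replace(second=0))
        if "*" in allowed or HOST_ROLES[dst] in allowed or key in seen:
            continue
        seen.add(key)
        findings.append({"kind": "unexpected_peer", "time": ts, "host": src,
                         "peer": dst, "detail": f"{src} -> {dst}:{port}"})
    return findings


def correlate(records):
    """Walk findings in time order. A host contacted by an already-suspect host
    becomes suspect itself, and an exception role's scanning is only treated as
    routine while that host is still untainted."""
    flows = sorted(parse(r) for r in records)
    findings = sorted(find_port_scans(flows) + find_fan_out(flows)
                      + find_unexpected_peers(flows), key=lambda f: f["time"])
    tainted, alerts = {}, []   # host -> time it first became suspect
    for f in findings:
        host, when = f["host"], f["time"]
        suspect_before = host in tainted and tainted[host] < when
        exempt = "*" in EXPECTED_PEERS[HOST_ROLES[host]]
        if f["kind"] != "unexpected_peer" and exempt and not suspect_before:
            severity = "info"      # expected for this role: the false-positive case
        else:
            severity = "high" if suspect_before else "medium"
            tainted.setdefault(host, when)
            if f["peer"] and suspect_before:
                tainted.setdefault(f["peer"], when)   # taint follows the connection
        alerts.append({**f, "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_FLOWS):
        print(a["time"], a["severity"].upper(), a["kind"], a["host"], a["detail"])
```

Run as written, the 9:00 a.m. scanner sweep comes out as "info" while the 1:05 p.m. sweep from the same host comes out as "high", because the 12:25 p.m. connection from the already-suspect update server tainted the scanner in between. The same connection would pass a static allow-list that only asks "is this host permitted to scan?", which is why the 1:05 learning point asks whether exceptions for security tooling are known and understood.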