CISOs must rethink the tabletop, as 57% of incidents have never been rehearsed

Future-proof attack scenarios: As for the central problem of not knowing what kind of attacks to plan for, Avakian suggests using internal teams or partners to roleplay the most likely attack vectors. To save money, he encourages enterprises to partner with universities for imaginative threat planning and to work with vertical-specific ISACs.

Ivan Shefrin, executive director for managed services at Comcast Business, offers specific suggestions on the kinds of attacks where he would encourage exercises to focus. “Traditional training exercises tend to focus on familiar threats or perimeter attacks, but we’re seeing attackers constantly find new ways to breach corporate networks. Take low-effort, drive-by compromises. They require no user interaction beyond visiting a malicious site, bypassing awareness training entirely, which is why technical controls remain mission-critical,” Shefrin says.

“Then there are high-speed, short-burst DDoS attacks, which probe and test defenses without setting off alarms. We observed increased use of these attacks, with many lasting fewer than 10 seconds,” he adds. “We also noted a surge in carpet-bombing DDoS, where attackers spread traffic across multiple IP addresses or subnets simultaneously to complicate mitigation. Such attacks can evade defenses that focus on a single IP while overwhelming networks in aggregate.”

Brian Levine, a former federal prosecutor who today serves as the executive director of a directory of former government and military specialists called FormerGov, says CISOs need to get comfortable with the fact that these tabletops “are going to be more reactive than proactive because we can speculate what the next thing is going to be, but we might be wrong.”

Some specific advice from Levine is to not assume that the enterprise is always going to be the target. Roleplay scenarios where different global partners are attacked, he says. “Your options [with a partner being attacked] may be more limited, but you still have options.”

Levine also encourages CISOs to relax and not panic that they can’t test everything. “You’re not going to be able to test every scenario through a tabletop,” he says. “But by testing some, you will build muscle memory.”

See also:
Tabletop exercises explained: Definition, examples, and objectives
How to conduct a tabletop exercise
4 tabletop exercises every security team should run
Tabletop exercise scenarios: 3 real-world examples
6 tips for effective tabletop exercises
Security simulations: This is only a test
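The two evasion patterns Shefrin describes, sub-10-second bursts and carpet-bombing spread across a subnet, both defeat detectors that threshold on a single destination IP over a long window. The following is an added Python example, not code from the CSO article, from Comcast Business, or from any vendor product; the flow records, the per-IP and per-/24 thresholds, and the one-second window are all constructed for illustration. It shows why a per-IP rate alert stays silent during a constructed carpet-bombing burst while an aggregate per-prefix alert fires, and it measures how long each alerting run lasts, which is the figure a detector with a sustained-duration requirement would miss.

```python
"""Per-IP versus per-subnet DDoS thresholds over short windows.

Added example; flow data, thresholds and prefix length are constructed
(hypothetical) values, not measurements from the article.
"""
from collections import defaultdict
from ipaddress import ip_interface

# Constructed flow records: (epoch second, destination IP, packet count).
# Seconds 100-102 carry a constructed 3-second carpet-bombing burst:
# 20 hosts in 10.0.5.0/24 each receive 400 packets/s. No single host
# exceeds a typical per-IP threshold, but the /24 takes 8000 packets/s.
SAMPLE_FLOWS = [(t, "10.0.1.10", 50) for t in range(98, 106)]  # benign baseline
SAMPLE_FLOWS += [
    (t, f"10.0.5.{host}", 400)
    for t in range(100, 103)
    for host in range(1, 21)
]


def bucket(flows, key_fn, window=1):
    """Sum packets per (window start, key); key_fn maps a dst IP to a key."""
    counts = defaultdict(int)
    for ts, dst, packets in flows:
        counts[(ts // window * window, key_fn(dst))] += packets
    return counts


def per_ip_alerts(flows, threshold, window=1):
    """Classic per-destination-IP rate alert: fires only when one host
    alone exceeds the threshold (packets per second)."""
    counts = bucket(flows, lambda ip: ip, window)
    return {k for k, pkts in counts.items() if pkts / window > threshold}


def subnet_of(ip, prefix):
    """Map a host address to its enclosing prefix, e.g. 10.0.5.7 -> 10.0.5.0/24."""
    return str(ip_interface(f"{ip}/{prefix}").network)


def per_subnet_alerts(flows, threshold, prefix=24, window=1):
    """Aggregate alert: sums traffic to every host in a prefix before
    comparing, so traffic spread thinly across a /24 is still visible."""
    counts = bucket(flows, lambda ip: subnet_of(ip, prefix), window)
    return {k for k, pkts in counts.items() if pkts / window > threshold}


def burst_lengths(alerts, window=1):
    """Length in seconds of each run of consecutive alerting windows, per key.
    A detector that demands a sustained rate (say 30 s) never fires on
    runs this short, which is the short-burst evasion the article describes."""
    by_key = defaultdict(list)
    for start, key in alerts:
        by_key[key].append(start)
    lengths = {}
    for key, starts in by_key.items():
        starts.sort()
        runs, run = [], 1
        for prev, cur in zip(starts, starts[1:]):
            if cur - prev == window:
                run += 1
            else:
                runs.append(run * window)
                run = 1
        runs.append(run * window)
        lengths[key] = runs
    return lengths


if __name__ == "__main__":
    print("per-IP alerts  :", sorted(per_ip_alerts(SAMPLE_FLOWS, 1000)))
    subnet = per_subnet_alerts(SAMPLE_FLOWS, 5000)
    print("per-/24 alerts :", sorted(subnet))
    print("burst lengths  :", burst_lengths(subnet))
```

The design point is that the aggregation key and the window length are both detection decisions: keying on the prefix (or on the customer or link that the prefix belongs to) catches traffic that is spread across many hosts, and evaluating one-second windows rather than multi-minute averages keeps a three-second burst from being diluted to nothing. In a tabletop, the useful question is which of these two settings the team's current monitoring actually uses.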

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4071102/cisos-must-rethink-the-tabletop-as-57-of-incidents-have-never-been-rehearsed.html
