Extortion attempts rebuffed: As the exercise moved on, the blue team refused to pay a ransom after consulting with the authorities, legal teams, and crisis management experts. Instead of upping the ante by threatening to sabotage the water treatment algorithms or chemical pumps, potentially tainting the supply, the attackers decided to leak customer records online until the ransom was paid.

News of the ransomware attack leaks onto social media, along with some employee and customer data. Media outlets pick up the story, causing widespread panic fuelled by self-proclaimed “experts.”

In response, the Springfieldshire council leader holds a press conference demanding action and threatening to launch an investigation. The blue team decides to respond by using social media platforms and media outlets to put out statements reassuring the public that, although the water treatment firm is under cyberattack, their water supply remains safe.

The final stage of the exercise considered resolution and future mitigation. The blue team attempted to develop a plan to make sure that containment was both successful and complete, as well as considering steps to ensure long-term resilience against similar attacks.

Although their ransom demand was denied, the red team still managed to profit from their attack by enterprisingly shorting stock of the publicly traded Springfieldshire Water Treatment prior to the attack. In the scenario, Springfieldshire Water Treatment is the target of a takeover bid by a rival utility.
War games: The “Operation 999” exercise offered a cybersecurity tabletop simulation designed to allow participants to exercise incident response strategies. The tabletop exercise offered an immersive experience without featuring any hands-on keyboard work or analysis of technical data (such as exercise-specific log files, or similar).

The scenario was designed to hone cyber incident preparedness, through a similar mechanism to how war games train military forces during peacetime.

All involved in the two-hour exercise were (or at least appeared) highly engaged. Much of the discussion on the blue team involved identifying the critical assets key to keeping the utility up and running and delivering a minimal viable service, and liaising with stakeholders.

Speaking after the exercise, Semperis’ Rachman acknowledged that although a training exercise can’t fully prepare for the chaos of a real attack, it does allow defenders to develop better incident response plans.

“Both teams did brilliantly and were quite creative,” Rachman said. “However, I think the blue team’s assumption that they could get in touch with all their stakeholders when the attack struck, on Christmas Eve, was quite optimistic.”

The scenario presented in the exercise, though fictional, is far from implausible.

In October 2024, American Water, the largest US water and wastewater utility, detected unauthorised activity in its computer network, disrupting customer service and billing.
In the UK, Southern Water suffered a data breach initiated by the hacker group Black Basta, who gained access to the company’s server infrastructure and compromised a significant amount of personal data.

A survey commissioned by Semperis of 350 UK and US utility providers found that 62% were targeted in the past year, with 54% suffering permanent system damage. The vast majority (90%) of organisations activated cyber crisis plans last year, yet most suffered repeated disruption due to outdated playbooks, cross-team silos and tool sprawl.

During a keynote presentation on the history of ransomware at Infosecurity Europe, Mikko Hypponen, chief research officer at WithSecure, characterised ransomware attackers as relentless, arguing that the threat they pose presents a more challenging risk than fire, accident or natural disaster.

“Nobody’s trying to burn down your factory every day, every week, over and over again until they succeed,” Hypponen said. “However, these guys are trying to break into your network every day, every week, over and over and over again and, if they succeed, they will shut down your company just as well as a fire or a flood.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4006349/operation-999-ransomware-tabletop-tests-cyber-execs-response.html