#RSAC
SESSION ID: LAB4-R04
Deep Impact: Explore the Wide-Reaching Impact of a Cyberattack
Daniel Soo
Principal
Deloitte & Touche LLP
Mary Galligan
Managing Director
Deloitte & Touche LLP
Cyber security needs are evolving
Business leaders are responsible for guiding response and recovery
from a risk perspective
Rehearsing builds threat awareness and creates “muscle memory” for
adaptive response
SECURE
Establish risk-prioritized controls
to protect against known and
emerging threats, and comply with
standards and regulations
VIGILANT
Establish situational risk and threat
awareness across the environment
to detect violations and anomalies
RESILIENT
Establish the ability to handle
critical incidents, quickly return to
normal operations, and repair
damage to the business
Organizations need to transform legacy IT security programs into cyber risk programs
Introduction to cyber wargaming
Cyber wargaming is an interactive technique that
immerses potential cyber-incident responders in
a simulated cyber scenario to help organizations evaluate
their cyber incident response preparedness
Cyber resilience
Cyber wargames drive improvements in cyber resilience, including:
Better identification of gaps in cyber incident
response people, processes, and tools
Broader consensus on the appropriate
strategies and activities to execute cyber
incident response
Stronger response capabilities aligned towards
mitigating the highest impact risks of a cyber
incident
Improved understanding of the people,
processes, data, and tools needed to respond
to a cyber incident
Tighter integration between parties likely to
be collectively involved in the response to a
cyber incident
Enhanced awareness of the downstream
impacts of cyber incident response decisions
and actions
Reduced time-to-response through the
development of cyber incident response
“muscle memory”
Improved clarity regarding ownership of
authority related to certain key cyber incident
response decisions
Session logistics
Today’s session will consist of three parts…
Pre-Brief: 10 minutes
Simulation: 90 minutes
Debrief: 20 minutes
Company profile
YouKnight Bank (YKB)
The 6th largest diversified financial services company in the
United States, primarily operating in four core segments –
retail banking, corporate and institutional banking, asset
management, and residential mortgage banking.
Locations: 2,704
Employees: 50,492
Headquarters: New York City, NY
Founded: April 2, 1923
Company profile (cont’d)
Technology environment
Employees perform daily computing with traditional desktops and
laptops
Cloud computing has not been widely deployed – plans for the
capability have been proposed
Marketing and supply chain systems are managed by third parties
Transaction monitoring and the IT customer service help desk
have been outsourced to India
Participant roles
Players will assume the following roles within YouKnight Bank:
Chief Executive Officer
Chief Financial Officer
Chief Operating Officer
Chief Information Officer
General Counsel
Head of Communications & Public
Relations
Chief Risk Officer
Chief Security Officer
Chief Customer Experience Officer
Objectives
Understand the role of executive leadership in cyber incident
response
Identify the types of information, tools, and capabilities
needed to effectively support cyber incident response
Explore the interaction model for third parties (e.g., law
enforcement, regulators)
How to play
Review injects.
Review inject content in its entirety
Determine actions you will take and / or decisions you will make
Make decisions.
Describe your thought process, including your assumptions, out loud
Articulate how the decision will be executed
Consult others.
Engage directly with other players
Inform the facilitator if you want to speak to a non-player
Leading practices
1. Act decisively – have a clear, ongoing decision-making process
2. Focus on the emerging crisis over the symptoms of the incident
3. Prioritize decision-making based on impact
We are about to begin…
[ YKB Commercial ]
It is now 9:15 AM on April 19th
[ Incoming Ransom Video ]
[ Hackme Video ]
10 hours until 8:00 PM deadline
2 hours until 8:00 PM deadline
It is now 8:00 PM on April 19th
Moving forward to the next morning…
It is now 9:00 AM on April 20th
[ Boardroom Video ]
From: Rice, Tyler (Director, Enterprise Applications)
To: Chief Operations Officer
Subject: URGENT: XChange offline
Date: Thurs 04/20/2017 8:15AM
This message was sent with High importance.

Heads up – XChange has now been offline for 2 hours. Until it comes back up, interbank transaction clearing and settlement
will not be functional across the bank.
We have all hands on deck investigating the cause, but haven’t found anything yet. Per our continuity plan, the incident
response team has been invoked; but it’s really not clear what we should be doing. Like many of our other systems, XChange
appears to be operating within parameters – except that it’s not working…
As you know, XChange is a Tier-1 application and we need it to complete our end-of-day transactions. But, given how
everything looks, I am looking for your input on how to proceed. Should we:
• Continue our investigations and hope that we find the cause of the outage and a solution; or
• Initiate disaster recovery right away. If we go down this path, we should be back online in 36 hours, but most critical
systems would be offline until then (we have to fail over everything at the same time, we can’t do it in pieces).
Also, as you know, we haven’t been able to renew our incident response retainer due to the vendor’s push for indemnification.
Still, we need more skilled resources to perform detailed technical investigation... Can we push through ASAP?
Tyler
Moving forward 1 hour…
It is now 10:00 AM on April 20th
[ Defaced YouKnight.com home page ]
Lose more than just your interest payments when you accept a loan from YouKnight…
YouKnight Bank bet on your American Dream and won. They profited billions
on the subprime mortgages they sold to their NINJA customers, and what
did you get? You got EVICTED.
We gave you a chance, you didn’t take it. Now you’ve been served. Repent or more will come.
#Hackme
Get a loan, lose a house!
MORAL FAILURE
Moving forward 2 hours…
It is now 12:00 PM on April 20th
[ News Video ]
[ Revolving Logo ]
Moving forward 6 hours…
It is now 6:00 PM on April 20th
From: Physical Security
To: All Personnel
Subject: URGENT: Location closed due to water main breakage
Date: Thurs 04/20/2017 5:30PM
This message was sent with High importance.

Valued employee,
At approximately 5:00 p.m. today, there was a water main break near your location. Because the water main break is so close
to power gridlines, access to your location will be prohibited until further notice.
We will provide further instructions when access to the building is reinstated.
Thank you for your patience and cooperation.
- Physical Security
Moving forward to the next day…
It is now 11:00 AM on April 21st
[ YouKnight Bank social media page ]
450,916 people have been here
351,102 people subscribed to this
What are you saving up for? A new car? A summer vacation? Stop by today to learn
how you could be earning more on your savings! #moneyinthebank #savingisgaining
20 hrs Edited
+357,937 votes
79,526 Reshares
57,821 people commented
Roberta Landry How can you provide tips when your employees don’t
even bother to show up and you can’t open your stores? #YouNotThere
+21 votes Comments 19,203 1 hrs
Dave Hestle I’m saving for a new house since they took mine!
You’re better off not being able to get in… #YouKnightYouNever
[ CHATNHOLLER feed: #YouNotYouKnighted ]
1642 new hollers
Katie Lane @musicmantra_KL89 • 8m
Glad you decided to give yourself a “holiday,” but I cant afford a vacation cuz you still haven’t processed
the check I deposited DAYS ago! @YouKnight, get back to work! #YouNotYouKnighted #YouClosed
James Arden @Arden_James • 29m
Hey, @YouKnight whether you cash my paychecks or not, I still have to pay rent. Waive the fee for
overdrawing on my account or I’m taking my money elsewhere! #YouPay #YouNotYouKnighted
Ben Lee @bikerben003 • 42m
OMG some guy is going irate at YouKnight Bank right now – only one lady working the front desk and a
line almost out the door. Guy’s at the back obvi. #YouLast #YouWait #YouMad #YouNotYouKnighted
Jeremy Jones MD @DrJeremyJones • 55m
Technology outage, crashing applications, website defacement… You about to go knight knight forever if
you don’t get your ducks in a row. #YouFailing #YouNotYouKnighted #ClosingTime
Whitney Swift @Witty_Whitney82 • 1h
If you can’t keep your site safe, why should I believe you can keep my money safe!? These days, if the
hackers aren’t stealing from you, the banks are. #KnightInTinfoil #YouNoHero #YouNotYouKnighted
Jacob Andrews @J_Andrew92 • 2h
@YouKnight - I understand that you may be experiencing “technical difficulties” but there is no excuse
for treating your customers poorly #YouRude #YouNotYouKnighted #PoorCustomerService
Moving forward 2 hours…
It is now 1:00 PM on April 21st
[ Voicemail ]
Doug Dominose
New York City, New York
April 21, 2017 at 1:00 PM
“This is Special Agent Doug Dominose
with the FBI. I’m headed to YouKnight
headquarters now - should arrive within
the hour. Can you see to it that
someone is available to meet with me?”
Moving forward 3 hours…
It is now 4:00 PM on April 21st
From: Sumner, Kevin (Federal Reserve Bank)
To: Chief Financial Officer
Subject: URGENT: Outage & Interbank Impact
Date: Fri 04/21/2017 4:00PM
This message was sent with High importance.

As you are likely aware, the media is reporting that YouKnight Bank has experienced a widespread technology outage rendering
it unable to accurately and securely perform transactional duties within the interbank network. Due to the far-reaching
implications of the outage on members of the financial community, we will be monitoring the situation and conducting an
investigation to determine if certain penalties may apply.
Please provide any input you feel will be valuable to our discovery efforts. I’ll be available at +1 (212) 555-3464 if you
would like to speak by phone.
Thanks,
Kevin Sumner
Senior Bank Examiner - Federal Reserve Bank
The wargame has ended.
[ Debrief Video ]
Cyber wargaming lessons learned
1. Cyber events have an accelerated rate of escalation and unfold more ambiguously than traditional crises
2. Impacts resulting from actions and decisions during cyber incident response, even at a low level, are greater and broader than those of a traditional incident
3. The scope of incident responders expands well beyond technology during cyber incident response
Cyber Incident Response Success
Simulate the Event: Simulate realistic incidents regularly. By exercising the plan, organizations can build “muscle memory” and respond more effectively and consistently.
Supported by Technology: Organizations should embrace technologies that enable operational resiliency and proactive detection and response capabilities.
The Plan: Simple, flexible and distributed plans provide guidance to responsible parties throughout the organization. Understand where external help is needed and have contracts and capabilities in place beforehand.
Legal, Risk, & Compliance: Determining legal, regulatory, and compliance issues in the midst of a crisis is a bad place to be. Prepare ahead and incorporate these considerations into the CIR plan.
Executive Management: Educate executives on crisis communication plans and their associated responsibilities. Setting tone at the top of organizational hierarchies has cascading impacts.
Cyber Education: Prevent your plans from becoming “shelf ware” by training your CIR team periodically.
Cyber Response Team: Carefully select CIR team members and confirm they have the requisite skills and experience to perform responsibilities outlined in the plan.
Operations: Involve business operations in cyber incident response planning so that mission critical processes and systems are available when crises occur.
Designing an effective cyber wargame
RELEVANCE TO THE BUSINESS
Effective cyber wargame exercises are built from the ground up to reflect an organization’s specific business context, organizational structure, operating procedures, systems, data, etc.
Exercises should be designed so that outcomes will impact how the business will make decisions moving forward.
REALISM FOR THE PLAYERS
Effective cyber wargame exercises leverage a carefully selected combination of high-fidelity injects designed to mimic the real world.
Injects are revealed based upon player actions and decisions, typically via:
Paper content
Live phone calls
Pre-recorded video
Pre-recorded audio
Briefed actors
The Facilitator
Players will respond more realistically to realistic injects – leading to improved identification of strengths and weaknesses.
READINESS TO EMBRACE CHALLENGES
Effective cyber wargame exercises involve participants that are excited to embrace cyber challenges and ready to remediate identified weaknesses. Common outcomes include the need to improve capabilities related to:
IS risk assessment
Cyber incident response
Core security services
Threat Intelligence
Technical resilience
Cyber forensics
User ID management
Business engagement
[ Diagram labels: Delivery, Scenario, Audience, Objectives, Debrief, Business context, Report ]
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 

Recently uploaded (20)

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 

Deep Impact: Explore the Wide-Reaching Impact of a Cyberattack

  • 1. Deep Impact: Explore the Wide-Reaching Impact of a Cyberattack. Session ID: LAB4-R04. #RSAC. Daniel Soo, Principal, Deloitte & Touche LLP; Mary Galligan, Managing Director, Deloitte & Touche LLP.
  • 2. Cyber security needs are evolving. Business leaders are responsible for guiding response and recovery from a risk perspective. Rehearsing builds threat awareness and creates “muscle memory” for adaptive response. SECURE: Establish risk-prioritized controls to protect against known and emerging threats, and comply with standards and regulations. VIGILANT: Establish situational risk and threat awareness across the environment to detect violations and anomalies. RESILIENT: Establish the ability to handle critical incidents, quickly return to normal operations, and repair damage to the business. Organizations need to transform legacy IT security programs into cyber risk programs.
  • 3. Introduction to cyber wargaming. Cyber wargaming is an interactive technique that immerses potential cyber-incident responders in a simulated cyber scenario to help organizations evaluate their cyber incident response preparedness.
  • 4. Cyber resilience. Cyber wargames drive improvements in cyber resilience, including: better identification of gaps in cyber incident response people, processes, and tools; broader consensus on the appropriate strategies and activities to execute cyber incident response; stronger response capabilities aligned towards mitigating the highest impact risks of a cyber incident; improved understanding of the people, processes, data, and tools needed to respond to a cyber incident; tighter integration between parties likely to be collectively involved in the response to a cyber incident; enhanced awareness of the downstream impacts of cyber incident response decisions and actions; reduced time-to-response through the development of cyber incident response “muscle memory”; improved clarity regarding ownership of authority related to certain key cyber incident response decisions.
  • 5. Session logistics. Today’s session will consist of three parts: Pre-Brief (10 minutes), Simulation (90 minutes), Debrief (20 minutes).
  • 6. Company profile: YouKnight Bank (YKB). The 6th largest diversified financial services company in the United States, primarily operating in four core segments – retail banking, corporate and institutional banking, asset management, and residential mortgage banking. Locations: 2,704. Employees: 50,492. Headquarters: New York City, NY. Founded: April 2, 1923.
  • 7. Company profile (cont’d): Technology environment. Employees perform daily computing with traditional desktops and laptops. Cloud computing has not been widely deployed – plans for the capability have been proposed. Marketing and supply chain systems are managed by third parties. Transaction monitoring and the IT customer service help desk have been outsourced to India.
  • 8. Participant roles. Players will assume the following roles within YouKnight Bank: Chief Executive Officer; Chief Financial Officer; Chief Operating Officer; Chief Information Officer; General Counsel; Head of Communications & Public Relations; Chief Risk Officer; Chief Security Officer; Chief Customer Experience Officer.
  • 9. Objectives. Understand the role of executive leadership in cyber incident response. Identify the types of information, tools, and capabilities needed to effectively support cyber incident response. Explore the interaction model for third parties (e.g., law enforcement, regulators).
  • 10. How to play. Review injects: review inject content in its entirety; determine actions you will take and / or decisions you will make. Make decisions: describe your thought process, including your assumptions, out loud; articulate how the decision will be executed. Consult others: engage directly with other players; inform the facilitator if you want to speak to a non-player.
  • 11. Leading practices. (1) Act decisively – have a clear, ongoing decision-making process. (2) Focus on the emerging crisis over the symptoms of the incident. (3) Prioritize decision-making based on impact.
  • 12. We are about to begin…
  • 14. It is now 9:15 AM on April 19th
  • 15. [ Incoming Ransom Video ]
  • 17. 10 hours until 8:00 PM deadline
  • 18. 2 hours until 8:00 PM deadline
  • 19. It is now 8:00 PM on April 19th
  • 20. Moving forward to the next morning… It is now 9:00 AM on April 20th
  • 22. [ Email, sent with High importance ] From: Rice, Tyler (Director, Enterprise Applications). To: Chief Operations Officer. Subject: URGENT: XChange offline. Inbox listing: Diana Carter, “Lunch today?”, Thurs 04/20/2017 7:45AM, 1K; Tyler Rice, “URGENT: FastFill offline”, Thurs 04/20/2017 8:15AM, 2K. Message: “Heads up – XChange has now been offline for 2 hours. Until it comes back up, interbank transaction clearing and settlement will not be functional across the bank. We have all hands on deck investigating the cause, but haven’t found anything yet. Per our continuity plan, the incident response team has been invoked; but it’s really not clear what we should be doing. Like many of our other systems, XChange appears to be operating within parameters – except that it’s not working… As you know, XChange is a Tier-1 application and we need it to complete our end-of-day transactions. But, given how everything looks, I am looking for your input on how to proceed. Should we: (a) Continue our investigations and hope that we find the cause of the outage and a solution; or (b) Initiate disaster recovery right away. If we go down this path, we should be back online in 36 hours, but most critical systems would be offline until then (we have to fail over everything at the same time, we can’t do it in pieces). Also, as you know, we haven’t been able to renew our incident response retainer due to the vendor’s push for indemnification. Still, we need more skilled resources to perform detailed technical investigation... Can we push through ASAP? Tyler”
  • 23. Moving forward 1 hour… It is now 10:00 AM on April 20th
  • 24. [ Defaced YouKnight Bank home page, YouKnight.com/ ] “Lose more than just your interest payments when you accept a loan from YouKnight… YouKnight Bank bet on your American Dream and won. They profited billions on the subprime mortgages they sold to their NINJA customers, and what did you get? You got EVICTED.” “We gave you a chance, you didn’t take it. Now you’ve been served. Repent or more will come.” “#Hackme” “Get a loan, lose a house!” “MORAL FAILURE”
  • 25. Moving forward 2 hours… It is now 12:00 PM on April 20th
  • 28. Moving forward 6 hours… It is now 6:00 PM on April 20th
  • 29. [ Email, sent with High importance ] From: Physical Security. To: All Personnel. Subject: URGENT: Location closed due to water main breakage. Inbox listing: Public Relations, “Marketing campaign update”, Thurs 04/20/2017 8:15AM, 3K; Physical Security, “URGENT: Location closed due to water main breakage”, Thurs 04/20/2017 5:30PM, 2K. Message: “Valued employee, At approximately 5:00 p.m. today, there was a water main break near your location. Because the water main break is so close to power gridlines, access to your location will be prohibited until further notice. We will provide further instructions when access to the building is reinstated. Thank you for your patience and cooperation. - Physical Security”
  • 30. Moving forward to the next day… It is now 11:00 AM on April 21st
  • 31. [ YouKnight Bank social media page ] 450,916 people have been here. 57,821 people commented. 351,102 people subscribed to this. YouKnight Bank post (20 hrs, Edited): “What are you saving up for? A new car? A summer vacation? Stop by today to learn how you could be earning more on your savings! #moneyinthebank #savingisgaining” +357,937 votes. 79,526 Reshares. Roberta Landry: “How can you provide tips when your employees don’t even bother to show up and you can’t open your stores? #YouNotThere” +21 votes. Comments: 19,203. 1 hrs. Dave Hestle: “I’m saving for a new house since they took mine! You’re better off not being able to get in… #YouKnightYouNever”
  • 32. [ CHATNHOLLER search: #YouNotYouKnighted ] 1642 new hollers. Katie Lane @musicmantra_KL89 • 8m: “Glad you decided to give yourself a “holiday,” but I cant afford a vacation cuz you still haven’t processed the check I deposited DAYS ago! @YouKnight, get back to work! #YouNotYouKnighted #YouClosed” James Arden @Arden_James • 29m: “Hey, @YouKnight whether you cash my paychecks or not, I still have to pay rent. Waive the fee for overdrawing on my account or I’m taking my money elsewhere! #YouPay #YouNotYouKnighted” Ben Lee @bikerben003 • 42m: “OMG some guy is going irate at YouKnight Bank right now – only one lady working the front desk and a line almost out the door. Guy’s at the back obvi. #YouLast #YouWait #YouMad #YouNotYouKnighted” Jeremy Jones MD @DrJeremyJones • 55m: “Technology outage, crashing applications, website defacement… You about to go knight knight forever if you don’t get your ducks in a row. #YouFailing #YouNotYouKnighted #ClosingTime” Whitney Swift @Witty_Whitney82 • 1h: “If you can’t keep your site safe, why should I believe you can keep my money safe!? These days, if the hackers aren’t stealing from you, the banks are. #KnightInTinfoil #YouNoHero #YouNotYouKnighted” Jacob Andrews @J_Andrew92 • 2h: “@YouKnight - I understand that you may be experiencing “technical difficulties” but there is no excuse for treating your customers poorly #YouRude #YouNotYouKnighted #PoorCustomerService”
  • 33. Moving forward 2 hours… It is now 1:00 PM on April 21st
  • 34. [ Voicemail ] Doug Dominose, New York City, New York, April 21, 2017 at 1:00 PM: “This is Special Agent Doug Dominose with the FBI. I’m headed to YouKnight headquarters now - should arrive within the hour. Can you see to it that someone is available to meet with me?”
  • 35. Moving forward 3 hours… It is now 4:00 PM on April 21st
  • 36. [ Email, sent with High importance ] From: Sumner, Kevin (Federal Reserve Bank). To: Chief Financial Officer. Subject: URGENT: Outage & Interbank Impact. Inbox listing: Jan Finkle, “Status Update”, Fri 04/21/2017 3:45PM, 1K; Kevin Sumner, “URGENT: Outage & Interbank Impact”, Fri 04/21/2017 4:00PM, 1K. Message: “As you are likely aware, the media is reporting that YouKnight Bank has experienced a widespread technology outage rendering it unable to accurately and securely perform transactional duties within the interbank network. Due to the far-reaching implications of the outage on members of the financial community, we will be monitoring the situation and conducting an investigation to determine if certain penalties may apply. Please provide any input you feel will be valuable to our discovery efforts. I’ll be available at +1 (212) 555-3464 if you would like to speak by phone. Thanks, Kevin Sumner, Senior Bank Examiner - Federal Reserve Bank”
  • 37. The wargame has ended.
  • 39. Cyber wargaming lessons learned. (1) Cyber events have an accelerated rate of escalation and unfold more ambiguously than traditional crises. (2) Impacts resulting from actions and decisions during cyber incident response, even at a low level, are greater and broader than those of a traditional incident. (3) The scope of incident responders expands well beyond technology during cyber incident response.
  • 40. Cyber Incident Response Success. Simulate realistic incidents regularly. By exercising the plan, organizations can build “muscle memory” and respond more effectively and consistently. Organizations should embrace technologies that enable operational resiliency and proactive detection and response capabilities. Simple, flexible and distributed plans provide guidance to responsible parties throughout the organization. Understand where external help is needed and have contracts and capabilities in place beforehand. Determining legal, regulatory, and compliance issues in the midst of a crisis is a bad place to be. Prepare ahead and incorporate these considerations into the CIR plan. Educate executives on crisis communication plans and their associated responsibilities. Setting tone at the top of organizational hierarchies has cascading impacts. Prevent your plans from becoming “shelf ware” by training your CIR team periodically. Carefully select CIR team members and confirm they have the requisite skills and experience to perform responsibilities outlined in the plan. Involve business operations in cyber Incident Response planning so that mission critical processes and systems are available when crises occur. [ Diagram labels: Cyber Incident Response; Legal, Risk, & Compliance; The Plan; Supported by Technology; Simulate the Event; Operations; Cyber Education; Cyber Response Team; Executive Management ]
  • 41. Designing an effective cyber wargame: RELEVANCE TO THE BUSINESS + REALISM FOR THE PLAYERS + READINESS TO EMBRACE CHALLENGES. Relevance to the business: Effective cyber wargame exercises are built from the ground up to reflect an organization’s specific business context, organizational structure, operating procedures, systems, data, etc. Exercises should be designed so that outcomes will impact how the business will make decisions moving forward. Realism for the players: Effective cyber wargame exercises leverage a carefully selected combination of high-fidelity injects designed to mimic the real world. Injects are revealed based upon player actions and decisions, typically via: paper content, live phone calls, pre-recorded video, briefed actors, pre-recorded audio. Players will respond more realistically to realistic injects – leading to improved identification of strengths and weaknesses. Readiness to embrace challenges: Effective cyber wargame exercises involve participants that are excited to embrace cyber challenges and ready to remediate identified weaknesses. Common outcomes include the need to improve capabilities related to: IS risk assessment, cyber incident response, core security services, threat intelligence, technical resilience, cyber forensics, user ID management, business engagement. [ Diagram labels: The Facilitator; Delivery; Scenario; Audience; Objectives; Debrief; Business context; Report ]