The Financial Services Information Sharing and Analysis Center (FS-ISAC) has launched a series of cybercrime exercises in Europe. They are intended to test the ability of businesses to withstand a cyber-attack. The timing is good. Tesco Bank has just been fined £16.6 million for its failure to deal with a cyber-attack in 2016.
The exercises are designed to mimic an attack against a major bank. This is more than just a paper exercise. It has borrowed the approach of an increasing number of cyber ranges. It looks at how the IT security teams at one or more organisations respond to an attack. This first exercise mimics the success of the WannaCry ransomware.
According to Vincent Thiele, head of Cyber Crime Expertise and Response Team at ING Bank and FS-ISAC Board member: “The cyber-range exercise was a great step forward for the launch of the exercise programme in EMEA. ING looks forward to strengthening its relationship with other members and sharing vital knowledge and best practices with the financial services community.”
The need for a multidisciplinary defence
The FS-ISAC exercises were not confined to the IT security team. They have a wider remit that includes crisis management. The big challenge, especially for a financial institution, is how to deal with the public response to an attack. This means that the whole crisis management team, from IT through to the boardroom, needs to understand what is involved.
Recovery from an attack such as WannaCry is far more complex than many organisations realise. While many have comprehensive playbooks and plans, executing them can be difficult. For example, how many organisations keep their plans on a secure computer disconnected from the main network? If they don’t, an attack can take out the computer holding the playbook, leaving the organisation in the dark.
Another challenge is how to bring the organisation back online again. This is more than just business continuity or disaster recovery. It requires an approach called cyber resiliency. This is something that Felicity March of IBM talked to Enterprise Times about recently.
Attacks against large institutions are rarely isolated incidents. If a vulnerability exists at one institution, it is likely to exist in others. This means that regulators have had to allow cooperation to improve resiliency. This need for wider sharing of attack information, and for assistance once under attack, is something that two of the FS-ISAC exercises focus on:
Cyber-Attack Against Payment Systems (CAPS) – This annual virtual exercise is aimed at payment companies, free to all regulated financial institutions in EMEA, Asia-Pacific and the Americas. Participating members benefit from testing their organisation’s readiness in case of an attack and free benchmarking against peers.
Cyber-Attack Against Insurance System (CIAS) – This virtual exercise simulates an attack on insurance companies to help gauge their readiness in the event of an incident. The exercise is available to all insurers via remote participation.
What does this mean
We hear a lot about the time and effort organisations claim to invest in readiness for a cyber-attack. In many cases these amount to little more than paper exercises, if even that. The emergence of cyber ranges has provided a place for some degree of coordinated training. However, many of these are focused on the IT security teams and not on the wider crisis management issue.
One of the benefits of the FS-ISAC exercises is cross-company and industry-wide planning. It allows organisations to share best practice when it comes to dealing with cyber-attacks. However, it needs to be far more wide-reaching than it is at the moment.
In some countries, banks are required to not only prove that they can failover their systems but have to then run on those systems for a period of time. They then have to failback. This is far harder than many people realise and is a measure of how well the plans are designed and working.
FS-ISAC isn’t at that point of real-world tests, nor is it driving requirements on the industry in terms of what is seen as good practice. However, it is advancing the preparation and capability of organisations to respond to an attack.