Don't Wanna Cry: A Cyber Crisis Table Top Exercise for Assessing the Preparedness against Eminent Threats

Abstract

Cyber Security Exercises are emerged as useful tool for assessing and improving preparedness of the organizations and nations against cyber threats. Cyber security exercises of different types & duration with various objectives are conducted across the globe. These exercises vary from quiz type exercises to full simulated attack based exercises. One such type of exercise is Table Top Exercise (TTX). TTX are discussion based exercises involving decision makers of the participating entities to meet and discuss the response during the hypothetical emergency situations. These exercises primarily focused on to clarify roles and responsibilities, assessment of effectiveness of plans and further improvements in cyber security. In this paper we presented Objective, Design and Execution of Cyber Crisis Table Top eXercise (CCTTx) named "Don't WannaCry" conducted for Indian entities. 5 CCTTx involving decision makers from 65 organizations with the objective to encourage self-realization of true cyber security posture of their own entity were conducted in 2017.Exercises were divided into three segments starting with (i) Self-assessment in which participating organization self-assess their cyber security posture in pre-defined 6 domains, followed by (ii) Exercise Play in which participating entity act as a hypothetical entity and respond to the presented cyber crisis situation and finally (iii) Hotwash session was executed with purpose of inducing self-realization of their true cyber security posture. Exercise take away for participants was self-realization and identification of improvement plan to enhance cyber security posture of their entities against the cyber attacks. These exercises are unique in design, execution and their objective of self-realization by the participating entities. Success of these exercises is evident from the feedback and adoption of exercises for domestic purpose by participating organizations.