Cyberattacks are all too common in business today. If your own company is affected, quick but prudent action is required — and the C-suite suddenly must make decisions in areas they may otherwise be unfamiliar with.
If executives are unprepared for such a situation and react incorrectly, the very existence of the company is quickly at stake. To avoid this, Cisco came up with “Cyber Simulator Suite 404,” a tabletop scenario to help executives learn to deal with dangerous IT incidents in a fun way.
I had the opportunity recently to play Suite 404 with two IT journalist friends. Here’s what this incident response management training exercise is like and the kinds of lessons it can help executives learn about incident response.
Simulation on paper
The first encounter with Suite 404 seems downright anachronistic. In a meeting room, there are four game boards and a number of event-based playing cards — a setting somewhat reminiscent of the classic game Monopoly. And in the age of PDFs and the like, even the game instructions are printed on paper. Truly a throwback.
But what am I actually getting worked up about here? We are training for a cyber incident in which, in an emergency, our company’s IT is at stake. And what tools would we have available in the worst case scenario? Flipcharts, paper pads, pens, and maybe even a cell phone. So the game setting may be a good fit after all.
The game scenario: Decision-making put to the test
In Suite 404, we take on the role of members of the executive board who are tasked with supporting their CEO in dealing with a cyber crisis. Our company is a fictional five-star hotel group — the Vauban Hotels.
Simulation of a cyber attack in the form of a classic board game. (Photo: Hill)
The simulation itself consists of three game phases. In the first phase, seemingly everyday incidents are analyzed to determine the extent to which they have a negative impact on our hotel business. The four categories of service, reputation, sales, and cybersecurity must be taken into account.
Then, using printed log files, you have to find three anomalies that indicate how the hackers broke into our network. In the last part of the game, you have to demonstrate your team’s decision-making skills: the task is to respond clearly to a series of incidents. There is no “either,” “maybe,” or “or” as a way out; we can only choose between two courses of action.
So, everything should be easy going, right? After all, the three of us players have decades of journalistic IT reporting between us — including stories about cyberattacks. The game scenario isn’t new territory for us.
Easy entry — before the cardinal error of procrastination
Our mood was accordingly relaxed at the beginning. The task here was to assess the relevance of incidents such as a failure of the electronic door lock system in the hotel rooms or the Excel table of room bookings no longer being available. To what extent do the events affect our service, sales, our company’s reputation, and our cybersecurity?
These are not complete disasters, but annoying incidents that disrupt ongoing operations. We discussed with great enthusiasm whether the respective incident had “no negative impact at all” or “maximum negative impact” on one of the four categories mentioned.
This was a mistake that would later come back to haunt us. The time we wasted on trivial matters meant we later missed out on making important decisions about really critical situations. In addition, to prevent the players from becoming too comfortable, the playing time is limited to 30 minutes. This does lead to a certain level of stress at some point — but more on that later.
But OK, we had mastered phase one of the game. The next step was to find the hacker who had penetrated our system, a task that is a solvable challenge today thanks to modern intrusion detection systems and IT forensics.
Find the hacker in the log file
Find the hacker – search the printed log files. (Photo: Cisco)
If only the IT system were up and running to support us. In the simulation we had to make do with printouts of two pages of log files, each about A3 in size. We were supposed to discover three anomalies in these — under time pressure, because thanks to our dawdling in the first part of the game, time was running against us.
Nevertheless, we managed to discover two of the three anomalies within a reasonable amount of time. However, we completely overlooked the third, actually obvious manipulation — we were simply trying too hard to think outside the box and to put ourselves in the hacker’s shoes, which might be a sophisticated approach. Or to put it another way: We didn’t see the forest for the trees. In order not to spoil the suspense for future players, we won’t reveal here which anomalies were in the log files.
Additional disturbances
All I can say is that they can be found with structured thinking and sound basic IT know-how. But it is precisely these structured processes that become a challenge when the game leader suddenly intervenes with another disruption:
“This is the concierge, the Royal Family is complaining about an incorrect booking.” So stop studying the log files and focus on the new, current problem, and then dive back into the depths of the log files.
Focus on the core problem
Even in the third phase of the game, we were not spared from such disruptions — for example in the form of the event “Influencer Pretty Beauty does something stupid in the posh hotel bar and it ends up on TikTok — BBC calls and asks for a statement.”
It was clear that as journalists we immediately addressed this problem. In the debriefing we were then told that this was a mistake, because at the height of the crisis it was important to concentrate only on tackling the most urgent core problems.
Making targeted decisions
And the third phase of the game is the catastrophe. It is certain that the IT system has been hacked, and a number of incidents occur that require immediate action. The simulator always offers two options for action. All too often, you have to choose between the plague and cholera, that is, the lesser of two evils.
The consequences of your own actions are also shown to you immediately with another event card, so after a wrong decision a feeling of frustration can certainly set in right away. But there is no time to dwell on frustration for long, especially if, like us, you wasted a lot of time in the first part of the game. Now it’s all about making decisions quickly and rigorously.
Lessons learned
All in all, we can still pat ourselves on the back. Despite mistakes, our team achieved 25 out of 30 possible points. We are also one experience richer, with some hard-earned lessons learned:
- Don’t get bogged down in a crisis.
- Commit to fast, stringent decision-making processes.
- Limit analysis to brief but well-founded discussions.
- Weigh up the consequences.
- Focus on core problems.
- Refresh basic knowledge.
- Practice working without supporting technologies (paper, pen).
- Practice for emergencies.