American Institute of Aeronautics and Astronautics

    Incident Response in Practice
    In last month’s feature, we discussed how organizations can respond effectively to cyber incidents, and we recommended practicing through simulations and tabletop exercises.

    Earlier this month, the AIAA AVIATION Forum’s Cybersecurity Symposium, which was organized with the help of cybersecurity expert Jeffrey Carr, gave participants a chance to do just that. Participants played the roles of stakeholders in a fictional company, Baudelaire Aerospace, as it navigated various cybersecurity scenarios.

    In this feature, we give an overview of the recent symposium exercise, which proceeded in two parts, and present some of the key lessons learned from this, and previous, exercises.

    Budgeting at Baudelaire: Picking Priorities and Trade-Offs in Security Operations

    In the first part of the exercise, participants were briefed on key facts about Baudelaire Aerospace. Baudelaire is a (fictional) multinational corporation with 49,000 employees at 125 locations in 31 countries. In addition to its clients in North America, Baudelaire works with both civil aviation and military aerospace clients in countries such as China, Russia, Brazil, and India. The participants also had access to general information about Baudelaire’s threat environment, including emerging trends in the cybersecurity threat landscape.
    Participants were split into three teams and were given a security budget of $8 million to establish Baudelaire’s Security Operations Center, covering both physical and cybersecurity for the company. Participants had to decide what Baudelaire’s biggest risks were and how to allocate resources to mitigate them, from hiring personnel to buying technology solutions like encryption tools, access management, and cloud security services.

    Cyber Hacks on Baudelaire

    The second part of the exercise focused on responding to specific incidents, including a ransomware attack and theft of data from Baudelaire’s network: sensitive information was discovered sitting on a command-and-control server linked to an adversarial nation-state.

    As participants considered how to respond, they homed in on what additional information was necessary:

    • What data was compromised?
    • Who should be notified of the breach?
    • What remediation steps need to be taken?
    • What are the legal boundaries for actions and responses?
    • What type of support exists from the technological, legal, and business perspectives?

    After contemplating response options with subject matter experts, the teams settled on a variety of creative responses: for example, some participants decided to lure in malicious actors by creating “honey pots,” or fake network segments and documents embedded with code that “beacons” home, which allows a defender to observe and track hackers. To end the exercise, participants briefed each other and organizers on their various solutions.
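    The decoy approach described above only pays off if someone is watching for the trigger: a decoy document, decoy host, or beacon token that nobody legitimate should ever touch. The following is an added illustration, not code from the symposium, from AIAA, or from the fictional Baudelaire Aerospace; the log format, decoy names, beacon token, internal address plan and sample log lines are all constructed for the example. It scans audit-log lines, raises an alert on any touch of a decoy resource, and marks beacon callbacks that arrive from outside the corporate address range, which is the signal that a decoy document has left the network.

```python
"""Honeytoken access monitor (added example; all names and data are constructed)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed decoy inventory. These resources exist only to be touched by an
# intruder, so legitimate users have no reason to access them and any hit is
# a high-signal event rather than something to be tuned out.
DECOY_RESOURCES = {
    "/shares/finance/Q3_merger_terms.docx",      # decoy document
    "/shares/engineering/wing_loads_rev7.xlsx",  # decoy document
    "10.20.30.40",                               # decoy host in a fake network segment
}
BEACON_TOKEN = "bt-7f3a9c"  # constructed token embedded in the decoy documents

# Constructed corporate address plan; anything outside it is "offsite".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed audit-log format: "<timestamp> <kind> user=<u> src=<ip> target=<t>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>file_read|net_connect|beacon) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) target=(?P<target>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    kind: str
    user: str
    source_ip: str
    target: str
    offsite: bool  # True when the touch came from outside INTERNAL_NETS


def parse_line(line):
    """Parse one audit-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decoy_hit(event):
    """Return the decoy resource (or beacon token) the event touched, else None."""
    if event["kind"] == "beacon":
        # For beacon callbacks the target field carries the token, not a path
        return BEACON_TOKEN if event["target"] == BEACON_TOKEN else None
    return event["target"] if event["target"] in DECOY_RESOURCES else None


def is_offsite(ip_text):
    """True if the address is outside the constructed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not an IP literal; treat as unknown rather than offsite
    return not any(addr in net for net in INTERNAL_NETS)


def scan(lines):
    """Run the decoy check over audit-log lines and return the resulting alerts."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line; a production pipeline would count these
        hit = decoy_hit(ev)
        if hit is None:
            continue
        alerts.append(
            Alert(ev["ts"], ev["kind"], ev["user"], ev["src"], hit, is_offsite(ev["src"]))
        )
    return alerts


# Constructed sample log: one benign read, one decoy-document read from a
# backup service account, one connection to the decoy host, one beacon
# callback from outside the network, one garbage line, one more benign read.
SAMPLE_LOG = [
    "2024-06-03T09:12:44Z file_read user=jdoe src=10.1.4.22 target=/shares/finance/Q3_budget.xlsx",
    "2024-06-03T09:13:02Z file_read user=svc_backup src=10.1.4.9 target=/shares/finance/Q3_merger_terms.docx",
    "2024-06-03T09:15:31Z net_connect user=- src=10.1.7.55 target=10.20.30.40",
    "2024-06-03T11:40:10Z beacon user=- src=203.0.113.17 target=bt-7f3a9c",
    "garbage line that should be ignored",
    "2024-06-03T11:41:00Z file_read user=asmith src=10.1.4.23 target=/shares/engineering/notes.txt",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        where = "OFFSITE" if a.offsite else "internal"
        print(f"{a.timestamp} {a.kind:<11} {a.user:<10} {a.source_ip:<15} {where:<8} {a.target}")
```

    Running the block on the sample log yields three alerts: the decoy-document read by the backup service account, the connection to the decoy host, and the beacon callback from an offsite address. The last one is the most telling, because a beacon fired from outside the internal ranges means the decoy document itself was taken off the network, which is exactly the observation the exercise participants hoped to obtain.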

    Learning from Simulations and Exercises

    The symposium was not AIAA’s first cyber exercise; it has supported other exercises in the past in partnership with Boeing, AIAA partner Good Harbor Security Risk Management, and CyberPoint LLC, a cybersecurity firm. In those exercises, participants were the real-life information security staff of the companies they represented, and the exercises focused on testing whole-of-enterprise incident response through a variety of high-pressure hacks and cyber incidents.

    Here are three key takeaways from the exercises about responding to incidents, and three key takeaways about running effective simulations and tabletop exercises:

    Key Takeaways About Cybersecurity and Responding to Incidents

    1. Every organization defines its risk profile in a unique way based on things like business operations, technology systems, and culture. Even two companies that may look alike to an outsider have different priorities. In the first part of the Baudelaire exercise, one team focused its resources on technology, and another team focused on personnel: even though they started with exactly the same information, they ranked their risks and their mitigation priorities differently. That is exactly how it happens in organizations around the world, every day. Look back at the first issue of Protocol to see some questions that your organization can ask to understand its risks and priorities.

    2. The more that management teams can get on the same page about what they consider important before a crisis strikes, the better. When an organization is responding to a cybersecurity crisis, resources and time are very constrained, and executives often have to decide what actions to take first, second, and third, and what might not get done right away. Knowing what objectives are most important for the organization, from protecting critical data to maintaining key operations to safeguarding reputation, is key to success. Simulations won’t predict every scenario, and participants can’t play out every possible set of events, but practicing multiple scenarios will train teams to identify and decide priorities quickly and let them talk through specific examples in advance.

    3. In a crisis, coordination is key. Cybersecurity is a whole-of-enterprise, team effort, as we’ve described before in Protocol. This is especially true in incident response: most leaders in an organization have an important role to play in crisis management. But the flurry of activity and speed of information moving and changing in a crisis can result in miscommunications when there are “too many cooks in the kitchen” and things are not well coordinated. Jeffrey Carr described how participants played the Baudelaire exercise: “There were disagreements within teams on what to do, … There was a lack of clarity. We had subject matter experts disagreeing with other subject matter experts. … It’s horribly complex in real life.” Key steps to avoid these challenges include knowing to expect information overload and miscommunication, designating a single incident response manager in advance, delineating clear lines of authority, and establishing clear protocols for communications.

    Key Takeaways About Running Effective Simulations and Tabletop Exercises

    1. Exercises can be designed to accomplish different objectives. For example, the first part of the Baudelaire exercise focused on allocating resources to identify risk mitigation priorities, while previous exercises have focused on how companies cooperate in responding to widespread attacks. Exercises can address many objectives: raising awareness; building team coordination; testing an organization’s incident response plan and how well people stick to the plan under pressure; identifying third-party dependencies outside the organization; and estimating what impact different incidents would have. Before designing an exercise, decide what objectives you are trying to meet.

    2. Having the right people present is key to success in any exercise. Sometimes, certain executives and leaders think they will not have a role in responding to an incident because they are not “IT Security” leaders, so they do not expect to be at the exercise; they may need to be reminded that incident response is a whole-of-enterprise effort. Remind them that leaders at big companies, leaders in the military, and even heads of state practice responding to crises. Plus, by taking preparedness seriously, they are setting an example for their team.

    3. Exercises can be great learning opportunities, but they have to be designed the right way to achieve maximum effect. It is important for exercises to be a comfortable learning opportunity where participants can play hard and make mistakes without fearing that they will be penalized. Having an outside facilitator who can record lessons learned and areas for improvement and deliver them in an “after action” report is also key. Facilitators can also help design the scenario to meet the right objectives. Remember that while exercises seem to be all about making bad things happen, the goal is not just to highlight weaknesses or mistakes but to build a team that can respond effectively when a real incident inevitably occurs.

    Exercises and simulations do not need to be complicated or “high-tech,” and they are extremely useful learning opportunities, so get out there and practice, practice, practice.