Recap CSB#42: 42 lessons of a daring experiment! But don’t panic…

Cyber attack simulation to face tomorrow’s challenges? And what if Room#42 didn’t exist?

  • 03 Feb, 2021

04.02, what better day to dedicate this monthly Cybersecurity Breakfast #42 to the ROOM#42?

Keynote: ROOM#42: learning by doing

After two years of service, Jérôme Jacob, founder of ROOM#42 at C3 Luxembourg (Cybersecurity Competence Center Luxembourg), gave an insight of this daring experiment that provides an extensive learning to public and private organizations on how to react when facing a cyberattack.

With special settings diving the participants into an uncomfortable situation in a very short timeframe (approx. an hour), combining dark atmosphere and lights effects, ROOM#42 is a cyberattack simulator developed to train human’s reaction, abilities and behavior.

Key figures at a glance

The many training sessions conducted over the past two years resulted in the following statistics:

· Ransomware: 85% of participants take over 15 minutes to react, 60% of counter-measures are insufficient, 40% of participants pay ransom.

· Fake news: 65% of participants do not reject a fake Press News

· Crisis: 45% of participants have never set an Emergency Response team within their company

· CERT: 70% of participants do not ask for CERT’s help (Computer Emergency Response Team)

· Communication: 80% of participants forget to communicate internally

· Evidences: 95% of participants forget to collect evidences

The above-mentioned figures show that training human factor remains essential in order to efficiently overcome a cyberattack.

8 key points to a smooth and reliable cyberattack response process

1. Trigger:

Press the red button and launch a crisis status, as soon as it becomes essential.

2. Cape:

In order to not waste time, define how to manage and coordinate a crisis situation.

3. Objective of the crisis management:

Set clear objectives and specify the roles of each key players.

4. Timeline:

Write down the events chronologically and document the situation throughout the whole process.

5. Impact analysis

What are the legal, financial, reputational & operational impacts? Do not only focus on technical consequences.

6. Action plan:

Set priorities, costs, responsibilities and deadlines.

7. Cyber vigilance:

Chaos comes with chaos. When an IT system has already been weakened by a cyberattack, cybercriminals often take that opportunity to attempt another one. Remain vigilant.

8. Time for action:

Apply and measure the effectiveness of the actions taken. In 95% of cases, people do not think of collecting evidences.

Getting out of a crisis is the most complicated decision to make. ROOM#42 helps participants reach that step of the process – and most importantly, to officialize the end of the attack.

Jérôme Jacob’s 5 tips to wisely deal with a cyberattack:

· remain cyber vigilant at all times,

· make simple decisions,

· regularly review the crisis management plan,

· master the impact analysis, and

· communicate.

Round Table

Guests: Edith Magyarics, CEO Victor Buck Services, Philippe Dann, Head of Risk & Business Advisory EBRC, Jérôme Jacob, Cybersecurity Advisor at Cybersecurity Competence Center Luxembourg & Dr Thierry Roux, Co-gérant Great-X and Président Cap Cobra-ROOM#42 (who joined from Toulouse, France)

Moderated by Pascal Steichen, CEO SECURITYMADEIN.LU

During the Round Table that followed the Keynote, all participants discussed the main elements that make an efficient response to a cyberattack, based on their own experiences with ROOM#42. They all acknowledged that one key element: training the human factor is essential.

Teamwork must be part of the equation to solve the attack

Cybersecurity is a concern for everyone and a cyberattack should be advised and dealt with company-wise, as a team, involving all key players at the right time.

During trainings in ROOM#42, participants are locked together into one single room and face the so-called challenge of internal communication:

· What information is relevant to share? with whom?

· How should the information be delivered in order to make it clear and useful to the targeted recipient?

· How is everyone involved in the crisis management? Does everyone know his role?

· As some crises can be long-lasting, how to approach such scenarios? How to organize the handover to one team to another and make sure everyone is reachable as well as fully capable of handling his part at the time he is supposed to?

Edith Magyarics, CEO Victor Buck Services, who together with her team underwent a training in ROOM#42, advised several times to “avoid the blame culture. Singling out someone will not bring any solution, finding a way out together instead will. People are the solution”, she continued.

Easing the decision-making process & setting a Business Continuity Process

Based on his extensive expertise at ERBC (800 exercises in over 20 years), Philippe Dann, Head of Risk & Business Advisory EBRC recommends to “catch information and collect evidences from everyone involved in the situation management. That way, decision-making process will get easier and more efficient. A Business Continuity Management System is essential. It must be provided by the Top Management”.

Dr. Thierry Roux, Co-gérant Great-X and Président Cap Cobra-ROOM#42, added that “agility and responsiveness lead to an efficient action plan. It is of utmost important to keep in mind the overall business and not only the technical part of the incident”.

External communication must not be avoided or forgotten

Although it is not easy to disseminate information externally, this part of the crisis management process is necessary to minimize or avoid any bad buzz or false news. “Compagnies must monitor press and social media throughout the process”, said Philippe Dann.

Sharing experiences & lessons learned with various partners

Participants of this round table discussed another element that strengthens the preparation to a cyberattack: debriefing the after-test lessons learned (how to apply them to the organization in real life).

Although an incident never happens the way people are trained for, practice drives continuous improvement and a clear crisis management plan avoids panic.

Edith Magyarics, about her experience with ROOM#42: “We learn everyday but what we learned that day was essential. Although the training in ROOM#42 is a gamification, it needs to be taken seriously. It can happen in real life, no matter how prepared your company is. Being prepared is key to an efficient crisis management process”.

Philippe Dann added “training in a traditional meeting room is like a casual meeting, but doing it in ROOM #42 is taking participants out of their comfort zone”.

To end this session, Jérome Jacob acknowledged his willingness, and that one of C3 Luxembourg, to further enhance the training provided by ROOM#42 by adding time zones as additional settings to the experiment and make it reliable to compagnies with international reach. “At ROOM#42, we use data and experience from CIRCL (Computer Incident Response Center Luxembourg) to build cyberattack scenarios that are really close to reality”, he said.

Jérôme Jacob reminds that “ROOM#42 is a training tool designed to open participants’ mindset and help shape their emergency response plan”.

“When facing a cyberattack, do not panic. Keep calm and go with the plan. Training allows organizations to become more mature in the process of responding to an attack” - Jérôme Jacob

More info about ROOM#42 and registration here

Watch the full Cybersecurity Breakfast #42: