Advanced Cubicles & Compromises – Players Guide v1
Posted on 16-Sep-2020

Page 1: AC&C-Players Guide v1 · Institute of Standards Technologies (NIST) Cyber Security Framework (CSF). By doing so each ... alert from their logging system or SIEM that shows some unusual

PLAYERS GUIDE Version 1

Advanced Cubicles & Compromises


Page Left Intentionally Blank. Keep Going… here be dragons…


Advanced Cubicles & Compromises – v1. 3

Introduction

Welcome to the world of Advanced Cubicles & Compromises! This game expands on the Black Hills Information Security – Cubicles & Compromises format by adding exciting new variables and gameplay.

Cubicles & Compromises is a Tabletop Exercise. Many compliance standards require a yearly simulation that tests an organization's ability to use its Incident Response Plan effectively. Even beyond compliance standards, Tabletop Exercises are a great way to improve how your Incident Response Teams work together and to find potential issues with your Incident Response Plans. These exercises also ensure the people on the Incident Response Plan know their roles, what they need to do, and the roles of the other individuals and teams they must work with during incident response.

Tabletop Exercises bring all the teams and persons involved in incident response into a room and test their ability to respond to an incident. Generally, this would be done with a single organization using their Incident Response Plan (IRP). Advanced Cubicles & Compromises can be run for a single organization. However, it also allows for a workshop format that doesn't require proprietary incident response plans to be revealed to other players. Players create their own company using controls tied to the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF). By doing so each player can be from a different organization and think through incident response concepts, including how specific controls can defend against potential attack scenarios.

The game simulates an incident response exercise with injects the players must defend against. Injects are events that occur during the incident. This often begins with the organization investigating an incident. With each inject players learn more about the incident. Sometimes the information learned after subsequent injects would have changed previous decisions. Just like in a real incident response scenario, players can only work with the information they have.

Players have budget, planning, and luck on their side to keep their business from going under as it endures responding to an information security incident. However, there are new twists, including fatigue and the Wheel of Business. Players must choose wisely and deploy controls that can stand up to real world security events. Each player is given a budget to purchase and improve security controls. After each event unfolds players will roll dice to determine if they were able to defend against the attack. If an inject wasn't mitigated they may need to roll further to determine if the company needs to spend money to address it. Don't spend all of the budget, because each round the team will become more fatigued, making it harder to defend against attacks.

Further, the business doesn't stop moving just because of an active incident. The Wheel of Business spins after each inject. There are 24 slots on the Wheel of Business. Each slot represents a scenario unrelated to the incident that the team may have to address. Some are good, some are bad. All will affect your budget. By the end of the exercise the team with the most budget remaining is victorious!

We hope that Advanced Cubicles & Compromises will give security teams a fun and exciting way to run incident response simulations. Theoretical budgets and the additional randomness from fatigue and the Wheel of Business engage players as they think through how they will address a problem they were certain their Incident Response Plan had covered! Thanks for playing and let the game begin!

Ean – [email protected] – Twitter - @eanmeyer

References

Black Hills Information Security – Cubicles & Compromises
Webcast - https://www.blackhillsinfosec.com/webcast-cubicles-compromises/
Printable - https://www.blackhillsinfosec.com/wp-content/uploads/2019/09/CubiclesandCompromisesPrintable.pdf

NIST Cyber Security Framework (CSF) - https://www.nist.gov/cyberframework
NIST CSF Components - Tiers - https://www.nist.gov/node/1311101/components-framework

Table of Contents

Introduction .......................................................................................... 3

Table of Contents ................................................................................. 4

Overview of Game ................................................................................ 4

Tabletop Exercise ..................................................................................... 4

What are Injects? ..................................................................................... 4

Incident Manager .................................................................................... 5

Your Company ......................................................................................... 5

Budget ........................................................................................................ 5

What are the NIST CSF Controls? ........................................................ 5

Identify ................................................................................................ 5

Protect ................................................................................................. 5

Detect .................................................................................................. 5

Respond .............................................................................................. 6

Recover ............................................................................................... 6

NIST CSF Tiers ........................................................................................ 6

Fatigue ....................................................................................................... 6

Wheel of Business .................................................................................... 6

Game Play ............................................................................................. 6

Company Creation .................................................................................. 6

Injects ........................................................................................................ 7

Rolling Against Injects ............................................................................. 7

Conclusion of Game ................................................................................ 8

The game concludes when: ..................................................................... 8

Review of Injects & Outcomes ................................................................ 8

NIST CSF Controls .............................................................................. 8

Identify ................................................................................................ 8

Protect ............................................................................................... 10

Detect ................................................................................................ 12

Respond ............................................................................................ 13

Recover ............................................................................................. 14

Overview of Game

Before starting the game players must understand the core components of Advanced Cubicles & Compromises. Read the following to understand more about the components that affect game play and the rules for Advanced Cubicles & Compromises.

Tabletop Exercise

Tabletop Exercises help prepare companies to react to incidents. These exercises are designed to simulate how an organization may become aware of a security incident and possible breach by testing their response. Tabletop exercises allow teams to think through their reaction to security incidents. They evaluate the incident response plan by reviewing how the plan performs in the face of an unknown incident simulation. Often these exercises are required under specific regulatory or compliance standards. However, organizations shouldn't complete tabletop exercises just because they need to for compliance. Tabletop exercises have many benefits beyond compliance. Tabletop Exercises prepare teams that don't often work together to interact under high stress situations (Executives, Legal, External Communications, Engineers, Security, etc.). They test the Incident Response Plan. They evaluate the reactions of the Incident Response Team against likely scenarios. The Tabletop Exercise should test and prepare all aspects of the Incident Response Plan. This leads us to injects.

What are Injects?

Injects are the fundamental core of a tabletop exercise. When an incident occurs teams will rarely have all the details of what happened, how it happened, or how to stop the incident while it is ongoing. A tabletop exercise starts the incident response teams with a much smaller set of information than they will have by the end of the exercise. They may be informed the FBI notified them that information from the organization was found on the dark web. They may get an alert from their logging system or SIEM that shows some unusual traffic bound for servers in a country the organization doesn't work with. This may start the incident response, and the teams must react using their Incident Response Plan, experience, and available information. Once the team reacts to the incident they receive an inject. New information is injected into the scenario. This information may have changed how they would have reacted to the discovery of the incident. Just like in the real world, we should only react to the information we have. During each round of play a new inject will be revealed. The incident response team will evaluate this new information. Using their Incident Response Plan and knowledge of the situation they will make a decision about the next steps to take.

Advanced Cubicles & Compromises – v1. 5

Introducing injects adds a level of real-world complexity to test the team and their incident response plan.

Incident Manager The Incident Manager can be thought of as the game master. During actual incident response the Incident Manager may be responsible for assigning resources, gathering information from teams, coordinating effort, and delivering updates to key stakeholders. In Advanced Cubicles & Compromises the Incident Manager runs the game. They deliver the injects and lead players through the game. They are also the final decision maker on what controls were effective for the given incident simulation.

Your Company

Each player will create a company using the Company Creation Worksheet. Players take the role of a newly selected CISO at a company that's operated in stealth startup mode. The company just got a major funding round. They have a minimal viable product. They need to build a security program, as they have invested little time or money in building security controls. All resources were devoted to getting to the point where they had a product they could sell and receive investment. The player's job is to choose controls that help adequately protect the company. Players face these challenges:

• A limited budget from their new funding round.
• No controls were already in place.
• Because of limited resources they can't deploy every desired control simultaneously.
• They can't (shouldn't) spend all their budget before game play starts. Injects and Business Events will require them to use additional budget during game play. If they run out of money, they are out of business.

Budget Each player will have a budget of $2,000,000.00 ($2MM) to use to deploy controls. Controls that can be used in gameplay are listed later under NIST CSF Controls. Players can use budget to deploy controls, improve controls, or respond to control failures. During gameplay events will arise that require players to utilize additional budget. Other events may occur that grant players additional budget. These will be determined during each round of play. Players should not spend all their budget before gameplay starts. When a player has no security budget remaining they are out of business and the game is over.

What are the NIST CSF Controls?

The National Institute of Standards and Technology (NIST) created a framework referred to as the Cyber Security Framework (CSF) to help security professionals and organizations evaluate if they have the appropriate level of control for their organization. This framework is written as a series of statements meant to encourage an organization to evaluate if they have important security controls in place. It is vendor agnostic. It is not prescriptive either. It attempts to allow the organization to address each statement in their own way. Further, each statement and function is linked to other common control frameworks. Because of this, reviewing the NIST CSF may tell an organization if it is directionally accurate in fulfilling the mandates of other common frameworks. The framework is broken into five functions. The controls also have four tiers of deployment. These will be discussed in NIST CSF Tiers. The function category definitions below are taken directly from the NIST website and can be found here: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

Identify

Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

Protect Develop and implement appropriate safeguards to ensure delivery of critical services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

Detect Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.


Advanced Cubicles & Compromises – v1. 6

Respond Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

Recover Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.

NIST CSF Tiers

The National Institute of Standards and Technology – Cyber Security Framework (NIST CSF) lists a series of functions and statements to evaluate regarding an organization's cyber security program. However, it also recognizes that simply deploying a control doesn't mean it was deployed well or is effective. To address this in the framework, NIST created implementation tiers. NIST defines four implementation tiers that evaluate how well the implemented controls address the statements made in each function of the NIST CSF.

Partial
Controls that are partially implemented are reactive and ad hoc. Organizational risk awareness of the control is low. Implementation plans for the controls are inconsistent.

Risk Informed
Organizations deployed controls to address specific risks, but the implementation is still done in a reactionary manner. There is no apparent strategy even where plans to address risk exist. The controls and the implementation of the controls are not yet proactive.

Repeatable
Controls within the organization are now repeatable. Reactions to events follow the same process. Control functions are testable and function in a predictable way. Policy works in a well understood way and is applied consistently.

Adaptive
This is the final tier. Organizations have completely adopted the NIST CSF. They are able to proactively identify threats by predicting issues within the organization based on a deep understanding of their implemented controls. Controls are now agile and can adjust to business needs while still providing protection for the organization.

Fatigue

The incident response will play out over a simulated five days. Each day brings a new inject. Each day the incident response team will get more fatigued. Fatigue is a real challenge for incident responders, as they are often under high pressure to resolve and contain the issue as quickly as possible. They may also have other responsibilities that must still be managed during incident response. This will cause them to make mistakes and controls to be less effective. As each day goes by the team is more stressed and equally exhausted. During gameplay, when players roll against injects, for each day the team has been responding to the incident they will get a -1 modifier to their roll against the inject. Example: By Day 4 the team has a -4 modifier from lack of sleep and fatigue when they roll against the inject. To successfully defend against an inject players must roll an 11-20 on a 1d20. However, by Day 4, due to fatigue, they must roll a 15 for their controls to be effective.

Wheel of Business

The Wheel of Business adds additional challenges to Advanced Cubicles & Compromises. After each inject the Wheel of Business will spin. In many organizations the IR Team and Security Team are the same people. Even if they are separate teams they often have to work together during IR. Business needs don't stop just because the teams are busy with Incident Response. There are 24 spots on the wheel:

- 12 are business events that impact the security team negatively
- 12 are business events that impact the security team positively

Each player will then roll the dice listed on the Wheel of Business sheet for the event and multiply by the amount listed to determine budget lost or gained. In some cases you will get additional budget to address security challenges. In other cases the business will have made a decision that impacts security budget negatively. The Wheel of Business reminds players the business doesn't stop moving just because it's responding to an incident.

Game Play

Company Creation

To begin the game players must create a company. When played with players from multiple companies where IR plans cannot be shared, this is imperative. Gameplay can also occur with multiple players from the same company. When this style of game play is used the company's incident response plan and actual controls will be used against injects.

Advanced Cubicles & Compromises – v1. 7

When players are from different companies, they can either use their knowledge of their incident response plan and controls to craft a company using the Company Creation Worksheet or create an all new fictional company. This is up to the player. However, even where real controls are considered the players are still limited to their budget and the number of controls they can deploy. Where players are using their actual Incident Response Plan and controls deployed in their environment they will use those current controls and deployment tiers for gameplay. For workshops where multiple companies are participating they may choose to use their own controls or they can create a fictional company for use during play.

When creating a fictional company each player will choose at least 1 control per NIST CSF function and no more than 5 controls per function (Identify, Protect, Detect, Respond, and Recover). The available functions are listed in this guide under NIST CSF Controls. Players cannot simply choose to deploy zero controls and hope for the best. Although many organizations do this, the investors in the company have compliance standards they want you to meet. Further, you can't deploy everything you want. You only have the resources to deploy five controls per NIST CSF Function. Each function has a different cost. Some functions cost more to deploy than others because they take additional time, are more difficult to deploy, or require additional skills. However, the cost is not tied directly to effectiveness. Look carefully to see if some controls bring greater immediate value than others.

Each control has a specific modifier. If you purchase and deploy a control its modifier is added to your roll against the inject. You may also improve the implementation of a control. NIST CSF has four implementation tiers (Partial, Risk Informed, Repeatable, and Adaptive). For each tier players improve a control they receive an additional +1 per tier to their control modifier.

Example: If a player rolls against an inject using an effective control that has a +2 modifier and the control's implementation is in the Repeatable tier (Tier 3), they also receive a +3 modifier to that control for a total of a +5 modifier to their roll. When purchasing implementation upgrades Tier 1 is 25% of the base control cost, Tier 2 is 50%, Tier 3 is 75%, and Tier 4 is 100%. You cannot jump to Tier 3 by paying 75% of the base control. A fully deployed control that costs $100,000 would have a total cost of ownership of $350,000 ($100k + $25k + $50k + $75k + $100k), but adds +4 to any roll where that control would help mitigate against the inject.

You cannot modify or add controls during gameplay, so choose wisely during company creation. Once players select the controls they wish to deploy and their implementation effectiveness subtract their cost from the budget. This will leave players with the amount of budget they wish to have available to address control failures or events from the Wheel of Business. Remember: Do not spend all your budget. If you incur expenses and run out of budget your company goes out of business and the game is over.

Injects The Incident Manager will reveal an inject to the players. This will give the players a limited piece of information about the incident. The players and Incident Manager will then discuss what controls may help address the revealed inject. A list of controls that would address the incident will be shown. If the player has any of these controls deployed at their company they may use the additional modifier of one control during their roll against injects. If the player has more than one control listed as effective they can choose one to add as a modifier to their roll against the inject. They cannot stack control modifiers. The Incident Manager decides which controls shall be effective. If the player has a control they believe would be effective and the Incident Manager says it wasn’t this is the final ruling. The assumption is the Incident Manager knows more about the incident and determined the control would have failed in the simulation.

Rolling Against Injects

In Cubicles & Compromises gameplay a player successfully defends against the inject if they score an 11 or higher rolling a 1d20. Defenses against an inject fail when the player rolls 10 or lower. For each inject the player will roll a 1d20 and then determine their final score against the inject by:

- Adding their 1d20 roll to the modifier for one control (should they have an effective control).

- Adding the deployment tier value for that control, if implemented, to the roll.

- Subtracting fatigue from the roll. Equivalently, fatigue may be added to the roll value needed for success at the start of the inject.

For each inject where a player fails, the Incident Manager will assign an additional dice roll that determines the cost of remediating the failure. This cost is removed from the player's budget. Where a player rolls a 1 this is a complete failure. No modifier can help. For each natural 1 the cost of remediating the issue is doubled and removed from the player's budget.

Advanced Cubicles & Compromises – v1. 8

Where a player scores an 11-19, which can be a combination of the 1d20 roll and the modifier that comes from a control and its deployment tier, the player incurs no additional cost. The control protected the company from the inject. Where a player rolls a natural 20 on their 1d20, not only do they have no remediation costs from the inject; they actually saved money! The Incident Manager will define an additional roll to determine money the player can add to their budget.

Example:

- The incident is on Day 3, giving the player a -3 modifier for fatigue. To successfully recover from the inject a player must roll a 14 (11+3).

- The player rolls a 9 on their 1d20 and they have an effective control that gives them a +3 modifier.

- They also used budget to improve the control's deployment to Tier 2 (Risk Informed), adding an additional +2.

- The total roll for the player is (9+3+2) for a total of 14.

- This player successfully defended against the inject.
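The company-creation costs (tier upgrades bought in order, the $350,000 fully deployed control) and the inject resolution rules above (defend on 11+, one control modifier with no stacking, +1 per tier, -1 fatigue per day, a natural 1 doubling the remediation cost, a natural 20 gaining budget), encoded as an added Python example; this is not code from the guide or its author. It assumes the Incident Manager's extra remediation and bonus dice are supplied as amounts rather than rolled.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Rules as written in the guide (this example is added here; it is not the
# guide's own tooling). The values below come from the guide's text.
STARTING_BUDGET = 2_000_000       # $2MM per player at company creation
SUCCESS_THRESHOLD = 11            # defend on 11+ before fatigue is applied
MAX_CONTROLS_PER_FUNCTION = 5     # at least 1 and at most 5 per CSF function
CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
# Implementation tier upgrades, paid in order as a fraction of the base cost:
# Tier 1 Partial 25%, Tier 2 Risk Informed 50%, Tier 3 Repeatable 75%,
# Tier 4 Adaptive 100%. Each tier bought also adds +1 to the control's roll.
TIER_UPGRADE_FRACTIONS = (0.25, 0.50, 0.75, 1.00)


@dataclass(frozen=True)
class Control:
    name: str
    function: str      # one of CSF_FUNCTIONS
    base_cost: int     # the control's listed cost
    modifier: int      # the control's listed modifier
    tier: int = 0      # implementation tier bought; 0 = deployed, not improved

    @property
    def roll_bonus(self) -> int:
        """Control modifier plus +1 per implementation tier purchased."""
        return self.modifier + self.tier

    @property
    def total_cost(self) -> int:
        """Base cost plus every tier upgrade up to `tier` (tiers cannot be skipped)."""
        if not 0 <= self.tier <= len(TIER_UPGRADE_FRACTIONS):
            raise ValueError(f"invalid tier {self.tier}")
        upgrades = sum(self.base_cost * f for f in TIER_UPGRADE_FRACTIONS[: self.tier])
        return round(self.base_cost + upgrades)


def create_company(controls: Iterable[Control], budget: int = STARTING_BUDGET) -> int:
    """Check the company-creation rules and return the budget left for gameplay."""
    controls = list(controls)
    per_function = {f: 0 for f in CSF_FUNCTIONS}
    for c in controls:
        if c.function not in per_function:
            raise ValueError(f"unknown CSF function {c.function!r}")
        per_function[c.function] += 1
    for f, n in per_function.items():
        if not 1 <= n <= MAX_CONTROLS_PER_FUNCTION:
            raise ValueError(f"{f}: {n} controls, need 1..{MAX_CONTROLS_PER_FUNCTION}")
    remaining = budget - sum(c.total_cost for c in controls)
    if remaining <= 0:
        # Out of budget before play starts means out of business.
        raise ValueError("controls exceed the budget; keep some for injects")
    return remaining


@dataclass(frozen=True)
class InjectResult:
    score: int                  # d20 + chosen control bonus
    target: int                 # 11 + fatigue for the day (fatigue raises the bar)
    defended: bool
    budget_delta: int           # negative = remediation cost, positive = money gained
    control_used: Optional[str]


def resolve_inject(d20: int, day: int, effective_controls: Iterable[Control],
                   remediation_cost: int, bonus_budget: int = 0) -> InjectResult:
    """Resolve one inject roll.

    `effective_controls` are the player's deployed controls the Incident Manager
    ruled effective. Only one may be used (no stacking), so the best is chosen.
    `remediation_cost` and `bonus_budget` stand in for the extra dice the Incident
    Manager assigns on a failure or a natural 20 (an assumption of this example).
    """
    if not 1 <= d20 <= 20:
        raise ValueError("d20 must be 1..20")
    if day < 1:
        raise ValueError("day starts at 1")
    best = max(effective_controls, key=lambda c: c.roll_bonus, default=None)
    bonus = best.roll_bonus if best else 0
    name = best.name if best else None
    target = SUCCESS_THRESHOLD + day      # -1 fatigue per day, applied to the target
    score = d20 + bonus
    if d20 == 1:                          # natural 1: no modifier helps, cost doubled
        return InjectResult(score, target, False, -2 * remediation_cost, name)
    if d20 == 20:                         # natural 20: no cost, the company gains money
        return InjectResult(score, target, True, bonus_budget, name)
    if score >= target:
        return InjectResult(score, target, True, 0, name)
    return InjectResult(score, target, False, -remediation_cost, name)


def apply_result(budget: int, result: InjectResult) -> Tuple[int, bool]:
    """Return (new budget, still in business); no budget left ends the game."""
    new_budget = budget + result.budget_delta
    return new_budget, new_budget > 0
```

The guide's own example (Day 3, a 9 on the d20, a +3 control at Tier 2) resolves to a score of 14 against a target of 14, a successful defence with no cost.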

Conclusion of Game

The game concludes when:

- A player runs out of budget.

- The incident injects are over and the incident is resolved.

Where played with a single company the Incident Manager will move to the Review of the Injects and Outcomes. Where the game is played in a workshop with multiple companies the Incident Manager will determine which player was left with the most budget and announce the winner. In the event of a tie the players will have a best of their 1d20 roll off. Highest two rolls wins. The injects and incident are then reviewed as a group.

Review of Injects & Outcomes The Incident Master will review the entire incident with the players. Specifically, they will cover why the injects are related to real world threats and how players can improve their ability to respond to those threats. It is important that the injects and the incident use threat modeling to create a simulation to address real challenges businesses may face. Where the game is played with a single company the incident manager may deliver specific feedback for the organization to improve their Incident Response Plan. This may be in the form of a discussion or a formal report.

NIST CSF Controls Players must select at least one control for their company per NIST CSF function for a minimum of five controls. When played with a single organization’s Incident Response Plan the actual controls used at that organization will be used during play. Players may use the budget at their disposal to purchase controls and improve their deployment tiers.

Identify

Asset Management

Discovery Scanner
A discovery scanner can be used to map the internal and external environment to create an inventory. This improves your chance of detecting systems that are deployed without other controls.
Cost: $15,000
Modifier: +1

ITSM CMDB
An IT Service Management Configuration Management Database is a central repository of all your inventory information and configuration data. This helps understand potential impact from down systems and dependencies, assigns system owners, and aids in tracking system lifecycles.
Cost: $25,000
Modifier: +1

Asset Management Process
Processes to accurately track systems and software inventory within the business. A proper process is tool agnostic and leads to better outcomes for all security processes.
Cost: $75,000
Modifier: +2

Business Environment

Procurement Onboarding
A procurement onboarding process helps prevent "Shadow IT" and "surprise deployments" by managing who can purchase hardware and software, including approvals and toll gates that must be passed before purchases. This includes requiring security reviews and approvals.
Cost: $25,000
Modifier: +1

Advanced Cubicles & Compromises – v1. 9

Contract Integration This process is closely related to procurement onboarding. It validates contracts for products or services brought into the business have the appropriate security language based on the risk they bring to the organization. Cost: $25,000 Modifier: +1

Project Management Tracking This process validates appropriate hours are given to the security team to deploy controls, test controls, and validate hardening for new project deployments. Cost: $75,000 Modifier: +2

Executive Support An Executive and Leadership Team that sees security as a critical partner to the business. Executive Support helps gain resources, prioritizes effort, and supports the security team when the business needs to change direction. Cost: $200,000 Modifier: +4 Governance Security Policies Well defined policies that appropriately and clearly state acceptable practices, minimum security standards, and enforcement actions. Cost: $50,000 Modifier: +2

Legal Team A legal team that is technology savvy and security focused. They see security as a critical partner during contract review. Cost: $150,000 Modifier: +3

Compliance A compliance team that sees compliance as more than “Checkbox Security”. They are focused on understanding the technical controls and how they address risk. Cost: $50,000 Modifier: +2

Risk Assessment Vulnerability Management The vulnerability management process is more than just scanners. This process is enforced and regularly managed to make sure vulnerabilities are addressed in a timely manner. It also ensures leadership is informed and understands the possible impact of vulnerabilities. Cost: $100,000 Modifier: +3

Risk Assessment Processes
This is closely linked to the vulnerability management process. It works with business partners to build a rigorous understanding of the impact of vulnerabilities, tying deep technical knowledge to quantifiable risk in dollar amounts that leadership can readily understand. Cost: $100,000 Modifier: +3

Risk Management Strategy

Risk Management Process
The risk management process is different from the risk assessment process. It takes the output of the assessment and works with leaders in the business to assign deadlines, track progress, and close risks. Cost: $75,000 Modifier: +2

Risk Management Policy
The risk management policy defines acceptable risk for the organization. Preparing it in advance gives a clear definition of what the organization will and will not accept. This is often critical to removing friction between teams over how and when critical fixes will be applied to remove risk. Cost: $25,000 Modifier: +1

Risk Register
A risk register tracks all known risks, where each is in the resolution process, its compensating controls, and its resolution owner. This helps the organization understand its risk holistically and may reveal risks that, paired together, have an impact greater than the sum of their parts. Cost: $25,000 Modifier: +1

Protect

Access Control

Single Sign On
Single sign on allows one account to be used for authentication to all systems. This reduces the chance of forgotten accounts lingering after an employee exits the business, is easier to manage, and decreases the complexity of the identity management process. The same property concentrates risk: a compromised SSO credential reaches every connected system, so SSO is normally paired with MFA. Cost: $250,000 Modifier: +4

Multi-Factor Authentication
Multi-Factor Authentication (MFA) requires two or more different types of authentication factor to verify an identity, for example a password plus a one-time passcode, or a password plus a biometric such as a fingerprint. This drastically reduces the chance that a stolen login credential alone can compromise an account. Cost: $250,000 Modifier: +4

Role Based Access
This process creates roles for each job function in the organization. Permissions are assigned to roles and users are assigned to those roles. When a user is added to a role they receive only the access they need to perform their job, nothing more. When users change roles they receive only the access granted to the new role, and any access that differs is removed. This is often how least privilege is achieved in practice. Cost: $150,000 Modifier: +3

Physical Access Controls
Physical access controls prevent access to sensitive areas where physical presence may grant greater permissions and access to data. Examples are data centers, network closets, and file storage rooms. Cost: $100,000 Modifier: +2

Awareness and Training

Employee Security Awareness Training
This level of training informs employees of basic security practices, the policies and standards they are held to, and the enforcement actions possible if those policies are not met. Cost: $25,000 Modifier: +1

Developer Security Awareness Training
This level of training informs developers of their role in the organization as people with access to sensitive source code, the policies around code development and deployment, and secure coding practices. Cost: $25,000 Modifier: +1

Privileged User Security Awareness Training
This level of training informs employees with enhanced access and privileges of their roles and responsibilities in protecting systems and data. Examples: Domain Admins, administrators of SOX systems, employees with access to PII or the datacenter. Cost: $50,000 Modifier: +2

Third-Party Rules and Training
This level of training is tied to third-party suppliers and partners. It informs them of their responsibilities as they are granted access to confidential business systems and data. Cost: $50,000 Modifier: +2

Data Security

Encryption at Rest
Encrypts stored data within the organization using currently accepted ciphers, implemented according to current best practices. This protects data as it sits on disk; it does not protect data from an attacker who has compromised an account or system that is authorized to decrypt it. Cost: $50,000 Modifier: +2

Encryption in Motion
Encrypts data in motion as it moves within and out of the organization, implemented according to current best practices. This protects data from an attacker who intercepts or monitors network traffic. Cost: $50,000 Modifier: +2

Asset Disposal Process
This process validates that assets which may contain sensitive information are disposed of properly. This may include hard drive shredding or drilling, data wipes, or shredding of entire devices. Cost: $20,000 Modifier: +1

CDN
Content Delivery Networks cache content in globally distributed datacenters to increase performance and absorb load-based attacks. Cost: $75,000 Modifier: +2

Load Balancer
Distributes load between systems, servers, or datacenters. This is different from a CDN, but may be used with one. The load balancer determines when and how to route traffic based on current load. Cost: $75,000 Modifier: +2

WAF
Web Application Firewalls help mitigate vulnerabilities in web applications that cannot yet be remediated. A WAF blocks known attack patterns aimed at vulnerable web applications; it does not remediate the vulnerability, and attackers routinely probe for encodings and request shapes that slip past its rules. Cost: $75,000 Modifier: +2

Globally Distributed Datacenters
Creates regional failover and performance improvements for delivery of services. This can be tied to CDNs. In the event of a localized issue or attack, impact is limited in other parts of the world, and traffic can be shifted to datacenters that are not affected. Cost: $200,000 Modifier: +2

DLP
Data Loss Prevention evaluates data to determine whether it is sensitive and takes action on it. Internally this may trigger alerts when specific users access sensitive information they have no need to access. Externally it can monitor and block sensitive data leaving the environment. Cost: $100,000 Modifier: +2

CASB
Cloud Access Security Brokers monitor connections to cloud services and can act as a proxy to those services, limiting specific risks. Examples: preventing data from being moved to Google Drive; proxying access to Dropbox so that the end user never holds the underlying account credentials and loses access when they leave the business. Cost: $100,000 Modifier: +2

Enterprise Software Deployment
These tools provide approved deployments and self-service functions for software and patches. They help maintain patch levels and licensing compliance, and help prevent the installation of unapproved software. Cost: $100,000 Modifier: +2

File Integrity Monitoring
This control monitors for changes to files whose modification may damage the environment, cause an audit control to fail, or alter a security control. By watching these important files, possible control failures can be detected. Cost: $100,000 Modifier: +2
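
What a file integrity monitor actually does is baseline a set of important files and later diff the live system against that baseline. The following is an added example, not code from the AC&C guide: it hashes a small constructed directory tree (the file names and contents are made up for the demo), simulates a few post-compromise changes, and reports what was added, removed, and modified. In a real deployment the baseline is stored and signed off the monitored host, since an attacker with root can otherwise rewrite it, and files that legitimately churn (logs, caches) are excluded so the alerts stay reviewable.

```python
"""File integrity monitoring: baseline, then report added/removed/modified files.

Added example, not part of the AC&C guide. File names and contents below are
constructed for the demo; real deployments watch paths like /etc, /bin and
application configuration, and keep the baseline off the monitored host.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative, POSIX-style path) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-hash the tree and diff it against the stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in baseline.keys() & current.keys()
            if baseline[name] != current[name]
        ),
    }


def demo() -> Dict[str, List[str]]:
    """Build a small constructed tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")
        (root / "etc" / "ssh_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"\x7fELF constructed placeholder")

        baseline = build_baseline(root)  # in practice: stored and signed off-host

        # Simulated post-compromise changes: a privilege grant in sudoers, a
        # hardening file removed, and a new cron job dropped in.
        (root / "etc" / "sudoers").write_text(
            "root ALL=(ALL) ALL\nwww-data ALL=(ALL) NOPASSWD: ALL\n"
        )
        (root / "etc" / "ssh_config").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "update").write_text("* * * * * root /tmp/.x\n")

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Running it reports `etc/sudoers` as modified, `etc/ssh_config` as removed and `etc/cron.d/update` as added. Each of those three is the kind of change the control exists to catch: a privilege escalation path, a hardening setting silently dropped, and a persistence mechanism.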

Network Segmentation
This control separates systems, services, and applications into network segments of like systems. This allows specific controls to be deployed to those networks and granular monitoring to be configured. Example: a PCI network that contains only systems in scope for PCI, so monitoring and controls specific to PCI can be deployed on that network without burdening other systems. Cost: $100,000 Modifier: +2

Firewalls
Firewalls enforce rules about which connections can be made between systems and across network boundaries. Some advanced firewalls also inspect packet contents to decide whether traffic should be allowed onto the destination network. Cost: $100,000 Modifier: +2

IPS/IDS
Intrusion Prevention System/Intrusion Detection System perform deep packet inspection and evaluate communication across a defined boundary for malicious activity. A prevention system sits inline and stops the activity, while a detection system only alerts that a potential issue occurred. Cost: $100,000 Modifier: +2

Application Whitelisting
This control defines the specific binaries that are allowed to execute on a system. If a binary is not approved, such as a malicious file or malware, a properly deployed application whitelist prevents its execution. Cost: $100,000 Modifier: +2

Information Protection Processes and Procedures

Hardened Images
Hardened images and configurations draw on best practices, such as the Center for Internet Security (CIS) Benchmarks and Critical Security Controls, and integrate the recommended configuration to raise the overall security posture of the system. Cost: $50,000 Modifier: +2

Lifecycle Management
Lifecycle management is closely aligned with asset management. Where it differs is that it looks holistically at the system and validates that, as the system evolves, its asset tracking, policies, processes, procedures, change records, and hardening evolve with it. This helps make sure systems about to go End of Life have a retirement plan before support becomes unavailable. Cost: $35,000 Modifier: +1

Backups
Backups create a copy of important data so it can be recovered after a security event or disaster. This may be tape, disk-to-disk, or cloud-based backup. The type of backup is closely tied to the data's importance to the organization as well as the business continuity and disaster recovery plans. A backup that is always reachable from the production network can be encrypted or deleted by the same attacker, so at least one copy should be offline or otherwise immutable, and restores should be tested. Cost: $50,000 Modifier: +2

Data Destruction
Validates and destroys data the organization no longer needs to retain. This is different from asset destruction, as it aims to reduce the amount of data the company holds that may place it at risk. Example: keeping personally identifiable information of customers that no longer benefits the company's operations. This may also include destruction of data required under applicable international law. Cost: $100,000 Modifier: +2

IR/BCP/DR Plans
Incident Response Plans, Business Continuity Plans, and Disaster Recovery Plans all help the organization react to situations that critically impact business operations. These plans are necessary to recover quickly from major events that damage the business. Cost: $75,000 Modifier: +2

Maintenance

Patch Management
This process deploys fixes to systems and software that may otherwise allow critical impact to the organization. A well-designed patch management process gives clear guidance on when and how patches will be deployed, and it validates that the deployment actually happened. Cost: $100,000 Modifier: +3

Systems Maintenance Processes
This process is the “care and feeding” of systems. It may include patching, but also looks at the overall health of the system: aging hardware replacement, firmware updates, and quarterly health checks by vendors may all be part of it. Cost: $50,000 Modifier: +2

Protective Technology

Audit Log Processes
An audit logging process defines what will be logged, how it will be logged, where it will be logged, and for how long. This is critical because it determines an organization's ability to review events. Without it, information that should be logged may go unrecorded while an abundance of unnecessary information floods the logging servers. Cost: $20,000 Modifier: +1

Privileged Access Management
PAM creates a layer of access control between systems and privileged users. Many PAM systems are configured so that any enhanced access to an environment, such as root or domain admin, must be proxied through the PAM system. It may also log or record what is done, and when, with the privileged access. PAM systems often vault credentials so that even the privileged user never learns the credential used to reach the sensitive system. Cost: $100,000 Modifier: +2

Detect

Anomalies and Events

SIEM
Security Information and Event Management is often looked at as a log aggregator, but it is more than that. A SIEM can correlate events across systems, log sources, time zones, and more. This allows alerting on possible attacks that involve multiple touch points within the environment, where each event on its own would look benign. Cost: $100,000 Modifier: +2
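
The correlation the entry describes is easier to see than to describe. The following is an added example, not code from the AC&C guide or any SIEM product: it takes constructed events from two sources logging in different time zones (a VPN gateway in UTC and a domain controller in US Eastern) and fires only when a burst of VPN failures is followed by a success from the same source and that account is then added to a privileged group on another host. The account names, hosts and addresses are made up; the Windows event ID 4728 ("member added to a security-enabled global group") is real. The thresholds and windows are assumptions for the demo.

```python
"""Cross-source correlation of the kind a SIEM rule performs.

Added example, not part of the AC&C guide. The events below are constructed:
a VPN gateway logging in UTC and a domain controller logging in US Eastern
(-05:00). Neither event stream is alarming on its own; together they are.
"""
import shlex
from datetime import datetime, timedelta
from typing import Any, Dict, List

# Constructed key=value events. Event 4728 is the Windows "member added to a
# security-enabled global group" audit event.
SAMPLE_EVENTS = """
2024-03-02T08:00:05+00:00 host=vpn-gw source=vpn user=jsmith src=203.0.113.9 result=FAIL
2024-03-02T08:00:09+00:00 host=vpn-gw source=vpn user=jsmith src=203.0.113.9 result=FAIL
2024-03-02T08:00:14+00:00 host=vpn-gw source=vpn user=jsmith src=203.0.113.9 result=FAIL
2024-03-02T08:00:21+00:00 host=vpn-gw source=vpn user=jsmith src=203.0.113.9 result=FAIL
2024-03-02T08:00:30+00:00 host=vpn-gw source=vpn user=jsmith src=203.0.113.9 result=SUCCESS
2024-03-02T08:01:10+00:00 host=vpn-gw source=vpn user=abrown src=198.51.100.7 result=SUCCESS
2024-03-02T03:12:44-05:00 host=dc01 source=ad event=4728 user=jsmith group="Domain Admins"
2024-03-02T04:30:00-05:00 host=dc01 source=ad event=4728 user=abrown group="Domain Admins"
"""

FAIL_THRESHOLD = 3                    # failures before a success that we care about (assumed)
FAIL_WINDOW = timedelta(minutes=10)   # look-back from the success (assumed)
PRIV_WINDOW = timedelta(minutes=30)   # look-ahead from the success (assumed)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def parse_events(text: str) -> List[Dict[str, Any]]:
    """Parse key=value lines. Timestamps become timezone-aware datetimes so
    sources in different zones compare correctly. Returned sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, *fields = shlex.split(line)   # shlex keeps quoted values intact
        ev: Dict[str, Any] = {"ts": ts, "time": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def correlate(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Alert when an account has >= FAIL_THRESHOLD VPN failures then a success
    from the same source, and is then added to a privileged group on another
    host within PRIV_WINDOW."""
    vpn = [e for e in events if e.get("source") == "vpn"]
    priv = [
        e for e in events
        if e.get("source") == "ad" and e.get("event") == "4728"
        and e.get("group") in PRIVILEGED_GROUPS
    ]
    alerts = []
    for s in (e for e in vpn if e["result"] == "SUCCESS"):
        fails = [
            e for e in vpn
            if e["result"] == "FAIL" and e["user"] == s["user"] and e["src"] == s["src"]
            and s["time"] - FAIL_WINDOW <= e["time"] < s["time"]
        ]
        if len(fails) < FAIL_THRESHOLD:
            continue
        for p in priv:
            if (p["user"] == s["user"] and p["host"] != s["host"]
                    and s["time"] < p["time"] <= s["time"] + PRIV_WINDOW):
                alerts.append({
                    "user": s["user"], "src": s["src"], "failures": len(fails),
                    "vpn_success_utc": s["time"].isoformat(),
                    "group_change_utc": p["time"].astimezone(s["time"].tzinfo).isoformat(),
                    "group": p["group"], "host": p["host"],
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_EVENTS)):
        print(a)
```

Only jsmith produces an alert. Four failed VPN logins and a success would be a routine password-reset story on the VPN console alone, and a Domain Admins addition would be routine on the domain controller alone; the rule is interesting because it joins the two by account and by normalised time. abrown has the same group change but no failure burst, so nothing fires, which is the behaviour you want from a rule that the SOC will have to triage.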

Log Review
This process determines how logs are reviewed. It may include answering questions like: What is looked for when reviewing system logs? How is the review documented? When anomalies are found, how are they escalated for investigation? This is a critical process, as logs that are captured but never reviewed leave large gaps in the detection of potentially malicious actions. Cost: $50,000 Modifier: +2

Alert Review
Alert review is different from log review. Alerts are configured to trigger when certain conditions are met within log files or monitoring systems. Alert review should have specific triage steps assigned to each alert type and actions to take based on the findings. Those actions should also carry a service level agreement (SLA) to ensure alerts are addressed in a timely manner. Cost: $50,000 Modifier: +2

Security Continuous Monitoring

SOC
The Security Operations Center is dedicated staff trained in the monitoring, review, identification, and escalation of potential security events. The SOC is usually dedicated to responding to alerts that are predetermined in playbooks. Cost: $100,000 Modifier: +3

EDR
Endpoint Detection and Response is a toolset deployed on systems to detect malicious activity or files. These tools may alert the Security Operations Center, allowing it to take direct action on the system, which may include isolating the server or desktop from the rest of the network. Cost: $100,000 Modifier: +2

AV
Anti-Virus, or traditional signature-based anti-malware tooling, looks for files that were previously identified as malicious. It does not look at the behavior of the file or process, so new or repacked malware passes it. AV is often required by compliance standards. Cost: $100,000 Modifier: +2

Behavioral Analysis
Behavioral Analysis tools build a baseline of how a user, system, or service behaves. When is it active? What other systems or services does it regularly connect to? If the behavior of the user, system, or service deviates from the baseline, an action can be taken. This may be alerting the SOC or preventing the behavior until further review. Cost: $100,000 Modifier: +2
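
To make the two questions in the entry concrete, the following added example (not code from the AC&C guide or from any behavioral analysis product) learns a per-user baseline of active hours and destination systems from a constructed connection history, then scores new connections against it and maps the result onto the two responses the entry names: alert the SOC, or hold the action for review. The user, host and service names are made up, and the rule that one deviation alerts while two or more hold is an assumption chosen for the demo.

```python
"""Baseline-and-deviation scoring of the kind a behavioral analysis tool performs.

Added example, not part of the AC&C guide. The connection history below is
constructed; a real tool would learn it from weeks of VPN, proxy or auth logs.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Conn(NamedTuple):
    user: str
    hour: int   # hour of day (0-23) the connection started, in the user's local zone
    dest: str   # destination system or service


class Baseline(NamedTuple):
    hours: Set[int]   # hours of day in which the user has been seen active
    dests: Set[str]   # systems the user regularly connects to


def learn_baseline(history: List[Conn]) -> Dict[str, Baseline]:
    """Per-user baseline of active hours and destinations from observed history."""
    hours: Dict[str, Set[int]] = defaultdict(set)
    dests: Dict[str, Set[str]] = defaultdict(set)
    for c in history:
        hours[c.user].add(c.hour)
        dests[c.user].add(c.dest)
    return {user: Baseline(hours[user], dests[user]) for user in hours}


def deviations(conn: Conn, baselines: Dict[str, Baseline]) -> List[str]:
    """List each way a connection departs from the user's baseline."""
    b = baselines.get(conn.user)
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if conn.hour not in b.hours:
        reasons.append(f"active at {conn.hour:02d}:00, outside observed hours")
    if conn.dest not in b.dests:
        reasons.append(f"first connection to {conn.dest}")
    return reasons


def decide(conn: Conn, baselines: Dict[str, Baseline]) -> str:
    """Map deviations to the two responses the guide names.

    One deviation is common for legitimate work (a new project server, an
    early start), so it only alerts; two or more hold the action for review.
    These thresholds are an assumption for the demo, not a vendor's defaults.
    """
    n = len(deviations(conn, baselines))
    if n == 0:
        return "allow"
    return "alert" if n == 1 else "hold-for-review"


# Constructed history: jsmith works 09:00-17:00 against three internal systems.
HISTORY = [Conn("jsmith", h, d)
           for h in range(9, 18)
           for d in ("fileserver01", "crm-app", "mail")]


def demo() -> Dict[str, str]:
    """Score a handful of constructed new connections against the learned baseline."""
    baselines = learn_baseline(HISTORY)
    observed = {
        "normal": Conn("jsmith", 10, "crm-app"),
        "new_system": Conn("jsmith", 11, "hr-db"),
        "night_to_dc": Conn("jsmith", 3, "dc01"),
        "unknown_user": Conn("svc-backup", 12, "fileserver01"),
    }
    return {name: decide(c, baselines) for name, c in observed.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

The mid-morning CRM connection is allowed, a first connection to an HR database during working hours only alerts, and a 03:00 connection to a domain controller is held because it is wrong on both axes. The unknown service account shows the cold-start problem every such tool has: with no baseline there is nothing to compare against, so new accounts need either a learning period or a policy-based default rather than silence.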

Vulnerability Scans
Vulnerability scans may cover networks, servers, and applications (dynamic or static analysis) to identify potential weaknesses that need to be remediated before they can be exploited. The reports from these scans feed the vulnerability management process. Cost: $100,000 Modifier: +2

Detection Processes

Threat Hunting
The Security Operations Center responds to alerts and events that are predefined in playbooks. Threat Hunting looks for potentially malicious activity that is not yet defined. Threat hunters' findings may be used to improve controls and create new playbooks for the SOC. Cost: $200,000 Modifier: +4

Red Teaming
Red Teaming operates as a potential adversary would within the environment. This type of testing generally has very few exclusions from scope. The goal is to evaluate controls by attacking the environment the same way likely attackers would. The output of these exercises is used to improve controls and detection capabilities. Cost: $100,000 Modifier: +2

Respond

Response Planning

Response Plan Process
This process defines who, where, and how the organization will respond to an incident or other emergency. A well-defined response plan helps limit the added damage of a poorly executed response to a critical event. Everyone in the response plan should be trained and aware of their duties. Cost: $75,000 Modifier: +2

Communications

Communication Plan Process
Over-communicating, under-communicating, and failing to tailor information to the appropriate audience can have far-reaching impact on an organization during incident response. Communicating incorrect information at the wrong time often worsens the situation even if the facts of the incident have not changed. A well-defined communication plan that states when and how communication will be sent, to whom, and by whom, is critical to incident response. Cost: $50,000 Modifier: +2

Analysis

Impact Analysis
Proper impact analysis is critical to addressing the issues that actually matter in the incident. A clear understanding of what happened and how it can be addressed is needed for leadership and incident responders to make informed decisions. Cost: $50,000 Modifier: +2

Mitigation

Mitigation Plans
A mitigation plan defines how the issue will be resolved. This may be a temporary or permanent fix. The plan may define timelines and owners of mitigation processes. Often a mitigation plan can be put in place before an incident, since it defines who will own tracking and resolution; that team can then gather resources and prepare in advance. Cost: $75,000 Modifier: +2

Mitigation Processes
Mitigation processes are used as part of the mitigation plan. They are used to deploy fixes that result in a temporary or permanent solution, thus resolving the incident. Cost: $75,000 Modifier: +3

Improvements

After Action Review/Lessons Learned Plan and Process
This plan and process is critical to improving an organization's overall security and its ability to respond to incidents. Without it, avoidable incidents will repeat themselves. Cost: $75,000 Modifier: +3

Recover

Recovery Planning

Regular Testing and Validation of Recovery Plans
Testing and validation plans are necessary because live incidents should not be the sole driver of process improvement. This may include tabletop exercises, backup and restore testing, or datacenter/network failover testing. These exercises allow controlled testing to discover flaws in planning and process that could otherwise prevent quick recovery from an incident. Cost: $50,000 Modifier: +2

Improvements

Regular Updating of Recovery Plans
If testing exercises are run but the lessons learned from them are not incorporated into the recovery plans, the effort is wasted. Discovering problems is generally much easier than fixing them. Regularly updating recovery plans helps ensure that findings from testing are actually addressed. Cost: $50,000 Modifier: +2

Communications

Public Relations Team
A skilled PR team can often control messaging during an incident, giving leadership and the incident response teams much-needed time to evaluate impact against mitigation plans. The PR team may also be able to address misinformation that would otherwise draw undue scrutiny onto the organization. Cost: $75,000 Modifier: +2

Brand Management Team
The brand management team proactively develops relationships within the organization and monitors brand usage. This may include monitoring look-alike domains, brand and trademark infringement, and working with legal teams to take down potentially malicious web properties. This can be invaluable assistance both before and during an incident. Cost: $75,000 Modifier: +2

Social Media Team
Much like the PR team, a skilled social media team can address trending topics and quell anger before it becomes an attack campaign. They can also detect scams that target the organization and act as an early warning when certain topics trend and are tied to the organization. Examples: hacktivism, social campaigns encouraging boycotts, and attacks against the organization or its suppliers. Cost: $75,000 Modifier: +2