Some tabletop-exercise advice from the FBI

At the inaugural CrowdStrike Government Summit, an FBI official outlined important considerations during the disaster dress-rehearsal known as the tabletop exercise. One of them: Stay in touch, will ya?

Bryan Vorndran, assistant director of the Cyber Division at the FBI, used his closing remarks at the panel session in Washington, DC, to offer some advice for any simulated scenarios:

• Prepare for comms to go down: Know your out-of-band plan for when email, VoIP, and even execs’ personal devices go down. “We’ve had CEOs who have had their personal cell phones compromised, and…robo-texted and robo-called, so they can’t use their cell phone to engage with their organization about how to recover properly,” Vorndran told the crowd.
• Pay or not to pay: That is the heavily debated ransomware question.
• Have the board involved…as observers: Executives and operation-level personnel should determine what information will be shared with board members (and when).

An additional question to run through in the run-thru: Will details be shared with government agencies? Vorndran hopes the answer is yes, given the success of joint actions between third-party vendors, third-party intelligence, and groups like the FBI and CISA.

“Understand that you are sitting on unique value, from a net-defense perspective,” the kind that can impose cost on an adversary, Vorndran told the crowd in April.

Hafnium the battle. In March of 2021, HAFNIUM, a hacker group named by Microsoft, attacked compromised Exchange servers. The threat actors, believed to be based in China and benefitting from state sponsorship, installed malicious scripts known as web shells to exfiltrate data.

Vorndran noted the joint effort, which included notifications and advisories from CISA, Microsoft, and the FBI. A third-party intelligence company (which Vorndran intentionally chose not to name) found individual instances of malware, allowing the FBI to cut the executable and communication to HAFNIUM.

“But for Microsoft, but for the third-party threat-intelligence company, and but for the FBI coming together, we would have never been able to discover a tribute and remove that malware from the system,” said Vorndran, who also noted how the router manufacturer WatchGuard worked with the FBI, CISA, the DOJ, and UK NCSC to stop a sophisticated, state-sponsored botnet called Cyclops Blink.

Vondran’s advice to scale collaboration: Start up conversations with a CISA regional cybersecurity adviser and a local FBI field office.

“I think it’s all about dialogue for the purpose of building a trust-based relationship,” said Vorndran, noting the importance of sharing threat-intelligence observations and communicating what’s needed from the agency in return.

“Hold us accountable to that,” he said.

Let’s table this. Some questions to consider in a tabletop exercise: How do you want the FBI to engage with your organization? Do you want to introduce them to third-party breach counsel ahead of any intrusion? How will third-party incident-response teams engage with law enforcement?

Answering those questions proactively builds trust that’s helpful when dress rehearsal becomes the real deal.

“If that day comes, the efficiency of that day is already preprogrammed,” said Vorndran.—BH