After Action Report: CAPS 2024

AAR

Please create an after action report and recommendations with the following notes on the CAPS exercise as well as aggregate the survey answers together

Section 1: Account Takeovers and Unauthorized Funds Transfers

Scenario Pt 1: Several High-Value Customers have been targeted by Spear Phishing attacks via email, leading to customer account lockouts and unauthorized funds transfers. Additionally, an employee returning from a 2-week vacation has reported being unable to log in to their work account. Logs report this employee requested log in assistance a week ago.

Discussion 1:

Did we choose to adjust the assumptions provided in this scenario?
- No, the scenario is relevant to our organization
What changes did you make to the assumptions underlying the scenario
- None
Do you have a standard process if a customer reports Spear Phishing, Inability to access account, Unauthorized disbursements?
- Yes, all of these items would be immediately reported to the Fraud Alert email group including:
Has your organization experienced employee impersonation? Customer spoofing? Voice impersonation and cloning?
- Business email compromise leading to employee impersonation has occurred within the past year. Customer spoofing via phone number spoofing and contact information hijacking has occurred years prior.

Discussion 2:

Do you have employees with expertise in Security Investigations?
- Currently no, IT and Risk staff do not have expertise in Security Investigations.
Do you have a firm on retainer to support Security Investigations?
- Currently no, we do not have a firm on retainer. We maintain close relationships with Cybersecurity Firms such as Rebyc for quick response to these situations, but none officially retained.
Do you have policies in place or under review for limiting employee personal/professional information sharing in communications, voicemails, social media, and other policies?
- Currently there are no formal policies in place to limit Personal Information sharing in social media and communications. Professional Information shared on social media and communications is subject to review by Human Resources and can lead to further investigation if warranted. Covered under our Acceptable Use Policy.
How quickly and effectively could you track the movement of an impersonated employee’s credentials through your organization?
- A multi-layer system is in place to identify and track impersonated employee credentials through the organization. A relatively quick response is expected and the Zero Trust Network Environment and MFA systems allow us to effectively stop and track lateral movement through the organization.

Discussion 3:

What types of AI development has organization undertaken or would consider implementing?
- Currently, no development is performed by the organization. Some AI tools have been implemented or are considered for implementation for security monitoring and reporting, but AI tools would not be considered for roles or functions requiring elevated permissions.
Does organization classify, tag, and track assets that contain sensitive data?
- All workstations and devices with internal network access are classified by device type and encrypted with onboard tools.
Discuss the Industry Briefing - Multi-Pronged, Copycat TTPs, Global, Multiple Industries
- A coordinated attack such as the one in the briefing would be very difficult to stop outright. Our current security posture is being built up as a multi-layer system (i.e. Defense in Depth) to mitigate the most damaging aspects of these attacks and reduce the likelihood of these attacks by hardening ourselves and being less appealing for attackers.
Does organization have process to determine if vendors or third-parties were attacked?
- Currently no, the organization would only be made aware of these attacks if reported directly by vendors or FS-ISAC. Current vendor risk management programs may contain functions to aggregate breach reports from security regulators and industry leaders, but will need to verify.
Prior to the FS-ISAC briefing, would the organization suspect the attack would be a global attack against multiple industries?
- No, there is nothing to suggest this attack has far reaching implications outside the organization. The primary assumption for most attacks is that the incident is isolated, especially with the specificity of the attack vectors.

Survey:

How and where do you get intelligence when there are cyber incidents?
- Closed Source Intel (Ncontracts)
- FS-ISAC
- Open Source Intel (social media, news outlets, etc.)
FS-ISAC has secure intelligence exchange chat capability (Connect). Would you chat with other members about a topic like the one in the exercise?
- No, we have Connect credentials, but would not chat on this
FS-ISAC has a secure intelligence sharing platform (Share) Would you share information about a topic like this via Share?
- We do not know (Dependent on situation)
Would you share breach-related technical information (Indicators of Compromise) securely within the industry?
- Yes, without attribution
Does your organization have a data classification and data tagging program to track assets that may contain sensitive data?
- No, we only have a documented data classification program but no data tagging process
If your Banking institution experienced the above CAPS scenario how would you rank the following data in terms of what would be most damaging to your organization if stolen - most damaging at top
- Customer Data (Borrower Information, Collateral, Income)
- PII
- Account Specific Info
- Debit and Credit Cards
- Online Banking Credentials
- Securities & Investments
Would you need to involve an external security investigations firm or similar support?
- Yes, we would need to find one
Do your Legal/Compliance Teams have plans for a regulatory response if required?
- Yes, we are fully prepared
How does your organization validate the customer’s identity?
- Pre-arranged password/Challenge question
- Challenge with non-public information (SSN, DL #, Passport, Account #)
- Account Specific Information (Transaction date, amount & location, current balance)
How do you identify an employee identity when calling for support?
- Other: Intended to be pre-arranged password
Regarding employee impersonation in the exercise: Would your help desk and procedures likely be spoofed as easily as the scenario organization
- Less likely
How much experience does your organization have with Identity Impersonation?
- Some
Are you employing generative AI in your org?
- Yes, only in certain areas
Do you know what regulators oversee your industry?
- Yes
Do you have a list of reporting obligations with reporting timeframes due to a cyber breach event.
- No documented list
Does your organization have templates and other tools to speed up and improve internal and external communication?
- Yes
Do you have established contacts with local, regional, or federal law enforcement?
- No, but will establish
Does your organization rely on cyber insurance to cover cyber risk and breach events?
- Yes, we require critical 3rd parties to have cyber insurance
What is your organization’s policy on paying ransom to threat actors?
- Do not know
For which elements in the scenario do you have a playbook or plan
- Do not know
Are your playbooks or plans adequate based on scenario?
- Do not know
If this attack happened today, what would be your overall readiness?
- 3 - Somewhat Ready
How challenging was this CAPS exercise?
- Little/Low
How much ongoing benefit will your organization derive from CAPS?
- Little/Low

Section 2: Ransomware Demand

Scenario Pt 2: Following the initial discovery of the cybersecurity event, the organization has received a ransomware threat from Phantom Syndicate. The incident response team is meeting to discuss resolution and responses. A vendor for the organization is reporting a similar attack.

Discussion 4:

Discuss the importance of when an incident is declared
- Discussion of “when to declare” is important to gather details on the situation and to determine the full extent or potential or realized losses. It is also important to clarify with staff the scope of any potential incident to help with overall organization response and control information released to the public. However, it is also important to not delay too long to declare an incident to avoid further damages and allow the Incident Response and Crisis Management teams to begin their work as soon as feasible.
What are your policies and procedures for handling data theft and ransom demand?
- Not formally defined yet. There is currently a split on paying versus not paying at all, however overall attitude towards ransom payments remains flexible and is decided on a case-by-case basis. For example, if it is determined that the cost to the institution for not paying ransom is higher than the demanded ransom, payment should be considered as a viable option.
What type of data is most critical, most important, most damaging if stolen?
- PII and Financial Data. Internal business information such as financial data, investment information, and private business information.
Do you have Cybersecurity Insurance and what is their extortion policy?
- Beazley - Verifying with vendor
Do you have a process for determining if your vendors and third-parties are attacked?
- NContracts provides an incident tracking service for critical vendors including: Jack Henry, Ironcore, iNet, Microsoft, Verafin, Banker’s Bank Madison
Does your Compliance department have a template of resources for timeframes and deadlines for regulatory and legal reporting, and does it have mapping for regulatory obligations following an incident?
- Some information is included in our Incident Response policy.

Discussion #5:

What is your organization’s ability to manage things like emerging technology and attacks - things like AI, LLM, impersonation - do you have support on staff, on retainer? What is their availability, experience?
- Currently, we do not have tools or experience to help identify or help deal with AI or voice impersonation. We do contract Rebyc for security consulting, but they are not on retainer and do not provide immediate response services.
How easily would an employee or customer be able to update their username and password or other access credentials? Discuss your credentialing process(es), automated, manual standard, non-standard, approvals, and review. Discuss changes to strengthen.
- There is a formal process in place with our MSP to verify identity of employees before allowing or assisting with a password change, however this is not always enforced and followed. More follow up with MSP is required. Customer’s can perform password self-resets through the Banno system using confidential information unique to them.
Do you have required back up resources or providers when undertaking new development; would you treat them the same way as a critical provider?
- All vendors are vetted as critical providers to ensure maximum risk reduction for the organization. We do have backups for critical vendors including Ironcore, Jack Henry, and Centurion.

Discussion #6:

Discuss what you need to report, to whom, and by when. Consider all levels and types of regulations, regulatory bodies - for your industry, your location, your country, and other factors.
- Needs to be verified and added to the BCP and Incident Response documentation
Have you experienced a data breach?
- Small data breaches have occurred previously and there have been attempted employee credential takeovers, but no major breach incidents have occurred.
What Legal, regulatory consequences might you face from the data breach?
- Civil lawsuits could follow data breaches. Regulatory consequences need to be verified.
Would you re-establish the new AI Chatbot project as readily as the CAPS organization did?
- Likely not. The vendor response was very poor and could lead to further issues if reimplemented immediately.
What does the CAPS organization still need to do to close out the incident?
- Continue to review lessons learned and further review of the incident response for this specific scenario. Additionally, improve the identified supply chain and vendor support issues.

In Closing:

Evaluate the fictional organization’s response process, actions, and decisions. What are they doing right? What could they do differently to improve their response?
- Response times were lacking and could be attributed to large numbers of involved staff
In thinking about how your own organization would manage the incident response, and what you would do differently, how sufficient are your Incident Response plans to manage this scenario?

Survey:

Does your organization rely on cyber insurance to cover cyber risk and breach events?
- Yes, we require critical 3rd parties to have cyber insurance
What is your organization’s policy on paying ransom to threat actors?
- Do not know
For which elements in the scenario do you have a playbook or plan
- Do not know
Are your playbooks or plans adequate based on scenario?
- Do not know
If this attack happened today, what would be your overall readiness?
- 3 - Somewhat Ready
How challenging was this CAPS exercise?
- Little/Low
How much ongoing benefit will your organization derive from CAPS?
- Little/Low
What is the value vs the investment of time/resources to participate in CAPS
- Moderate/Satisfactory
How would you rate the delivery and quality of CAPS?
- Little/Low
How relevant was the CAPS scenario to your business model?
- Moderate/Satisfactory
Did the CAPS exercise lead you to identify desirable changes to your incident response process?

What are regulatory consequences for not reporting or for having an incident (ransomware) where data is leaked or lost?

Need to define incident, What is serious and when do we automatically report? Timeframes for reporting and declaring incident, written out with all regulatory bodies information added to IR

Need extortion /Ransomware Policy answer from BBR in IR Plan

AWS Security Best Practices (AWS Whitepaper)

CyberStorm