Operation Veritas: Tackling Disinformation - Tabletop Exercise in a Box
Welcome to the tabletop exercise focused on responding to a potential disinformation campaign. This exercise is designed to facilitate a 1 to 1.5 hour discussion on how our organization, specifically a City, would handle and mitigate the impact of a disinformation campaign. The goal of this exercise is to foster a collaborative environment where participants can openly discuss and strategize response measures without fear of blame or judgment. It is important to emphasize that this is a no-fault, low-stress environment aimed at enhancing our preparedness and identifying areas for improvement. By engaging in this exercise, we aim to strengthen our ability to respond effectively to disinformation campaigns and protect the integrity of our city and its stakeholders. Let's work together to navigate this simulated scenario and explore the best strategies to counter disinformation.
Note: While this tabletop exercise is specifically designed with a focus on a city setting, it can be easily adapted for any agency or organization. The core principles and objectives remain the same, regardless of the specific context. By modifying the scenario and tailoring the exercise to your organization's needs, you can effectively simulate and discuss the response to a potential disinformation campaign within your unique operational framework. The lessons and insights gained from this exercise can be valuable for any agency looking to enhance their preparedness and resilience in the face of disinformation challenges.
Including the agency leadership team, cybersecurity team, public relations (communications), City attorney (legal counsel), risk management, and emergency operations as participants in this exercise is recommended.
Day 1, 10 am
The City Manager's office begins receiving calls inquiring about a social media post that purports to provide evidence of corruption by a City Council member. The City Attorney's office also receives several calls regarding the same social media posts.
How do you currently monitor social media posts related to the City or council members?
What actions would you take in response to the situation at hand?
How would you assess the credibility and potential impact of the social media post alleging corruption by a City Council member?
What communication strategies would you implement to address the concerns raised by the social media post and maintain public trust in the City and its officials?
Day 1, 1 pm
The City Council member arrives at City Hall expressing concern, asserting that the allegations are false and denying that the emails depicted in the social media posts are theirs. The emails suggest that the council member is accepting bribes from a construction firm selected for downtown area renovations.
City staff discovered the post on a Facebook group focused on government corruption. It includes screenshots resembling the council member's inbox. The post also claims that the original documents are available on the dark web.
Upon investigation, the IT staff failed to find any evidence of the alleged email being sent or received by the council member.
What course of action do you recommend at this juncture?
How should you address the concerns raised by residents who are contacting the City?
Should you reach out to external entities beyond the City in response to this situation?
Day 3, 3 pm
The council member reaches out to the City Manager's office, informing them that they have received a text message demanding a payment of 2 bitcoins (equivalent to approximately $60,000) within 72 hours. The message threatens that if the payment is not made, a collection of City emails will be disclosed. Attached to the text is an email exchange between the City Council member and the City Manager regarding a pending lawsuit.
Both the City Manager and the council member confirm that the attached email is genuine, although it is unrelated to the alleged bribery email.
Day 4, 9 am
The local press contacts the City, asserting that they have come across some documents on the dark web. They ask for the City's response to the documents and any actions the City has taken. They also raise concerns about the privacy of City residents' information.
At this point, what steps would you take to address the situation?
How would you go about determining if a data breach has occurred and assessing the extent of the breach?
In the event of a ransom demand, what factors would you consider when deciding whether or not to pay the ransom?
What strategies can be employed to monitor the dark web for any documents that may be relevant to the City or its council members?
Day 5, 11 am
IT has reviewed the logs and determined that there was a login to the council member's account from a nation-state that supports terrorism. Additionally, they have discovered that several other accounts have logged in from the same IP address.
IT staff further uncovered the original bribery email concealed within a hidden folder in the Council member's inbox. The logs reveal that it was not transmitted through the email system but rather uploaded directly into the folder. Additionally, IT staff identify similar messages hidden within the inboxes of other staff members.
Do you monitor staff login locations?
Do you enforce the use of multi-factor authentication for remote logins by staff members?
In light of the recent cybersecurity incident, what measures can be implemented to enhance staff awareness and training on recognizing and responding to phishing attempts and other social engineering techniques?
How can the City's public relations team proactively manage the public perception and reputation during a disinformation campaign?
What strategies can be employed to effectively communicate accurate information, address concerns, and maintain public trust?
What will the City do about the data that was leaked and the fact that they might not know the extent of the data breach?
Can they determine what was accessed and what was exfiltrated?
Are there any reporting requirements on that data?
What can the City do given that they don't know the extent or types of data that have been taken?
What can be done to potentially reduce future liability should sensitive information come to light in the future?
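As an added example (not part of this exercise package), here is the kind of sign-in log triage IT would run to reach the Day 5 findings: flag successful sign-ins from outside the expected countries, find source IPs shared by several accounts, and list accounts that signed in without MFA. The log lines, account names, IP addresses and country codes are constructed; the allowlist of expected countries and the `mfa` field are assumptions about what the City's identity provider would export.

```python
# Added example (not part of the exercise package): triage of constructed
# sign-in events for the Day 5 indicators. Names, IPs and country codes are made up.
import json
from collections import defaultdict

# Constructed sample of identity-provider sign-in events (one JSON object per line);
# "ZZ" is a placeholder for the unexpected country, "US" for where staff normally work.
SAMPLE_LOG = """\
{"ts":"2024-03-04T02:11:09Z","user":"councilmember.a","ip":"203.0.113.7","country":"ZZ","mfa":false,"result":"success"}
{"ts":"2024-03-04T08:30:12Z","user":"councilmember.a","ip":"198.51.100.20","country":"US","mfa":true,"result":"success"}
{"ts":"2024-03-04T02:14:51Z","user":"clerk.b","ip":"203.0.113.7","country":"ZZ","mfa":false,"result":"success"}
{"ts":"2024-03-04T02:20:03Z","user":"planner.c","ip":"203.0.113.7","country":"ZZ","mfa":false,"result":"success"}
{"ts":"2024-03-04T09:02:44Z","user":"clerk.b","ip":"198.51.100.21","country":"US","mfa":true,"result":"success"}
{"ts":"2024-03-04T02:25:30Z","user":"attorney.d","ip":"203.0.113.7","country":"ZZ","mfa":false,"result":"failure"}
"""

EXPECTED_COUNTRIES = {"US"}  # assumption: normal sign-in countries for City staff


def parse_events(text):
    """Parse newline-delimited JSON sign-in events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events, expected=EXPECTED_COUNTRIES):
    """Return (accounts with successful sign-ins from unexpected countries,
    IPs used by more than one account, accounts that signed in without MFA).
    Failed attempts are excluded so they do not dilute the indicators."""
    successes = [e for e in events if e["result"] == "success"]
    foreign = sorted({e["user"] for e in successes if e["country"] not in expected})
    by_ip = defaultdict(set)
    for e in successes:
        by_ip[e["ip"]].add(e["user"])
    shared_ips = {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}
    no_mfa = sorted({e["user"] for e in successes if not e["mfa"]})
    return foreign, shared_ips, no_mfa


def accounts_to_reset(events, expected=EXPECTED_COUNTRIES):
    """Containment list per the Day 5 notes: every account that signed in from
    an unexpected country, plus any account sharing a source IP with one."""
    foreign, shared_ips, _ = triage(events, expected)
    to_reset = set(foreign)
    for users in shared_ips.values():
        if any(u in foreign for u in users):
            to_reset.update(users)
    return sorted(to_reset)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("unexpected-country / shared-IP / no-MFA:", triage(evts))
    print("reset these accounts first:", accounts_to_reset(evts))
```

The failed attempt by attorney.d is deliberately left out of the reset list, which is the kind of judgment call the IT review in Day 5 has to make explicit.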
This dedicated session is an opportunity for an open discussion. Let's reflect on what aspects went well, what aspects encountered challenges, and identify areas that require improvement.
When designing a tabletop exercise, it is crucial to avoid revealing the actions of the threat actors to the participants. This is a common mistake that can result in biased responses from the participants. In real-life situations, it is often impossible to ascertain the identity of the attackers or their motives. By keeping the threat actors undisclosed during the exercise, we can simulate the uncertainty and unpredictability of real-world scenarios, allowing participants to develop more objective and effective response strategies. This approach fosters a more comprehensive understanding of the challenges associated with cybersecurity and disinformation campaigns, enhancing preparedness and resilience.
Day 1 Notes:
At the conclusion of day 1, the City finds itself in a state of uncertainty regarding the authenticity of the email in question. While a council member claims it to be fake, City staff cannot confirm its veracity. In such a situation, one crucial action the City should consider is reaching out to law enforcement. Bribery is a grave offense that demands a thorough investigation. Involving law enforcement agencies will enable the City to leverage their expertise and resources in conducting a comprehensive inquiry into the matter. By taking this step, the City demonstrates its commitment to upholding the law, ensuring transparency, and pursuing justice, thereby reinforcing public trust and confidence in its governance.
A key indicator that there might be a larger issue at hand, or that the email could be disinformation, is that the IT staff was unable to locate any evidence of the email being sent or received through the City's email system.
As part of the incident containment strategy, one of the actions staff might have suggested was to disable the council member's mailbox and prompt them to change their password while implementing multi-factor authentication. This measure aims to restrict unauthorized access and reinforce the security of the account.
Furthermore, considering the potential bribery issue, the discussion should also have touched upon the importance of preserving evidence. Preserving evidence becomes crucial in such situations to support any potential investigation or legal proceedings related to the alleged bribery, ensuring that relevant information is safeguarded and available for scrutiny.
Day 3 and 4 Notes:
Based on the developments on day 3 and 4, it becomes evident that the situation is indeed a data breach. The identity of the threat actors remains unknown, adding to the complexity of the incident. These malicious actors have gained unauthorized access to emails that are not meant to be exposed. Their motive appears to be centered around extortion or financial gain, leading the City to presume that the threat actor is likely a cyber-criminal. The revelation of this motive underscores the seriousness of the breach and highlights the importance of promptly addressing the situation to mitigate further damage and protect the City's sensitive information.
With the press now informed and the City council member poised to be in the spotlight, a notable discussion point that may have arisen is the possibility of the potential threat actor having political motives rather than monetary motives. The nature of the attack, specifically targeting the City council member, raises the question of whether the primary objective is to tarnish the reputation or credibility of the individual rather than directly targeting the City as a whole. This consideration broadens the scope of analysis beyond financial gain, highlighting the potential influence of political motivations behind the disinformation campaign.
At this stage, the discussion should center around whether to disclose any information and, if a decision is made to do so, what the content of those statements will be. It is crucial to assess the potential implications and repercussions of public communication amidst the ongoing disinformation campaign. Careful consideration should be given to the timing, clarity, and accuracy of the statements, taking into account the need to address concerns, maintain transparency, and protect the reputation of both the City and the City council member.
Day 5 Notes:
Here is another twist: the threat actor is possibly associated with a hostile nation-state, and their connection to terrorist organizations suggests that their motive could be centered around disruption or spreading disinformation. In light of this, the discussion should veer away from considering the option of paying the ransom. It is important to emphasize that paying ransom to known terrorist groups is illegal, making it an unviable course of action. Furthermore, even if it were feasible, financial gain is highly unlikely to be the primary motive in this scenario.
However, the scenario does not definitively establish the attribution of the threat actor. It is possible that it could be a local individual with a personal motive against the council member, utilizing a VPN anonymizer to conceal their identity. Merely being associated with a nation-state known for connections to terrorist groups does not guarantee their involvement. It could also be a disgruntled resident or political rival. While the likelihood of such scenarios may be low, it underscores the importance of involving experts like the FBI to determine the attribution of the threat actor.
It is evident that the breach extends beyond the council member's account, necessitating containment measures. At the very least, resetting passwords for all identified accounts is essential. However, a more robust approach would involve resetting all passwords and implementing multi-factor authentication for all users, followed by a complete forensic investigation.
If it wasn't discussed earlier, it is crucial to contact the cyber insurance provider early in this scenario. They can provide valuable guidance and expertise in handling the incident. The cyber insurance provider would likely recommend engaging cyber incident responders who can assess the system to determine when and how the first account was compromised and devise appropriate measures to ensure the threat actors are no longer in the City's systems. Their expertise will help determine the extent of the breach, identify potential vulnerabilities, and implement necessary safeguards to protect against future incidents.
In response to the data breach and potential data leakage, the City needs to take immediate action to address the situation. The first step is to conduct a thorough investigation to determine the extent of the data breach and assess what information might have been accessed or exfiltrated. This involves engaging cybersecurity experts and conducting forensic analysis to identify the affected systems, compromised data, and potential vulnerabilities.
Once the City has a better understanding of the breach, they can evaluate whether any reporting requirements apply. Depending on the jurisdiction and the nature of the data involved, there may be legal obligations to notify affected individuals, regulatory bodies, or law enforcement agencies about the incident.
Given the uncertainty surrounding the extent and types of data that have been compromised, it is crucial for the City to prioritize comprehensive security measures. This includes enhancing network monitoring, implementing robust access controls, strengthening encryption protocols, and regularly applying security patches. Additionally, the City should consider implementing data loss prevention measures to prevent further unauthorized access or data exfiltration.
While the situation poses significant challenges, the City's response should focus on minimizing the potential impact, protecting affected individuals, and fortifying its cybersecurity infrastructure to prevent future breaches. Collaboration with cybersecurity experts and adherence to best practices will be essential in navigating this complex situation.
At the conclusion of this tabletop exercise, it is important to acknowledge that reaching a satisfactory and conclusive outcome is often challenging in real-world incidents. Rarely do organizations experience a clean and tidy resolution. Even after recovering from an incident, there may be lingering doubts and uncertainties. It is crucial to accept that achieving 100% clarity regarding the identity of the threat actor and their motives might not always be feasible.
Instead of seeking absolute certainty, the focus should be on implementing continuous improvement procedures and maintaining a robust risk management approach. By continuously assessing and enhancing security measures, organizations can strive to minimize vulnerabilities and better prepare for future incidents. This ongoing commitment to improvement and proactive risk management provides a sense of satisfaction, knowing that efforts are being made to strengthen the organization's resilience and readiness.
While the exercise may not provide a conclusive resolution, it serves as a valuable learning experience, highlighting the importance of adaptability, resilience, and ongoing vigilance in the face of evolving threats.
Hot Wash Notes:
During this reflection period, it is crucial to take thorough notes on areas that can be improved, but let's not overlook the positive actions and strategies that were suggested or implemented during the exercise. Recognize and highlight the proactive measures taken by the organization to mitigate the incident. Emphasize that no organization faces an incident alone and that there is a network of support available.
It is important to stress the value of engaging third-party resources, such as cybersecurity insurance providers, state and federal agencies, and incident response teams. Seeking assistance from these entities early on can prove highly advantageous, as they bring expertise, specialized tools, and a broader perspective to help minimize losses and enhance incident response efforts. Collaborating with external partners demonstrates a proactive and comprehensive approach to addressing cybersecurity incidents.
By acknowledging both areas for improvement and positive actions, the organization can foster a culture of continuous learning and improvement. This mindset encourages proactive risk management and the utilization of available resources to strengthen the organization's overall security posture.
CISA has over 100 tabletop exercise packages available so stakeholders can easily find a scenario that meets their specific exercise needs. You can find them here https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages
Find more cyber tabletop exercise information here https://www.learnsecurity.org/tools-services