Prompting for Cyber Incident Response Practice- a generative AI example
ChatGPT4.0 and April Mardock

So today I decided to play a game, classic WarGames style, for those who know. I asked gemini.google.com to run a simulated cyber attack for me, complete with escalating injects and an evaluation of my responses. I'll redact it a bit here, but feel free to borrow this prompt (or any of the injects) and use it yourself on any of the more advanced generative AI tools (Gemini, Copilot, ChatGPT 4). I plan to use it in an upcoming cybersecurity exercise I'm running. It will work for an executive team as well as a technical one; just change the COO role to a CISO role in section C.

Here's the prompt that I used, word for word. Edit as appropriate for your org. The responses shown are from gemini.google.com, but the prompt will also work in ChatGPT 4 and Copilot. Remember this is dynamic, so your responses won't match mine 100%.


[Copy This into gemini.Google.Com to Begin]

"Let's play a cyber incident response simulation game. You will be the storyteller and incident manager for a virtual company facing a series of cyber security challenges. I will take on the role of the company's COO in making strategic decisions to navigate through these challenges.

Here’s how we will structure the game:

A) Setting the 1st Scene: Start by describing the company, its industry, and the initial signs of a cybersecurity incident. In this case, the company is a medium-sized school district with 20,000 students and 3,000 staff with both on-prem and off-prem services. There is no need to repeat this for injects 2 through 4.

B) Injects: Present a series of 4 cybersecurity incidents (injects) in a sequential timeline manner, each an escalation making the overall cybersecurity situation worse. Each inject should pose a unique challenge, ranging from detecting unusual network activity to handling ransomware demands, data leaks, internal misinformation, insider threats, and regulatory compliance issues.

C) Decision Points: After each inject, ask me, as the COO, to make a decision on how to respond. Include considerations such as risk management, business continuity, public relations, legal implications, and internal communications. Provide at least 3 response options.

D) Dice Roll: Once I make a decision, roll a die to determine the outcome. The die roll can range from 1 to 4, with varying degrees of success or challenge based on the roll. Adjust the outcome plus or minus 1 based on how well-thought-out my decision response is.

Points System: Assign points based on the effectiveness of each decision. Positive points for successful outcomes and negative points for less effective ones.

Debrief: At the end of the game, provide a debriefing session to discuss the outcomes, lessons learned, and areas for improvement in cyber incident management as well as an evaluation of performance.

Remember to keep the scenarios realistic and relevant to current cybersecurity challenges. Let's begin with the first inject. What is the first sign of trouble at the company?"

[Copy End]

Begin Simulation:

It's a Friday afternoon, and you're settling into your last Zoom meeting of the week. Suddenly, the IT Director bursts in, face grim. "We've got a situation," he announces. "Multiple reports are coming in from teachers and staff. Their school devices and district email are displaying strange pop-up messages telling them their data is encrypted and demanding a ransom. It appears we're under a widespread ransomware attack."

Panic starts to bubble in your stomach. 20,000 students, 3,000 staff, countless critical files potentially locked up. This is the first sign of trouble. What's your initial course of action, COO? Remember, your decision will be influenced by risk management, business continuity, public relations, legal implications, and internal communications. Take your time, weigh your options, and make the call. We'll see where the dice roll takes us from there.

Answer: ... and either give it the dice roll result, or ask it to roll a 1d6 for you

I admire your decisive and comprehensive response to the initial signs of the ransomware attack! Here's how your decision might unfold based on a 5-sided die roll:

Roll 1-2: Your prompt actions mitigate the attack significantly. The incident response plan guides a swift response, offsite tapes are readily available, and immutable backups verify as intact. The MSSP and cyber insurance company lend immediate expertise. The communications team prepares clear messages for stakeholders, emphasizing transparency and reassurance. Having no admin rights prevents privilege escalation, limiting the blast radius.

Roll 3-4: While some systems remain compromised, swift activation of the MSSP helps identify patient zero and contain the spread. Immutable backups prove reliable, allowing for a fast data restore. Communications, though slightly delayed, are accurate and coordinated, minimizing panic.

Roll 5-6: Unfortunately, the attack infiltrates deeper than anticipated. Data recovery from offsite tapes takes longer than expected, impacting school operations. Public relations face a scramble to control the narrative amidst media attention.

Overall, your prompt and comprehensive response puts the school district in a favorable position to recover from the ransomware attack. Remember, even a bad die roll can offer valuable lessons for future preparedness. Let's see how the situation unfolds with the next inject!

[Inject #2: The Expanding Blast Radius]

Time: Saturday afternoon, 24 hours after the initial ransomware attack.

Situation:

While the incident response team continues to make progress, the blast radius of the attack appears to be expanding. Reports are coming in of strange activity across various district systems:

  • Student attendance records: Teachers report discrepancies and missing data in student attendance records.
  • Financial systems: Unusual login attempts and suspicious transactions are detected on the district's financial systems.
  • School website: The school website is defaced with a taunting message from the attackers, claiming they have access to more sensitive data.

Decision Point:

The pressure is mounting. You need to make a decision to address these new developments while managing the ongoing recovery efforts.

Here are some options to consider:

  • Full system shutdown: This would prevent further data corruption and unauthorized access, but it would also completely disrupt school operations for an extended period.
  • Isolate compromised systems: This would limit the spread of the attack and allow unaffected systems to continue functioning, but it might be difficult to identify and isolate all affected systems.
  • Focus on critical systems: Prioritize restoring access to critical systems like student records and emergency communication channels, even if it means leaving less critical systems offline for longer.
  • Negotiate with the attackers: While not preferred, some organizations choose to pay the ransom to regain access to their data quickly. However, this does not guarantee success and can encourage further attacks.

What will your decision be? Remember to weigh the risks and benefits of each option and consider the following factors:

  • Impact on students and staff: How will your decision affect the ability of students to learn and staff to work?
  • Data security: Can you be confident that any sensitive data remains secure?
  • Financial implications: How much will your decision cost in terms of downtime, recovery efforts, and potential ransom payments?
  • Reputational damage: How will your decision be perceived by parents, the community, and the media?

Take your time, weigh your options, and make the call. The next dice roll will determine the outcome of your decision!

Bonus:

To help you make your decision, here are some additional resources:

I'm here to help you navigate this challenging situation. Make your decision, and let's see where the dice take us next!

Answer... (and dice roll)

[Inject #3: The Smoking Gun]

Time: Tuesday morning, two days after the initial attack.

Situation:

The MSSP has been working tirelessly to investigate the attack timeline. They've discovered a smoking gun: a compromised user account belonging to a disgruntled former IT employee. This account appears to be the initial access point for the attackers. Further investigation reveals:

  • The employee was recently terminated for data security violations.
  • Logs show suspicious activity from the compromised account before the attack, including unauthorized access attempts and data exfiltration.
  • The attackers used the compromised account to deploy malware and escalate privileges, enabling them to spread the ransomware across the network.

Decision Point:

With this new information, you face a critical decision:

Option 1: Public Disclosure:

  • Pros: Transparency fosters trust and demonstrates a commitment to accountability. It might deter future attacks and potentially help identify other victims through public information sharing.
  • Cons: Premature disclosure could jeopardize the ongoing investigation and potentially tip off the attackers. It could also damage the school's reputation and attract unwanted media attention.

Option 2: Controlled Communication:

  • Pros: Maintains control over the narrative, preventing misinformation and protecting sensitive information. Allows for coordination with law enforcement and communication with stakeholders without jeopardizing the investigation.
  • Cons: Lack of transparency might raise concerns and erode trust. Public pressure for information could eventually force disclosure, potentially hindering the investigation.

What will your course of action be? Remember to weigh the pros and cons of each option and consider the following factors:

  • Impact on the investigation: Will public disclosure hinder the investigation or potentially alert the attackers?
  • Reputational damage: How will the public perceive the school's actions and communication strategy?
  • Legal and financial implications: Are there any legal or financial risks associated with disclosing or withholding information?

Once you've made your decision, let's see how the dice roll determines the outcome and how the public reacts to your chosen approach.

Answer... and dice roll
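The evidence in Inject #3 is the classic orphaned-account finding: a terminated employee's account was never disabled and later shows up in the authentication logs. As an added example, and not part of the original post or the Gemini output, the Python below correlates a constructed HR offboarding list with constructed authentication log lines and reports every event from an account after its termination time. The log line format, the field names, the account names, the IP addresses and the `grace` window are all assumptions made for the illustration.

```python
"""
Flag authentication events from accounts that should have been disabled.

Added example (not part of the original post or the Gemini output): it
correlates a constructed HR offboarding list with constructed auth log
lines and reports any event by an account after its termination time,
the kind of evidence the inject says the MSSP found in the logs.
Log format, field names, account names and addresses are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed offboarding record: account -> termination timestamp (UTC).
OFFBOARDED = {
    "jdoe": datetime(2024, 1, 5, 17, 0),
}

# Constructed auth log lines in an assumed "ts user result src action" shape.
SAMPLE_LOG = """\
2024-01-04T09:12:03Z jdoe SUCCESS 10.20.1.15 login
2024-01-05T16:45:10Z jdoe SUCCESS 10.20.1.15 login
2024-01-06T02:13:41Z jdoe FAILURE 203.0.113.7 login
2024-01-06T02:14:05Z jdoe SUCCESS 203.0.113.7 login
2024-01-06T02:20:30Z jdoe SUCCESS 203.0.113.7 file_export
2024-01-08T08:01:00Z asmith SUCCESS 10.20.1.40 login
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<result>SUCCESS|FAILURE)\s+"
    r"(?P<src>\S+)\s+(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_orphaned_account_activity(log_text, offboarded, grace=timedelta(0)):
    """Return events by offboarded accounts after termination (+grace).

    Failed and successful attempts are both returned: a failed attempt on
    a terminated account is still worth a look, and a successful one means
    the account was never disabled.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cutoff = offboarded.get(rec["user"])
        if cutoff is None:
            continue
        if rec["ts"] > cutoff + grace:
            findings.append(rec)
    return findings


def summarize(findings):
    """Per-account summary: event counts, first post-termination success, sources."""
    summary = {}
    for rec in findings:
        s = summary.setdefault(rec["user"], {
            "events": 0, "successes": 0, "first_success": None, "sources": set()
        })
        s["events"] += 1
        s["sources"].add(rec["src"])
        if rec["result"] == "SUCCESS":
            s["successes"] += 1
            if s["first_success"] is None:
                s["first_success"] = rec["ts"]
    return summary


if __name__ == "__main__":
    hits = find_orphaned_account_activity(SAMPLE_LOG, OFFBOARDED)
    for user, s in summarize(hits).items():
        print(f"{user}: {s['events']} events after termination, "
              f"{s['successes']} successful, first success {s['first_success']}, "
              f"sources {sorted(s['sources'])}")
```

Run as a script it prints one summary line per offboarded account that is still active. In practice the offboarding list comes from the HR system and the log lines from the identity provider; the first post-termination success is the timestamp an investigator wants, because it bounds both when the account should have been disabled and when the initial access began.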

[Inject #4: Navigating the Recovery Landscape]

Time: One month after the initial attack.

The recovery process is in full swing, but challenges remain. While some systems are restored, others require more extensive work. Data restoration is progressing, but not yet complete. Parents and staff are understandably anxious about the situation.

Here are the key challenges you face:

  • Data Recovery Delays: Restoring encrypted data is a complex and time-consuming process. Some critical files might be lost permanently, causing inconveniences and potential legal issues.
  • Budgetary Constraints: The attack has placed a significant financial strain on the school district. Balancing security upgrades with existing budgetary limitations requires creative solutions and potential grant applications.
  • Staff Morale and Training: The incident has shaken staff confidence and raised concerns about data privacy. Addressing these concerns and providing comprehensive security training are crucial for long-term resilience.
  • Public Scrutiny and Media Attention: The local media remains interested in the progress and potential consequences of the attack. Maintaining transparency while navigating public scrutiny is a delicate balancing act.

Decision Points:

  1. Data Recovery Prioritization:
     • Option 1: Prioritize restoring critical systems and data impacting daily operations, even if it means leaving some non-essential data unrecovered.
     • Option 2: Invest in specialized data recovery services to maximize data retrieval, even if it delays the restoration of some systems.
  2. Budgetary Solutions:
     • Option 1: Implement cost-effective security measures like open-source tools and prioritize patching existing vulnerabilities.
     • Option 2: Apply for grants and seek funding opportunities from government agencies or cybersecurity organizations.
  3. Staff Communication and Training:
     • Option 1: Organize town halls and individual meetings to address staff concerns and answer questions transparently.
     • Option 2: Implement mandatory cybersecurity training programs to educate staff on best practices and incident response procedures.
  4. Media Engagement:
     • Option 1: Continue issuing regular press releases and hold press conferences to update the public on progress and lessons learned.
     • Option 2: Limit media interactions and focus on communicating directly with stakeholders through school channels.

Remember: There's no single "correct" answer. Consider the potential risks and benefits of each option and weigh them against your specific priorities and resources.

Let me know your decisions on these critical areas, and we'll see how the dice roll determines the impact of your choices on the recovery process and public perception.

Answer... and roll dice.

[Inject #5: Rebuilding with Resilience]

Time: Six months after the initial ransomware attack.

The school district has made significant progress in recovering from the attack. Most systems are back online, data is largely restored, and security measures have been significantly strengthened. However, the incident continues to resonate within the community.

Challenges:

  • Lingering Anxiety: Some staff and parents still harbor anxieties about data security and potential future attacks.
  • Reputational Rebuilding: While most stakeholders recognize the school's prompt response and recovery efforts, a few lingering negative media mentions remain.
  • Security Maintenance: Balancing ongoing security vigilance with resource limitations and competing priorities requires strategic planning and resource allocation.
  • Sharing Lessons Learned: The school has valuable insights from the incident that can benefit other institutions, but concerns about revealing vulnerabilities need to be addressed.

Decision Points:

  1. Community Outreach:
     • Option 1: Organize school-wide forums and informational sessions to address lingering anxieties and rebuild trust with stakeholders.
     • Option 2: Focus on internal communication and staff support, relying on official updates and school communication channels for external information.
  2. Public Image Rehabilitation:
     • Option 1: Proactively engage with media outlets to transparently share lessons learned and showcase security improvements.
     • Option 2: Maintain a low media profile and let positive word-of-mouth rebuild the school's reputation.
  3. Security Maintenance Strategy:
     • Option 1: Implement cost-effective security tools and processes, prioritizing continuous monitoring and incident response training.
     • Option 2: Invest in advanced security solutions and personnel, even if it requires budget adjustments or grant applications.
  4. Knowledge Sharing:
     • Option 1: Publicly share anonymized versions of the incident report and lessons learned to benefit other institutions facing similar threats.
     • Option 2: Engage in private cybersecurity communities and conferences to share insights while protecting sensitive information.

Remember: Each option comes with its own advantages and disadvantages. Consider the potential impact on stakeholder trust, reputation, resource allocation, and future security posture when making your decisions.

Let me know your choices for these critical areas, and we'll see how the dice roll determines the effectiveness of your chosen strategies and the long-term impact of the incident on the school district.

Answer... and roll dice

[Inject #6: Conclusion]

Congratulations on navigating the complex aftermath of the ransomware attack! Your choices led to a positive outcome, with the school community rebuilding trust, enhancing security, and even contributing to broader cybersecurity knowledge. However, the dice roll also highlighted lingering challenges that require ongoing attention.

Here are some potential next steps to consider:

1. Deep Dive into Lingering Anxieties:

  • Conduct surveys or focus groups to understand the nature and extent of residual anxieties among stakeholders.
  • Develop targeted communication strategies to address specific concerns, potentially utilizing infographics, FAQs, or one-on-one support sessions.
  • Partner with mental health professionals to offer resources and support for individuals struggling with anxiety related to the incident.

2. Reputational Management:

  • Continue engaging with media outlets, but on your own terms. Proactively issue press releases highlighting positive developments, community engagement efforts, and security upgrades.
  • Partner with satisfied parents and community members to act as positive voices and share their experiences through testimonials or media interviews.
  • Consider digital reputation management tools to monitor online mentions and proactively address any negative narratives.

3. Sustainable Security Funding:

  • Conduct a cost-benefit analysis of different security solutions and identify cost-effective measures that provide optimal protection.
  • Explore public-private partnerships with cybersecurity companies or government agencies to leverage resources and expertise.
  • Advocate for increased cybersecurity funding within the school district and seek grant opportunities from relevant organizations.

4. Knowledge Sharing Expansion:

  • Collaborate with cybersecurity researchers or academic institutions to develop case studies and educational materials based on your experience.
  • Organize workshops or training sessions for other schools or organizations, sharing best practices and lessons learned in a practical format.
  • Contribute to industry publications or conferences to raise awareness and promote collective defense against evolving cyber threats.

Remember, security is an ongoing process, not a one-time event. By addressing lingering anxieties, managing your reputation, securing sustained funding, and continuing to share knowledge, you can solidify the school district's resilience and pave the way for a future free from the fear of cyberattacks.


Cyber Incident Response GenAI Tabletop Prompt © January 19, 2024 by April Mardock


Fadi Fadhil

Chief Information Officer | Director of Field Strategy

10mo

This is FANTASTIC!!!! Thank you for sharing, April!

April Mardock CISSP

Chief Information Security Officer at Seattle Public Schools

1y

here are my prompt tuning reminders if you create your own:

A) Select your advanced Generative AI

B) Create your prompt:
  • Size and type of org
  • Role of primary interactive user (COO, CIO, Superintendent, etc)
  • How many "turns" or injects allowed
  • How many options presented per inject
  • Any special considerations, controls or focus areas
  • If you wish to add any variability (dice roll) for when/if things go wrong
  • Ask the GenAI to be realistic and roleplay with you

C) Ask it to give you a grade on your performance, and identify strengths and weaknesses

Cheryl Dawson

eDiscovery Analyst | Information Governance | CompTIA Security+| ISC CC

1y

Thank you, April!


April this is fantastic thank you for sharing.

Josh Bauman

k12 Director of Technology/k12 Tech Talk Podcast host

1y

Awesome!!
