SEBI – CSCRF Simulation and TableTop Exercise program implementation
Annexure-E: Scenario-based Cyber Resilience Testing
This is a sample template for a Stock Exchange. REs (Regulated Entities) are encouraged to draft their own scenarios in consultation with their IT Committee. The sample scenarios below are intended to be covered both in the Cyber Response plan and in Cyber Resiliency Testing
(Types of Attack × Potential Targeted Time Intervals, on Core Systems):
WHY THIS HAS BEEN GROUPED INTO TIME INTERVALS (TRADING SESSIONS)
Timing and context are KEY: they dictate the investigation steps and the kind of response and restoration activities that need to be carried out.
| Time Interval ↓ / Cyber Attack → | DDoS | Malware / Malicious Code Attack | Application Level Attacks (SaaS Model) | DNS Based Attacks (Internal & Internet) | Brute Force / Authentication Based Attack | AD Attack |
|---|---|---|---|---|---|---|
| Pre-open Session: before BOD / early morning, before 09:00 hrs | | | | | | |
| Pre-open Session: between 09:00 and 09:15 hrs | | | | | | |
| Regular Trading Session: 09:15 – 15:30 hrs | | | | | | |
| Closing Session: 15:30 – 16:00 hrs | | | | | | |
| Closing Session: post 16:00 hrs | | | | | | |
You need to continuously build cybersecurity incident recovery plan scenarios and run them as tabletop simulation exercises. At the core of all of this is your Cyber Crisis Management Plan (CCMP).
| Attack Scenario Category | Types of Attacks | Impact | Response & Recovery |
|---|---|---|---|
| DDoS | | Service Unavailability | DDoS protection services for auto-mitigation. |
| Malware Attacks | Ransomware, Spyware, Trojans, Bots, Worms | Service Unavailability, Data Corruption, Data Exfiltration, Website Defacement | 1. Isolate and contain the infected systems from the overall network; block IOCs and DNS traffic. 2. Restrict administrative and system access. 3. Monitor network traffic. 4. Restore OS, applications and data from existing backups. |
| Application Level Attacks | Injection; Broken Authentication & Session Management; Cross-Site Scripting / Request Forgery | Service Unavailability, Website Defacement | 1. Monitor network traffic and logs. 2. Disable suspected user accounts and change access credentials. 3. Apply patches/changes for the vulnerability. |
| DNS Based Attacks | DNS Spoofing / Cache Poisoning; DNS Flood Attack; DNS Encoding | Service Unavailability | 1. Analyse the traffic requests. 2. Restore DNS entries. 3. Monitor DNS requests and responses. |
| Social Engineering Attacks | Phishing, QRishing | It is a method; it may lead to any of the other attacks | Spam filtering policy should be configured in available tools as a precaution. |
| Watering Hole | Targeted individuals, organisations, groups of people | Website infection, Service Unavailability | Coordination with the respective agency/website owner. Isolation of affected systems. Clean/replace the affected systems. |
| Brute Force | Trial-and-error approach; Authentication Based Attack | Service Unavailability, Unauthorized Access | 1. Proper account locking mechanism. 2. Monitoring. |
| Active Directory Attack | Inappropriate access | Loss of data confidentiality, compromised user accounts, new user creation | 1. Review default security settings. 2. Least privilege in AD roles. |