Target embraces cyber war gaming to improve incident response

SAN FRANCISCO -- Target's cyber war gaming exercises have gotten so realistic that one member of the executive team thought a simulated incident was the real thing.

In a session titled, "Enterprise Incident Management: How to Get Everyone Ready for a Crisis" at RSA Conference 2020, Target director of enterprise incident management Erin Becker discussed how the retailer uses cyber war gaming and simulated attacks to better prepare Target employees and executives for a range of incidents. Becker said Target has conducted three years of war gaming and tabletop exercises and how it has built "muscle memory" for the organization all the way up to CEO Brian Cornell.

Becker showed how the company uses "injects" such as mock TV news reports, phone calls and emails to initiate its cyber war gaming exercises. One specific example shown during the presentation was an internally produced mock news clip that announced a new data breach that hadn't actually happened.

"Breaking news today from KrebsOnSecurity. A new article claims that Target, the fifth largest retailer in the United States, has suffered another significant data breach. This time with 75,000 credit card numbers being illegally obtained and posted online. According to the article, quote, 'it's unclear how much information the hackers may have access to. The 75,000 credit cards may just be the tip of the iceberg.' Despite request for comment, law enforcement officials have not publicly confirmed that the information online originated from Target. Moreover, it is still uncertain how long ago the compromise occurred and whether these card numbers are even active. If true, this would obviously be a setback given Target's massive 2013 data breach," the fake news report said.

Becker said injects such as the mock news clip help get the war game participants in the right mindset.

"As you can imagine, if our teams came in and saw that video, it sets them in character. It gets that momentum going and it gets that blood pumping to make sure that they really are feeling these war games and that they know how to respond in a capable way," she said.

Becker said in year two of its war gaming program, the security team simulated a major incident with several injects that were so convincing one of the newly appointed members of the executive team, who hadn't been fully briefed on the exercise, thought Target was actually breached. "It definitely shows how much you can push those injects to feel real," she said.

In year three of the war gaming program, Becker said the team built more complex attack scenarios and simulations and even launched a "surprise" exercise that only the facilitators knew about in advance. It was elevated to the executive leadership team, who only had 20 minutes on their schedule, but when their time was up, Cornell decided to keep the exercise going and stayed for an additional hour and a half.

"It was amazing because it shows the partnership that we have all the way up to the CEO," she said.

Andrew Morrison, strategy, defense and response leader for Deloitte, agreed that cyber war gaming is a valuable component for enterprise security programs. "You have to have muscle memory for what you do in these scenarios," Morrison said. "And you can only do that through training and drilling and war gaming."

Becker's presentation also went into the creation of Target's overall cyber response program and the four levels of escalation that determine who in the company needs to be involved with the response and remediation efforts. She recommended creating a severity framework that ranks incident types, with the highest severity being Target's 2013 breach and the lowest severity being employees downloading unapproved software to their systems.

Becker also urged audience members to keep their incident response plans short and simple.

"Make a simple, simple process," she said. "Leave that 50-page plan on the shelf to collect dust because if you pull that out it will be too complex and hard to respond to in the heat of the moment. Reduce it, pull out the key things and make a one-pager."

Security news director Rob Wright contributed to this report.