Joint Cyber Defense Collaborative (JCDC) Cyber Incident Exercise Discussion

Exercise Overview

Purpose

Journalists, activists, human rights defenders, non-profits, and non-governmental organizations (NGOs), referred to hereafter as high-risk communities, rely on digital connectivity to exercise their right to free speech and advance humanitarian causes. With the rise of digital transnational repression,  threat actors that seek to undermine democracy and suppress dissent are increasingly targeting high-risk communities through cyber means.

The following set of scenarios are designed to inform high-risk communities of some potential threats to their digital security. The discussion questions and proposed mitigations that accompany these scenarios will help these high-risk communities to think about proactive measures they might take to strengthen their digital security, as well as how they should respond if they suspect or know that they have been targeted.

This document recognizes that many high-risk communities may be new to their cybersecurity journey, may not have established cybersecurity policies or plans in place, and may not have access to advanced enterprise-level cybersecurity solutions. The following scenarios are intended to help these high-risk communities identify actionable steps to prevent and respond to potential digital security threats. 

How to use the discussion document 

1. Designate an individual to lead the discussion.
2. Gather all necessary participants in a room or via a virtual platform that is conducive to group participation and collaboration. Round tables are recommended for in-person participation as they often encourage conversation.
3. Read the scenario out loud in its entirety and ensure there is participant understanding.
4. Have the leader facilitate a conversation about how the individual or organization would respond to each scenario. Identify the cybersecurity concerns that the scenario raises, the actions you would take to address these concerns, and who would be responsible for performing these actions. For organizations that have cybersecurity policies and procedures already in place, examine how the desired outcome and required roles and responsibilities compare to current documented policies and procedures. Identify gaps and document solutions to fill these gaps.

Exercise objectives

1. Participants will identify the cybersecurity threats and vulnerabilities in each scenario to understand how each threat can impact high-risk communities. 
2. Participants will gain concurrence on the best courses of action when responding to potential cybersecurity threats by walking through the scenario and discussing potential outcomes.
3. For organizations that already have cybersecurity policies and plans in place, participants will examine current policies and procedures to ensure appropriate parties are involved before, during, and after a cybersecurity incident and identify any pitfalls.
4. Participants that belong to a high-risk organizations such as non-profits and NGOs will confirm understanding of their roles and responsibilities during an incident and ensure each item is documented. Participants will be able to develop a plan, including proactive and responsive measures, for guarding against threats to their digital security.

Security protocol 

Exercise planners agreed to use Traffic Light Protocol (TLP): CLEAR. For reference purposes and additional information on TLP, please visit: https://www.cisa.gov/tlp. 

Scenario 1: Investigative research and Collaboration 

Day 1

Dr. Wise is an anthropology professor at a small liberal arts college in the United States. She leads a team of student ethnographers, who are documenting the lives of a particular activist community in a country with a repressive regime. Since the college’s budget does not allow the students to travel abroad to conduct their research in-person, the students regularly communicate with their subjects via text message and over phone calls. The students work from personal devices and upload interviews, videos, notes, and draft sections of their report to a shared cloud drive. 

After completing their primary research with their subjects, Dr. Wise and her students begin piecing together the report. On several occasions, Dr. Wise visits the websites of the activist and human rights groups. She also frequently visits the country’s official government websites on a standard browser while working from cafes using public Wi-Fi. On these websites, she finds and cites government documents and press statements that directly contradict evidence gathered from her team’s ethnographic research, revealing a coverup of human rights abuses. Dr. Wise shares some of this information with the activist community, who then broadcast the information on social media websites. A couple of the posts mention Dr. Wise and her team and allude to Dr. Wise’s upcoming publication.

Discussion Questions

• Which of the activities described above might cause Dr. Wise and her students to catch the attention of cyber threat actors and become the subjects of a targeted cyber campaign? Note: If you’re not sure, don’t worry! We will walk through areas of vulnerability for Dr. Wise and her team and provide you with some tips for how they could have minimized their risk. 
• How might the digital activities of Dr. Wise’s team make them vulnerable to cyber threat actors who are interested in learning more about their research and sources? 

Take some time to discuss and then continue to the next page to learn more about Dr. Wise’s errors and proactive measures she and her team can take.

Day 1 – Discussion Guidance 

Potential actions that might draw the attention of the adversary 

• Dr. Wise visited several official websites associated with the repressive government over public Wi-Fi on a standard web browser. 

While most websites use HTTPS, a protocol that encrypts the data you exchange with websites, your metadata remains unencrypted and can be at greater risk of being intercepted when you are connected to a public Wi-Fi network. If this metadata were to be intercepted, a threat actor could see what webpages your device is connecting with. While this might not seem particularly consequential, the websites you visit could reveal a lot about your identity, political affiliations, lifestyle, and interests. Visit Project Upskill Topic 1.4 for more information on the risks associated with using public Wi-Fi and how to mitigate them. 

In addition, your web browser captures identifying information about you and your device based on your online activities, which could allow a website’s owner to potentially identify you. A website collecting information could build a profile on you based on your interactions and your device’s identifiers and sell it to data brokers. This profile could be purchased from data brokers by a cyber threat actor targeting you. To minimize the ability for an adversary to identify you based on your digital footprint, navigate to Project Upskill Topic 6.0. Note: While it is crucial to minimize your digital footprint, this will not provide complete protection against advanced threat actors.

• Allusions to Dr. Wise’s research were highlighted on social media. 

Cyber threat actors looking to suppress dissent are likely conducting open source intelligence to learn more about dissenters. Social media is a rich source of open source intelligence, and the activists’ posts alluding to Dr. Wise’s research could have caught the attention of cyber threat actors who were already following the social media activity of those activists. Therefore, for particularly sensitive reports, it is important to factor in increased risk once the research activity becomes public knowledge through open source information, such as social media, newspaper, and magazine articles. Visit Project Upskill Topic 6.1 to learn more about the potential risks that social media introduces and how to mitigate them.

Areas of cybersecurity vulnerability

• Dr. Wise’s team is working from personal devices. 

While not every organization has the budget to supply staff with work-computers or phones, separate work devices provide an added layer of protection for staff working on projects that could raise the attention of threat actors known to silence high-risk communities. Staff with separate work and personal devices should only access work accounts on work devices and vice versa. If your organization does not have the resources to supply separate work devices, it is particularly important to ensure that associates do not use personal accounts for any work-related activities.

• The team communicates with their research subjects via text message and over phone. 

Text messages and phone calls are insecure methods of communication, which means that a threat actor may intercept communications if it gains access to your device, the other party’s device, or the network you are communicating across. In addition, certain types of malware can allow a threat actor to access your address books, text messages, and call logs. Therefore, you should use a secure messaging app with end-to-end encryption and enable multifactor authentication (MFA) to minimize the risk of unauthorized access to your messages. Discover Project Upskill Topic 4.0 to learn more about secure messaging.

• Dr. Wise and her team are working on a shared cloud drive. 

While working from a shared cloud drive promotes convenience and efficiency, collaborators should be aware that storing sensitive documents on a shared drive makes it more vulnerable to breach, since a threat actor only needs to compromise one person with access to the shared drive to gain access to the document. 

Accordingly, each teammate with access to the shared cloud drive should use strong passwords to protect their accounts (Project Upskill Topic 2.0) and enable MFA to make it harder for a threat actor to gain access to the account if the victim’s credentials are compromised (Project Upskill Topic 2.2). Moreover, the team should implement access controls on the shared drive to limit access to sensitive documents so that only those who need to edit or reference such documents have access to them. 

In addition, shared cloud drives enable threat actors to spread malware. For example, a victim of a spear phishing attack may receive a document embedded with malware, and if they upload the malicious document to their shared drive, others may download it. When others download the document onto their own devices, this could cause the malware to spread. To minimize the risk of malware, each teammate should regularly run antivirus and antimalware programs on their devices. Visit Project Upskill Topic 1.2 for more information on how to do this. Additionally, Project Upskill Topic 4.3 has more information on potential risks and mitigations associated with shared cloud drives.

When your group has finished discussing, go to the next page to continue with the scenario. 

Day 1, continued.

Because Dr. Wise used a standard browser without enabling the security features on her browser, a cyber threat actor sees that the IP address associated with Dr. Wise’s computer is frequently accessing the official government website of the country that she was researching, as well as websites of famous activist groups in that country. The threat actor easily identifies Dr. Wise and begins doing some research to formulate a targeted campaign against her. The threat actor doesn’t have to dig very deep as an internet search brings up her biography on her institution’s webpage, which includes her email address and CV. 

Day 10

Dr. Wise receives an email from a reporter: 

Dear Dr. Wise, 

My name is Carrie Smith and I am a writer for XYZ News. I am writing to you today because I am currently preparing an article related to human rights issues. Professor Donovan of your university, whom I contacted earlier, recommended you as an expert on this issue. I would be grateful if you could spare some time to answer a few questions. Thank you for considering my request. I look forward to hearing from you soon. 

Best regards, 

Carrie Smith (1.)

Dr. Wise assumes that Carrie Smith must be trustworthy because her good colleague, Professor Donovan, already spoke with Carrie. Dr. Wise emails Carrie back and accepts the interview request. 

Day 11

Carrie thanks Dr. Wise and sends an email describing the objective of her article and the purpose of the interview. The email instructs Dr. Wise to click on a link to open a shared cloud document to view the interview questions and type in her responses. 

Dr. Wise opens the link and is prompted to enter her email/Cloud account credentials to sign in and gain access to the document. 

Discussion Questions 

• What tactic has the threat actor used to target Dr. Wise?
• What steps might Dr. Wise have taken to make her less susceptible to compromise? 

Take some time to discuss, and then continue onto the next page to learn more about how the threat actor compromised Dr. Wise and strategies that she could have employed to minimize the risk of compromise.

Days 1 - 11 – Discussion Guidance 

How was Dr. Wise compromised? 

The threat actor used a type of social engineering known as spear phishing to compromise Dr. Wise’s email/cloud account. This is a tactic that is very common among adversaries that seek to target high-risk communities. 

Traditionally, the threat actor will conduct open source research to learn more about their target’s interests and expertise. Social media sites and biographies on an organization’s webpage are just two examples of sources that the threat actor might reference to craft a message that piques their target’s interest. 

Often, the threat actor will impersonate a real journalist, academic, or researcher to make their message seem more credible. (2.) In many cases, the threat actor will exchange multiple messages with their target to establish trust before sending a malicious link or attachment. 

In Dr. Wise’s scenario, the threat actor sent a link that led to a spoofed (i.e., fake) email/cloud login page, prompting Dr. Wise to enter her credentials to access a shared document. This allowed the threat actor to obtain Dr. Wise’s credentials. If Dr. Wise does not have MFA enabled on her account, the credentials are all the threat actor will need to monitor Dr. Wise’s email communications and access the documents that her research team shares in a cloud drive. (3.) Threat actors could also set up auto-forward rules to ensure that all of their target’s emails are sent to another email that the threat actor owns so they can continue to monitor communications even if they lose access to the account. (4.)

How might Dr. Wise have avoided compromise? 

Making connections with colleagues, receiving interview requests, and obtaining leads from sources they do not personally know is part of most journalists’ and academics’ everyday work lives. Here are some realistic tips for minimizing your risk of spear phishing as a person who frequently receives cold calls/emails: 

• Enable MFA on all accounts. MFA will make it much harder for a threat actor to gain access to your account even if it succeeds in compromising your account credentials. See Project Upskill Topic 2.2 for more information about how to implement MFA. 
• Attempt to validate the contact’s identity. Are there any subtle misspellings or variations in the contact’s email address? For example, Carrie Smith claims she works for XYZ News, but her email address is a variation on XYZ News’ domain, such as csmith@xyznews1.com or csmith@xyznewscompany.com.
   

• Does the contact send an email from a personal email even though they claim to be affiliated with a particular organization? For example, Carrie Smith might claim to work for XYZ News but sends the email from csmith@yahoo.com.
• Are you able to verify any of the contact’s claims about their identity? Check the person’s social media and other online sources. Do any of their claims seem fraudulent? For example, in one spear phishing attempt covered by Reuters, an Iranian advanced persistent threat (APT) actor posed as a famous journalist from The Wall Street Journal, not realizing that the journalist had moved to The New York Times a year prior. (5.)
• Can you verify the contact’s identity over a phone call or video call? 
• Unless you are certain of the person’s identity, do not open attachments or links to shared cloud documents. 
• Refer to pages 15-16 of the following Joint Cybersecurity Advisory for additional mitigation measures: North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media. 

When your group has finished discussing, go to the next page to continue with the scenario. 

Day 30

Since Dr. Wise did not have MFA enabled on her account, the threat actor easily gained access to her email account and shared cloud drive. Over the past 19 days, the threat actor has silently monitored her email communications and the documents she shares with her research team. In one email exchange, Dr. Wise and her team agreed on a publication date and transferred all their work into a final shared document. 

Day 31

A day prior to the team’s planned publication of their report, an unknown group modifies and leaks portions of Dr. Wise’s emails and the report in an attempt to discredit her team’s research. In addition, the group doxes (6.) several members of Dr. Wise’s team, publishing their phone numbers and home addresses in public forums. 

Discussion Question: 

• Once they are aware that they have been breached, what should Dr. Wise and her team do? 

Take some time to discuss, then continue onto the next page to learn more about what Dr. Wise and her team should do to respond to the data breach. 

Days 30 - 31 – Discussion Guidance 

How should Dr. Wise and her team respond to the breach? 

Given that Dr. Wise and her team have likely been targeted by a nation-state threat actor, they should seek outside expert help.

• Access Now’s Digital Security Helpline and Amnesty International’s Security Lab both offer support to high-risk communities who believe they are the subjects of a targeted attack. 
• You may also consider reporting a network intrusion, data breach, or ransomware attack to your local FBI field office.
• Consult CISA’s Cybersecurity Resources for High-Risk Communities webpage for additional resources and support. 

Additionally, at the start of any new project, Dr. Wise and her team should review and update their incident response plan (or create one if it doesn’t already exist). The incident response plan should include the following considerations:

• How should a team member communicate with and notify the rest of the group if they believe their device is compromised? 
• How should the team communicate with and notify the vulnerable communities they are working with if they believe their device is compromised? 
• Who, within your team’s organization, needs to be notified in the event of a suspected cyber intrusion? 
• What outside support will the team seek, if needed? (Some options are listed above) 
• What protective measures should team members take if they are doxed or harassed online? 
• What guidance can the team offer to vulnerable communities if a cyber intrusion leads to the exposure of sensitive information tied to these individuals or groups? 

Congratulations! You completed Scenario 1.

Scenario 2: Using third-Party Apps 

Day 1

Jeff works at an organization that provides on-the-ground humanitarian relief. There is a massive dam failure in a country with poor regulation of critical infrastructure in areas that are primarily inhabited by a minority group that is subject to government repression. Shortly after the dam failure, Jeff and several team members arrive at the location to provide aid to victims. While they are there, they decide to collect the names and contact information of victims so that they can track the aftermath of the crisis and plan future aid trips. 

Recognizing that this is sensitive data, the team agrees to download a secure messaging application (app) for communication with the victims. PrivateConvos is a popular and well-known secure messaging app. When the team searches for the app in their respective app stores, they also see PrivateConvos Pro+, which includes some additional capabilities for free. The team downloads the Pro+ version and completes their mission of delivering aid while establishing contacts in the country, who also download the PrivateConvos Pro+ app. 

Discussion question

• Are there any concerns with downloading the PrivateConvos Pro+ app? 

Take some time to discuss, and then continue onto the next page to learn more about the risks associated with downloading the PrivateConvos Pro+ app. 

Day 1 – Discussion Guidance 

Risks of downloading third-party apps 

Threat actors frequently target high-risk communities by creating malicious apps containing malware that enable them to spy on people who download the app. 

Sometimes these apps are spoofed (i.e., fake) versions of legitimate apps. For example, in 2023, security researchers discovered a malicious Android app, Signal Plus Messenger, that was designed to look like a premium version of the popular secure messaging app, Signal. The malicious Signal Plus Messenger app allowed the threat actor to collect the contact lists, call logs, Google accounts, and Signal communications of individuals that downloaded it. (7.)

Other times, threat actors will design random apps that might be of interest to their target community. For example, in 2021, Meta reported that a Chinese APT created a third-party app store with applications that would be of interest to the Uyghur population, including a keyboard app, prayer app, and dictionary app. (8.) These apps contained malware that allowed the APT to monitor the victim’s geolocation, access call logs to see who the victim was communicating with, read the victim’s SMS text messages, and access the device’s camera, microphone, and screenshot capabilities to subtly record the victim’s activities and conversations. (9.)

Steps to mitigate risks associated with third-party apps

• Never download apps from third-party app stores. Always use the official app store associated with your device. 
• Consider whether you truly need an app before downloading it. Even apps that are not “malicious” often collect a lot of personal information that can be sold to data brokers, who compile it to create robust personal profiles. Threat actors can purchase these personal profiles and use the information as part of a targeted cyber campaign. Project Upskill Topic 1.3 contains for more information on configuring your app settings to enhance your privacy. 
• Conduct due diligence before downloading an app. Are you familiar with the developer of the app? If not, research them online to see if they are a reputable vendor. If you can’t find any information to confirm that they are trustworthy, consider looking for a similar app from a different developer that you know to be trustworthy. Visit Project Upskill Topic 1.5 for more information on how to thoroughly vet third-party vendors to ensure that they will protect your privacy and security. 
• Routinely review the apps on your device. If you no longer use them, delete them! 
• Audit your app permissions. Ideally, you should examine what categories of data an app will have access to before you download it onto your device. This information is usually available in your device’s official app store. However, if you already have apps on your device, you should check your device settings to see what categories of data each app has access to. Modify app settings, delete, or replace apps if you are uncomfortable with the categories of data that they can access. Navigate to Project Upskill Topic 1.3 for more information on how to do this. 

Tips for vetting secure messaging apps 

• Reputable secure messaging apps are a far safer way to communicate than SMS text messages, which are unencrypted. Here are some features that you should look for in a messaging app: 
• End-to-end Encryption -- End-to-end encryption is essential to prevent a threat actor from intercepting messages between devices.
• Voice over Internet Protocol (VoIP) – VoIP will allow you to make voice calls across your messenger app using its security functions as opposed to traditional cellular phone calls. 
• Multifactor Authentication – A secure messaging app should use MFA to make it more difficult for a threat actor to gain unauthorized access to your account. 
• In addition to looking for an app with these features, use the principles above when vetting your app to ensure data privacy and security.

When your group has finished discussing, go to the next page to continue with the scenario. 

Day 15

Back in the United States, Jeff and his team communicate with their new contacts abroad to stay apprised of on-the-ground developments and plan their next trip. One of their contacts notes that many victims would like to draw international attention to the crisis to apply pressure on their government to improve its treatment of this minority group. 

Jeff’s team readily agrees and begins planning a social media awareness campaign to document the crisis. 

Day 25 

Jeff and several members of his team receive threatening text messages and email messages. The messages indicate that the threat actor not only knows their home addresses, but also the names of their family members and the locations of their contacts abroad. Some of the messages include audio clips of Jeff and his teammates discussing their plans for the awareness campaign while gathered in the office together. The threat actor demands that Jeff’s team halt the awareness campaign or there will be consequences.

Discussion questions

• What are some of the digital security risks associated with social media? 
• How should Jeff and his team respond to the breach?

Take some time to discuss, and then continue onto the next page.

Days 15 - 25 – Discussion Guidance

What are some of the risks associated with social media usage? 

Social media can be a rich source of open source intelligence that a threat actor can use to target high-risk communities. (Project Upskill Topic 6.2). Because social media often plays an essential role in advocacy, it is important for activists to think carefully about how they will protect themselves against the digital threats that may arise in response to their online advocacy. For example, activists might consider using an official organizational social media account as opposed to a personal or individual account to raise awareness for a cause. In addition, they should avoid sharing identifying information about themselves and others in social media posts, to the extent that they are able. 

How should Jeff and his team respond to the data breach and threats? 

Given that Jeff’s team has likely been targeted by a nation-state threat actor, they should seek outside expert help.

• Jeff’s team should strongly consider reporting the incident to their local FBI field office, especially since the APT has made credible threats against them.
• Access Now’s Digital Security Helpline and Amnesty International’s Security Lab both offer support to members of high-risk communities who believe they are the subjects of a targeted attack. 
• Consult CISA’s Cybersecurity Resources for High-Risk Communities webpage for additional resources and support. 

Additionally, at the start of any new project, Jeff and his team should review and update their incident response plan (or create one if it doesn’t already exist). The incident response plan should include the following considerations:

• How should a team member communicate with and notify the rest of the group if they believe their device is compromised? 
• How should the team communicate with and notify the vulnerable communities they are working with if they believe their device is compromised? 
• Who, within your team’s organization, needs to be notified in the event of a suspected cyber intrusion? 
• What outside support will the team seek, if needed? (Some options are listed above) 
• What protective measures should team members take if they are doxed or harassed online? 
• What guidance can the team offer to vulnerable communities if a cyber intrusion leads to the exposure of sensitive information tied to these individuals or groups? 

Congratulations! You completed Scenario 2.

Scenario 3: Others’ Cybersecurity Practices impacting your digital security 

Day 1 

Elsa is a “data journalist” at a local newspaper in a small city. Her work recently entered the national spotlight when she uncovered evidence of commercial espionage by a foreign APT group against a small, but important, defense manufacturer in her town. 

Discussion questions

• Now that Elsa’s work is in the national spotlight, and likely on the radar of foreign adversaries, what are steps that she can take to protect herself online?
• If you were the leader of the organization that Elsa works for, would you have a “threshold” for determining when an employee is “high-risk”? Would you provide any additional support or resources to high-risk employees? 

Take some time to discuss, and then continue onto the next page.

Day 1 – Discussion Guidance 

As someone whose work could attract the attention of a threat actor, what are some of the most basic steps that you can take to guard your digital security? 

1. Do not use an administrator account on your computer for daily activities. (Project Upskill Topic 1.0)
2. Protect your accounts with long, unique, and random passwords, and enable a strong form MFA (Project Upskill Topics 2.0-2.2)
3. Routinely update your devices’ operating systems and applications. (Project Upskill Topic 1.1)
4. Audit device and application settings to limit the amount of information that advertiser tracking technology can collect about you. (See Project Upskill Topics 1.3, 6.0)
5. Confirm your devices’ antivirus and antimalware programs are up-to-date and running. (Project Upskill Topic 1.2)
6. Ensure third-party developers or vendors are reputable before you adopt a new hardware or software product. (Project Upskill Topics 1.5)
7. Manage browser settings for better privacy and security and always use HTTPS when connecting to a website. (Project Upskill Topics 4.1, 4.2)
8. Avoid using public Wi-Fi. If you need to access public Wi-Fi, then operate under the assumption that a threat actor could see your internet traffic and do not access sensitive information online. (Project Upskill Topic 1.4).
9. Use encryption to protect data stored on your device. (Project Upskill Topic 3.0)
10. Be aware that a threat actor may see any identifying information that you (or a friend) posts on social media and use it to craft a targeted cyber campaign against you.  (Project Upskill Topic 6.1)
11. Physically secure your devices to prevent unauthorized access to them. (Project Upskill Topic 1.6)

Who are the “high-risk” employees in your organization, and what resources could you offer to protect their digital security as well as your own organization’s?

While the definition of a “high-risk” employee will vary based on your organization’s mission and functions, high-risk employees include:

• Anyone who is at heightened risk of being targeted by a threat actor based on the nature of their work.
• Anyone who possesses information that, if exposed, could put someone at risk, threaten the credibility of the organization, or put its mission at risk.

High-risk employees may face threats to their physical or digital security, making it crucial for organizations to provide additional support for these individuals. If compromised, high-risk targets can also provide a foothold for APTs to target others in the organization and steal sensitive data that could lead to physical, digital, or reputational harm. 

When your group has finished discussing, go to the next page to continue with the scenario. 

Day 2 

After making national news, Elsa has taken steps to make it harder for potential threat actors to find information about her online. Overall, she feels confident that she has minimized her digital footprint.

One day, Elsa’s colleague, Mark, receives a friend request from an old college buddy. Mark hasn’t heard from this individual in a long time and eagerly accepts. Shortly thereafter, the friend messages Mark, expressing interest in Elsa’s story, and asks if Mark might provide her email address so that he can ask some follow-up questions. Mark happily obliges.

Discussion questions

• Do you foresee any potential cybersecurity risks in this scenario?
• What are some of the cybersecurity risks associated with social media use and how can you mitigate them?

Take some time to discuss, and then continue onto the next page.

Day 2 – Discussion Guidance 

Potential risks associated with social media use 

In this scenario, a threat actor could be leveraging social engineering to trick Mark, who is less attuned to personal cybersecurity than Elsa, into providing Elsa’s email address. From there, the threat actor can craft a spear phishing campaign to compromise Elsa. 

Refer to Project Upskill Topic 6.1 for more guidance on personal social media usage, but here are some very basic tips: 

• Avoid social engineering attempts by not accepting friend requests or messages from strangers, as well as from people you know if the message seems out-of-the-blue. 
• Do not click on links or attachments in messages unless you have verified the identity of the sender. 
• Do not post information about yourself online that could enable a threat actor to gather your location and activities, particularly if you feel that you are high-risk. Encourage other close contacts who may post about you to do the same. 
•  Do not access your personal social media accounts from a work device or work account. 
• Reference the United States Special Operations Command Smart Cards to learn more about how to configure the settings on a variety of social media accounts for improved privacy and security. 

While this scenario discusses personal social media usage as a threat vector, the management of an organization’s social media accounts can also introduce vulnerability. Reference CISA’s Capacity Enhancement Guide: Social Media Account Protection to learn more about how your organization can minimize the cybersecurity risks associated with organizational social media accounts. 

When your group has finished discussing, go to the next page to continue with the scenario.

Day 4

It’s a particularly busy day at work when Elsa receives an email from her newspaper’s Editor-in-Chief. She’s never received an email from the Editor before and rushes to respond. The Editor has emailed her regarding a new piece that he wants her to write, with links to several articles that he wants her to read for background context. Although Elsa is normally careful to hover over links before opening them, between the commotion of the day and her excitement at receiving an assignment directly from the Editor-in-Chief, she clicks on the links without a second thought and begins researching. 

Discussion questions

• Are there any indicators that this might be a spear phishing email? 
• What steps should Elsa take to confirm the authenticity of an email before taking any further action?
• Take some time to discuss, and then continue onto the next page.

Take some time to discuss, and then scroll down to the next page.

Day 2 – Discussion Guidance 

Potential indicators of a spear phishing email 

• It is not normal for Elsa to receive emails from the Editor-in-Chief. 
• The Editor-in-Chief is a high-profile individual, which might make it easier for a threat actor to use open-source information to compromise him. In addition, Elsa is not likely to ignore an email from the highest-ranking person in her organization.
• The email contains links. 

Confirming the authenticity of an unexpected email from someone you know

Reach out to the sender through a different communication channel (e.g., phone call) to confirm that the email is legitimate. 

When your group has finished discussing, go to the next page to continue with the scenario.

Day 10 

Elsa receives a text with screenshots of her communications with several confidential sources, along with a frightening message that warns her to stop reporting on commercial espionage. If she doesn’t, the unknown threat actor will leak her information, along with her private communications. 

Discussion questions

• If you were Elsa’s organization, what policies would you develop to address a breach of privacy with regards to personal/confidential information?
• How should Elsa and the organization respond to the data breach? 

Take some time to discuss, and then scroll down to the next page.

Day 10 – Discussion Guidance 

Organizational policies for responding to a data breach

While organizations may differ in the way they respond in the aftermath of a data breach, it is important to have a plan in place that addresses the following considerations: 

• How will the organization notify potential victims of the data breach? What measures will it have in place to support or protect the victims? 
• Which authorities should the organization notify? 
• How does the organization plan to mitigate the data breach from a technical perspective? If outside help is needed, does the organization have a list of approved expert entities that they can call for support? 

Congratulations! You completed Scenario 3!

Conclusion 

Congratulations on completing this series of table-top discussions! Hopefully these scenarios helped you and your team to think about how you would respond during a cyber intrusion. Take advantage of the lessons learned from this exercise to formally write out a “plan” of the actions that you and your team members would take in the event of a similar scenario. 

Further Reading

High-risk communities should consult Project Upskill, a series of digital security guides that empower non-technical individuals to adopt best practices that will improve their personal cybersecurity posture. 

High-risk communities should also refer to CISA’s Cybersecurity Resources for High-Risk Communities page to learn more about the preventive and emergency response resources that are available for free or at a steeply discounted cost for high-risk communities. 

For questions or comments please reach out to cisa.jcdc@cisa.dhs.gov.