ROOM#42 is a cyberattack simulator, made in Luxembourg, enabling management teams to test their cyber-crisis management ability. Through ROOM#42, the Grand Duchy of Luxembourg has been a forerunner in putting the human factor at the heart of cybersecurity.
ROOM#42 was conducted as an applied research project, by SECURITYMADEIN.LU, the national cybersecurity agency for the economy and municipalities – via its Cybersecurity Competence Center (C3) department – considering the application of cyber and non-cyber skills in a simulated environment. The project has been operating for the past 4 years.
Cybersecurity is a key pillar of Luxembourg digital economy strategy. In cybersecurity, it is essential to consider that a crisis can be anticipated, thus requires the ability to understand emerging threats, analyse and test appropriate measures.
Regarding the concept: from simulated cyberthreats to the taste of real bad consequences
Under stress and pressure (hostile environment, time pressure, calls from journalists, multiple and parallel issues, etc.), participants have to make quick decisions, with only a little information in hand, to get their organisation through the crisis.
The exercise brings together 5 to 8 people (c-levels, executives and managers) representing key disciplines of an organisation (senior management, communication, marketing, HR, finance, legal, customer service and IT) in a simulated environment to test their crisis response competence. A typical exercise, including at least a briefing, the simulation itself, as well as an extensive debriefing, is a half-a-day training experience. While participants are exposed to coordinated cyberattacks, their behaviour and response-to-incident abilities are observed and stress-tested.
The coordinator of the exercise watches, monitors and steers the course of the exercise from a separate room, in the fashion of a roleplay. His/her interactions will mainly focus on disrupting the team in the simulator by means of the different roles s/he impersonates. That way, every exercise is adapted to best address the organisation’s needs and weaknesses, with a scenario tailored to the organisation’s cyber crisis management maturity.
With the help of “special effects”, combining dark atmosphere, lights and sound effects, diving the participants into an uncomfortable environment and with a high pace of actions happening, the ROOM#42 is a cyberattack simulator that intends to train human’s reaction, abilities and behaviour under simulated stress conditions, providing a level of stress similar to that experienced during a real attack.
The overall framework is based on the following crisis management process: Detection, Understanding, Communication, Decision, Countermeasure, Analysis.
One clear objective
The objective of ROOM#42 is to test an organisation’s cyber crisis management maturity in order to enhance its competence and increase its resilience.
The undeniable link between time, people and competence
For delivering services in a structured and organised way, which is a major performance indicator for companies, competence, expertise and therefore people are key. Stress, fatigue, fear and other emotions influenced by external events have a direct impact on the competence of people, and as such degrade the company’s capacity to act.
Competence must not only be seen as skills or technical abilities, it includes further aspects such as people management, decision-taking and communication. This means that in a critical situation, one must be able to gather relevant information and understand the situation in order to make decisions within a short period of time, under psychological pressure, as well as to anticipate the effects those decisions may have. Time is of the essence, especially when it comes to detection, understanding and decision-making. In the ROOM#42, time pressure is used to highlight its aggravating factor of an incident.
To date, no technology is able to respond to this type of challenge and consequently to replace us humans. Preparing your team with a ROOM#42 experience, will make sure that during the next cyber-incident or crisis, you have everything under control and get out of it safe and stronger.
How was this concept developed?
In order to develop and offer an exercise that answers today’s requirements, the C3 conducted a global analysis and identified the following 3 pillars: Observe, Test and Train.
In the concept of the ROOM#42, the “Observe” pillar plays a key role.
Applying the 3 pillars to the ROOM#42
Stage 1: Observe
It is essential to have a permanent observation capacity of the global cyber context in order to understand the threats and their impacts as well as the possible counter-measures to respond to them. This is crucial in order to define realistic scenarios and to be able to “test” or “train” competence and resilience.
Stage 2: Test
Based on the observations made in stage 1, scenarios are created and simulated in ROOM#42 in order to expose a team to near-real cyberattacks and test its capacity to detect, understand react and respond.
Stage 3: Observe
ROOM#42 participants are observed during the test stage, also named “simulation stage”. Key points that are observed are the followings – but not limited to:
- Ability to detect and understand an incident
- Communication skills (internally and towards third parties)
- Decision-making process
- Analysis and technical skills
- Management skills
Stage 4: Train
The purpose of a simulation with ROOM#42 is to determine the level of maturity of an organisation to face a cyber crisis and to deliver a diagnosis of the points to be improved through training thereafter.
ROOM#42 combines the “stress-testing” aspect with a training tool, by enabling people to put their skills and expertise into practice in a simulated environment. It’s an all-round experience from theory to practise and back.
Lessons learned after 4 years of operation
Observing the behaviour of the participants enabled the generation of many useful statistics about weaknesses and gaps in cyber maturity, with the aim to raise awareness and competence amongst organisations.
Knowledge gathered during the sessions conducted over the past four years (2018-2021) resulted in the following statistics – categorised following the major exercise topics:
- Ransomware:
- 85% of participants took over 15 minutes to react,
- 60% of countermeasures were insufficient,
- 40% of participants paid the ransom.
- Fake news: 65% of participants did not identify and reject fake news
- CERT: 70% of participants didn’t ask help from a local CERT (Computer Emergency Response Team)
- Crisis: 45% of participants didn’t create or activate a Crisis Team within their company
- Communication: 80% of participants missed to communicate internally
- Evidence: 95% of participants neglected to collect clear evidence about the incidents
The above-mentioned facts and figures show that training people, and all of them not only IT people, is essential in order to efficiently overcome a cyberattack.
The observations from the ROOM#42 have led to a simple conclusion: Only teams with “regular practice and training”, properly allocated skills and roles, as well as having set up a viable cyber-reaction framework (even a very simple one), can quickly and drastically reduce the impact of an incident or crisis.
ROOM#42 outcomes allowed to draw and distribute the key points of good practice in crisis management
- Trigger
Ability to detect an incident, understand it and activate the “crisis” mode.
- Scope
To set a guideline for crisis management by knowing the current “degraded” situation and the desired “minimum vital” situation.
- Priority
What needs to be saved first.
- Timeline
Drafting of a logbook listing all events, incidents and actions throughout the crisis situation
- Impact
What are the legal, financial, reputational & operational impacts? (Do not only focus on technical aspects.)
- Action
Plan, set priorities, evaluate costs, define responsibilities and deadlines.
- Team
Chaos comes with chaos. When an IT system has already been weakened by a cyberattack, cybercriminals often take that opportunity to attempt another one. Remain vigilant. Only as a team one can achieve resilience and cyber vigilance.
- The end
Getting out of a crisis is the most complicated decision to make. ROOM#42 helps participants reach that step of the process – and most importantly, to officialise the end of the attack.
“The crisis is over!” – needs to be stated officially at a certain point of time.