
Drill IT

Cyber Security Organization


Purpose

This presentation introduces a methodology (Drill IT) to assist with the planning, organization
and execution of incident response drills, and with testing the participants’ capability to detect,
respond to and prevent cyber-attacks or other failure events.

Includes:
– Types of Drills
– Definition of Roles & Responsibilities
– Requirements for drill closure

Teamspace
https://slb001.sharepoint.com/sites/DrillIT

Cyber Incident

“A cybersecurity event that has been determined to have an impact on the organization prompting
the need for response and recovery” NIST Cybersecurity Framework (Ver 1.1)

• Examples
– Cyber-incident that either cripples our ability to use information technology when conducting
our business, or causes loss of control over proprietary information or damage to our reputation.
– Data Breach, where Schlumberger classified sensitive data is moved outside the Schlumberger
locations where it is intended to be stored.

• Causes
– Malicious actors (external or internal to SLB’s infrastructure) wanting to harm Schlumberger’s
or Schlumberger’s customers’ reputation, or to make financial gain
– Schlumberger persons that unintentionally/mistakenly/unwittingly mis-configure something that
results in system/application/service loss.

• Targets
– on SINet, one of our classic Data Centers, at the wellsite
– in the Cloud at one of our Cloud Service Providers
– in our customer facing environments such as DELFI

Schlumberger-Private
Cyber Incident Drills

• The Cyber Security Response Plan
– InTouch [ 6279873 ]
• Different types and reach
– Planned meeting (tabletop), unannounced drill (simulation) and Real Event
– From Department to IT Operations to SL
• Roles
– Planner
– Moderator
– Observer
– Participants

Drill Type #1 - Tabletop

• Discussion-based
– Establish roles during an incident
– Evaluate responses to a particular scenario or situation
– Does not involve deploying equipment or other resources

• Objectives
– Determine if participants can realistically talk through their critical functions during an
incident response scenario
– Help participants become more aware of possible weaknesses and gaps in the Cyber Incident
Response Plan

• Advantages
– Can have a broad or narrow focus
– Economical
– Presents a real scenario in a non-threatening, non-disruptive format
– Limited time and resource needs

• Limitations
– Provides only a high-level estimate of a successful incident response
– Leaves uncertainty regarding available skill set, resources, and capabilities for execution
of the plan

Drill Type #2 - Simulation

• Operational
– Participants believe that events are actually occurring
– Simulated information is injected into standard channels, e.g. IT tickets

• Objectives
– Determine if participants perform their critical functions during an incident response scenario

• Advantages
– Gauges actual capabilities
– Identifies gaps in processes & procedures

• Limitations
– May take weeks to plan
– Could impede normal operations
– Participation may be limited due to scheduling
– Unintended exposure to non-Drill participants may cause panic.

Drill Type #3 – Real Event

• Operational
– An event that actually occurred
– Updates & information are received in real time

• Objectives
– Follow the existing Incident Response Plan and check if it works
– Determine if participants perform their critical functions during an incident
– Update the Incident Response Plan (IRP) as per lessons learned

• Advantages
– Validate the IRP against a real event
– Assess participants’ readiness during a real event
– Opportunity to identify gaps in processes & procedures

• Limitations
– Event is not planned
– Resources may not be available
– May affect normal operations

Roles Definition

• Planner
– Determines objectives, topics, scope, participants - the most time-consuming phase of
planning an exercise
– Prepares exercise material
– Plans drill length
– Reviews the Lessons Learned section on the Drill IT web page to help improve the Drill exercise

• Moderator
– Presents the scenario, possibly in phases, and asks the participants questions related to
the scenario
– Initiates a discussion among the participants of roles, responsibilities, coordination, and
decision-making
– Redirects the participants’ focus from the scenario to the objectives, should they begin
focusing too much on the content of the scenario

Roles Definition

• Observer
– Is thoroughly familiar with incident response plans and exercise objectives
– Documents the participants’ responses
– Conducts the debriefing
– Collects and documents lessons learned

• Participants
– Follow the Drill IT Checklist*
– Actively participate in the Drill
– Propose solutions
– Ask questions
– Raise concerns
– Interact with the IRT team

*See Appendix 1 for the Checklist

Scenarios

• Scenarios
– A scenario is a sequential, narrative account of a hypothetical incident that provides the
catalyst for the exercise and is intended to introduce situations that will inspire responses
and allow demonstration of the exercise objectives
– Use multiple short, concise scenarios. With long, detailed scenarios, participants often
spend more time dissecting the scenario and discussing its content than they spend on meeting
the objectives (e.g., “talk through” critical roles and functions; identify plan weaknesses).

• Sample Scenario
– At 8:15, DCS reports that it cannot establish a remote desktop connection to an EspWatcher
SCADA historian at a pod in Noyabrsk
– At 8:30, a SCADA operator reports signs of a break-in at the control room
– At 11:00, a SCADA operator reports that a key configuration file in the SCADA system has
been altered inexplicably

Moderator Guidance (1)

• Scenario Questions - Common/General
– Who decides which incident response team members would participate in handling this incident?
– Besides the incident response team, what groups within the organization would be involved in
handling this incident?
– To which external parties would the incident be reported?
– When would each report occur?
– How would each report be made?
– What other communications with external parties may occur?
– What tools and resources are necessary to handle this incident?
– What aspects of the response would be different if the incident occurs at a different day
and time?
– What aspects of the response would be different if the incident occurs at a different
physical location (onsite versus offsite)?

• Scenario Questions – Preparation
– Would we consider this activity to be an incident?
– What measures are in place to attempt to prevent this type of incident from occurring or to
limit its impact?

• Scenario Questions – Detection & Analysis
– What precursors of the incident, if any, might the organization detect?
– Would any precursors cause the organization to attempt to take action before the incident
occurred?
– How would this incident be recognized?
– How would the incident response team analyze and validate this incident?
– To which people and groups within the organization would the incident be reported?
– How would the incident response team prioritize the handling of this incident?

Moderator Guidance (2)

• Scenario Questions - Containment, Eradication, Recovery
– What strategy should the organization take to contain the incident?
– Why is this strategy preferable to others?
– What could happen if the incident were not contained?
– What sources of evidence, if any, should the organization acquire?
– How would the evidence be acquired?
– Where would it be stored?
– How long should it be retained?
– How is a chain of custody maintained?

• Scenario Questions – Post-Incident Activity
– Who should attend the lessons learned meeting regarding this incident?
– What could be done to prevent similar incidents from occurring in the future?
– What could be done to improve detection of similar incidents?

Registration

Add the planned drill to the Registry:
https://slb001.sharepoint.com/sites/DrillIT

Do NOT forget to add the QUEST Meeting number & the number of action items when marking the
Drill as Completed

Executing The Drill

• Moderator
– Welcomes participants
– Requests participants to introduce themselves and describe their roles and responsibilities
under the incident response plan
– Reviews objectives and logistics
– Walks participants through the scenario(s)
– Poses questions designed to prompt role recognition, decision-making, or coordination among
participants

• Observer
– Records observations to be included in the post-exercise report
– For each observation, notes whether it is: compliance, non-compliance, or a related issue
– Affected role(s): takes notes for each participant role

Evaluation

• Debrief
– Immediately following the exercise, the moderator and observer should conduct an exercise
debrief
– During the debrief, the moderator asks responders in which areas they felt they excelled,
in which areas they could use additional training, and which areas of the plan should be updated

• Post-exercise Report
– Evaluates how well exercise objectives were met and identifies areas where additional
exercises might be necessary
– Includes debrief comments and observations made by the moderator and observer during the
exercise

Evaluation

• Create QUEST report*, including:
– Action Items assigned
– Drill documentation attached:
• Scenario based on template
• Participants & Roles
• Observations
• Lessons Learned

*Use template in Appendix 3

• In the Drill Registration form
– Provide link to QUEST report
– Provide number of Action Items assigned
– Set status as Completed
– Inform your Drill IT Mentor or the Cyber Security member (Abdurraouf Issa) to validate the Drill

• Report Lessons Learned on the Drill IT Web Page

Appendix 1 - DrillIT Checklist / Severity & Escalation Calculator
Don’t Panic!

Appendix 2 – Drill Verification Check

• In the Drill registration form
– Link to QUEST report provided (Use template in Appendix 3)
– Accurate number of created QUEST Action Items
• QUEST report created based on template and includes
– Drill documentation:
• Scenario based on template
• Participants & Roles
• Observations
• Lessons Learned
– Action Items assigned
• Drill validated by IT Security (or DrillIT Mentor)

Appendix 3 – QUEST Report Template

Classification: Meeting Report

Type: Drill IT

Meeting Date: <<Date when Drill took place>>

Meeting Location: <Area>-<Geomarket>-<Site Code> or Online Meeting
(example: RCA-KZU-KZ0030)

Subject: <Drill Organization>-<Drill Name>
(example for Domain: Business Systems-Business Continuity for EMS/MFGPro; example for Geomarket:
ASA-APG-Ransomware)

Attendees: <<Provide list of Participants and Roles as per WorkBook>>
(example: Planner: Andrey Melnikov; Moderator: Berris Bramble; Observer: Daron Gabriel;
Participants: …)

Meeting Description: <<Description of scenario; Observations; Lessons Learned>>

Action Items: <<Mandatory. Number of Action Items reflected at Drill IT web page>>

Attachments: <<Mandatory. Attach all Drill related documentation as per Drill IT-Guide>>

Notify: <<Notify appropriate audience + Drill IT Mentor/Abdurraouf Issa>>

*Make sure you choose the correct location when creating a new report
Resources

• MyHub – Cyber Security:
https://slb001.sharepoint.com/Pages/ChannelPages/bbc16a1d-1a6c-42ac-adb4-ff37db2ce4dd.aspx?csf=1&e=KK1mbX

• Drill IT Page: https://slb001.sharepoint.com/sites/DrillIT

• Cyber Security Response Plan:
https://intouchsupport.com/index.cfm?event=content.preview&contentId=6279873

Thank You

CyberSec | Interest and Information Channel
