1. Objectives
    1. Pick a date
    2. Choose Objectives
      1. Interdependencies: Examine network interdependencies during a cyber disruption
      2. Cyber Response Plan: Assess the sufficiency of response plans, policies and procedures
      3. Public / Private Relationships: Examine public / private sector relationships during a cyber disruption
      4. Allocation of Resources: Assess the allocation of limited technical resources during a cyber disruption
      5. Communications: Identify communication challenges and paths among organizations
  2. Participants
    1. Emergency Services
      1. Computer aided dispatch (CAD) attack
        1. Automated Vehicle Location system fails
        2. CAD server infected with rootkit
        3. Police dispatch wondering if CAD is trustworthy
      2. EOC data corruption
        1. Numerous event reports in EOC data system cannot be validated
        2. Event reports are not real, EOC requesting guidance
        3. Vendor identifies EOC software vulnerability
    2. Law Enforcement
      1. Criminal database corruption
        1. CJIS queries not responding
        2. Officers report responses to IAFIS queries are wrong
        3. CJIS back online, police chief requests briefing
      2. Offender registry corruption
        1. Media reports that Mayor and Legislators have been mistakenly included in offender registry
        2. Sex crime registry contains the names of many public figures
        3. Mayor's office requests briefing by IT department
      3. Cyber crime criminal investigation
        1. Cybercrime unit asked to investigate fraud complaint at City IT
        2. Phishing scam - site pretending to be City tax collection web site is based in Europe
        3. Citizens call City Help Desk concerned that their SSNs have been compromised
    3. Government IT
      1. Government website defacement
        1. Citizen complaints about website
        2. Website corruption confirmed, enabled by unauthorized external access
        3. Executive office asks for damage assessment
      2. Taxpayer data exfiltration
        1. Credit card processing interruption
        2. Taxpayer SSN data posted on website in Eastern Europe
        3. Media inquiry about possibility of identity theft
      3. DMV records
        1. Help Desk calls from Law Enforcement reporting large call volume of revoked licences
        2. DMV confirms database corruption
        3. Recovery plan
    4. Public Utilities / Manufacturing
      1. SCADA worm
        1. CERT report of a new control system worm like Stuxnet
        2. Local utilities and manufacturing are infected with the worm
        3. Worm signature and payload identified
      2. Insider threat to control systems
        1. Power substation failure
        2. Utility employee arrested for software sabotage
        3. Media inquiry into insider threat
    5. Health Care
      1. Patient data disclosure
        1. Three identity theft cases have been traced to leaking hospital records
        2. A total of 2000 patient records were illegally disclosed from a hospital server
        3. Hospital CEO requests HIPAA impact statement
      2. Prescription database availability
        1. Hospital prescription database is down
        2. Pharmacy says hundreds of prescription records have been deleted, rootkit found on server
        3. Can records be trusted after intrusion
    6. Banking / Finance
      1. ATM fraud
        1. Bank customers complain that ATMs are out of cash
        2. FBI calls asking for forensic data involving fraudulent cards
        3. Investigation shows that in less than one hour 30 ATMs were accessed using fraudulent cards
      2. Account transfer failure
        1. Escrow company complains that it is missing $400K due to unauthorized bank transfers
        2. Bank employee admits to opening email claiming to be a shipping receipt. IT says it was a Trojan.
        3. Escrow company wants to know what kind of security improvements will be made
    7. Telecommunications
      1. DNS poisoning
        1. Customers complain about phishing scam involving Federal Tax refunds
        2. Phishing scam linked to DNS attack
        3. DNS servers have been poisoned
      2. Botnet
        1. Customers request blocking port 6667
        2. Bot armies discovered in college campuses served by local ISP
        3. DDoS attack against US government sites
    8. Transportation
      1. Control systems corruption
        1. Traffic information signs post unauthorized messages
        2. Rail signals inoperative
        3. Governor's office concerned about rail safety after attacks
      2. Bus / train scheduling system
        1. Customers complain that bus schedule page is not available
        2. Transit schedule page defaced
        3. Transit employee names leaked on website