On April 3, 2024, Dark Reading reported that Omni Hotels & Resorts experienced a companywide IT outage that disrupted reservations, digital key systems, and other hotel operations. Guests took to social media to vent their frustrations at the service disruptions. In this article we will explore how your organization can plan and run an effective cybersecurity fire drill exercise based on this real-world incident.
Who Is This For?
This cybersecurity fire drill exercise is relevant for any business that relies on digital systems for critical operations, especially in the hospitality, retail, and service industries. Within those organizations, this is most pertinent for IT, security, operations, communications, and executive leadership roles. The goal is to prepare for potential outages of key systems such as reservations, point-of-sale, inventory management, physical access control, etc.
Simulation Start Points
Choosing a realistic starting point is crucial for an effective and engaging cybersecurity fire drill, one that stresses your people, processes, and technology and surfaces the gaps between them. Here are some ideas for this scenario:
- Reports start coming in from multiple properties that guests are locked out of their rooms due to malfunctioning digital key systems
- The reservations system goes offline during a busy holiday weekend, leaving front desk staff unable to check guests in or out
- Social media posts about the outage start going viral, along with rumors that the company was hit by a cyberattack
- Point-of-sale systems crash, forcing restaurants and gift shops to go cash-only
Cybersecurity Fire Drill Simulation Phases
Walk through each phase of your incident response process. Using the NIST SP 800-61 incident response lifecycle as an example (the drill itself is the test of the Preparation phase):
- Detection and Analysis
  - How do you first detect the outage? (Monitoring alerts, customer complaints, staff reports, social media)
  - How do you analyze the scope and severity? Which tools and data sources are used, and how quickly can you tell a single-property fault from a companywide outage?
- Containment
  - How do you contain the impact? (Shutting down or isolating affected systems, activating backup processes such as manual check-in and physical keys)
  - Who decides to contain, accepting the disruption, versus continue normal operations, and on what evidence?
- Eradication
  - If the outage was caused by a cyberattack, how do you remove the attacker's access?
  - What systems need to be patched, rebuilt, or replaced?
- Recovery
  - In what order are systems brought back online, and how do you verify their security and integrity before reconnecting them?
  - How long does full recovery take, and who declares the incident over?
- Post-Incident Activity
  - How is the incident documented and analyzed to identify lessons learned?
  - What process improvements can prevent similar incidents in the future?
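The Detection and Analysis questions above are easier to answer if the team has practiced turning raw signals into a scope statement. The script below is an added example written for this article, not code from the original page: it reads two constructed feeds (per-property health checks and helpdesk tickets; the property codes, system names and log formats are assumptions), works out which systems are down at which properties, assigns a rough severity, and measures whether guest complaints or monitoring noticed each failure first.

```python
"""Outage triage over two constructed feeds (health checks, helpdesk tickets).
Added example for this article, not code from the original page; property
codes, system names and the log formats are assumptions."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed monitoring feed: timestamp, property, system, status
HEALTH_CHECKS = """\
2024-03-29T06:00:00Z ATL digital_key OK
2024-03-29T06:05:00Z ATL digital_key FAIL
2024-03-29T06:05:00Z DAL digital_key FAIL
2024-03-29T06:05:00Z ATL reservations FAIL
2024-03-29T06:05:00Z DAL reservations FAIL
2024-03-29T06:05:00Z SFO digital_key OK
2024-03-29T06:10:00Z SFO reservations FAIL
2024-03-29T06:10:00Z ATL pos FAIL
"""

# Constructed helpdesk feed: timestamp, property, free-text summary
TICKETS = """\
2024-03-29T06:02:00Z ATL guest locked out of room 1412, key app shows error
2024-03-29T06:03:00Z DAL front desk cannot check in, reservation screen blank
2024-03-29T06:04:00Z ATL mobile key not working for three guests
2024-03-29T06:11:00Z SFO restaurant POS down, cash only
"""

# Crude substring map from complaint text to system; a real deployment would
# key off the ticket's category field instead of free text.
KEYWORDS = {
    "digital_key": ("locked out", "key app", "mobile key"),
    "reservations": ("check in", "check out", "reservation"),
    "pos": ("pos", "point of sale", "cash only"),
}

def parse_feed(text, nfields):
    """Parse whitespace-separated lines; the last field may contain spaces."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            parts = line.split(maxsplit=nfields - 1)
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            rows.append((ts.replace(tzinfo=timezone.utc), *parts[1:]))
    return rows

def classify_ticket(summary):
    """Map a ticket summary to a system name via KEYWORDS, or 'unknown'."""
    text = summary.lower()
    for system, words in KEYWORDS.items():
        if any(w in text for w in words):
            return system
    return "unknown"

def failing_properties(checks):
    """{system: set(properties)} whose most recent check is not OK."""
    latest = {}
    for ts, prop, system, status in sorted(checks):
        latest[(prop, system)] = status  # later checks overwrite earlier ones
    down = defaultdict(set)
    for (prop, system), status in latest.items():
        if status != "OK":
            down[system].add(prop)
    return dict(down)

def severity(n_down, n_total):
    """Rough severity from the share of properties affected."""
    if n_down / n_total >= 0.5:
        return "critical"  # companywide, not a single-site fault
    return "high" if n_down > 1 else "medium"

def detection_lead(checks, tickets):
    """Per system, seconds by which the first complaint preceded the first
    monitoring FAIL; positive means people noticed before monitoring did."""
    first_fail, first_ticket = {}, {}
    for ts, _, system, status in checks:
        if status != "OK":
            first_fail[system] = min(ts, first_fail.get(system, ts))
    for ts, _, summary in tickets:
        system = classify_ticket(summary)
        first_ticket[system] = min(ts, first_ticket.get(system, ts))
    return {s: int((first_fail[s] - first_ticket[s]).total_seconds())
            for s in first_fail if s in first_ticket}

def assess_scope(checks, tickets):
    """Combine both feeds into a per-system scope and severity report."""
    properties = {prop for _, prop, _, _ in checks}
    ticket_counts = defaultdict(int)
    for _, _, summary in tickets:
        ticket_counts[classify_ticket(summary)] += 1
    lead = detection_lead(checks, tickets)
    return {system: {"properties_down": sorted(props),
                     "severity": severity(len(props), len(properties)),
                     "tickets": ticket_counts.get(system, 0),
                     "complaint_lead_seconds": lead.get(system)}
            for system, props in failing_properties(checks).items()}

if __name__ == "__main__":
    for system, info in assess_scope(parse_feed(HEALTH_CHECKS, 4),
                                     parse_feed(TICKETS, 3)).items():
        print(system, info)
```

On the constructed data the digital key and reservations systems come out as critical (down at half or more of the properties) while point of sale is a single-site medium, and the complaint lead shows guests reported the key failure three minutes before monitoring did. That last number is the one worth debating in the drill: if the answer to "how do you first detect the outage?" is "guests on social media", the monitoring gap is a finding in its own right.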
Inject Ideas
Injects can make the simulation more realistic and challenging. Some ideas:
- News breaks that customer financial data may have been breached
- A staff member is discovered to have caused the outage through accidental misconfiguration
- A ransomware gang claims responsibility and demands payment to restore systems
- A previous red team report warned about the exact vulnerabilities that enabled the attack
MITRE ATT&CK Techniques
If the scenario includes an attacker, consider which ATT&CK techniques the injects should exercise, such as:
- Valid Accounts (T1078): the attacker may have obtained administrative credentials
- Network Denial of Service (T1498): the outage could be the result of a DDoS attack on the hotel network
- Data Destruction (T1485): key systems and backups could be wiped by the attacker
- Endpoint Denial of Service (T1499): the digital key servers could be crashed or exhausted; if the lock or controller firmware itself was corrupted, Firmware Corruption (T1495) is the closer match
An effective fire drill exercise program is crucial for improving organizational readiness against real-world cybersecurity incidents like the Omni Hotels outage.
ChaosTrack is a platform that combines the best of tabletops and trainings to run ripped-from-the-headlines cybersecurity fire drills against your whole company.