Cyber Security Incident Response Drill Plan

Disclaimer

1. Purpose

This document seeks formal approval from the Crisis Management Team (CMT) for the implementation of the Exercise Poseidon Cyber Security Incident Response Drill. The drill is designed to test and validate the organization’s incident response capabilities against a simulated ransomware encryption outbreak, initiated via a phishing email campaign exploiting a known vulnerability (CVE-2023-12345), aligned with the HKECCC Incident Response Plan.

2. Overview

Exercise Poseidon simulates a multi-stage cyber attack beginning at 09:30 AM HKT on September 27, 2025, and spanning a 9-hour period until 06:30 PM HKT. The scenario involves a phishing email from a spoofed domain (vendor-phishing[.]com) with a PDF attachment containing a malicious link that exploits CVE-2023-12345, leading to the deployment of LockBit ransomware. The drill evaluates the coordination between the IM Team (including Network Team and Desktop Support Team) and CMT (including Public Affairs Team) to ensure effective detection, containment, eradication, recovery, and post-incident management, in compliance with the HKECCC Incident Response Plan and NIST SP 800-61.

3. Objectives

The primary objectives of Exercise Poseidon, subject to CMT approval, are:

  • To validate the incident response plan (IRP) against a phishing-based ransomware outbreak, adhering to the HKECCC Incident Response Plan and ISO/IEC 27035.

  • To assess coordination among the IM Team, CMT, and Public Affairs Team.

  • To identify and address gaps in processes, tools, or training.

  • To enhance organizational resilience to cyber threats, particularly those exploiting vulnerabilities like CVE-2023-12345, aligning with NIST best practices.

4. Scope and Approach

  • Date and Duration: September 27, 2025, 09:30 AM–06:30 PM HKT.

  • Venue: Corporate Headquarters, Virtual Command Center (VCC).

  • HKECCC Incident Response Plan

    • Preparation: Pre-drill planning and training, based on HKECCC preparedness guidelines.

    • Detection and Analysis: Identifying the phishing email and CVE-2023-12345, following NIST SP 800-61 detection protocols.

    • Containment: Isolating systems and blocking vendor-phishing[.]com, per HKECCC containment strategies.

    • Eradication: Removing malicious code and patching vulnerabilities, adhering to NIST eradication procedures.

    • Recovery: Restoring systems and verifying network/endpoint integrity, compliant with HKECCC recovery processes.

    • Post-Incident Activity: Stakeholder updates and lessons learned, aligned with ISO/IEC 27035 post-incident review.

  • Teams Involved:

    • IM Team: Includes Incident Commander, SOC Analysts, IT Operations, Cyber Security Team, Network Team (for network isolation), and Desktop Support Team (for endpoint recovery).

    • CMT: Includes Chief Executive Officer (CEO), Crisis Manager, Legal Advisor, Communications Lead, Business Continuity Coordinator, and Public Affairs Team (for external communication).

5. Scenarios

The drill focuses on a single primary scenario tailored to a ransomware encryption outbreak, with initial compromise via phishing, based on the HKECCC Incident Response Plan.

Scenario: Ransomware Encryption Outbreak

  • Injects: The Security Operations Center (SOC) detects encrypted files and ransom notes on multiple systems, triggered by a phishing email campaign, as outlined in the NIST SP 800-61 detection phase.

  • Attack Vector: A phishing email disguised as a legitimate vendor notification contains a malicious link that exploits a known vulnerability (CVE-2023-12345) in the organization’s email client software. This vulnerability allows attackers to execute arbitrary code, leading to privilege escalation and the deployment of the LockBit ransomware. The email originates from a spoofed domain (vendor-phishing[.]com) and includes a PDF attachment with an embedded hyperlink to a command-and-control (C2) server.

  • Topics:

    • Rapid detection and analysis of the phishing email and exploited vulnerability by the IM Team, including Network Team and Desktop Support Team, per HKECCC and NIST guidelines.

    • Containment, eradication, and recovery efforts by the IM Team to mitigate the ransomware spread, following ISO/IEC 27035.

    • Crisis Management Team and Public Affairs Team coordination with law enforcement and stakeholders during post-incident activities, aligned with HKECCC protocols.

  • Teams Involved: SOC Team, IT Operations, Cyber Security Team, Network Team (under IM Team), Desktop Support Team (under IM Team), Crisis Management Team, Public Affairs Team (under CMT).

6. Exercise Poseidon Approach

The drill simulates a ransomware outbreak starting with a phishing campaign exploiting CVE-2023-12345, conducted in a controlled environment to avoid live system disruption, following the HKECCC Incident Response Plan.

  • Date: September 27, 2025

  • Session: 9-hour exercise (09:30 AM–06:30 PM HKT)

  • Venue: Corporate Headquarters, Virtual Command Center (VCC)

  • Scenarios:

    • IM Team: Focuses on Preparation (pre-drill planning), Detection and Analysis (identifying the phishing email and vulnerability), Containment, Eradication, and Recovery, per HKECCC and NIST SP 800-61.

    • CMT: Handles strategic decision-making, stakeholder communication, and business continuity, with Public Affairs Team managing external communications during Post-Incident Activity, aligned with ISO/IEC 27035.

7. Roles and Responsibilities

Cyber Incident Management Team (IM Team)

  • Director of Incident Response: Leads the overall incident response, coordinates all team activities, authorizes escalation to CMT, ensures alignment with NIST phases and the HKECCC Incident Response Plan by directing resource allocation, and approves containment and recovery strategies.

  • Senior Security Analyst: Oversees SOC operations, monitors security alerts in real time, triages incidents, escalates to the Cyber Security Team, logs initial detection of phishing emails and CVE-2023-12345 exploitation per NIST SP 800-61, and maintains the incident timeline.

  • Junior Security Analyst: Assists in correlating alerts, analyzes network traffic for anomalies, identifies affected systems, supports forensic data collection during Detection and Analysis per HKECCC guidelines, and reports findings to the Senior Security Analyst.

  • IT Operations Supervisor: Manages system isolation, deploys patches for vulnerabilities like CVE-2023-12345, oversees backup restoration, coordinates with the Network Team for service recovery per HKECCC recovery processes, and ensures system uptime post-incident.

  • IT Support Specialist: Executes server isolation commands, applies security updates, restores data from backups, tests system functionality post-recovery per NIST SP 800-61, and documents restoration procedures.

  • Chief Information Security Officer: Leads forensic analysis, traces attack vectors (e.g., vendor-phishing[.]com), identifies APT groups, implements containment strategies based on threat intelligence per ISO/IEC 27035, and advises on mitigation tactics.

  • Security Analyst: Conducts deep packet inspection, analyzes attack payloads, maps kill chain stages, prepares incident reports for law enforcement coordination per HKECCC protocols, and collaborates with the Network Team on traffic analysis.

  • Network Operations Manager: Oversees network traffic monitoring, isolates compromised network segments, blocks malicious domains (e.g., C2 servers) per NIST SP 800-61, verifies network integrity post-recovery, and ensures secure configurations.

  • Network Administrator: Configures firewalls to block C2 traffic, monitors for APT indicators, restores network services, collaborates with Desktop Support for endpoint connectivity per HKECCC guidelines, and logs network changes.

  • Desktop Support Supervisor: Manages endpoint support, deploys patches for CVE-2023-12345, reimages infected systems, coordinates on-site assistance for critical locations per NIST recovery procedures, and ensures user productivity during recovery.

  • Desktop Support Technician: Assists end users with incident reporting, installs security updates, restores user data from backups, verifies endpoint functionality per HKECCC protocols, and provides real-time support to affected employees.

Crisis Management Team (CMT)

  • Chief Executive Officer (CEO): Provides strategic oversight, approves major decisions including resource allocation and external communications, ensures alignment with organizational priorities per the HKECCC Incident Response Plan, and authorizes escalation to regulatory bodies if needed.

  • Director of Crisis Management: Directs the crisis response, liaises with senior leadership including the CEO, approves communication strategies per the HKECCC Incident Response Plan, ensures alignment with business continuity plans during Post-Incident Activity, and chairs debriefing sessions.

  • Senior Legal Counsel: Reviews regulatory compliance, advises on data breach notifications per ISO/IEC 27035, coordinates with law enforcement, ensures legal documentation is prepared post-incident, and assesses liability risks.

  • Director of Corporate Communications: Oversees internal memos, external press releases, and stakeholder updates per HKECCC communication protocols, ensures consistent messaging throughout the incident lifecycle, and coordinates with the Public Affairs Team.

  • Business Continuity Manager: Develops contingency plans, monitors critical operations, authorizes resource reallocation per NIST SP 800-61, ensures minimal downtime during Recovery, and reports status to the Director of Crisis Management.

  • Public Affairs Manager: Manages media inquiries, drafts public statements on the phishing attack per HKECCC guidelines, coordinates with the Director of Corporate Communications, mitigates reputational impact, and oversees customer communication channels.

  • Public Relations Officer: Prepares social media responses, handles customer inquiries, ensures timely publication of incident updates on the HKECCC website per ISO/IEC 27035, and supports media briefings as directed.

8. Drill Assessment Objectives

Each team is assessed on a high-level goal, the scenarios/attack vectors it faces, the testing criteria, and the objective of its response.

  • Cyber Incident Management Team (IM Team)

    • High-Level Goal: Validate technical incident response capabilities.

    • Scenarios/Attack Vectors: Phishing email exploiting CVE-2023-12345, LockBit ransomware via vendor-phishing[.]com, C2 server communication.

    • Testing Criteria: Time to detect (within 30 mins), containment success rate (100% isolation), eradication completion (all systems patched), recovery time (within 2 hours).

    • Objective of Response: Detect and analyze the attack, isolate affected systems, remove malware, restore services, and document lessons learned per HKECCC and NIST SP 800-61.

  • Network Team (under IM Team)

    • High-Level Goal: Ensure network security and resilience.

    • Scenarios/Attack Vectors: Outbound traffic to C2 server (52.132.321.1321), malicious domain blocking.

    • Testing Criteria: Successful traffic blocking (within 15 mins), network segment isolation, post-recovery integrity verification.

    • Objective of Response: Monitor and block malicious traffic, isolate compromised segments, restore network services, and support endpoint connectivity per HKECCC guidelines.

  • Desktop Support Team (under IM Team)

    • High-Level Goal: Maintain endpoint integrity and user support.

    • Scenarios/Attack Vectors: Endpoint infection from phishing link, ransomware encryption.

    • Testing Criteria: Patch deployment success (100% endpoints), reimaging time (within 1 hour), user support satisfaction.

    • Objective of Response: Deploy patches for CVE-2023-12345, reimage infected endpoints, assist users, and verify functionality per NIST recovery procedures.

  • Crisis Management Team (CMT)

    • High-Level Goal: Ensure strategic oversight and communication.

    • Scenarios/Attack Vectors: Ransomware outbreak impacting operations, public and stakeholder reaction.

    • Testing Criteria: Decision-making time (within 1 hour), communication consistency, stakeholder update timeliness.

    • Objective of Response: Provide strategic direction, approve resource allocation, coordinate legal and public affairs responses, and ensure business continuity per HKECCC and ISO/IEC 27035.

  • Public Affairs Team (under CMT)

    • High-Level Goal: Manage external perception and communication.

    • Scenarios/Attack Vectors: Media inquiries, customer concerns via phone/branch.

    • Testing Criteria: Statement release time (within 2 hours), social media response accuracy, customer query resolution rate.

    • Objective of Response: Draft and publish statements, handle media and customer inquiries, mitigate reputational impact, and update the HKEC website per HKECCC protocols.
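The testing criteria above are only useful if someone scores the drill against them from the incident timeline. The following is an added example (not part of the drill plan) of how the evaluators could do that in Python: the time limits and the 100% targets are taken from the table, while the start and end events used for each clock, and the sample timeline and counts, are assumptions constructed for illustration. A criterion with missing events is reported as not measured rather than passed, and an end time earlier than its start is flagged as a mis-logged timeline.

```python
"""Score Exercise Poseidon against the Section 8 testing criteria.

Added example, not part of the drill plan. The timeline and counts below are
constructed for illustration; in a real run they come from the incident
timeline kept by the Senior Security Analyst. The start/end events chosen for
each timed criterion are assumptions: Section 8 gives limits, not reference
points.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

DRILL_DAY = "2025-09-27"  # HKT, per the drill plan


def at(hhmm: str) -> datetime:
    """Timestamp on the drill day from 'HH:MM'."""
    return datetime.strptime(f"{DRILL_DAY} {hhmm}", "%Y-%m-%d %H:%M")


@dataclass(frozen=True)
class TimeCriterion:
    name: str
    start_event: str   # event that starts the clock (assumption)
    end_event: str     # event that stops the clock (assumption)
    limit: timedelta   # limit from Section 8


@dataclass(frozen=True)
class RatioCriterion:
    name: str
    done_key: str
    total_key: str
    required: float    # 1.0 means 100%


TIME_CRITERIA = [
    TimeCriterion("Time to detect", "inject_1_delivered", "detection_logged", timedelta(minutes=30)),
    TimeCriterion("C2 traffic blocked", "inject_2_delivered", "c2_blocked", timedelta(minutes=15)),
    TimeCriterion("Endpoint reimaging", "reimage_started", "reimage_complete", timedelta(hours=1)),
    TimeCriterion("Recovery time", "containment_complete", "services_restored", timedelta(hours=2)),
    TimeCriterion("CMT decision-making", "escalated_to_cmt", "cmt_decision_recorded", timedelta(hours=1)),
    TimeCriterion("Statement release", "customer_enquiries_logged", "statement_published", timedelta(hours=2)),
]

RATIO_CRITERIA = [
    RatioCriterion("Containment (isolation)", "hosts_isolated", "hosts_infected", 1.0),
    RatioCriterion("Patch deployment", "endpoints_patched", "endpoints_total", 1.0),
]


def evaluate(timeline: dict, counts: dict) -> dict:
    """Return {criterion name: {"status": PASS|FAIL|INVALID|NOT MEASURED, ...}}."""
    results = {}
    for c in TIME_CRITERIA:
        start, end = timeline.get(c.start_event), timeline.get(c.end_event)
        if start is None or end is None:
            results[c.name] = {"status": "NOT MEASURED",
                               "note": f"needs events {c.start_event} and {c.end_event}"}
            continue
        elapsed = end - start
        if elapsed < timedelta(0):
            # End logged before start: a mis-logged timeline, never a pass.
            results[c.name] = {"status": "INVALID", "elapsed": elapsed, "limit": c.limit}
            continue
        results[c.name] = {"status": "PASS" if elapsed <= c.limit else "FAIL",
                           "elapsed": elapsed, "limit": c.limit}
    for c in RATIO_CRITERIA:
        done, total = counts.get(c.done_key, 0), counts.get(c.total_key, 0)
        ratio = done / total if total else 0.0
        results[c.name] = {"status": "PASS" if total and ratio >= c.required else "FAIL",
                           "ratio": ratio, "required": c.required}
    return results


def summarize(results: dict) -> tuple:
    """Count (passed, failed, not_scored); INVALID counts as failed."""
    passed = sum(r["status"] == "PASS" for r in results.values())
    failed = sum(r["status"] in ("FAIL", "INVALID") for r in results.values())
    not_scored = sum(r["status"] == "NOT MEASURED" for r in results.values())
    return passed, failed, not_scored


# Constructed sample run: inject times follow the chronogram, response times are invented.
SAMPLE_TIMELINE = {
    "inject_1_delivered": at("09:30"), "detection_logged": at("09:50"),
    "inject_2_delivered": at("10:00"), "c2_blocked": at("10:20"),  # 20 min, over the 15 min limit
    "escalated_to_cmt": at("10:45"), "cmt_decision_recorded": at("11:30"),
    "containment_complete": at("11:30"), "services_restored": at("13:15"),
    "reimage_started": at("12:30"), "reimage_complete": at("13:20"),
    "customer_enquiries_logged": at("12:30"), "statement_published": at("13:30"),
}
SAMPLE_COUNTS = {"hosts_infected": 4, "hosts_isolated": 4,
                 "endpoints_total": 120, "endpoints_patched": 118}  # 98.3%, short of 100%

if __name__ == "__main__":
    scored = evaluate(SAMPLE_TIMELINE, SAMPLE_COUNTS)
    for name, r in scored.items():
        print(f"{r['status']:<12} {name}")
    print("passed/failed/not scored:", summarize(scored))
```

Running the block on the constructed sample reports two failures (the C2 block took 20 minutes against a 15-minute limit, and 118 of 120 endpoints patched is not 100%), which is exactly the kind of gap the After-Action Report in Section 11 should capture.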

9. Proposed Agenda

An online team meeting will be formally arranged and made available for the kick-off and closing sessions.

All sessions take place on Sep 27, 2025 (HKT). Each entry gives the time, phase, details, and who needs to join.

  • 09:00–09:30: Kick-off Meeting

    • Details: Briefing the Leadership Team and CMT about the overview of drill objectives. (A team online meeting is available for remote members.)

    • Who Needs to Join: Leadership Team, CMT, IM Team

  • 09:30–10:00: Preparation & Initial Detection

    • Details: Initial detection of the phishing email with CVE-2023-12345 by the SOC Team.

    • Who Needs to Join: IM Team (SOC Analysts, Cyber Security Team)

  • 10:00–10:30: Detection and Analysis

    • Details: IM Team analyzes phishing email metadata, traces the C2 server IP (52.132.321.1321), identifies CVE-2023-12345 exploitation, logs affected systems, checks if other users received the phishing email, scans for connections to the C2 server, examines the attack payload, and identifies the possible APT group and attack kill chain. Network Team assists with traffic analysis for C2 connections; Desktop Support Team helps identify endpoint victims. Response actions: identify other victims by reviewing email logs and endpoint scans, assess data loss via forensic tools, evaluate further APT attacks by matching IOCs to known threat intelligence.

    • Who Needs to Join: IM Team (SOC Analysts, Cyber Security Team, Network Team, Desktop Support Team)

  • 10:30–11:30: Containment Planning

    • Details: IM Team isolates infected servers, Network Team blocks vendor-phishing[.]com and C2 traffic, IT Operations disables compromised user accounts.

    • Who Needs to Join: IM Team (Incident Commander, IT Operations, Network Team)

  • 11:30–12:30: Eradication and Recovery

    • Details: IM Team removes LockBit ransomware, deploys patches for CVE-2023-12345, wipes affected endpoints, and begins restoring data from backups.

    • Who Needs to Join: IM Team (Cyber Security Team, IT Operations, Desktop Support Team)

  • 12:30–13:30: Recovery Operations

    • Details: IM Team verifies system integrity, Network Team restores network services, Desktop Support Team reimages endpoints, CMT ensures business continuity.

    • Who Needs to Join: IM Team (Network Team, Desktop Support Team), CMT (Business Continuity Manager)

  • 13:30–14:30: Post-Incident Activity

    • Details: CMT and Public Affairs Team update stakeholders, draft the incident report, and coordinate with law enforcement.

    • Who Needs to Join: CMT (Crisis Manager, Public Affairs Team, Legal Counsel)

  • 14:30–16:30: Debriefing & Closure

    • Details: Joint review of actions, identification of lessons learned, and planning for future preparedness. (A team online meeting is available for remote members.)

    • Who Needs to Join: All personnel required

10. Injects Chronogram

Injects (time and description)

  • 09:30, Inject 1: Cyber SOC team found a port scanning alert from Exchange servers.

  • 10:00, Inject 2: Cyber SOC detected alerts on large outbound traffic (256 GB) towards IP address 52.132.321.1321 from Exchange servers.

  • 10:30, Inject 3: CRM servers have been encrypted with LockBit ransomware. The threat actor claims it will publish the Club's data in 48 hours if the money is not received. LockBit CSC found on HKEC website.

  • 11:30, Inject 4: HK Police called the SOC team asking for any cyber-attack details and whether there is data leakage.

  • 12:30, Inject 5: At 12:30, 508 customers enquire via phone/branch about data safety after the attack via vendor-phishing[.]com.

  • 13:30, Inject 6: Statement on the HKEC website announced cyber-attack details and the response plan, mentioning phishing and CVE-2023-12345.

  • 14:30, Inject 7: Crisis management team takes the lead role on this now.

IM Response

  • Preparation: S3 (potentially S2 if servers are shut down).

  • CIMT activated; Detection and Analysis: SOC Analysts correlate alerts, Cyber Security Team traces the phishing email to vendor-phishing[.]com, identifies CVE-2023-12345, checks email logs for other recipients, scans endpoints for C2 connections, analyzes the attack payload, matches to an APT group (e.g., LockBit affiliates) and kill chain stages (reconnaissance, weaponization, delivery via phishing). Network Team: monitor traffic for C2 connections and APT indicators; Desktop Support Team: assist in scanning endpoints for victims. Response: identify other victims via email logs and endpoint scans, assess data loss with forensic tools, evaluate further APT attacks by reviewing IOCs and threat intelligence.

  • Containment: Hacker group with a Russian background identified; IM Team isolates CRM servers, Network Team blocks the C2 IP, IT Operations disables affected accounts.

  • Eradication: Remove LockBit ransomware, patch CVE-2023-12345, block C2 server access, wipe infected systems.

  • Recovery: Restore systems from backups, Network Team verifies network integrity, Desktop Support Team reimages endpoints, test restored services.

CMT Response

  • Notify leadership and legal advisors about the phishing and CVE-2023-12345. Public Affairs Team: draft a public statement on the attack vector.

  • Post-Incident Activity: Update the website with the response plan. Public Affairs Team: publish the statement, manage media.

  • Handover to the crisis management lead.
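Injects 1 and 2 exercise the SOC's ability to spot a port scan and bulk outbound traffic from the Exchange servers, and the Detection and Analysis response calls for scanning for connections to the C2 server. The following is an added example (not part of the drill plan) showing, in Python, the kind of flow-log triage a SOC analyst would run to confirm those alerts and produce the list of affected hosts for the Network and Desktop Support Teams. The flow records are constructed; the C2 address 52.132.321.1321 is the plan's own placeholder (it is not a routable IPv4 address) and is matched as a plain string; the byte and port thresholds are assumptions.

```python
"""Flow-log triage for the Detection and Analysis step of Exercise Poseidon.

Added example, not part of the drill plan. The flow records are constructed
for illustration. 52.132.321.1321 is the plan's placeholder C2 address (not a
valid IPv4 address), so it is matched as a string and no IP parsing is done.
Thresholds are assumptions to be tuned per environment.
"""
from dataclasses import dataclass, field

C2_IOCS = {"52.132.321.1321"}          # C2 server IP named in the drill plan
BULK_OUTBOUND_BYTES = 10 * 1024 ** 3   # assumption: 10 GiB to a single destination
SCAN_DISTINCT_PORTS = 20               # assumption: distinct ports, one source to one host


@dataclass
class PairStats:
    """Aggregate of everything one source sent to one destination."""
    first_seen: str
    bytes_out: int = 0
    ports: set = field(default_factory=set)


def parse_flow(line: str) -> tuple:
    """Parse a constructed 'ts src dst dport bytes_out' record."""
    ts, src, dst, dport, bytes_out = line.split()
    return ts, src, dst, int(dport), int(bytes_out)


def triage(lines) -> list:
    """Aggregate per (src, dst), apply three rules, return a list of findings."""
    stats = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, bytes_out = parse_flow(line)
        key = (src, dst)
        if key not in stats:
            stats[key] = PairStats(first_seen=ts)
        stats[key].bytes_out += bytes_out
        stats[key].ports.add(dport)

    findings = []
    for (src, dst), s in stats.items():
        if dst in C2_IOCS:                       # any contact with a known C2 address
            findings.append({"rule": "C2_CONTACT", "src": src, "dst": dst,
                             "detail": f"first seen {s.first_seen}"})
        if s.bytes_out >= BULK_OUTBOUND_BYTES:   # inject 2: large outbound transfer
            findings.append({"rule": "BULK_OUTBOUND", "src": src, "dst": dst,
                             "detail": f"{s.bytes_out / 1024 ** 3:.1f} GiB"})
        if len(s.ports) >= SCAN_DISTINCT_PORTS:  # inject 1: port scan from a server
            findings.append({"rule": "PORT_SCAN", "src": src, "dst": dst,
                             "detail": f"{len(s.ports)} distinct ports"})
    return findings


def affected_hosts(findings) -> set:
    """Sources to hand to the Desktop Support and Network Teams for isolation."""
    return {f["src"] for f in findings}


# Constructed sample: one Exchange server probing an internal host (inject 1),
# another pushing 12 GiB to the C2 address (inject 2), plus benign internal DNS.
SAMPLE_FLOWS = (
    [f"2025-09-27T09:31:{i:02d} 10.10.1.21 10.10.2.5 {port} 64"
     for i, port in enumerate(range(20, 45))]
    + [f"2025-09-27T10:0{i}:00 10.10.1.22 52.132.321.1321 443 {4 * 1024 ** 3}"
       for i in range(1, 4)]
    + ["2025-09-27T10:05:00 10.10.3.40 10.10.0.53 53 320"]
)

if __name__ == "__main__":
    found = triage(SAMPLE_FLOWS)
    for f in found:
        print(f"{f['rule']:<14} {f['src']} -> {f['dst']}  ({f['detail']})")
    print("affected hosts:", sorted(affected_hosts(found)))
```

On the sample data the block raises a port-scan finding for the first Exchange server, and both a C2-contact and a bulk-outbound finding for the second; the benign DNS pair produces nothing. In a live drill the same logic would run over exported firewall or NetFlow records, and the affected-host set feeds the Containment step where the Network Team blocks the C2 IP and the IM Team isolates the servers.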

11. Post-Drill Activities

  • After-Action Report (AAR): The IM Team and CMT will compile a report on the drill’s outcomes, focusing on the phishing attack and CVE-2023-12345 mitigation (Post-Incident Activity), aligned with HKECCC and ISO/IEC 27035.

  • Lessons Learned: Identify gaps and propose improvements related to the attack vector (Post-Incident Activity), per NIST SP 800-61.

  • Follow-Up Training: Schedule training on phishing awareness and vulnerability patching (Preparation for future incidents), based on HKECCC preparedness guidelines.

12. Recommendations

The IM Team recommends CMT approval of Exercise Poseidon to:

  • Validate the IRP against the simulated phishing attack and CVE-2023-12345 exploitation, adhering to the HKECCC Incident Response Plan and NIST SP 800-61.

  • Ensure effective coordination between IM Team and CMT during all NIST phases.

  • Authorize resource allocation for the drill, including personnel, tools, and communication channels.

  • Commit to post-drill actions, including the AAR and follow-up training.

13. Approval Section

The CMT is requested to review and approve the Exercise Poseidon Drill Plan. Please provide your signature and date of approval below:

Each approver provides name, title, signature, and date.

  • [CMT Member 1 Name], [Title]. Signature: ________________ Date: ____________

  • [CMT Member 2 Name], [Title]. Signature: ________________ Date: ____________

  • [CMT Member 3 Name], [Title]. Signature: ________________ Date: ____________

14. Contact Information

For questions or clarifications, please contact:

  • Incident Commander: [Name], [Email], [Phone]

  • Crisis Manager: [Name], [Email], [Phone]

Appendix A: Detailed Injects Chronogram

Overview

This appendix provides detailed information on the injects used in the Exercise Poseidon drill, including the content, format, and delivery method (e.g., email, call) for each inject scheduled in the Injects Chronogram (Section 10).

Each inject is listed with its time, number, description, delivery method, content/format, recipient(s), and purpose.

  • 09:30, Inject 1: Cyber SOC team found a port scanning alert from Exchange servers.

    • Delivery Method: Email

    • Content/Format: Subject: "[CyberDrill 2025: ] Urgent - Port Scanning Alert Detected". Body: "Dear SOC Team, At 09:30 HKT, our systems detected a port scanning alert originating from the Exchange servers. Please investigate immediately. Regards, SOC Monitoring System"

    • Recipient(s): Senior Security Analyst, Junior Security Analyst

    • Purpose: Trigger the initial detection and preparation phase.

  • 10:00, Inject 2: Cyber SOC detected alerts on large outbound traffic (256 GB) towards IP address 52.132.321.1321 from Exchange servers.

    • Delivery Method: Email

    • Content/Format: Subject: "[CyberDrill 2025: ] Critical - Outbound Traffic Alert". Body: "Dear IM Team, At 10:00 HKT, 256 GB of outbound traffic was detected towards IP 52.132.321.1321 from Exchange servers. Potential C2 activity suspected. Action required. Regards, SOC Monitoring System"

    • Recipient(s): Director of Incident Response, Senior Security Analyst

    • Purpose: Initiate the Detection and Analysis phase.

  • 10:30, Inject 3: CRM servers have been encrypted with LockBit ransomware. The threat actor claims it will publish the Club's data in 48 hours if the money is not received. LockBit CSC found on HKEC website.

    • Delivery Method: Email with Attachment

    • Content/Format: Subject: "[CyberDrill 2025: ] Severe - Ransomware Encryption Detected". Body: "Dear IM Team, At 10:30 HKT, CRM servers are encrypted with LockBit ransomware. A threat actor demands payment within 48 hours, threatening data publication. LockBit CSC link found on HKEC website. Attached: Simulated ransom note (PDF). Regards, Cyber Security Team". Attachment Format: PDF with text: "Your data is encrypted. Pay 50 BTC within 48 hours or it will be leaked. Contact: lockbitcsc[.]onion"

    • Recipient(s): Chief Information Security Officer, Security Analyst

    • Purpose: Escalate to the Containment phase.

  • 11:30, Inject 4: HK Police called the SOC team asking for any cyber-attack details and whether there is data leakage.

    • Delivery Method: Phone Call

    • Content/Format: Script: "[CyberDrill 2025: ] Hello, this is Officer Lee from HK Police. We’ve received reports of a potential cyber-attack on HKEC. Can you confirm details and advise if there’s been data leakage? Please respond urgently."

    • Recipient(s): Senior Security Analyst

    • Purpose: Coordinate with external authorities during Eradication.

  • 12:30, Inject 5: At 12:30, 508 customers enquire via phone/branch about data safety after the attack via vendor-phishing[.]com.

    • Delivery Method: Phone Call Log

    • Content/Format: Log Entry: "12:30 HKT - [CyberDrill 2025: ] 508 customer calls received via phone and branch offices, inquiring about data safety following a phishing attack from vendor-phishing[.]com. Escalated to Public Affairs Team."

    • Recipient(s): Public Affairs Manager, Public Relations Officer

    • Purpose: Test public response and communication during Recovery.

  • 13:30, Inject 6: Statement on the HKEC website announced cyber-attack details and the response plan, mentioning phishing and CVE-2023-12345.

    • Delivery Method: Website Update (UAT)

    • Content/Format: HTML Snippet. HKEC Statement: "At 13:30 HKT, we confirm a cyber-attack via phishing emails exploiting CVE-2023-12345. Our team is responding, and no data leakage is confirmed. Updates will follow."

    • Recipient(s): Public Affairs Manager, Public Relations Officer

    • Purpose: Publicize the response plan during Post-Incident Activity.

  • 14:30, Inject 7: Crisis management team takes the lead role on this now.

    • Delivery Method: Email

    • Content/Format: Subject: "[CyberDrill 2025: ] Transition to CMT Leadership". Body: "Dear All, At 14:30 HKT, the Crisis Management Team assumes lead role for ongoing incident management. Please coordinate all actions through the Director of Crisis Management. Regards, CEO"

    • Recipient(s): Director of Crisis Management, Entire CMT

    • Purpose: Hand over leadership to CMT for closure.

Notes

  • Email Format: All emails will be sent from a simulated SOC Monitoring System or Cyber Security Team address (e.g., soc.alerts@hkec-simulated.com) with a clear subject line starting with [CyberDrill 2025: ] and body text detailing the inject.

  • Phone Call Format: Calls will be simulated via a recorded script or live role-play, logged with time, caller identity, and key points. All calls shall open with the words "CyberDrill 2025".

  • Attachment Format: PDFs will contain simulated content (e.g., ransom notes) with no executable code, delivered as read-only files.

  • Website Update Format: HTML snippets will be provided for integration into the HKEC website, ensuring real-time visibility during the drill.
