Cyber Attack Scenarios Test Responses



Heidi Price

This library item is related to the following area(s) of work:

Security and Survivability

This article was originally published in News at SEI on: March 1, 2008

Imagine how your organization would function without the Internet. Or imagine how your day would proceed—or not—in the wake of a power outage that lasts for days on end, similar to the one that blanketed the Northeast in darkness in 2003.

If you can, then you’ve imagined a day in the life of Marty Lindner.

As a member of the Software Engineering Institute’s CERT Coordination Center (CERT/CC), Lindner serves as both architect and designer of the worst-case cyber scenarios that an organization, whether commercial or governmental, could face.

Then he tries to make them happen. Well, sort of.

Lindner envisions and then creates scenarios for cyber attacks and other disruptive events and then tests organizational response as if the disruptive events are actually occurring. The type of scenario depends on the objectives of the exercise.

“You can have a technical objective where you find out if your IT guys really know how to apply a patch. You could also do it from a policy level. You want to understand that you really do have the policies in the right place to handle certain situations and anywhere in between,” Lindner explains.

One of the most extensive cyber exercises is “Cyber Storm,” a pseudo-cyber attack coordinated through the U.S. Department of Homeland Security’s (DHS) National Cyber Security Division (NCSD). The exercise tests how senior leaders of the U.S. government would respond to a cyber incident of national significance.

Although similar exercises had been conducted previously, the first Cyber Storm exercise was conducted over five days in early 2006 and involved more than 100 public and private organizations in five different countries. A second Cyber Storm will be conducted this spring.

During the first Cyber Storm exercise, many of the people involved weren’t aware that it was an exercise, according to Lindner. Those in the know followed a scripted response. Those who didn’t had their calls routed to someone who did.

Lindner said the goal is to try to make the exercises as “real-world” as possible.

“There are real-world problems like software flaws. A software flaw is an underlying root cause, but it’s not a problem until a bad guy takes advantage of it,” Lindner says. “The whole process is controlled. At the end of the day, the intent is not to make anyone look bad. You’re not trying to prove someone is better than another person. By going through the process, you are raising the bar.”

For more information about CERT, visit
