“Hola bankers. Your time is running out! You have only 5 hours left to pay up the ransom before Armageddon, otherwise we will bring down your e-banking services and exfiltrate your precious data.”
This was one of the tasks set for CyLEEx19, the first cyber law enforcement exercise of its kind, which saw 20 cybercrime investigators and cybersecurity experts from the public and private sector come together at Europol’s headquarters on October 31 to test the EU Law Enforcement Emergency Response Protocol in a simulated environment.
Exercise CyLEEx19, organized by Europol’s European Cybercrime Centre (EC3) and the European Union Agency for Cybersecurity (ENISA), painted a dark scenario, inspired by malicious cyber activities affecting the public and private sector across Europe and beyond. Participants were called upon to react collectively to the simulated large-scale cyber attacks related to incidents such as misuse of IT resources, unauthorized access to systems, vulnerability exploitations, Distributed Denial of Service (DDoS), and malware infections.
Participants were asked to respond to these cyber incidents and decide on the optimal response measures, including if such threats warrant the triggering of the emergency response procedure. By performing the majority of the processes documented in the Protocol, the participants increased their preparedness in case of a real-life international cyber-attack and identified possibilities for improvement of the process.
Cybercrime investigators from the Joint Cybercrime Action Taskforce (J-CAT), namely France (Police Nationale), the Netherlands (Politie), Spain (Policia Nacional) and Norway (Politiet) took part in this exercise, alongside representatives from EC3’s Advisory Groups on financial services (Banco Santander and Citi) and the internet security industry (Palo Alto Networks), together with experts from Europol, ENISA and Eurojust.
In the wake of the 2017 WannaCry and NotPetya attacks, the Council of the European Union adopted the new EU Law Enforcement Emergency Response Protocol to address the growing problem of planning and coordinating between governments, agencies, and companies when cyber-attacks occur across international boundaries.
The Protocol determines the procedures, roles and responsibilities of key players both within the EU and beyond; secure communication channels and 24/7 contact points for the exchange of critical information; as well as the overall coordination and de-confliction mechanism.
The outcomes of the exercise and the feedback provided by the participants in the evaluation stage will be analyzed by Europol’s European Cybercrime Centre and ENISA. Detailed lessons learned will be set forth in order to establish a list of actions to improve cyber resilience and the emergency response to large-scale cyber-attacks in Europe and beyond.
