By Danny Zeegers — report for NIS2.news
On Tuesday, 16 September 2025, senior leaders and incident responders from across Belgian finance, regulation and IT crowded into a workshop co-hosted by the Centre for Cybersecurity Belgium (CCB) and the SANS Institute. The session — an Executive Cyber Exercise facilitated by SANS veteran Chris Wilkes — dropped participants into a brutal, realistic tabletop: a nation-state style assault on a mid-sized bank that cascaded from odd account behavior to threats of mass public release of stolen data unless €50 million was paid in Bitcoin within 24 hours. The lessons were immediate, awkward and stark.

What made the exercise sing was pressure. Not literal smoke and alarms, but the cruel, time-compressed illusion of them: confused customers flooding call centres; legal counsel racing to interpret ransom liability; the CISO balancing containment with preservation of evidence; a CEO weighing reputational damage against operational continuity. The facilitator’s role — a seasoned hand with decades of incident, risk and executive exercise experience — was to hold up a mirror and force honest reckoning.
The scenario, in four acts
Phase 1 — Early oddities (hours 0–4): Customers report “weird changes” on account pages; the helpdesk queues explode; social media lights up with screenshots.
Phase 2 — Escalation (4–12 hours): Forensic checks reveal exfiltrated PII, contact data and internal mail. Attackers send targeted emails to customers that appear to be legitimate bank communications containing a malicious “decryption tool” and ransom instructions.
Phase 3 — Ultimatum (12–24 hours): Attackers threaten to publish all stolen data unless €50 million is paid in cryptocurrency within 24 hours; they warn that payment does not guarantee remediation. The regulator, press and customers demand answers.
Phase 4 — Infrastructure collapse: DDoS & zero-day SharePoint exploit (24–72 hours): While response teams scramble to contain data loss and manage communications, a massive distributed denial-of-service campaign targets the bank’s public portals and APIs, degrading availability across digital channels. Simultaneously, a previously unknown (zero-day) vulnerability in the bank’s on-premises SharePoint instance is weaponised, giving attackers persistent footholds inside core collaboration and document stores. The combination of availability collapse (customers can’t reach the bank) and deeper compromise of internal systems (backups, runbooks and privileged credentials stored in SharePoint) narrows recovery options and raises the stakes dramatically.
That rush — not the technical detail — crushed many teams. It exposed mismatches between written plans and what staff actually do under pressure.
Who matters, and what they must do — priority roadmap (expanded for Phase 4)
Below are the immediate priorities and who should own them during the first critical 72 hours. Think of these as play calls in a match: clear, assigned, practiced.

- Triage & containment — CIO / CISO (Technical lead)
  - Priority: Stop ongoing data exfiltration, contain persistent access gained via the SharePoint exploit, and mitigate DDoS impact.
  - Key actions: Engage incident response and external forensics immediately; take the compromised SharePoint instance offline or isolate it from the network; rotate credentials and revoke affected service accounts; implement DDoS mitigation (traffic filtering, scrubbing services, route diversion) with ISP/CDN partners; preserve forensic images.
- Network & availability ops — NOC / Network Engineering
  - Priority: Restore and stabilise customer-facing availability while preventing collateral damage to internal systems.
  - Key actions: Work with ISPs/CDNs to activate scrubbing; throttle or rate-limit APIs; fail over to hardened endpoints; implement traffic blackholing only after stakeholder approval.
- Backup, recovery & integrity — Director Business Continuity / Backup Owner
  - Priority: Verify backup and recovery integrity — especially since SharePoint contained critical runbooks and privileged contacts.
  - Key actions: Validate offline and immutable backups, isolate backup targets from compromised networks, and prioritise restores for customer-facing systems.
- Customer protection & rapid communications — Chief Customer Success Officer / CMO / CIO
  - Priority: Protect customers from follow-on phishing and fraud; communicate availability status and safe-behaviour steps.
  - Key actions: Rapid verified alerts (out-of-band SMS/push), clearly labelled warning banners in apps and storefronts, and uniform templates for helpdesk scripts.
- Legal & regulatory liaison — Chief Legal Officer / Chief Risk Officer
  - Priority: Assess legal exposure from data publication and availability outages; ensure regulator and law-enforcement engagement.
  - Key actions: Draft and send breach notifications, coordinate with the national CERT and law enforcement on the zero-day exploitation, and advise on preservation of privilege.
- Fraud containment & transactions — Chief Fraud Officer / Payments Ops
  - Priority: Prevent fraudulent transfers and digitally mediated scams that exploit stolen contact data.
  - Key actions: Apply additional transaction authentication controls, temporarily tighten fraud thresholds, and collaborate with payment networks to freeze suspect flows.
- Identity & access control — Security Architect / IAM team
  - Priority: Respond to credential and privileged-account exposure resulting from the SharePoint compromise.
  - Key actions: Enforce emergency password rotation, apply conditional access rules, enforce MFA resets for high-risk accounts, and quarantine service principals.
- Third-party / cloud coordination — Cloud Provider Account Team / Vendor Management
  - Priority: Coordinate with cloud, CDN and ISP partners and with SharePoint vendor support to get emergency patches or interim mitigations in place.
  - Key actions: Open emergency support escalations, request DDoS scrubbing and WAF rules, and obtain vendor guidance for zero-day mitigation.
- People & HR actions — Chief HR / Chief Human Capital Officer
  - Priority: Support overworked staff and manage insider risk, including interventions where staff have been exposed.
  - Key actions: Rapid rostering, mental-health support, enforcement of least-privilege access, and temporary suspensions where required.
- Finance & decision support — CFO
  - Priority: Assess financial exposure and authorise emergency spend (forensics, DDoS mitigation, incident counsel).
  - Key actions: Release emergency funds, authorise third-party engagement contracts, and model cost impacts.
- Reputational & executive communications — CEO / CMO
  - Priority: Provide truthful, timely external statements and preserve a single source of truth.
  - Key actions: Appoint a single spokesperson, coordinate regulator and press lines, and maintain transparent customer updates.
- External coordination & law enforcement — CISO / CRO
  - Priority: Maintain active coordination with law enforcement, the national CERT, and peer banks.
  - Key actions: Share IoCs, seek takedown support for phishing infrastructure, and coordinate cross-sector mitigation against the DDoS attack infrastructure.
Assigning responsibility is only half the work; the exercise showed the other half — authority. Who can take SharePoint offline? Who signs off on contactless customer notifications? Without clear decision rights, every minute becomes an argument.
Additional lessons from the infrastructure collapse
- Resilience is layered, not single-point. DDoS plus a zero-day exploit together show how availability and integrity failure modes cascade. Defences must include DDoS scrubbing, edge WAFs, and application-level hardening — and these must be exercised together, not in isolation.
- Inventory and secrets hygiene matter more than you think. The fact that critical runbooks, emergency contacts and privileged credentials lived in the same SharePoint instance amplified the breach. Exercise outcome: move secrets to hardened vaults, limit privileged artifact storage, and maintain an isolated, immutable incident runbook.
- Patch and virtual patching discipline is a board issue. Zero-days are inevitable; what is avoidable is slow patching, lack of virtual patch options (WAF rules, micro-segmentation), and a missing emergency vendor SLA.
- DDoS responses must be contractual and practiced. Calling the CDN at midnight and realising you don’t have escalation access is a predictable failure. Contracts should include tested runbooks and contact trees.
- Recovery depends on clean backups you can trust. If backups are reachable by compromised network paths or credentials stored in shared collaboration tools, recovery becomes a fiction. Immutable, offline copies and tested restores are non-negotiable.
- Simultaneous threats expose governance gaps. The exercise revealed split decision rights when containment (take offline) versus continuity (keep online) were at odds — a situation that needs pre-agreed thresholds and executive delegations.
Why an annual mandatory exercise should be the default for NIS2-covered entities
Tabletop and simulation exercises are not a luxury — they are the difference between rehearsed muscle memory and improvisation in crisis. Under NIS2 obligations, operators of essential services must demonstrate preparedness; yearly executive exercises produce three benefits that dry compliance cannot:
- Stress-testing decision rights and escalation chains in a no-blame environment. Leaders learn to decide under time constraints and at the right level of authority.
- Unearthing brittle external dependencies early. Contracts, contact lists and vendor SLAs are validated — or broken — before the crisis.
- Improving cross-functional muscle memory against compound attacks. DDoS + zero-day + extortion are not hypothetical; practising these combined scenarios builds resilient orchestration across legal, PR, ops, finance and IT.
SANS-style executive exercises, run by experienced facilitators, force messy reality into the open. The scoreboard is not “did the malware stop?” but “did customers get clear instructions, did regulators get timely notice, and did the board receive actionable options?”
Just a thought
After the revised scenario was played out, one board member — visibly unsettled — said: “We discovered that our backup keys were on the same shelf as the fire.” That image stuck. Under NIS2, annual rehearsal should not be an optional line item in the budget; it should be a board-level obligation. Because when the real match starts, there are no substitution periods — and simultaneous, multi-vector attacks will test every single link in your chain.
Conclusion — Why incident registration is the keystone
If there is one thread tying every frantic phase of this exercise together, it is the importance of incident registration and timely notification. A Belgian bank in such a situation cannot simply rely on its internal crisis room. Under its regulatory duty, the institution must inform the Competent Authority (CA) and the National Bank of Belgium (NBB) without delay, within the 4 hours that DORA requires.
This is more than a compliance tick-box. Timely reporting unlocks extra layers of support: regulatory guidance on disclosure thresholds, access to national threat intelligence, and coordination across the financial sector to block systemic spillover. The CCB and the Belgian CERT bring additional muscle — not just advisories, but practical mitigation, from DDoS filtering intelligence to takedown coordination for malicious infrastructure.
In parallel, the exercise hinted at a still-confidential initiative, referred to only under NDA as the “STOP bUTTON.” Once formally launched, this service — coordinated by the CCB together with the Belgian banking community (CBB) — promises an emergency lever for critical incidents. While details remain under wraps, the intent is clear: a national-level resolution trigger that brings CERT resources, sectoral intelligence sharing, and rapid mitigation capabilities into play when a bank faces collapse under cyber siege.
For executives around the table, this future-looking service underscored the broader point: incident registration is not just about filling in forms for regulators. It is about buying time and allies. In a world where zero-days and DDoS storms collide with ransomware and extortion, no bank stands alone.