The War Room module was designed as a one-stop shop for handling a crisis in its entirety. It allows various users and departments to work together to assess, isolate, and contain the critical incident, and to work on strategies that minimize impact and risk.
The War Room consists of two main elements:

  • Dashboard
  • Workstation

The Dashboard displays up-to-date information on the Incident, allowing all relevant parties to see the status of the Incident at a glance. In particular, the Dashboard displays the answers to four crucial questions:

  • What happened?
  • How does it affect us?
  • What information do we have about it?
  • How are we fixing this?

The Workstation is a workbench which fosters collaborative work among all the different departments. Here, each user adds their tactical progress, including tasks they are working on, decisions that have been taken and any other relevant information. They can also add a Status Assessment here, which includes their priority level for the Incident. Reminders are also added here, which allow all the participants to know when the next big task is due or when the next Status Assessment needs to be delivered.

The War Room Admin uses the information provided in the Workstation to effectively manage the Incident and adhere to strict timelines, ensuring smooth and efficient management of the Incident.

For the purposes of this article, we will take the following critical incident: “Internal data leakage in the darknet, offered for sale by an unknown user” and document how to manage this using the War Room module. The following steps should be taken.

Step One: Create the Incident with all known information in the War Room.
Step Two: Invite the relevant people to work on this Incident.
Step Three: Work with the Dashboard.
Step Four: Manage the Incident via the Workstation.
Step Five: Close the Incident.

Step One: Create the Incident

  1. In the main War Room module in the Platform, we will click the + icon.
  2. In the heading, we will add the name of the Incident “Silent Wolf”.
  3. Next, we will add the following description: “Internal data leakage in the darknet, offered for sale by an unknown user.”
  4. We will give it an initial Priority Score of 70. Later on, when other participants have added their assessments and updates, we will change the score to reflect this.
  5. We will add the following Critical Impacts which this Incident might cause:
    • PR damage
    • Product development process being hurt
    • Personal damage for employees whose private details were exposed
  6. We will add the following Risks – which could potentially escalate the incident’s severity:
    • Exposure of product secrets and plans
    • Exposure of employees’ confidential data
    • Unknown backdoor turned into a malware
  7. We will now add the main strategy for handling the attack: “Find the breach and assess amount and essence of leaked data, while containing the event within the organisation with minimum PR damage.”
  8. For the time being, we will leave the Operation Status empty until other users have joined and updated the Workstation with their statuses.
  9. In the Type of Incident column, we will select Attack, and for the range of the attack we will select “Targeted”.
  10. We will add “Unknown” for the motivation of the attacker, the information we have at this stage and information we feel we need to get in order to resolve this Incident.
  11. Click Save. Note that we will be editing and updating the Incident Details every time we get new information from the Workstation.

Step Two: Invite Participants

The next stage is for us to invite the participants we need to work on this critical incident with us. Note that you need to have departments defined as well. For information on how to define departments, refer to the User Guide > War Room module section.

  1. We will click on the Participants tab.
  2. We will click the plus icon.
  3. We will add in a new participant with the relevant information.
  4. We will continue adding all the participants that will be working on this specific Silent Wolf attack. Each time we add a participant, an email is automatically sent to their email address with a link inviting them to join the War Room dashboard.

Step Three: Work with the Dashboard

In order to see the Dashboard, the participant will click on the link in their email while Admins will click on the Open Incident tab in the top right of the screen.
In both cases they will see a view-only Dashboard showing current information. Note that the Dashboard changes to reflect the information the Admin enters every time they update the Incident Details.
At this stage of the Incident Management the Dashboard will look like the screenshot below, as we don’t have all the information we need. Later on in this article, you will see a few significant changes in the Dashboard.

Step Four: Manage the Incident via the Workstation

On the top right of the screen, click the Go to Workstation button.
For more detailed information on each of the Workstation icons, please refer to the User Guide > War Room module section.
We will now start to manage the Incident using the Workstation.

  1. We will start, in our role as Admin, by factually summing up the Incident.
  2. At this stage, we will add a reminder for all participants to have a meeting and to add in the meeting results in the form of a Status Assessment with an Assessment score. In order for this to appear as a ticking countdown reminder on both the Workstation and Dashboard, we will click the yellow star next to it.
  3. Next, the participants will add their own tasks based on their area of expertise.
  4. Once we have the Status Assessment and the tasks, we will click on Incident Details and update the Incident as follows:
    1. Update the priority from 70 to 80.
    2. Under the Operation Status, add in the tasks that each department has pledged to undertake.
  5. It is recommended to repeat reminders for Status Assessments and any new facts, tasks or decisions to be taken.
  6. Now, on returning to the Dashboard we will see updated information, including a graph showing the difference in priority levels over time and any new Reminders we have added.

Step Five: Close the Incident

Once you are sure that the Attack has been contained and that all the loose ends have been tied up, you can close the Incident.

  1. From the main War Room Module, highlight the Incident.
  2. Click Close Incident.
  3. Click Yes on the Confirmation message.
