“It is better to be prepared and not have an opportunity, than have an opportunity and not be prepared for it.” John Maxwell.
One of the keys to CA2 Security’s success is exercising leadership. As such, we continuously learn and share key leadership principles. Now, you may wonder what this has to do with Incident Response (IR), and I’d say everything. I’d also say take another look at the John Maxwell quote above. Preparation is where we all need to start when talking about IR. The Cybersecurity Incident Response Plan must be known and understood by all your organization’s Executive Leadership Team, Security and IT Leadership Team and key subject matter experts (whether same or separate teams depending on your size or structure), and other organizational leadership teams. Like going through a fire drill, Incident Response Testing through Tabletop Exercises is very important for organizations to understand whether they would be able to respond to a cyber incident before they happen. By performing a Tabletop Exercise team will be able to:
Setting up the right scope and objectives for your exercise is the most critical part of this process. You must have clarity about what you are trying to achieve. We are not talking about whether your Firewall or your Detection and Response tool is ready for an attack. That’s not the objective of the exercise. Your objectives should revolve around things like:
A crucial aspect to consider is what type of threat you want to test. It is essential to understand your organization and its business model; your security controls stack, the industry where you are in to have a good picture of the threat adversaries that your organization may face. There are many threats that you should consider testing and we recommend increasing the frequency of your tests progressively as you become more comfortable and start maturing your IRP. Examples include:
Another aspect within the scope and objectives that you need to consider is whether you’re going to run the exercise yourself versus bringing in a third party. I’ve done this internally; and I never liked it because I’m supposed to be responding as the leader of team, whereas if I bring someone from outside, they can be more objective and have no biases. I’m not saying you must bring a vendor. You could get help from other teams within the organization such as your internal audit team or your process improvement team. They can run it for you. Once you know who is running the exercise, then discuss the objectives and scope with them.
We recommend breaking the exercise in two sessions.
Session 1: The Operational Cybersecurity Incident Response Exercise.
The first part is to basically have the operational Incident Response Team (IRT), the people on the ground, the people with hands on the keyboard running incident detection, containment, eradication, etc. Of course, these folks should be all identified in your incident response plan. The members of this team and their “titles” depend on your organizational structure and size but generally, they would be folks from the following teams:
During the exercise, make sure that they have the plan in front of them so they can follow it and understand their responsibilities.
Session 2: The Executive Incident Response Exercise.
Then, there is the management team the C-Suite or ELT. They are a key part of any incident response effort, but they usually would not be involved in the weeds, nor do they need to be. They would work with the Incident Leader (an assigned role in your plan) who would usually be the top IT Leader (the Chief Information Officer, CIO); or Security leaders (the Chief Information Security Officer, CISO). They do not need to be deeply involved in the incident detection, containment, and eradication processes but they do need to have as much information as possible to make critical and business-impacting decisions (i.e., to pay or not to pay a Ransom; to take or not to take the entire network down). They will provide guidance on critical aspects of responding and recovering from incidents such as legal/regulatory, personnel, financial and communication matters.
It is critical for the Executive Leadership Team to participate in an exercise session in order to be properly prepared and ready to respond to incidents in the best possible way.
There are two types of exercise that you can align to the two types of sessions discussed:
Traditional Tabletop Exercise.
This type of exercise is what most companies had been doing until 1-2 years ago or so. These are led by a moderator who presents different scenarios to the team to evaluate how they respond. The exercise is basically ran using a slide deck with “what if” injects that are used to instigate conversations among the different participants. The moderator should present the scenario, i.e., “there is a phishing email, and someone clicked on it”, followed by questions to the team to see how they react to that scenario, such as “what do you do now?”; “how would the user report the issues”? or maybe, “what type of controls would protect you from it?”
The traditional type of exercise is ideal when:
Technical Tabletop Exercise: Purple Team Exercises.
This is a modern type of exercise where you bring tools to simulate an actual attack, known as a Breach and Attack Simulation tool. In this type of exercise, you bring the defending team and a simulated attacker together and see how both the defending team and their tools react to the attack. This may seem a bit intimidating for smaller organizations and teams because not many companies even have separate teams known as the Blue Team (defenders, such as a Security Operations Center) and Red Team (attacker, perhaps internal pen test team). However, you could bring in an external party like CA2 Security to lead the exercise and guide your team.
While this is not an exercise for your management team, it does provide IT and Security Leaders with excellent visibility into the effectiveness of their controls to justify the investments of their existing security program and any future needs in front of management.
We want to call this a critical part of your exercise planning because we have seen time and again how many folks do not document observations and outcomes of the exercise; even if the exercise may be performed by a vendor, sometimes they will give you a verbal report at the end of it with their recommendations, but they would not provide what we call an after actions report. Make sure that whoever is running the Tabletop Exercise provides a structured report at the end of it with their observations. We recommend that the report includes the following items (and this is what we provide at CA2 Security):
In terms of gaps, there will likely be many. However, a good moderator and partner would narrow down all those observations and recommendations to 3-5 Actionable items that your team should focus on to improve their plan. These smaller number of items should focus on quick wins help the organization respond more efficiently while reducing its risk.