Testing Your Cybersecurity Incident Response Plan


On the real-world application of skill, Miyamoto Musashi, undoubtedly the most famous of all samurai, writes in The Book of Five Rings that "You can only fight the way you practice."

As security professionals performing assessments and audits, we request and review a client's Security Incident Response Plan, if there is one. Just this week the Ponemon Institute released "The Third Annual Study on The Cyber Resilient Organization", indicating that 77% of organizations lack a proper incident response plan. I suspect that of those organizations with a plan, few have actually tested it and put it into practice.

Different incidents require different responses; this can result in plans that vary significantly, from those addressing only minimal incidents to plans that become bloated attempting to tackle every possible scenario. Incident response must be approached strategically, with the goal of improving the organization's overall ability to keep operating even while under attack. Putting a well-defined and documented incident response plan into practice will contribute greatly to understanding and improving your organization's cyber resilience.

Putting the Plan to Practice

We need to evaluate the organization's procedures, tools and expertise for dealing with cyber incidents. This can be achieved with a tabletop exercise built around one or more scenarios based on real-world cyber events and the threats facing your organization. We have a risk management framework in place and have already performed threat modelling, right? Understanding your business and what is critical to it will assist greatly with building out the plan and with choosing realistic attack scenarios for the exercise, the ones that can contribute most to your organization's resilience.

The exercise identifies gaps in documented procedures, differences between expected outcomes (what we think will happen) and what would realistically happen, and even the skill level of the responders. Regularly practicing incident response and identifying where to improve, whether in documentation, procedure or employee training, supports a strategic approach that builds resiliency for your organization.

The benefit of having a team that is well prepared, well versed in incident response and has "been there and done that" experience is a team that:
  • knows what to communicate and to whom
  • knows what to do and when to do it
  • learns and adapts from resolved incidents and from attackers' Tactics, Techniques, and Procedures (TTPs)
  • continually improves process and documentation
  • can and will save your organization's reputation and financial well-being
To achieve resilience, a level of maturity is required, particularly within incident response. The way we practice is the way we respond: a simple mantra... but as we all know, simple is not easy. Cybersecurity is complex by its very nature, and at its best it is aligned with the business and considered key to the successful delivery of service, whatever that may be for the organization.


BANZAI!

Koz