Testing your organisation's response to cyber incidents

Tuesday, 17 October, 2023


It’s 7:30am. You wake up to 17 missed calls and a dozen messages from staff saying they’re locked out of their machines, and all they can see is a message asking for 50 bitcoins to decrypt the company’s data.

What do you do?

Incident response exercises are the cyber security world’s version of a fire drill. They create a fictitious scenario in which your organisation experiences an incident and is challenged to respond to it. The purpose of a cyber incident response exercise is simple: test your response now so that you respond better in the event of a real cyber incident.

Why should you conduct Incident Response Exercises?

Respond faster and more efficiently to incidents

Having a streamlined process for identifying and responding to incidents will speed up raising the alarm, investigating, and remediating an incident. Answering questions like “who would be responsible for responding to an incident, who would support them, and how would they communicate?” ahead of time will increase the efficiency of, and decrease the response time to, any incident.

Reduce the impact of incidents

In most, but not all cases, the faster an incident is dealt with the lower the impact will be on the business. This is particularly the case for manufacturing organisations that generate revenue on an hourly basis.

Identify and eliminate single points of failure in your incident response plan

Is your incident response plan stored on the same network that would be inaccessible in the event of ransomware? Does your support team reside across different time zones? Do you know where all your assets are? These are all issues that would stall your response to an incident, but they can be identified by running an exercise ahead of time.

Remove the emotion from decision making

When do you contact your insurance company? Would you pay a ransom? What do you tell clients? These are all questions that have significant implications and ramifications, so answering them in the cold light of day will remove the dilemmas that cost precious time when responding to an incident.

Understand your business critical functions better

Running through scenarios will help identify systems, assets, or processes that are critical – or indeed not critical – to business operations.

When should you conduct Incident Response Exercises?

An Incident Response Exercise (IRE) is a great way to test your incident response plan. Don’t have one? Here’s a template we’ve put together to help you get started. Incident Response Exercises should be run on a regular basis (at least yearly), and there are a few key milestones that should prompt the running of an exercise.

After creating/making major changes to the Incident Response Plan

This is the perfect time to identify any single points of failure in the Incident Response Plan (e.g. is the Incident Response Plan stored on the network, and therefore inaccessible in the event of a ransomware attack?).

After creating an Incident Response playbook

Playbooks are a way of tailoring responses to specific scenarios such as ransomware, data breaches, or process failures. However, it’s vital to test these playbooks to ensure they don’t miss any crucial part of incident response that would otherwise reduce their effectiveness. For more information on IR playbooks, see Ray’s blog post here.

Following a business level cyber risk assessment

Identifying the key cyber risks to your business will help guide the types of scenarios (or risk events) that the organisation is likely to face, and this is a good opportunity to test the organisation’s response to one of those risk events.

Who should be involved in Incident Response Exercises?

In our Incident Response template (linked above) we outline the typical stakeholders in an Incident Response team. When conducting an exercise, it’s important to have a representative from each of those main areas to forge those relationships. This will help with knowing who to contact in the event of an incident, and give those members confidence in their ability to respond efficiently in a real incident. As a minimum, we would suggest the following people should be present:

Incident Manager

This is the person who would be responsible for overseeing and coordinating the response, and who therefore needs the authority to make high level business decisions (e.g. CTO, CIO, CISO).

Technical representative

Usually the IT Manager or Leader: the person who will be able to answer technical questions concerning the organisation’s IT architecture and processes (patch and backup regimes, systems used, etc.).

Other department heads

Human Resources, Communications, and Public Relations may all be needed for input and, in some cases, execution, so having them present can be useful.

What makes a good Incident Response Exercise programme?

Get the right people involved

Having the people who would actually be involved in incident response is key to ensuring the success of the exercise and its usefulness to the business.

Make it relevant to your business/risks

Tailoring the exercises to your industry/operations will help make the exercise more relevant and better inform your Incident Response Plan.

Document and learn from it

The objective is to learn from the exercise in order to respond better to a real event. So use the current Incident Response Plan during the exercise, document what happened, and update the Incident Response Plan afterwards.

Rinse and repeat

Your organisation will change over time; personnel, infrastructure, threats and risks will all evolve, so testing your response regularly and updating the Incident Response Plan accordingly is key to a successful Incident Response Exercise programme.

Photo by Josephina Kolpachnikof on Unsplash