Our Views:
Cyber Incident Simulations and Tabletop Exercises
If your organisation was under cyber-attack, how would you respond?
As part of your overall cyber governance procedures, you may be familiar with the terms ‘Red, Blue and Gold teaming’. A red team plays the role of the attacker, trying to find vulnerabilities and break through cybersecurity defences. The ‘blue team’ is the group responsible for defending an organisation’s information systems by maintaining its security posture against a group of mock attackers.
‘Gold teaming’ is the organisation’s Executive and Incident Response team (IR team) testing its response plan and crisis management skills in a safe environment, in order to improve the requisite skills before they’re needed. Gold teaming is most commonly conducted via a cyber incident simulation, which evaluates your organisation’s level of preparedness from both an executive and a technical perspective. The key outcome of a cyber incident simulation, or tabletop exercise as it is often referred to, is that your organisation will have greater confidence to prepare, respond and recover in a crisis. By conducting a simulation, you will:
- establish your current state of readiness
- gain a better understanding of the cyber risks you face
- practise your decision making in a safe environment
- identify areas for improvement.
There are clear benefits to conducting regular simulations. Organisations whose IR team has recently participated in an exercise will be better equipped to make key decisions quickly, reducing the overall risk and impact arising from a cyber incident.
Working with your key sponsors, you will develop a set of cyber incident scenarios that your organisation is most likely to face. Simulations and scenarios are designed based on input from the sponsors and expert knowledge of cyber-attacks, so no two simulations will be the same.
We have assisted many organisations in planning for and facilitating their simulations. Performance improvement reports are issued in the days following the exercise, while it is fresh in everyone’s minds and they can take immediate steps to reduce risk. Our experience goes beyond simply facilitating an exercise: we bring real-world experience to the decision-making table through our everyday work responding to actual incidents.
We find the most common areas for improvement are with IR plans and playbooks, roles and responsibilities, and the use of electronic control rooms.
Further, we recommend that New Zealand organisations familiarise themselves with the Coordinated Incident Management System (CIMS) and the National Institute of Standards and Technology (NIST) Incident Response Life Cycle, which consists of:
- Phase 1 – Preparation
- Phase 2 – Detection & Analysis
- Phase 3 – Containment, Eradication and Recovery
- Phase 4 – Post-Incident Activity
In the preparation phase of a simulation, the IR team should have their plan to hand from the moment an incident first occurs. Actions will include assembling the appropriate team, setting the cadence of stand-up meetings, setting up an electronic control room, and dealing with any other administrative tasks that may be required.
During the Detection and Analysis phase, the IR team will work through the process of collecting information and understanding the risk and impact at hand. For example, a business email compromise will require a different approach from a ransomware attack. We often see executives wanting to dive into technical detail before the operational team has sufficient reliable information to hand. A balance must be struck between preparing for the worst-case scenario versus only actioning the tasks that are necessary at that stage. For example, we often hear the decision taken to ‘notify the Privacy Commissioner and customers’ about a possible breach before the impact has been properly assessed. By exercising this process in a simulated environment, you have the ability to ‘wind back the clock’ and play out the scenario again based on a different decision being made.
The next phase, Containment, Eradication and Recovery, is often the one where the most time and attention needs to be spent, as many participants will either never, or not recently, have worked through such a process. Once again, it is important to balance the requirements of the operational and executive members of an IR team, focusing on the optimal levels of timing, communication and resourcing throughout the phase. We regularly see executives request information from the operational team that is not yet available, along with an overly optimistic ‘recovery time objective’ of hours rather than days. Such conflicts are expected and encouraged in a simulation, so that potential problems can be identified and resolved.
Our mission is to ‘help you prepare for, respond to, and recover from forensic and cyber incidents’. If you think it is the right time to plan for a cyber incident simulation, you can read more here, or simply get in touch.
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
