centium-logo

Why and how to test your cyber incident response

December 7, 2021

Cyber attacks can happen to any business at any time – reports show that in 2021, an Australian business was targeted every 11 seconds. Targets vary from SMEs to large government departments and organisations, and they are increasing in both severity and frequency, with the capacity to cost organisations thousands of hours and millions of dollars.

A Cyber Incident Response Plan enables the timely, consistent, and appropriate response to suspected and confirmed security incidents. An effective Plan will protect information and assets and minimise harm to individuals/entities that may be affected by the incident. 

Such plans are also intended to promote consistency in the way that an organisation prepares for and responds to a security incident, by documenting roles and responsibilities, risk assessment and escalation procedures, and notification requirements.

The following video discusses the benefits of Cyber Incident Response Plans:

The Benefits of Cyber Incident Response Plans

Testing your plan is essential

The fourth annual 2019 benchmark study on Cyber Resilience (conducted by IBM Security and the Ponemon Institute) showed that more than half of organisations with Cybersecurity Incident Response Plans fail to test them. This can leave them less prepared to effectively manage the complex processes and coordination that must take place in the wake of an attack.

Earlier this year, the highly regarded Ponemon Institute released its annual Cost of a Data Breach Report. This year’s report offers insights into cyber breaches from May 2020 to March 2021, alongside recommendations on how to reduce business risk. Within the report there were several key findings, including how testing has played a role in reducing the cost of a data breach:

“Organisations that had formed incident response teams and tested plans experienced data breach costs that were $2.46 million less than their counterparts.”

Now, we are presuming that you have a solid cyber security incident response plan in place, and it’s communicated to all required stakeholders. But does it work in the real world?

To quote Mike Tyson, “Everyone has a plan until they get punched in the mouth.” And when a real cybersecurity incident occurs, the punches will be flying. So, you need to regularly test your cybersecurity incident response plan, along with the capacity of the people and technology that will carry it out to make it more effective.

Picking the Right Incident Response Plan Test

If you're not motivated to do regular testing, others may provide the purpose you need. Major third-party compliance frameworks such as NSW Cyber Security Policy (CSP), MAS TRM, SOC 2 and PCI DSS, for example, require an annual test of your incident response plan, even though they don’t specify an exact testing approach. Your organisation's cybersecurity maturity and risk level may also indicate that you need semi-annual or quarterly tests.

By implementing a regular testing regime your testing will become more effective and you will have more frequent opportunities to identify components of the plan that have gone out of date.

Your customers may have more stringent security contractual requirements than the frameworks about the testing approach. We have seen some companies recently tell potential vendors that their testing process is not rigorous enough. This has resulted in the vendor having to decide whether the contract was valuable enough to justify the time and expense of running a thorough simulation test every year to satisfy and hopefully retain the customer.

The National Institute of Standards and Technology (NIST) Special Publication 800-84 defines two types of exercises and tests:

Exercises

Tabletop Exercise

A tabletop exercise is a discussion-based session where a team discusses their roles and responses during a security incident, walking through one or more example scenarios. The atmosphere is collegial and exploratory. The primary objectives of the tabletop exercise are to:

  • increase security situational awareness;
  • facilitate discussion of appropriate incident responses; and
  • identify gaps and issues in the Incident Response Plan.

In this, a facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination, and decision-making. It's only worth starting a tabletop exercise if you already have some form of response plan in place for the scenario you'll be running through. Tabletop exercises are great for testing plans.

Functional Exercise

Functional exercises allow personnel to validate their readiness for emergencies by performing their duties in a simulated environment. These tests not only evaluate what your team would do when confronted with a major incident but also how they would do it. Unlike simulated attacks, which are often still conducted tabletop style, functional exercises are designed to test the roles and responsibilities of specific team members, procedures, and assets involved in one or more practical aspects of a plan (e.g., communications, emergency notifications, IT equipment setup).

Functional exercises vary in complexity and scope, from validating specific elements of a plan to full-scale exercises that address all plan elements. Functional exercises allow staff to execute their roles and responsibilities in an actual emergency situation, albeit in a simulated manner.

Tests

Tests are evaluation tools that use quantifiable metrics to validate the operability of an IT system or system component in an operational environment. A test is conducted in as close to an operational environment as possible.

Tests and exercises vary in complexity and level of effort, with functional exercises and tests providing the highest assurance that incident response plans and procedures would operate as intended during a real incident. Tabletop exercises provide a good mechanism to ensure personnel with incident response duties understand their roles, responsibilities, and procedures.

Incident Response Test

Guideline NIST SP 800-61 establishes the incident response life cycle, summarised in the table below. The incident response life cycle should be the basis of the organisation’s incident response policy and procedures, and the policy and procedures should be built to include activities performed at each stage of the life cycle.

IR Lifecycle StageSummary of Incident Activities
Preparation1. Provide training and awareness for all individuals in recognising anomalous behaviour and specific reporting requirements for suspected breaches
2. Gather contact information for incident handlers
3. Gather hardware and software needed for technical analysis; and
4. Perform evaluations, such as tabletop exercises, of the Incident Response (IR) capability.
Detection & Analysis1. Monitor information system protection mechanisms and system logs
2. Investigate reports of suspected breaches
3. Notify Authorities
Containment1. Choose and implement strategy for preventing further loss based on level of risk
2. Gather and preserve technical evidence, if applicable
Eradication1. Eliminate components of the incident, such as deleting malicious code and disabling breached user accounts, if applicable.
Recovery1. Restore systems via appropriate technical actions such as: restoring from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, and tightening network perimeter security.
Table 1: Incident Response Lifecycle

Organisations should develop test and exercise material to guide the execution of the test, including a test scenario for a hypothetical breach. The table below provides some example scenarios that can be tailored to meet organisation needs:

Breach ScenarioTabletop Exercise Objectives
Through a routine evaluation of system logs, a system administrator discovers that data has been exfiltrated from the system by an unauthorised user account.1. Determine the actions that would help prevent this type of incident (preparation).

2. Determine the controls in place that would help identify this incident, along with procedures on how to report the incident (detection and analysis).

A remote user has lost his/her laptop. The user’s job function required that organisation data be stored on the laptop.
3. How to prevent further damage (containment),

4. How to clean the system (eradication
After a recent office move, it is discovered that a locked cabinet containing sensitive data is missing. 5. How to restore the system in a secure manner (recovery).
Table 2: Sample Incident Response Evaluation Scenarios

Evaluating your testing exercise

Evaluating the exercise is a critical step to ensuring success of the incident response program. After the test or exercise is complete, the participants should conduct a debriefing to discuss observations for things that worked well and things that could be improved.

The comments and issues that emerge during the debriefing, along with lessons learned documented by the data collector during the exercise, should be captured in the Post Action Report (PAR). The PAR should also document observations made throughout the exercise and participants during the exercise and recommendations for enhancing the IR plan that was exercised.

In general, IR tests and exercises should:

  • Be organised, facilitated undertakings
  • Leverage the facilitator’s guides, participants guide, and PAR templates given in NIST SP 800-84
  • Include individuals with incident response responsibilities, such as business/mission owners, IT management, technical points of contact
  • Include simulating contact to the APRA or OAIC or Authority, or a test contact
  • Test contacts to APRA and the OAIC should be clearly identified as an exercise or test upon contact in all conversations and written submissions
  • Produce documentation that serve as verifiable evidence the exercise took place
  • Produce documentation that captures the actions necessary to identify, report, contain, and remediate the incident at each stage of the incident response lifecycle
  • Produce a PAR describing operational gaps and plans to mitigate those gaps. incident response plans, policies, and procedures need to be updated with results from the PAR

You should regularly review and update the incident response plan (including threat specific plans) and practice them regularly.

Support from security specialists

Centium has extensive experience partnering with clients to raise cyber security awareness, identify and manage cyber and IT risks, and build resilience. Our cybersecurity professionals are highly skilled at translating technical concepts into practical plans and procedures. 

We also have a proven track record creating robust incident response plans (including threat specific playbooks) and facilitating scenario tests that enable organisations to realise and address gaps in existing planning documents quickly.

Our approach allows your staff to actively participate in facilitated scenarios and role plays, while we independently observe proceedings. At the end of the workshop, we will debrief with the team, and provide a report on our findings and opportunities for improvement.

Contact our Director, Cyber, IT & Business Continuity for a no-obligation discussion on 0434 896 764 or vipan.chauhan@centium.com.au. Alternatively, browse Centium's range of Cyber, IT & Business Continuity services.  

Our Clients

Top