Although you might think that your cyber defenses are virtually impenetrable, every organization needs a plan just in case a cyber attack or breach does in fact happen. That’s exactly why you need to formulate, and continually test, a detailed cybersecurity incident response plan.
Having a cyber incident response plan is getting more important than ever. The average cost of data breaches and cyber incidents is on the rise, with the average cost of a cyber incident to U.S. companies reaching $7.91 million. Moreover, it takes an average of 196 days for companies to identify that there’s been a breach and take action in the form of a response.
How you construct and implement your cyber incident response plan (IRP) will depend heavily on your business, industry, technology infrastructure, and type of data that you handle on a regular basis. However your plan does end up taking shape, you’ll need to conduct regular incident response testing to ensure your entire organization is thoroughly prepared in the event of a sensitive data breach.
How exactly should you go about putting your cyber security incident response plan to the test? Read on to learn more about the basics of incident response testing, the why’s and how’s of its importance, and best practices to conduct the most effective testing of your plan.
Building an Incident Response Plan
Before diving into the specific best practices for any good incident response process, let’s first take a brief look at the key elements of an incident response plan and the basic steps towards building one. First, you’ll want to ensure that all of the proper stakeholders are involved: the people who will be critical not just to creating the plan, but who will also participate in ongoing incident response test scenarios. Here are some of the parties you will typically want to include:
- General Counsel and Legal
- Chief Information Security Officer, Chief Information Officer, or other IT Management
- Technical Leads in areas such as Security, Network, and/or Infrastructure
- Human Resources
- Public Relations & Marketing
- Risk Management & Insurance
- Business Subject Matter Experts
Although it is common to designate one single team, you can also create a core team and bring on ad hoc members as needed. Also, be sure to assign alternate members with decision-making authority should a team member be unavailable when an incident arises. You also want to establish communications procedures and responsibilities in your IRP. Determine how communication will flow, and who should talk with whom.
And most importantly, review and test your incident response plan. Review the plan quarterly (at a minimum), making updates and adjustments accordingly. For example, pay special attention to any technology, policies, or roles that may have changed in the intervening time. Also, ensure that contact information has been updated for your team members and outside resources. After initially testing your plan, schedule annual tests to identify any gaps using some (or all) of the best practices below.
1. Scan for Vulnerabilities
When testing your cyber incident response plan, the first step you’ll want to take is to conduct a thorough vulnerability scan. Vulnerability scans examine the security of individual computers, network devices or applications for known vulnerabilities. Vulnerabilities are identified by running a scanner, using sniffers, reviewing configurations, and the like. Over the course of a response plan test, vulnerabilities are identified but never fully exploited, so scans tend to be less disruptive and less expensive than other forms of testing, particularly when conducted by a cybersecurity partner.
Vulnerability scanning is an important part of testing any cyber incident response plan because you’ll want to first identify which parts of your system are most likely to be targeted by hackers, and therefore most relevant to your incident response plan. You’ll want to work with your cybersecurity partner to map out and conduct a vulnerability scan that will help you prepare for your cyber incident response plan.
Before starting your vulnerability scan, look for any compliance requirements based on your organization’s cybersecurity posture and business model. Work with your partner to decide on the best time and date to perform the scan. Once the scan is complete, the most important step is creating and reviewing reports that will help fine-tune both your cyber incident response plan and how you’ll go about testing it. Once you’ve conducted a thorough vulnerability scan, you’ll be ready to move on to the actual testing phase, knowing exactly what your critical weaknesses might be and what actions various personnel will need to take in the event of a breach.
2. Conduct Cyber Fire Drills
As the old adage goes, “Practice Makes Perfect,” and testing your cyber incident response plan is no exception to this rule. That’s why one of the most important best practices for your incident response testing is to conduct periodic “fire drills” that simulate a cyber incident. Organizations conduct these fire drills to spot any weak links in their response plans, ensure that all personnel know exactly what to do, and refine the response plan based on any shortcomings observed in the fire drill.
Just as fire prevention isn’t only about safety awareness, building codes, and employee conduct (it’s also about smart and rapid response), comprehensive cybersecurity relies on a well-practiced and rehearsed incident response plan. Your employees may have all the documentation, manuals, and information they need in the event of an incident, but at the end of the day, there’s simply no substitute for actual practice. Anyone involved in your IT breach response team, from the C-Level all the way down to rank-and-file, should be involved in your cyber fire drills.
Employees, staff, and leadership come and go, so you’ll want to conduct fire drills on an annual basis (at minimum). How often you conduct cyber fire drills to test your response plan will depend on the nature of your business, as well as the types of systems and data that hackers might be targeting. Having a good working relationship with your cybersecurity partner will help you determine the proper intervals at which you’ll want to conduct cyber fire drills, as well as triage the results towards improving your response plan.
One of the most important aspects you’ll want to focus on during your cyber fire drill is something that many organizations fall short in during an actual incident: interdepartmental communications. Although most firms across all sectors and industries believe they have robust security systems in place, the weakest link in the chain is often the employees and their inability to coordinate properly. By practicing regular digital fire drills, your entire organization will be empowered with the knowledge and tools to limit the damage and ensure a quick recovery in the (however unlikely) event of an actual breach.
3. Test Specific Scenarios
In addition to (or potentially separate from) your cyber fire drills, you’ll want to focus on testing very specific scenarios that you’ve identified with your cybersecurity partner. These could be based on your vulnerability scan, penetration test, or a combination of other factors and strategies. Scenario-based testing of your cybersecurity incident response plan is an incredibly useful way of engaging everyone in your response team in the real-time decision-making process that goes with reacting to a critical cyber incident.
Every organization, incident, and/or breach is unique, so the specific scenarios you practice might differ drastically from organizations in different industries, geographies, etc. However, here are some of the most common scenario tests that are used to help shore up cyber incident response plans across the board:
Executive-Level Simulation
Focused on the unique executive-level decision-making and communication strategies that are critical to any crisis response. Organization-specific scenarios are typically created based on current threat intelligence, and participants typically discuss the actions they would take without necessarily implementing them.
Scenarios designed to test the executive portion of your response plan usually involve relevant C-suite personnel (CEO, COO, CTO, CIO), board members, general counsel, PR & communications, HR, cyber threat intelligence units, and the incident coordinator.
Incident Coordination Simulation
The primary objective of this scenario simulation is to test the ability of the incident coordination team to manage, respond to, mitigate and remediate the damage of a potential cyber attack. This includes interacting with the executive-level team and any third party compliance and/or regulatory bodies. These scenarios typically focus on how the “boots on the ground” part of your cyber incident response plan functions around various types of breaches and attacks.
Normally, these simulations will involve the CTO or CIO, incident response coordinator, incident response lead, investigations lead, cyber threat intelligence team, and compliance team lead. Incident coordination simulations are designed to see how these functions communicate and coordinate in the event of a breach.
Response Team Simulation
Response team scenario simulations focus more heavily on the technical actions that need to be undertaken in the event of a breach, or even when a potential threat is first detected. Your cybersecurity partner will typically simulate an attack scenario by gaining access to your system (usually through social engineering or external penetration) and moving through it laterally to see how your response team implements your incident response plan. Response team scenarios test the security monitoring and incident response capabilities defined in your organization’s response plan.
In these simulations, you’ll want to include your security incident coordinator, incident response lead, investigations lead, technical professionals, cyber threat intelligence unit, and security operations team. Anyone that has technical roles or responsibilities in your incident response plan should be involved in your response team simulation.
Depending on what you and your cybersecurity partner decide, some of the specific types of attacks you may want to simulate in one (or all) of the above scenarios are as follows:
- Phishing Emails – Fake emails that appear to be real, designed to get users or employees to unwittingly hand over passwords or other critical information.
- Malicious Attachments – Similar to phishing emails, documents or files attached to an email that appears valid, but in reality contain a virus, malware, or the like.
- Password and Other Suspicious Requests – Cybercriminals posing as employees, contractors, or third-party vendors to bait employees into divulging sensitive passwords and other access controls.
- Unauthorized Computers and Devices – Computers and devices that haven’t gone through the proper authentication processes prior to joining your network are targets for hackers. How does your response team react in the event one of these devices is compromised?
Another possible route for a response plan is MDR, or Managed Detection and Response. Learn more about it in our related article.
4. Triage Results
At the conclusion of your incident response plan test, you should conduct a debrief with your cybersecurity partner to receive immediate feedback from participants on how the test went, so that future scenarios and/or fire drills can be conducted more effectively.
Most importantly, you’ll want to identify the key areas for improvement in your incident response plan. Your testing partner will help create written reports and feedback for all levels of personnel and management involved in your incident response plan, and adjust any incident response processes that need to be addressed.
Whether it’s for a PCI DSS incident response plan in the financial sector, HIPAA in the healthcare industry, or NIST for government contractors, the bottom line is that your incident response capabilities need to be put to the test. And that’s not just true for your rank-and-file employees and technical IT staff. Responding to cyber incidents and breaches is an organization-wide effort, which is why clearly defining who needs to do what in your response plan is critical before you even begin to test it.
Once your plan is formulated, work with your cybersecurity partner to conduct a vulnerability scan to determine which areas and potential weaknesses in both your systems and your response plan you’ll want to test. You’ll want to conduct regular cyber fire drills to see how your teams respond on the fly, as if an attack were taking place in real time.
Also, don’t forget to test various managerial and executive levels under specific attack scenarios that are most likely to take place. And most importantly, go over your results with your cybersecurity partner to make the necessary adjustments, and take the time to educate your incident response team on any changes on a consistent basis.