Whether you are trying to comply with HIPAA/HITECH, NAIC Model Laws, SOX, PCI DSS, ISO or the NIST Cybersecurity Framework, you must address incident response and management. In the time I have been involved in risk management, I have seen an ever-growing emphasis being placed on these functions.
I think that one of the reasons for this is that most of us have come to the realization that there is no such thing as perfect information security. Not only are data breaches and other security incidents inevitable, but we are also seeing more and more of them occur each year, a trend I don’t expect to change anytime soon. In addition, people are becoming increasingly concerned with their privacy and with protecting their proprietary information. In response, regulators are becoming tougher on the subject too.
To have an effective incident response program you need several things: good IR policies and procedures, a detailed IR plan, a competent IR team, stakeholder buy-in and, in addition, realistic practice sessions. Have you ever heard a military leader state the truism “no battle plan, no matter how well thought out or detailed, ever survives long once combat is joined”? The same thing is true of an incident response plan.
We at MSI have designed and led many table-top incident response exercises over the years, and we have definitely learned some valuable lessons. One thing we have learned is that these types of exercises must be planned out and undertaken in as realistic a manner as possible. Our preferred methodology includes surprising the team with the exercise. Ideally, only the exercise instigators will have any idea an exercise is to take place until the team receives calls stating that there has been an incident.
Doing it this way is unpalatable to many organizations, and they decide to let their people know about the exercise in advance. This is understandable. But surprising the team brings the benefit of realism. Maybe some team members are on vacation, or at a dentist appointment, or away from their phones for some other reason. Something like that is almost always the case. This makes the team scramble, and may bring some backup team members into the mix.
It is also important to unfold the details of the exercise one by one, just as they’d come in if a real incident were occurring. Maybe it starts with strange file extensions appearing in activity logs, or reports of computers “acting funny” coming into the help desk. The team is invited to relate just how they would address these issues. As this activity is going on, another source reports unusually large encrypted files egressing from the network. What would you do? From there on, the complexity increases.
We like to use real-world scenarios when we design these exercises. We will look at incidents that are occurring presently, and leverage those for our scenarios. For example, now it may be ransomware attacks. Or it may be multi-tier attacks in which cyber-criminals launch one exploit to get the IR team’s attention while running a more surreptitious attack at the same time in hopes that it will slip under the team’s radar.
We also recommend that your practice not be strictly limited to table-top exercises. These can be very helpful, but they are just not the same as real incidents. They are time-compressed and usually everyone is in the same room or on the same conference call. Given these strictures, how are you to know if your communications mechanisms are going to work as advertised? Have you actually tried working with your ISP, or attempted to reverse engineer an exploit? Have you identified all the third parties that you might need to utilize during an incident?
Because of this, we recommend that you not only perform table-tops, but that you take occasion to really go through all or some of the functions you would be performing during a real event. See if your communications really work. Take systems offline while preserving and storing evidence correctly.
Go through your “lessons learned” findings from previous exercises and see if you can find shaky IR functions to test out. In the end, the more realistic you make your IR practice, the better it will serve you when the real deal drops on you like a stone.