Cybersecurity Incident Response Exercise Guidance

Author: Larry G. Wlosinski, CISA, CISM, CRISC, CDPSE, CISSP, CCSP, CAP, PMP, CBCP, CIPM, CDP, ITIL v3
Date Published: 18 January 2022

Information security and privacy incidents are becoming more frequent. According to the CyberEdge Group 2021 Cyberthreat Defense Report, 2021 “…saw the largest increase in successful attacks within the last six years.”1 In addition, it stated that “Over time, cybersecurity professionals have come to realize that it’s more of a question of when their organization will be victimized by a data breach than if.” As a result, it is more important than ever to train incident response teams (IRTs) to recognize, handle and respond to cybersecurity (and privacy) incidents.

Organizations must review cybersecurity threats and attack vectors, understand the importance of the incident response plan (IRP), review response activities, conduct tabletop exercises, analyze the exercises to determine areas for improvement, manage reporting and conduct IRP maintenance.

IRP

The IRP provides a road map for implementing the incident response capability as defined by the organization’s mission, size, structure, functions, strategies and goals. In addition, it identifies the organizational approach to incident response, contains communication information and defines the metrics associated with the incident response capability. The topics of information security and privacy are usually intertwined but can be addressed separately—each with its own plan.

Because of the varied types of organizations (e.g., large, medium, small, international), the IRT communication requirements will vary. Participants in incident communication can include Internet service providers (ISPs); software and support vendors; incident reporters; law enforcement; customers, constituents and partners; media; and other IRTs. IRTs can be centralized, with one team at a central headquarters; distributed, with multiple teams to support different time zones or locations; coordinated, with a headquarters that manages multiple teams; partially outsourced; fully outsourced; or staffed with internal personnel. All of these considerations must be included in the IRP.

Cybersecurity Attack Vectors

The group responsible for the plan will vary depending on the organization, but the threats and attack vectors will not. Figure 1 is an analysis of the cyberattack vectors that can aid in developing descriptive exercise scenarios.2,3 It contains examples and descriptions, vector objectives, and who or what identified an active attack. Corrective actions to address the problems are not included.

[Figure 1: Analysis of cyberattack vectors (examples and descriptions, vector objectives, and who or what identified an active attack); the figure image is not reproduced here.]
Source: (a) Wlosinski, L. G.; “Ransomware Safeguards and Countermeasures,” ISACA® Journal, vol. 4, 2020, https://www.isaca.org/archives

Tabletop Exercises

A major concern with implementing an IRP is whether the plan will work. To ensure that it does, tabletop exercises should be conducted at least annually. Tabletop exercises are defined as:

Discussion-based exercises where personnel meet in a classroom setting or in breakout groups to discuss their roles during an emergency and their responses to a particular emergency situation. A facilitator presents a scenario and asks the exercise participants questions related to the scenario, which initiates a discussion among the participants of roles, responsibilities, coordination and decision-making. A tabletop exercise is discussion-based only and does not involve deploying equipment or other resources.4

Exercise Purpose
The purpose of tabletop exercises is to understand the roles and responsibilities of the support team, response priorities, order of events, roles of the various plans, communication requirements, and the role and use of the tools at the team’s disposal. Participants also learn how to react to various scenarios, verify procedures and determine what is missing from plans.

The agenda of the tabletop exercise should include an introduction of participants, a review of the exercise scope and logistics, scenario walk-through, a review of testing questions, the exercise, and survey completion. Afterward, the facilitator and data collector discuss the observations, survey responses and write an after-action report (AAR).

The AAR should include the date and time of the exercise, a list of participants, scenario descriptions, findings (generic and specific), observations with recommendations, lessons learned and an evaluation of the exercise (strengths, weaknesses, lessons learned). An executive briefing (i.e., exercise recap and team evaluation) may also be required if requested.


Exercise Preparation
Once the IRP has been written, the manager responsible for the IRP can prepare for the exercise. Assuming that the exercise participants have had some kind of training, preparation activities should include:

  • Design the exercise—Scenarios specific to the systems (e.g., enterprise, security operations center [SOC], region) and support activities (e.g., network monitoring, log file analysis, intrusion detection, digital forensics) are created. The purpose of the SOC is to lock traffic and requests, monitor systems, keep ingress from the Internet domain, protect internal corporate systems, respond to investigations, perform digital forensics, analyze data and reports, and satisfy reporting requirements. The SOC uses tools such as Splunk, Elasticsearch, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), a security information and event management (SIEM) system, and cyberthreat intelligence (CTI), if available.
  • Determine the topics—The exercise topics can be selected by attack vector, type of data (e.g., network, privacy, organization sensitive, system specific) and direction of attack (i.e., external or internal).
  • Determine the scope—The scope of the exercise (i.e., roles and responsibilities) can range from just the response team to the system administrator, security staff, organizational partners and vendor. The exercise can be at the management or operational level.
  • Identify the objectives—Objectives should be oriented to the purpose and content of the plan that will be exercised. Having pertinent objectives aids in exercise participation.
  • Identify the participants and staff—This activity is intended to validate the operational procedures of the plan and the tasks of the associated personnel (who should all be invited). An exercise facilitator and data collector are assumed to be part of the exercise.
  • Coordinate logistics—Logistical concerns include the date and time, location (e.g., conference room, remote/virtual session), supporting equipment (e.g., laptops), placards, refreshments, meeting invitations, and supporting/reference documents (e.g., IRP).
  • Develop the material—The material can include presentation slides, a participant guide, facilitator guides and survey questionnaire. The questionnaire should ask about issues not discussed, plan and exercise strengths and weaknesses, information gained from the exercise, and suggested improvements to the exercise.

Exercise Scenarios
The development of information security and privacy incident scenarios for exercises should include considerations for scope and objectives, but it should also focus on the intent of the plan. Figure 2 shows examples broken down by area of focus, with the identifier of the incident and type of data.

[Figure 2: Example exercise scenarios broken down by area of focus, with the identifier of the incident and type of data; the figure image is not reproduced here.]

Scenario discussion questions can cover plan activation, ownership and location. Personnel involvement (i.e., who would be contacted and how) and management action should be discussed. A review of the procedures (i.e., forensics, backup, data storage, retrieval, restoration) should also be included, along with “what if” questions.

Conducting the Exercise
There are six main activities in the incident response life cycle: preparation, identification, detection and analysis, containment, eradication and recovery, and post-incident activities. They all should be discussed in one or more tabletop exercises as questions presented by a facilitator. The activities should include:

  1. Preparation—The topics discussed in the preparation portion of the exercise include policies and procedures, critical documents, points of contact (i.e., IRT, external partners, internal partners), tools, resources, document and information accessibility, and continuous monitoring.
  2. Identification—Points to discuss during the identification phase are criteria for declaring the impact level of the incident, data to be collected, incident severity and third-party data (if applicable). Once this has been determined, discussion of the data and the level of risk to the organization (internal and external ramifications) is necessary.
  3. Detection and analysis—The detection and analysis discussion should cover investigation strategy and priorities, team assignments (i.e., roles and responsibilities), scope of the incident (e.g., network, internal servers, partners, customers), tool report findings, information sharing among the team and others, management reporting, government reporting, and sources of information (e.g., malware descriptions and remediation advice, vendor resources).
  4. Containment—The containment portion of the exercise includes discussion on how containment is to be achieved, the gathering of forensic information and the removal of data that may have been published on the Internet.
  5. Eradication and recovery—The eradication and recovery discussion should focus on vulnerabilities to the processing environment (e.g., points of access or entry), cleaning and restoring infected devices, access and connectivity concerns, patching, device and software reconfiguring, and any additional weaknesses uncovered.
  6. Post-incident—The post-incident discussion should be about changes to continuous monitoring, lessons learned and improving governance. The lessons learned apply not only to the organization but also to partners and cloud providers. An exercise survey could be used to obtain additional concerns, comments and recommendations.

IRP Maintenance

Maintaining the IRP requires periodic reviews at least annually, particularly for the areas that may change frequently. The areas that may change include point of contact information, links to supporting documents, and procedures and policy. Information gained from the exercises can be used to update the plan.

Conclusion

It is important for those who write, maintain and oversee the IRP to understand its purpose, how to test/exercise the support teams, the preparation components and activities, sample scenarios, reporting, and plan maintenance. It is up to each organization to use this information to improve the level of security and privacy of the data in their organization, and thereby ensure a quick and effective response to the many types of cybersecurity incidents that can harm or cripple them.

Endnotes

1 CyberEdge Group, 2021 Cyberthreat Defense Report, USA, 2021, https://resources.perimeterx.com/c/2021-cyber-threat-defense-report?x=OxBXZ2
2 Balbix, “Eight Common Cyber Attack Vectors and How to Avoid Them,” USA, https://www.balbix.com/insights/attack-vectors-and-breach-methods/
3 Tunggal, A. T.; “What Is an Attack Vector? 16 Common Attack Vectors in 2021,” UpGuard, 25 May 2021, https://www.upguard.com/blog/attack-vector
4 Grance, T.; T. Nolan; K. Burke; R. Dudley; G. White; T. Good; Special Publication (SP) 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, National Institute of Standards and Technology (NIST), USA, 2006, https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-84.pdf

Larry G. Wlosinski, CISA, CRISC, CISM, CDPSE, CAP, CBCP, CCSP, CDP, CIPM, CISSP, ITIL v3, PMP, is a senior consultant at Coalfire-Federal. He has more than 22 years of experience in IT security and privacy and has spoken at US government and professional conferences on these topics. He has written numerous magazine, newspaper and journal articles; reviewed various ISACA® publications; and written questions for the Certified Information Security Manager® (CISM®) and Certified in Risk and Information Systems Control® (CRISC®) examinations.
